Blend

Buyer's Guide · Updated June 2026

How to choose NIS2 training: a buyer's guide for essential and important entities

Article 20 requires both: management bodies must follow cybersecurity training, and entities must offer similar training to all employees. Board members carry personal liability. Penalties run up to €10 million or 2% of global turnover. This guide walks through what NIS2 actually requires you to train on, how formats compare, and what competent authorities will look for at inspection.

What NIS2 actually requires you to train on

Article 20 sets the training duty: management bodies must follow training to gain sufficient knowledge to identify risks and assess the impact of cybersecurity risk-management measures, and entities must offer regular training to all employees on a similar basis. The duty is light on prescribed content by design. The practical scope comes from Article 21, which lists ten categories of cybersecurity risk-management measure that must be in place at the entity.

Translated into training content, that means: a baseline cyber-hygiene module for all staff (phishing, credentials, secure remote working, social engineering, escalation paths); a deeper technical module for security operations covering the Article 21 measures relevant to their role; an incident-response module practising the Article 23 reporting cycle (24-hour early warning, 72-hour notification, 1-month final report) under time pressure; a supply-chain security module for procurement and vendor management; and an Article 20 governance module for management body members covering personal liability, oversight expectations, and the questions the board needs to be able to answer at inspection.

Generic 'cybersecurity awareness' training does not cover most of this. The Article 20 board duty in particular is poorly served by phishing-only awareness products.

Eight questions to ask any provider

  1. Does the course distinguish essential and important entities? The supervisory regime is different; the documentation expectations are different. A course that treats them identically is shallow.
  2. Are there role-specific paths? Look for distinct content for management body, CISO and security operations, supply-chain managers, and general staff.
  3. Is the Article 23 incident-reporting cycle practised? Reading about the 24-hour deadline and running an exercise against it are different training outcomes.
  4. Are the ten Article 21 measure categories covered specifically? Or only at the level of general cybersecurity awareness?
  5. Has the content been legally reviewed? Qualified EU cybersecurity counsel is the credibility floor.
  6. How are content updates handled? ENISA guidance and national CSIRT clarifications continue to develop. Annual-update licences keep training current.
  7. Is the course available in our EU languages? Multi-country entities need consistent training in every operating language.
  8. Is it SCORM 1.2 ready? Anything else means a separate platform login per learner.

Who needs which training

Role | Training depth | Key topics
All staff | Awareness | Phishing, credentials, social engineering, secure remote working, escalation paths
Management body | Governance + personal liability | Article 20 duties, oversight of Article 21 measures, board questions at inspection, personal liability framework
CISO + security operations | Deep technical | Article 21 measures, threat detection, vulnerability management, incident classification
Incident response team | Scenario-based + tabletop | Article 23 reporting cycle, CSIRT interaction, time-pressure decision-making
Procurement + vendor management | Supply-chain specific | Article 21(d) supply-chain security, contractual provisions, third-party risk
Legal + communications | Incident-response specific | Reporting-cycle compliance, regulator interface, public communication under live incident

What competent authorities look for at inspection

Essential entities are subject to routine ex-ante inspection, which means the documented training programme will be examined as a matter of course. Important entities will be inspected on triggered cause. The questions either inspection will ask: do you have a documented training programme covering both board and staff; do you have per-learner completion evidence; was the training role-appropriate; was it refreshed against changes in your threat picture and the AI systems in use; did the management body participate; is incident response practised under realistic time pressure; are training records integrated into the broader Article 21 risk-management documentation.

A phishing-simulation completion log does not answer those questions. A scenario-based training programme with per-learner decision-path records, paired with Article 20 board sessions and Article 23 tabletop exercises, does.

How Blend Training approaches NIS2

Blend's NIS2 course is a scenario-based programme that puts learners in the CISO and incident response lead seats during a live cyber incident with the 24-hour Article 23 clock running. It covers the ten Article 21 measure categories, the Article 23 reporting cycle, Article 20 personal liability for management body members, and the essential-vs-important supervisory distinction. The course has separate role-paths for management body, CISO, and general staff.

Content is reviewed and signed off by qualified EU cybersecurity counsel. Updates are included in the annual licence. Pricing follows the standard tier model: €690 per year (up to 50 staff), €1,490 (up to 250), €3,990 (up to 1,000), and from €15,000 per engagement for bespoke programmes. SCORM 1.2 packages, deployable to any LMS in minutes.

Frequently asked questions

What does NIS2 require organisations to train on?
Article 20 mandates that management bodies of essential and important entities follow training, and ensure regular training is offered to all employees on a similar basis. The text is light on detail by design, but Article 21 (cybersecurity risk-management measures) is the source of practical training scope. At a minimum, training should cover: the entity's classification (essential vs important) and what changes with that, the ten Article 21 measure categories, incident detection and the Article 23 reporting cycle (24h early warning, 72h notification, 1 month final report), supply-chain security, basic cyber hygiene (phishing, credentials, social engineering, escalation paths), the entity's incident response plan, and personal liability under Article 20 for management body members.
Is NIS2 training mandatory by law?
Yes. Article 20(2) explicitly requires both: management bodies must follow training to gain sufficient knowledge to identify and assess cybersecurity risks; entities must offer similar training to all employees on a regular basis. The duty is not optional. Competent authorities can request evidence of training programmes during inspections of essential entities and on cause for important entities. Personal liability under Article 20 means individual board members can face temporary prohibition from management functions where compliance failures persist.
When did NIS2 enforcement begin?
The Directive was due for national transposition by 17 October 2024. Many Member States missed that deadline; the Commission opened infringement proceedings against several. Where Member States have transposed, the national law applies from the date set in transposition. Where transposition is incomplete, the Directive applies directly to the extent possible. National competent authorities and CSIRTs are active in transposed states; supervisory examinations of essential entities have been running through 2025 and 2026.
What's the difference between training for essential vs important entities?
The Article 20 and Article 21 obligations are the same. The supervisory regime differs: essential entities are subject to ex-ante supervision (regular and unannounced inspections); important entities to ex-post supervision (action on evidence of non-compliance). The penalty ceiling differs (€10M / 2% turnover vs €7M / 1.4%). Training scope should reflect the supervisory model: essential-entity training programmes need to be more comprehensively documented because the entity will be inspected as a matter of routine. Important-entity programmes need to be documented well enough to respond to a triggered inspection.
What formats does NIS2 training come in?
Four main formats. (1) Free guidance from ENISA, national CSIRTs, and sectoral bodies. Strong on background; not sufficient for evidence on its own. (2) Awareness e-learning bundled with broader cybersecurity awareness subscriptions. Strong on phishing, credentials, and hygiene; usually thin on NIS2 specifics and Article 20 board duties. (3) Scenario-based e-learning that puts learners (CISO, head of compliance, board member) in a live incident (ransomware, supply-chain compromise, or insider event) with the 24-hour clock running. (4) Live workshops, especially for board governance training and tabletop exercises.
How much does NIS2 training cost?
Bundled cybersecurity awareness e-learning: €15-€40 per learner per year. Scenario-based NIS2 courses: €690 to €3,990 per organisation per year on a tiered licence. Bespoke board training programmes: from €15,000 per engagement. Live tabletop exercises and incident-response simulations: €3,000 to €15,000 per session depending on scope, scenario complexity, and instructor seniority.
What should I ask any NIS2 training provider?
(1) Does the course distinguish between essential and important entities? (2) Are there role-specific paths for management body, CISO, security operations, supply-chain management, and general staff? (3) Has the content been legally reviewed by qualified EU cybersecurity counsel? (4) Are the Article 21 measures covered specifically, or only at the level of general cybersecurity awareness? (5) Is the Article 23 incident-reporting cycle practised, not just described? (6) How often is the course updated for ENISA guidance and national CSIRT clarifications? (7) Is the course available in the EU languages our entity operates in? (8) Is it SCORM 1.2 ready?
Who in my organisation needs NIS2 training?
All employees need a baseline cyber-hygiene module. Management body members need the Article 20 governance training and personal-liability awareness. CISO and security operations need the deep technical training on Article 21 measures and incident detection. Supply-chain managers need the Article 21(d) supply-chain security training. Procurement and vendor management need training on the contractual provisions required by Article 21(d). Communications and legal need the incident-reporting cycle training to handle 24-hour early warnings under pressure.
What evidence will competent authorities look for at inspection?
A documented training programme covering both Article 20 (board) and Article 21 (technical and operational), evidence of completion per learner with timestamps, evidence that training was role-appropriate, refresh cycle aligned to material changes in the entity's threat picture, evidence that the management body participated, evidence that incident-response training is practised through tabletop exercises or simulations, and integration of training records into the broader cybersecurity governance documentation that Article 21 requires.
How does NIS2 interact with DORA and the Cyber Resilience Act?
NIS2 is the horizontal cybersecurity baseline for the EU. DORA (Regulation 2022/2554) is a sector-specific regime for financial entities that takes precedence over NIS2 where it applies (Article 4 NIS2 disapplication). The Cyber Resilience Act (Regulation 2024/2847) imposes vulnerability-management duties on manufacturers of products with digital elements; it applies alongside NIS2 to entities that both make products and operate in NIS2 sectors. Training for entities that touch more than one regime needs to be designed to avoid confusion: which incident-reporting clock applies (DORA's 4-hour vs NIS2's 24-hour), which authority is the supervisor, which framework's risk-management measures take precedence in case of conflict.