
NIS 2 Cyber Hygiene and Training Requirements

Article 21(2)(g) of the NIS 2 Directive requires organizations to implement basic cyber hygiene practices and cybersecurity training. Combined with Article 20's management training obligation, this creates a comprehensive framework for building cybersecurity awareness at every level of the organization. These requirements recognize that human factors remain one of the most significant cybersecurity risks.

Key Takeaways

  • Mandatory training: Both management and employees must receive cybersecurity training
  • Cyber hygiene: Basic security practices must be implemented and maintained across the organization
  • Management obligation: Article 20 specifically requires management body members to undergo training
  • Regular cadence: Training should be ongoing, not a one-time event
  • Measurable outcomes: Organizations should track training effectiveness and participation

Quick Answer: NIS 2 requires all in-scope organizations to implement basic cyber hygiene practices and provide cybersecurity training to their workforce. Management must also undergo specific cybersecurity training. These requirements apply to both essential and important entities.

What is Cyber Hygiene Under NIS 2?

Cyber hygiene refers to the fundamental cybersecurity practices that every organization should implement. While NIS 2 does not provide an exhaustive list, the following practices are generally expected:

Password and Authentication

  • Strong passwords: Enforce minimum complexity and length requirements
  • Multi-factor authentication: Implement MFA for access to critical systems and for remote access
  • Password managers: Encourage or mandate the use of password management tools
  • No password sharing: Prohibit sharing of credentials between users
  • Regular rotation: Rotate passwords for privileged and service accounts

Software and System Management

  • Patch management: Apply security patches promptly across all systems
  • Software inventory: Maintain an inventory of authorized software
  • Automatic updates: Enable automatic updates where feasible
  • End-of-life management: Replace or isolate systems that no longer receive security updates
  • Secure configuration: Apply security baselines to all systems before deployment

Network Security

  • Network segmentation: Separate critical systems from general-purpose networks
  • Firewall management: Maintain and review firewall rules regularly
  • Secure Wi-Fi: Use WPA3 or WPA2-Enterprise for wireless networks
  • VPN for remote access: Require encrypted connections for remote work
  • DNS security: Implement DNS filtering to block known malicious domains

Data Protection

  • Encryption: Encrypt sensitive data at rest and in transit
  • Data classification: Classify data by sensitivity level
  • Secure disposal: Properly destroy data when it is no longer needed
  • Backup procedures: Keep regular, tested backups in secure storage
  • Access control: Limit data access on a need-to-know basis

Physical Security

  • Device security: Enforce screen locking and disk encryption on endpoints
  • Clean desk policy: Secure physical documents and devices when unattended
  • Visitor management: Control and monitor visitor access to facilities
  • Removable media: Restrict or control the use of USB drives and other removable media

Training Requirements

Management Training (Article 20)

NIS 2 explicitly requires management body members to undergo cybersecurity training. This training should enable management to:

  • Identify and assess cybersecurity risks
  • Evaluate the impact of risks on the entity's operations
  • Understand the entity's cybersecurity risk-management measures
  • Make informed decisions about cybersecurity investments
  • Fulfill their oversight and approval responsibilities

Recommended topics for management training:

  • NIS 2 requirements and personal liability
  • The organization's threat landscape and risk profile
  • Cybersecurity governance and decision-making
  • Incident response and reporting obligations
  • Supply chain security considerations
  • Current cyber threat trends relevant to the sector

Employee Training

All employees should receive regular cybersecurity awareness training covering:

  • Phishing awareness: Recognizing and reporting phishing attempts
  • Social engineering: Understanding manipulation tactics
  • Safe browsing: Identifying malicious websites and downloads
  • Data handling: Proper classification and handling of sensitive information
  • Incident reporting: How to report suspected security incidents internally
  • Remote work security: Secure practices when working outside the office
  • Physical security: Protecting devices and documents
  • Password security: Creating and managing strong passwords

Role-Specific Training

Staff with specific security responsibilities should receive additional training:

  • IT administrators: Secure configuration, patch management, access control
  • Developers: Secure coding practices, vulnerability management
  • Incident responders: Detection tools, forensics, communication protocols
  • HR/Procurement: Supplier security assessment, employee lifecycle security
  • Customer-facing staff: Data protection, social engineering awareness

Building a Training Program

Step 1: Assess Current Awareness Levels

  • Conduct baseline phishing simulations
  • Survey employees on security knowledge
  • Review past incident data for human-factor root causes
  • Identify high-risk roles and departments

Step 2: Design the Program

  • Create role-based training tracks (management, general staff, technical staff)
  • Include both initial onboarding training and regular refresher sessions
  • Use varied formats: e-learning, workshops, simulations, newsletters
  • Align content with the organization's actual threat landscape

Step 3: Implement and Deliver

  • Roll out training on a regular schedule (at least annually, more frequently for high-risk topics)
  • Conduct phishing simulations periodically (monthly or quarterly)
  • Provide just-in-time training when new threats emerge
  • Make training engaging and relevant to daily work

Step 4: Measure and Improve

  • Training completion rate: Track participation across the organization
  • Phishing simulation results: Measure awareness improvement over time
  • Incident reports: Monitor whether employees are reporting more effectively
  • Knowledge assessments: Test retention of key security concepts
  • Time to report: Measure how quickly employees flag suspicious activity

Step 5: Document Everything

Maintain comprehensive records for NIS 2 compliance evidence:

  • Training materials and curricula
  • Attendance records and completion certificates
  • Assessment results and improvement trends
  • Management training participation logs
  • Phishing simulation results and follow-up actions
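One way to turn phishing-simulation and training records into the Step 1 (high-risk departments) and Step 4 (completion rate, click rate, report rate, time to report) figures that the Step 5 evidence file needs. This is an added example, not code from the original page; the record layout, the department names and all sample values are constructed assumptions.

```python
from collections import defaultdict
from statistics import median
from typing import NamedTuple, Optional
# Added example, not from the page: the record layout below is an assumption.
class SimResult(NamedTuple):
    campaign: str                    # simulation round, e.g. "2025-Q1"
    user: str
    department: str
    clicked: bool                    # followed the simulated phishing link
    minutes_to_report: Optional[float]  # None = never reported it

# Constructed sample data: two quarterly rounds, three staff members.
SIMULATIONS = [
    SimResult("2025-Q1", "alice", "finance", True, None),
    SimResult("2025-Q1", "bob", "finance", True, 240.0),
    SimResult("2025-Q1", "carol", "it", False, 15.0),
    SimResult("2025-Q2", "alice", "finance", False, 60.0),
    SimResult("2025-Q2", "bob", "finance", True, 30.0),
    SimResult("2025-Q2", "carol", "it", False, 10.0),
]
# Constructed: user -> (management body member per Article 20, completed this year's training)
TRAINING = {"alice": (True, True), "bob": (False, True), "carol": (False, False)}

def completion_rate(training, management_only=False):
    """Training completion rate in percent; management_only isolates the Article 20 group."""
    pool = [done for mgmt, done in training.values() if mgmt or not management_only]
    return round(100 * sum(pool) / len(pool), 1)

def rates(rs):
    """(click rate %, report rate %, median minutes to report) for one group of results."""
    times = [r.minutes_to_report for r in rs if r.minutes_to_report is not None]
    return (round(100 * sum(r.clicked for r in rs) / len(rs), 1),
            round(100 * len(times) / len(rs), 1),
            median(times) if times else None)

def group(results, key):  # bucket results by key(r), e.g. campaign or department
    groups = defaultdict(list)
    for r in results:
        groups[key(r)].append(r)
    return groups

def by_campaign(results):
    """Step 4 trend: metrics per simulation round, ordered by the round label."""
    return {c: rates(rs) for c, rs in sorted(group(results, lambda r: r.campaign).items())}

def high_risk_departments(results, campaign, threshold=50.0):
    """Step 1: departments whose click rate in one round reaches the threshold."""
    in_round = [r for r in results if r.campaign == campaign]
    return sorted(d for d, rs in group(in_round, lambda r: r.department).items()
                  if rates(rs)[0] >= threshold)
```

Comparing `by_campaign` output across rounds shows whether click rates fall and reporting speeds up after training, which is the evidence a supervisory authority would expect to see alongside attendance records.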

Common Questions

How often should training be conducted?

NIS 2 does not specify a frequency, but best practice is to provide security awareness training at least annually for all employees, with more frequent reinforcement through simulated phishing exercises (monthly or quarterly), security newsletters, and targeted training when new threats emerge. Management training should be conducted at least annually.

Is online training sufficient?

Online training is acceptable and often practical for large organizations. However, a blended approach combining e-learning, workshops, tabletop exercises, and phishing simulations is generally more effective. The key is that training is regular, relevant, and measurable, regardless of the delivery format.

What if employees fail phishing simulations?

Failed phishing simulations should be treated as learning opportunities, not punitive events. Provide immediate educational feedback when an employee fails a simulation, offer additional targeted training, and track improvement over time. A culture of blame-free reporting encourages employees to report real phishing attempts promptly.