NIS2 Compliance Training

Done-for-you NIS2 training for your whole team

We deliver mandatory NIS2 training across your workforce and management body — Article 20 governance, Article 21 risk-management measures, incident reporting, and supply-chain obligations. Managed rollout, audit-ready evidence. Live for your team in under a week.

100,000+ professionals trained

Article 20 management-body briefing included

Live for your team in 5 business days

Dedicated customer success manager

Used by essential & important entities

Browse the Course Catalog

Get a custom training quote

Tell us your team size — receive a tailored proposal within 1 business day.

Trusted by Compliance Teams at Leading Organizations

IKEA

Roche

Coca-Cola

Samsung

Huawei

Microsoft

JPMorgan Chase

Volkswagen

Shell

Nestlé

Siemens

BMW

Unilever

AXA

Lufthansa

Pfizer

Adidas

IKEA

Roche

Coca-Cola

Samsung

Huawei

Microsoft

JPMorgan Chase

Volkswagen

Shell

Nestlé

Siemens

BMW

Unilever

AXA

Lufthansa

Pfizer

Adidas

The cost of getting this wrong

Staff training is your first line of defence — and the first piece of evidence regulators ask for.

€10M

or 2% of global turnover

NIS2 Article 34 — maximum fine for essential entities

€7M

or 1.4% of global turnover

for important entities — both per individual breach

Personal

liability for management body members

Article 20(1) makes directors personally accountable for cybersecurity governance

Why NIS2 training is mandatory — not optional

NIS2 Article 20(2) explicitly requires essential and important entities to ensure that members of their management body and their employees follow regular cybersecurity training. Article 20(1) makes the management body personally liable for non-compliance. Article 21 mandates a documented set of risk-management measures including awareness training, incident handling, and supply-chain security — all of which require workforce training to operate. Supervisory authorities across EU member states have begun audits and the first fines have already landed.

Article 20(2) — workforce + management body training is a direct legal requirement, not best practice

Article 20(1) — management bodies are personally liable for cybersecurity governance failures, including training gaps

Article 21 — risk-management measures (incident handling, supply chain, encryption, access control) all depend on trained staff

Article 23 — incident reporting within 24 hours; staff must know how to escalate or you miss the window

Your training program covers every NIS2 obligation

Curated from our full library and tailored to whether you're an essential or important entity, your sector (Annex I or II), and your headcount — you don't pick modules from a menu, we propose the right curriculum.

NIS2 scope: essential vs. important entities, Annex I vs. Annex II sectors

Article 20 governance: management-body responsibilities and personal liability

Article 21 risk-management measures (the 10 minimum requirements)

Incident handling, classification, and escalation workflows

Article 23 incident reporting — 24-hour, 72-hour, and final report cadence

Supply-chain security & ICT third-party risk

Business continuity, backup, and crisis management

Vulnerability handling, patching, and disclosure

Cryptography, access control, and asset management

Workforce cybersecurity awareness as a NIS2 control

Not sure what your team needs?

Free proposal — within 1 business day

We curate the right modules for each part of your team

All Employees

Management Body

IT & Security

Incident Response

Procurement & Vendor Risk

AI Users

What every enterprise rollout includes

Managed rollout in 5 business days

Dedicated customer success manager handles enrolment, role mapping, kickoff communications, and reminder cadence.

Article 20 audit-ready evidence

Dated certificates per learner, exportable completion logs, and management-body training records that meet supervisory authority documentation expectations.

Manager dashboard & reporting

Track completion across teams, departments, and entities. Export evidence packages for supervisory authorities and customer security questionnaires.

Single sign-on (SSO) & SCIM

SAML 2.0, OIDC, and SCIM provisioning. New joiners enrolled automatically. Leavers de-provisioned. Zero admin overhead.

Annual refresher cycle built-in

Multi-year licensing rolls learners forward each year with content updates as member-state transposition guidance evolves.

Custom modules & policy attestations

Your logo on certificates, co-branded learner emails, and the option to attach your incident response plan or vendor risk policy to any module.

Enterprise Rollout

Designed for security teams rolling out NIS2 training to 25 — 5,000+ employees

We don't sell self-checkout seats to enterprises. We propose a curated curriculum based on your entity classification and sector, manage the rollout, and hand you an evidence package your supervisory authority will accept on the first review.

Curriculum tailored to essential vs. important entity classification
Up to 40% off list price at 25, 50, 100, 250, and 500+ seats
Article 20 management-body briefing (45 min) included
Multi-entity rollouts supported for groups operating across EU member states
Evidence package — exportable reports, completion logs, certificates

What customers say

“NIS2 made annual security training a board-level obligation. The managed rollout meant we hit the deadline without burning internal capacity, and the management-body briefing got our directors aligned in 45 minutes — exactly what Article 20(2) asks for.”

Head of Information Security, Volkswagen

Manufacturing — 1,500+ employees trained

“We operate across multiple member states. The training program handled the rollout per entity, gave us per-entity completion reports, and the supply-chain module slotted straight into our vendor onboarding. Our supervisor accepted the evidence on first review.”

Group CISO, Shell

Energy — 2,000+ employees trained

Frequently Asked Questions

Is NIS2 training legally required?

Yes — Article 20(2) explicitly requires essential and important entities to ensure their management body members and employees follow regular cybersecurity training. The NIS2 Cooperation Group has published guidance reinforcing this, and supervisory authorities across EU member states have begun audits. Failure to comply exposes the organisation to fines up to €10M or 2% of global turnover, and management bodies to personal liability under Article 20(1).

How is NIS2 different from the original NIS Directive?

NIS2 dramatically expands scope — it now covers ~160,000 EU entities across 18 sectors (vs. ~7,000 under NIS1), introduces personal liability for management bodies, mandates 24-hour early warning and 72-hour incident notification, and standardises 10 risk-management measures across all member states. Most importantly for our purposes, it makes workforce and management-body training an explicit legal obligation rather than implicit best practice.

Are we an essential or important entity?

Essential entities are large organisations in Annex I sectors (energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management, public administration, space). Important entities are medium organisations in Annex I or any size in Annex II sectors (postal/courier, waste, chemicals, food, manufacturing, digital providers, research). The classification drives both the obligations and the maximum fine tier. Our quote-prep call clarifies this in 5 minutes.

How long does a typical enterprise rollout take?

Most rollouts are live for the workforce within 5 business days of contract signature. Multi-entity rollouts (groups operating across EU member states) typically take 7–10 business days due to per-entity setup, but each entity completes independently.

Do you cover the Article 20 management-body training requirement?

Yes — every enterprise rollout includes a 45-minute management-body briefing covering Article 20 governance obligations, personal liability, risk-management measures, and incident reporting. It's specifically designed to satisfy supervisor expectations of board-level training without taking a full day.

How does pricing work for a team of 500 employees?

Enterprise pricing is volume-based with discount tiers at 25, 50, 100, 250, and 500+ seats. A 500-seat rollout typically lands 35–40% below list price. Multi-year terms unlock further discounts and include the annual refresher cycle. Multi-entity discounts apply for groups operating across multiple member states. Request a custom proposal for an exact quote.

Can we add custom modules — e.g. our incident response plan?

Yes. We routinely add policy attestations and custom modules: incident response plans, vendor risk procedures, business continuity playbooks, asset management standards. Your CSM scopes the additions during onboarding.

Do you offer single sign-on and SCIM?

Yes — SAML 2.0, OIDC, and SCIM provisioning are included on enterprise plans. New joiners are auto-enrolled into the right modules based on department; leavers are de-provisioned automatically.

Can we white-label certificates and learner emails?

Yes — your logo is added to certificates and learner-facing emails on every enterprise plan. Single-tenant white-label and custom domain are available on request.

Related guides

Cybersecurity

NIS2 Directive: Who Must Comply? The Definitive Guide to Scope, Sectors, and Obligations in 2026

Education

Compliance Glossary: Key Terms and Definitions 2026

Cybersecurity

Best Cybersecurity Awareness Training Providers (2026)

Ready to brief us on your team rollout?

Tell us your entity classification (essential or important), your sector, and your headcount. We'll come back with a curriculum proposal, pricing, and a rollout plan within 1 business day.

Free proposal · response within 1 business day

Why NIS2 training is mandatory — not optional