NIS2 training requirement - How to ensure information security
NIS2 mandates comprehensive training in information and cybersecurity. This post will explore these essential requirements and provide some suggestions to help your organization follow these legal standards.
What does NIS2 say about training?
It is not uncommon for the initial pathway of an attack to target individuals who are tricked into clicking a link, opening an attachment, or otherwise enabling the attack. Ensuring that everyone in the organization is involved in strengthening security is therefore crucial to preventing such threats.
NIS2 recognizes the critical role of education in information and cybersecurity by incorporating two training requirements in Article 20 of the directive, outlined in the following two parts:
- "Ensure that members of essential and significant entities' management bodies are mandated to undergo training"
- "and should encourage essential and significant entities to regularly offer similar training to their employees to ensure they gain sufficient knowledge and expertise"
Education is typically part of an information security management system (ISMS). In ISO/IEC 27001:2022, it is control 6.3 (Information security awareness, education and training) that addresses this area.
How can you effectively manage NIS2 training?
Starting with the general training that should be provided to all employees, the focus should be on building a solid understanding of the latest threats and giving employees the knowledge they need to avert them. This is typically covered by traditional awareness programs.
It's important to continually refresh this training to cover new threats as they emerge, so that it remains relevant and robust against evolving risks. Additionally, it's essential to tailor the educational content to address sector-specific vulnerabilities, ensuring comprehensive coverage.
Cegal's Cyber Security Awareness service offers foundational training materials tailored to your organization's needs. This service facilitates the seamless integration of sector-specific components to ensure relevance and effectiveness. Furthermore, it includes a unique feature to gauge employees' understanding through simulated phishing exercises.
It's essential to recognize that specific segments of your organization may necessitate additional, specialized training. This could involve staff responsible for IT and OT systems or those working in particularly sensitive departments.
Beyond the general training, management must engage in a more comprehensive and customized educational program. Leadership must thoroughly understand the risk management strategies employed to safeguard the organization against current threats, as specified in Article 21 §2.
For NIS2 management training, it's beneficial to facilitate guided sessions that encourage engagement and allow management to explore topics of particular relevance to them. The training materials should be tailored to align with the leadership's expertise, factoring in the specific IT and OT system implementations, as well as the unique threats faced by the organization.
Cegal and NIS2
Cegal's information and cybersecurity experts are dedicated to helping you establish a robust ISMS. Whether you need us to lead the entire process or provide targeted support in specific areas of ISMS implementation, we can ensure that your organization meets all necessary standards.
Furthermore, our Cyber Security Awareness service not only delivers standardized training in information and cybersecurity, but also offers the flexibility of bespoke training sessions. This service includes tracking of training completion and the integration of simulated phishing exercises to effectively measure and enhance the cybersecurity knowledge of your team.