How to perform training and awareness according to NIS 2

The NIS 2 Directive states very clearly that all employees, including the senior management, need to go through cybersecurity training. So, where should you start – which topics should be covered, and how should the whole process be organized?

When planning for NIS 2 cybersecurity training, you have to define the following:
  • Which topics to cover in the training
  • How to set up the training process
  • Which method to use to deliver the training on a regular basis

Which topics to cover in NIS2 cybersecurity training and awareness

In Chapter IV — Cybersecurity risk-management measures and reporting obligations, NIS2 specifies various activities and security measures that need to be performed.

The best approach to defining topics for cybersecurity training and awareness is to cover each of these activities and measures. However, not all of these topics will be appropriate for everyone in the company — therefore, you will see below that I have separated the topics according to the target audience.

Topics for all employees (including the mid-level and senior management)

  • The basics of the NIS2 Directive (cover all relevant articles)
  • Basic cyber hygiene practices (Article 21 paragraph 2 point g)
  • Incident handling (Article 21 paragraph 2 point b)
  • Backup (Article 21 paragraph 2 point c)
  • Business continuity (Article 21 paragraph 2 point c)
  • The use of multi-factor authentication and continuous authentication solutions (Article 21 paragraph 2 point j)

Topics for IT employees and security managers

  • Policy on information system security (Article 21 paragraph 2 point a)
  • Disaster recovery (Article 21 paragraph 2 point c)
  • Security in network and information systems acquisition, development, and maintenance (Article 21 paragraph 2 point e)
  • Policies and procedures regarding the use of cryptography and encryption (Article 21 paragraph 2 point h)
  • Access control (Article 21 paragraph 2 point i)
  • Asset management (Article 21 paragraph 2 point i)
  • Secured voice, video, and text communications (Article 21 paragraph 2 point j)
  • Secured emergency communication systems (Article 21 paragraph 2 point j)

Topics specific to security managers

  • Steps for NIS 2 compliance (relevant articles in Chapter IV)
  • How is NIS 2 related to ISO 27001? (Preamble recital (79), Article 21 paragraph 1, Article 25)
  • How is NIS 2 related to DORA? (Preamble recital (28))
  • How is NIS 2 related to CER? (Article 2 paragraph 3, Article 3 paragraph 1 point f)
  • How is NIS 2 related to the EU GDPR? (Preamble recital (121), Article 35)
  • Certification of IT products and services (Article 24)
  • Government bodies defined in NIS 2 (several articles)
  • Organizing regular cybersecurity training for different levels of employees in a company (Article 20 paragraph 2; Article 21 paragraph 2 point g)
  • How to perform risk assessment and treatment according to NIS 2 (Article 21 paragraph 1)
  • Assessing vulnerabilities and quality of suppliers (Article 21 paragraph 3)
  • Human resources security (Article 21 paragraph 2 point i)
  • Assessing the effectiveness of cybersecurity risk management measures (Article 21 paragraph 2 point f)
  • Taking corrective measures (Article 21 paragraph 4)

Topics for top management and security managers

  • What are the essential and important entities that must comply with NIS 2? (Article 3)
  • Main cybersecurity requirements of NIS 2 (Article 21)
  • Approving and overseeing cybersecurity risk management measures (Article 20 paragraph 1)
  • Crisis management (Article 21 paragraph 2 point c)
  • Supply chain security (Article 21 paragraph 2 point d)
  • Reporting obligations (Article 23)
  • NIS 2 fines and liabilities (Article 20 paragraph 1; Article 32 paragraph 6; Article 34)
  • Cybersecurity legislation by EU countries (Article 41)

The process of setting up NIS 2 training

Overall, the process of setting up cybersecurity training that is compliant with NIS 2 should follow these steps:

  1. Assess the risks in the company — this is the basis for writing security documents, and for finding out what to focus on in cybersecurity training.
  2. Define cybersecurity policies and procedures — this way, cybersecurity roles and responsibilities become clear.
  3. Define the target groups for training within the company — groups of employees with different cybersecurity roles.
  4. Define topics for the training – based on risks, roles, and responsibilities – that will differ for various target groups.
  5. Define how often the training will be delivered, how it will be measured, and who will be in charge.

Options for delivering training on a regular basis

There are several options for delivering NIS 2 cybersecurity training:

a) Instructor-led in-classroom training

Pros:

  • Training can be adapted according to the needs of the company
  • Higher engagement

Cons:

  • Probably the most expensive
  • Cannot be delivered very often
  • Hard to deliver separate training for different target groups

b) Instructor-led online training

Pros:

  • Training can be adapted according to the needs of the company

Cons:

  • Lower engagement

c) Pre-recorded online training delivered via learning management system (LMS)

Pros:

  • Easy tracking of attendance and test results
  • Employees can watch videos at their convenience
  • The most budget-friendly option

Cons:

  • Attendees cannot ask the instructor questions directly

Finding the training with the best fit

Ultimately, setting up the training process and selecting the option for delivering training will depend on the circumstances of the particular company — after analyzing your own situation, you can pick the best solutions for you.

For more information about NIS2, download this free white paper: Comprehensive guide to the NIS 2 Directive.

Dejan Kosutic

Leading expert on cybersecurity & information security and the author of several books, articles, webinars, and courses. As a premier expert, Dejan founded Advisera to help small and medium businesses obtain the resources they need to become compliant with EU regulations and ISO standards. He believes that making complex frameworks easy to understand and simple to use creates a competitive advantage for Advisera's clients, and that AI technology is crucial for achieving this.

As an ISO 27001 and NIS 2 expert, Dejan helps companies find the best path to compliance by eliminating overhead and adapting the implementation to their size and industry specifics.