An Acceptable Use Policy (AUP) is the written agreement between organisation and employee about what may and may not be done on work equipment, with work data and on business accounts. It is one of the most practical steering instruments you have: shorter than an ISMS, more concrete than a code of conduct, and for exactly that reason indispensable in the Cbw, GDPR and AI Act context. What belongs in it, how do you keep it workable, and how do you anchor it in awareness?
What an AUP is and what it does
An AUP describes in a single accessible document the rules for using company assets: laptops, mobile devices, email, internet, collaboration software, cloud services, AI tools, and business accounts. It translates the broader information security policy and the GDPR into concrete behaviour on the work floor. Unlike a thick handbook, an AUP is meant to be read and understood.
Legally the AUP provides a basis for measures when someone crosses a line. At the same time it is a communication tool: it explains why a rule exists, not just what the rule is. An AUP consisting only of prohibitions works poorly on the work floor. An AUP that briefly explains in human terms why something is safe or unsafe helps people behave accordingly even under workload.
Under the Cbw and GDPR an AUP is not a named requirement, but in practice it functions as one. Supervisory authorities ask in every investigation for the policy that regulates how employees handle information. An organisation without an AUP rarely passes an audit without extra explanation, and after a breach its absence is a direct penalty risk.
What a modern AUP should at minimum contain
A workable AUP is short: five to eight pages, in plain language. The following topics belong in it in 2026:
- Purpose and scope. Who it applies to and which assets.
- General conduct. Passwords, MFA, locking, loss reporting, handling personal data, separating work and private.
- Email, internet and collaboration. What is and is not allowed with business email, browsing, social media, external collaboration and guest access.
- Approved services and shadow IT. Which cloud services are approved, how to request a new one, what is prohibited (free AI prompts with confidential data, unapproved translators).
- AI use. Indispensable since the EU AI Act. Which AI services are available internally, which data may enter them (and which may not), and who is the point of contact in case of doubt.
- Personal data and GDPR. Base rules for processing, sharing and retaining personal data; the reporting route at a suspected breach.
- Personal use. Whether it is allowed and to what extent; the limits of employer monitoring (employee privacy is a counterbalancing interest).
- Sanctions and escalation. What happens on violation; what route exists for raising issues.
What in 2026 is new or strengthened in an AUP
Three topics formerly optional, now essential:
AI use. Without clear rules, staff use free AI for confidential work and unknowingly share data with third parties. Describe which services are approved, which data must not enter public models, and how to have a new AI service assessed.
Mobile and remote work. The line between in- and out-of-office has blurred. Describe what applies for laptops in cafés and trains, mobiles on personal networks, and how work and private use are separated on company phones.
Reporting behaviour. A good AUP states explicitly that reporting does not lead to sanctions when someone has made a mistake (a click, a wrong email, a shared document). Without that explicit invitation to report without blame, reporting culture declines and early detection with it.
How to write an AUP people actually read
A five-page AUP gets read; a twenty-five-page one does not. Three techniques:
Write in the second person and short sentences. Avoid legalese. Replace "in respect of" with "about", "by occasion of" with "at", "is obliged to" with "must". An AUP is a user manual, not a contract.
Give examples where helpful. "Do not share a sensitive document externally via a personal Google Drive" beats "exercise adequate security of confidential data". Concrete examples in key places make the AUP work.
Explain why. A rule explained is accepted; a rule ordered is dodged. "We ask you to avoid free online translators for customer documents because those services may store your input and use it for training" beats "use of external services is prohibited".
How to keep the AUP current and alive
An AUP ages quickly. Cloud services expand, AI tools appear, attacks shift. Three practical measures:
Refresh at least annually. Make it part of the ISMS or awareness annual cycle. A 2022 AUP is largely unusable on AI in 2026.
Use version history. Record which changes were made and why, and which version applied on which date. This is audit evidence under the Cbw.
Ask for active acceptance. At onboarding and on every major update. A signed acceptance via a one-click button in the awareness platform, with automatic timestamp and version, captures this; do not let acceptance disappear into a mailbox.
How to anchor this in an awareness programme
An AUP does not stand alone. It lives by being linked to training and behaviour.
Cover the AUP in new-joiner onboarding. One short five-minute module on the ten most important rules, plus an acceptance tick. Under the Cbw demonstrability is crucial.
Reference the AUP explicitly in awareness modules. "The rule for sharing customer data is in the AUP, section 4." That keeps the document alive and known, rather than retrieved only at incident time.
Work jointly with HR and the privacy officer. The AUP touches employment law (sanctions), GDPR (personal data and employee privacy) and information security. One policy carried by three disciplines is stronger than three separate documents.
FAQ
What is an Acceptable Use Policy (AUP)?
A written agreement between organisation and employee about what may and may not be done on work equipment, with work data and on business accounts. More concrete than an ISMS, shorter than a handbook.
Is an AUP mandatory?
Not by name in any specific law, but in practice yes. Supervisory authorities ask at audits and after incidents for the policy regulating how staff handle information. Its absence is a direct risk at a breach or audit.
How long should an AUP be?
Five to eight pages in plain language works best. Longer is not read, shorter misses essentials. Examples and the why behind rules matter more than completeness.
What is new in an AUP in 2026?
AI use (which services approved, which data not in public models), mobile and remote work, and an explicit invitation to report without blame at one's own mistakes.
How often should I update an AUP?
At least annually, and at every major change in tools or regulation. AI sections age faster than general conduct.
Must an AUP be signed?
Acceptance is strongly advised, and under the Cbw it must be demonstrable. A one-click acceptance in the awareness platform with timestamp and version suffices; paper signatures are no longer needed.
Can personal use be banned in the AUP?
A full ban is practically uncommon in the Netherlands and rarely workable. A workable middle ground: personal use within reasonable limits, with clear exceptions for specific cases and without unlimited employer monitoring of business devices.