
Which compliance requirements mandate security awareness training?

Practical guidance on the compliance requirements for security awareness training, for organisations that want to improve secure behaviour structurally rather than ad hoc.



Founder & Security Awareness Specialist · 2LRN4

In 2026 security awareness training no longer sits only in an internal policy but in several laws and standards at once. The Dutch Cybersecurity Act (Cbw, which implements NIS2), DORA, ISO 27001, the GDPR, NEN 7510 and the EU AI Act each carry their own requirements around awareness and training. Which ones apply to your organisation, what exactly do they demand, and how do you combine them into one workable programme rather than five parallel tracks?

NIS2 and the Dutch Cybersecurity Act: the general baseline

The EU NIS2 directive is implemented in the Netherlands by the Cybersecurity Act (Cyberbeveiligingswet, Cbw), which replaces the old Wbni. The Cbw applies to essential and important entities in, among other sectors, healthcare, finance, energy, drinking water, digital infrastructure and government, and to higher education and research. Two NIS2 articles directly touch awareness and training.

NIS2 article 21 (Cbw article 21) lists the minimum cybersecurity risk-management measures. Article 21(2)(g) explicitly names basic cyber hygiene practices and cybersecurity training, so the information security policy must contain a documented awareness and training component for employees, and its implementation must be demonstrable to the supervisor.

NIS2 article 20 (Cbw article 24) introduces a board training obligation: under article 20(2) members of the management body must follow training regularly, and must encourage the entity to offer similar training to employees, so that they can identify risks and assess cybersecurity risk-management practices. Article 20(1) makes the management body accountable for the article 21 measures and allows members to be held liable for infringements. Non-compliance can lead to administrative fines for the entity and, in severe cases for essential entities, to a temporary prohibition on natural persons exercising managerial functions.

DORA for the financial sector: lex specialis

Since 17 January 2025 the Digital Operational Resilience Act (DORA) applies to the financial entities in scope of its article 2 (banks, insurers, investment firms, payment institutions and others) across the EU. DORA is a regulation, so it applies directly without national transposition, and as lex specialis it takes precedence over the Cbw where the two overlap.

DORA article 13(6) requires financial entities to develop ICT security awareness programmes and digital operational resilience training as compulsory modules in their staff training schemes. These must apply to all employees and to senior management, with a level of complexity commensurate to the remit of each function, and where appropriate must also include ICT third-party service providers. Board training sits in article 5(4): members of the management body must keep their knowledge and skills up to date, including by following specific training on a regular basis. DORA does not prescribe hours or a measurement method, but supervisors expect evidence that the programme works, not just that people attended.

In practice this means banks, insurers, asset managers and payment service providers (and, where appropriate, the ICT third-party providers they include in their programmes) can build one integrated programme covering DORA, with a small addendum for Cbw-specific items such as the Cbw article 24 board training.

ISO 27001 and NEN 7510: standards-based requirements

ISO 27001:2022 contains two relevant management-system clauses. Clause 7.3 (Awareness) requires that people doing work under the organisation's control are aware of the information security policy, their contribution to the effectiveness of the ISMS, the benefits of improved performance, and the implications of not conforming. Clause 7.2 (Competence) requires that the necessary competence is determined and achieved, through training where needed, with documented evidence retained. Annex A control A.6.3 (Information security awareness, education and training) extends this into a formalised, regularly updated awareness and training programme.

For healthcare in the Netherlands, NEN 7510 additionally applies. NEN 7510 refers to the same principles and adds sector-specific training on medical data, patient safety and chain collaboration.

In practice ISO 27001 and NEN 7510 cover almost the same requirements for healthcare organisations, with differences in emphasis. Anyone who demonstrably meets ISO 27001:2022 clauses 7.2 and 7.3 and Annex A control A.6.3 also covers the bulk of the Cbw requirements on training.

GDPR: awareness as a controller measure

The GDPR mentions awareness less explicitly than NIS2 or DORA, but it is there. Article 39(1)(b) (tasks of the data protection officer) lists monitoring compliance with the Regulation, "including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations". Article 32 additionally requires appropriate technical and organisational security measures, and article 32(4) requires that anyone acting under the controller's authority processes personal data only on instruction, which is hard to guarantee without instruction and training.

In practice the Dutch DPA (Autoriteit Persoonsgegevens) asks in breach investigations about the state of your awareness programme: which training was completed, how compliance was monitored, and how employees were instructed on their role with personal data. Under article 83(2)(d) the organisational measures in place are a factor when a fine is set, so an organisation without a recorded programme is in a weaker position after a breach.

The GDPR requirement is therefore less specified than NIS2 but equally real in enforcement. Demonstrable annual training for everyone who works with personal data is a key pillar of your defence.

EU AI Act: AI literacy since February 2025

Since 2 February 2025 article 4 of the EU AI Act obliges providers and deployers of AI systems to take measures to ensure, to their best extent, a sufficient level of AI literacy among their staff and other persons who operate and use AI systems on their behalf. This applies to developers and users alike, and to all AI systems regardless of risk class, not only to high-risk ones.

Concretely, your 2026 awareness programme must contain an AI component: what AI is, which risks exist, which approved AI services are available, what the limits of AI use are, and which sensitive data must not be entered into public AI systems. The requirement is open in form (the Act prescribes no content, hours or format) but you must be able to show what measures you took and why they fit your staff and systems.

Build this AI module into your existing awareness plan. That stops the AI Act becoming a stand-alone project and ensures AI awareness fits seamlessly into general cyber awareness. In practice a short module of a few minutes, refreshed annually in line with newly approved services, works best.

How to combine all requirements into one workable programme

Not five separate programmes, one integrated annual plan that bundles the requirements. Practical build:

  • Base programme for all staff. Phishing, passwords, physical security, AI literacy, data protection. Covers NIS2 article 21(2)(g) and the Cbw, the GDPR, AI Act article 4 and ISO 27001 clause 7.3.
  • Role-based deep-dive modules. Finance: CEO fraud, business e-mail compromise (BEC), payment verification protocols. IT: incident response, MFA bypass techniques. HR: GDPR in recruitment, AI Act in selection. Healthcare: patient data (NEN 7510).
  • Board training. Periodic training for the management body, focused on cyber risk, governance and liability. Covers Cbw article 24 (NIS2 article 20) and DORA article 5(4).
  • Periodic phishing simulations. Four to six per year with modern variants (smishing, quishing, adversary-in-the-middle phishing that captures session tokens). Provides the measurable behaviour evidence supervisors want.
  • Demonstrable administration. One central record with attendance, completion, simulation results and board participation, audit-ready.

What supervisors actually ask for

Supervisors (RDI, DNB, AFM, IGJ and the Autoriteit Persoonsgegevens) increasingly ask for the same three elements in audits and after incidents: a documented policy stating the training goals, evidence of execution (which modules were completed by which groups), and evidence of effectiveness (which measurable improvement, usually via phishing simulation results over time).

Crucially, do not assemble these three only after an incident. A good awareness platform captures the administration by default and provides audit reports on demand. The Cbw also requires reporting of significant incidents to the supervisor in stages (an early warning within 24 hours and an incident notification within 72 hours, following NIS2 article 23); without a maintained file you cannot answer the supervisor's questions about organisational measures meaningfully at that moment.

A final practical tip: refresh policy and programme at least annually. Laws change (the Cbw entered into force in phases, and the AI Act likewise) and threats evolve. A static folder on SharePoint is rarely enough at audit; a living programme that is demonstrably maintained is.




FAQ

Is awareness training legally required in the Netherlands?

Yes, under several frameworks at once. NIS2/Cbw (NIS2 articles 20 and 21, Cbw articles 21 and 24), DORA (articles 5(4) and 13(6)) for finance, the GDPR (articles 32 and 39), ISO 27001 (clauses 7.2 and 7.3, control A.6.3) and the EU AI Act (article 4, AI literacy) each demand forms of awareness and training.

Which requirement is the strictest?

For financial institutions DORA is the strictest: awareness programmes and resilience training are compulsory modules for all employees and senior management, with complexity matched to each function, and supervisors expect evidence that the programme works. For other essential and important entities the Cbw leads, with its board training obligation and the liability of the management body.

What is Cbw article 24?

Cbw article 24 obliges members of the management body to follow regular training on cyber risk and governance, and to encourage similar training for employees. Under NIS2 article 20(1) the management body is accountable for the risk-management measures and its members can be held liable for infringements. Cbw article 24 is the direct transposition of NIS2 article 20.

What is AI literacy under the EU AI Act?

Article 4 EU AI Act since 2 February 2025 requires organisations to make staff and third parties who operate AI literate in AI: what it is, which risks exist, how to use it responsibly and which data does not belong in public systems.

How many training hours per year are enough?

No framework specifies hours. In practice 20-30 minutes per employee per year (split into microlearning) works well, plus role-specific deepening and board training. What matters is demonstrable compliance, not hour-count.

Must I store training evidence myself?

Yes, and it must be available for audit. A good platform keeps attendance, completion, scores and simulation results automatically. Under the Cbw, with its demonstrability requirement and 24/72-hour incident reporting, a paper administration is hard to defend for mid-sized and larger organisations.

Can I build one programme covering all requirements?

Yes, and that is the workable approach in practice. One base programme for all staff, role-based modules for finance, IT, HR and healthcare, and board training together cover NIS2, Cbw, DORA, GDPR, ISO 27001 and the AI Act. Avoid five parallel tracks; one integrated annual plan works much better.

External source: European Commission - NIS2 Directive
