
What happens when employees skip security training?

Practical guidance on the consequences of employees skipping security training, for organisations that want to improve secure behaviour structurally.


From insight to action

See how to turn this topic into a practical awareness program with training, phishing simulations and clear management reporting.

Founder & Security Awareness Specialist · 2LRN4

What happens when employees skip security training? The consequences run on three tracks at once: greater incident risk, possible liability for the organisation and the board, and direct consequences for the employee when training is anchored in policy and employment terms. In 2026 this is no longer theoretical. Which consequences are real, which are disproportionate, and how do you handle this workably?

Consequence 1: greater incident risk, not only for the employee

The first consequence of skipped training is simply more incidents. Someone unaware of what modern phishing looks like clicks sooner. Someone unaware of an AitM (adversary-in-the-middle) attack enters MFA codes on a fake site. Someone unaware of the breach reporting routes hides a mistake rather than reporting it, turning an isolated incident into an organisation-wide problem.

In practice this is the main consequence, and it hits more than the skipper. A click in finance can lead to password theft, a changed supplier account number, tens of thousands of euros routed to an attacker. One skipped module, one incident, the whole department suffers.

That is why self-protection as an argument rarely works. 'You do it for yourself' does not resonate. 'You do it for your team and your customers' does. A good awareness programme makes this connection visible.

Consequence 2: liability for organisation and board

Supervisors explicitly look at the awareness programme after a breach or incident. Under the Cbw, supervisors such as RDI, IGJ, DNB and AFM ask in every investigation whether training was given, whether it was current and whether staff knew the reporting route. An organisation without a demonstrable programme risks an administrative fine on top of the incident damage.

Cbw article 24 can additionally trigger personal board liability. A board member who did not complete the mandatory training, and whose organisation then has an incident with provable failure, can be held personally liable for the relevant harm. This is no longer a theoretical threat; since the phased entry into force of the Cbw in 2024-2025, cases are being prepared.

For GDPR a breach caused by an employee without awareness is a separate aggravating factor when the Dutch DPA sets a sanction. The organisation can receive an additional fine solely on insufficient awareness.

Consequence 3: consequences for the employee

What applies to the employee who skips training varies per organisation, but three patterns are common:

  • Access restriction to specific systems or roles until base training is completed. Works best at onboarding and on role change. Proportional, and accepted when it is set out in policy.
  • Not weighed as a negative in appraisals, but used as a reflection point for development. A manager who notices structural skipping discusses it as a development question, not a sanction.
  • Employment-law measure on sustained refusal. Rare but possible when training is linked by policy to continued suitability for the role. Requires careful legal assessment; dismissal purely for "not trained" is hard in the Netherlands and rarely wise.

What rarely or never works as a consequence

Some measures are often considered but demonstrably harmful:

Naming and shaming. An intranet list of "those who have not completed" creates resistance without behaviour change. Aggregated department numbers do work.

Mandatory retraining on phishing clicks. Punishes a learning moment, lowers reporting culture, undermines your main defence. A short on-spot explanation (microlearning after click) works; mandatory retraining does not.

Salary or bonus deductions. Rarely well-founded in an employment contract, and in disputes provably disproportionate. Outside specific contractual arrangements in heavily regulated contexts (finance), this is not workable.

Public listing of staff with low click behaviour. Combines two errors: punishing wrong behaviour and exposing individual clicks. Harmful to culture, and unlawful under the GDPR as an onward transfer of individual data.

What does work: a workable palette of consequences

A workable approach has three layers:

For most staff (90 percent): reminders with explanation, reasonable deadlines, automatic escalation to manager for a follow-up conversation on persistent postponement. No sanction, but visibility and dialogue.

For specific roles or systems: access restriction to certain apps until base training is completed. Works at onboarding and role change, and for high-risk functions (customer-data administration, financial authorisations).

For board members under Cbw article 24: a hard obligation with a documented file. Provable completion per board member, periodically refreshed. Not as a sanction but as compliance.

And finally: make what goes well visible. Praising a department with high report rate in a newsletter works far better than shaming a department with low completion.

How to anchor this in an awareness programme

Make the consequence model explicit in policy and communication.

In the AUP and training policy: name which consequences exist (access restriction, conversation, board liability). No surprises.

At onboarding: link base training to access release for specific apps. Avoids new joiners working with data for months without awareness.

For the board: separate registration of Cbw article 24 training, refreshed periodically and mentioned on the board agenda.

No annual reckoning, but continuous visibility: monthly reminders, quarterly department reporting, annual audit-readiness. Consequences are rarely deployed, but when needed they are applied consistently and provably.

From explanation to action

See how 2LRN4 turns this topic into a workable programme with training, phishing simulation and management reporting.



FAQ

What are the consequences for an employee who skips training?

Three tracks: greater incident risk (for team and customers, not just the employee), liability for organisation and board, and direct consequences for the employee (access restriction, conversation, rarely an employment-law measure).

Can an employee be dismissed for refusing training?

In the Netherlands only in exceptional cases after careful legal assessment, usually in regulated sectors. An organisation does better steering on visibility, conversation and access than on dismissal.

May I deduct salary or bonus for non-completion?

In practice rare without specific contract clauses, and in disputes provably disproportionate. Proportional consequences (access restriction, conversation) work better.

What about board members?

Under Cbw article 24 training is mandatory, with personal liability on non-compliance. Documentation is crucial; this is a compliance matter, not a cultural one.

Does mandatory retraining on phishing clicks work?

No, it backfires. Mandatory retraining after a click undermines reporting culture. A short on-spot explanation works; sanction does not.

What about a department with structurally low completion?

Make it visible at department level, not at individual level. Hold a conversation with the manager focused on workload and content fit. Often the cause lies in planning or relevance, not unwillingness.

How much risk does my organisation run without a programme?

Substantial under the Cbw and the GDPR. On top of incident damage there are administrative fines, and board members can be personally liable under article 24 for the relevant harm.

External source: European Commission - NIS2 Directive

Next step

Use this article as the foundation and then see how 2LRN4 turns this topic into audience segmentation, training and reporting.