Anyone responsible for training in an organisation eventually conflates two terms: security training and compliance training. They look similar in a platform (modules, progress, completion), but they serve different purposes, have different success criteria, and in 2026 occupy different positions relative to laws like the Cbw and the AI Act. Where exactly is the difference, and why is an organisation that mixes them measurably less safe?
Compliance training: ticks and demonstrability
Compliance training aims at showing the organisation meets an external obligation. A module explaining GDPR, a course on fines, a required acknowledgement of a new code of conduct: these are classic compliance trainings. Completion is the evidence, and evidence is what the supervisor asks for.
Practical traits: annual or law-driven, the same for everyone, ending in a short quiz, with results reported to HR or compliance. The success criterion is the percentage of staff who completed it.
This works for its intended purpose: showing the duty was discharged. It demonstrably works less well for changing behaviour. That is fine, as long as it is clear that this is not the same as security training.
Security training: behaviour and resilience
Security training aims to change behaviour at moments when behaviour is under pressure. A short module on phishing with practical examples, a phishing simulation followed by microlearning, a reminder of a payment-verification routine: these are security trainings. The success criterion is a measurable behaviour change, not a tick.
Practical traits: frequent and short (microlearning), role-based, followed by observable metrics (click rate, report rate, time-to-first-report), and the outcome is a trend across six to twelve months.
Measuring security training the compliance way (completion only) yields endless ticks and no safety. Measuring compliance training the security way (behaviour only) fails the supervisor. Both functions exist, both have their own metrics, and they must coexist without replacing each other.
The three differences that matter in practice
Briefly:
- Purpose. Compliance proves compliance; security changes behaviour. That difference drives every design choice.
- Frequency. Compliance is annual or law-driven; security is monthly or more frequent, delivered as microlearning.
- Measurement. Compliance measures completion; security measures click rate, report rate, time-to-first-report.
Where a hybrid does work: demonstrable behavioural training
Under the Cbw, DORA and the AI Act, the two functions can no longer stand apart. Supervisors want completion and effectiveness. Hence a hybrid: security training that delivers compliance demonstrability.
Build a base programme meeting compliance requirements (annual, everyone, quiz, registration), but design the modules themselves as security training (short microlearning, role-based, with phishing simulations and behaviour metrics). The platform then delivers both compliance reports (who took which module) and behaviour reports (click rate, report rate).
DORA article 13 makes this explicit: "training must be tailored to role and risk; effectiveness must be measured". Pure compliance does not meet that.
Common mistakes in practice
Three patterns you regularly meet:
One long annual training combining compliance stamps with security topics, without role-based depth. Result: high completion, no behaviour change. The board sees green ticks, IT security sees no incident reduction.
Phishing simulations without follow-up training. Click rate is measured but no microlearning follows a click. Result: staff do not learn what they did wrong and the click rate does not fall. This is not security training but a test bench.
Compliance training pinned to security deadlines. An organisation that "quickly" rolls out a module around a new law generates ticks but misses the behaviour practice. Both tracks should run separately, each with its own rhythm.
How to anchor this in an awareness programme
Make the distinction explicit in policy and programme. A workable model:
Compliance layer. Annual base module on GDPR, AUP, Cbw essentials, AI Act art. 4. For everyone, with quiz and registration. Covers supervisor obligations.
Security layer. Monthly microlearning on phishing, social engineering, passwords, cloud, AI. Role-based. Followed by four to six phishing simulations per year with click and report metrics. Board training separately, quarterly.
One central platform recording both tracks in parallel, with separate reports: compliance progress for HR and privacy officer, behaviour metrics for CISO and board. That satisfies both formal requirements and the real purpose of the programme.
FAQ
What is the difference between security and compliance training?
Compliance training proves the organisation meets a legal duty (annual, everyone, quiz). Security training changes behaviour (short, frequent, role-based, with simulations and behaviour metrics). Both are needed; they are not interchangeable.
Does compliance training cover the Cbw?
Partly. The Cbw requires an information security policy with awareness training. Pure compliance ticks meet the letter but not the demand for demonstrable effectiveness, particularly explicit under DORA art. 13.
Can I run just one track?
Not advisable. All compliance: no behaviour change. All security: no demonstrability to the supervisor. Two parallel layers work best.
How do I measure security training effectiveness?
Three numbers: click rate in phishing simulations (lower is better), report rate (higher is better), time-to-first-report (faster is better). Movement across six to twelve months matters more than the absolute level.
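The three behaviour metrics named above (click rate, report rate, time-to-first-report) and the "trend over six to twelve months" rule are simple to compute once simulation results are recorded per recipient. The following is an added example, not 2LRN4's own code or the reporting logic of any platform: it computes the three numbers per campaign from constructed (not real) simulation records and then judges the direction of each metric across the year by comparing the later half of campaigns with the earlier half. The campaign data, the `Recipient` record shape and the half-versus-half trend rule are assumptions for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Optional


@dataclass
class Recipient:
    """One recipient of one simulation e-mail (assumed record shape)."""
    sent_at: datetime
    clicked_at: Optional[datetime] = None   # None = did not click
    reported_at: Optional[datetime] = None  # None = did not report


@dataclass
class CampaignMetrics:
    campaign: str
    sent: int
    click_rate: float                 # clicks / sent, lower is better
    report_rate: float                # reports / sent, higher is better
    ttfr_minutes: Optional[float]     # time-to-first-report, faster is better


def campaign_metrics(name: str, recipients: list) -> CampaignMetrics:
    """Compute the three behaviour metrics for one simulation campaign."""
    sent = len(recipients)
    if sent == 0:
        raise ValueError("campaign has no recipients")
    clicks = sum(1 for r in recipients if r.clicked_at is not None)
    reports = [r.reported_at for r in recipients if r.reported_at is not None]
    ttfr = None
    if reports:
        # Measured from campaign launch (earliest send) to the first report.
        launch = min(r.sent_at for r in recipients)
        ttfr = (min(reports) - launch).total_seconds() / 60
    return CampaignMetrics(name, sent, clicks / sent, len(reports) / sent, ttfr)


def trend(values: list, lower_is_better: bool, tolerance: float = 0.0) -> str:
    """Direction of a metric over chronological campaigns.

    Compares the mean of the later half with the mean of the earlier half,
    so one outlier campaign does not decide the verdict. Missing values
    (e.g. no report at all in a campaign) are skipped.
    """
    vals = [v for v in values if v is not None]
    if len(vals) < 2:
        return "insufficient data"
    half = len(vals) // 2
    delta = mean(vals[half:]) - mean(vals[:half])
    if abs(delta) <= tolerance:
        return "flat"
    improving = delta < 0 if lower_is_better else delta > 0
    return "improving" if improving else "worsening"


def programme_summary(metrics: list) -> dict:
    """Trend verdict per metric for a chronological list of CampaignMetrics."""
    return {
        "click_rate": trend([m.click_rate for m in metrics], lower_is_better=True),
        "report_rate": trend([m.report_rate for m in metrics], lower_is_better=False),
        "time_to_first_report": trend([m.ttfr_minutes for m in metrics], lower_is_better=True),
    }


def build_campaign(launch: datetime, sent: int, clicked: int, reported: int,
                   first_report_min: int) -> list:
    """Constructed sample data: the first `clicked` recipients click, the last
    `reported` recipients report, the first of them at `first_report_min`."""
    recipients = []
    for i in range(sent):
        r = Recipient(sent_at=launch)
        if i < clicked:
            r.clicked_at = launch + timedelta(minutes=5 + i)
        if i >= sent - reported:
            r.reported_at = launch + timedelta(
                minutes=first_report_min + (i - (sent - reported)) * 10)
        recipients.append(r)
    return recipients


# Four quarterly campaigns over one year (constructed, not real results).
SAMPLE_CAMPAIGNS = [
    ("2026-Q1", build_campaign(datetime(2026, 1, 15, 9), 20, 6, 3, 90)),
    ("2026-Q2", build_campaign(datetime(2026, 4, 15, 9), 20, 5, 5, 60)),
    ("2026-Q3", build_campaign(datetime(2026, 7, 15, 9), 20, 3, 7, 30)),
    ("2026-Q4", build_campaign(datetime(2026, 10, 15, 9), 20, 2, 9, 15)),
]

if __name__ == "__main__":
    results = [campaign_metrics(n, r) for n, r in SAMPLE_CAMPAIGNS]
    for m in results:
        print(f"{m.campaign}: click {m.click_rate:.0%}, report {m.report_rate:.0%}, "
              f"first report after {m.ttfr_minutes} min")
    print(programme_summary(results))
```

The per-campaign numbers are what the behaviour report for the CISO should show; the `programme_summary` verdict is the part the board needs, because a single quarter's click rate says little on its own. If a campaign produces no report at all, time-to-first-report is recorded as missing rather than zero, so it cannot masquerade as a good result.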
What about DORA?
DORA article 13 explicitly asks training "tailored to role and risk" and "effectiveness measured". Pure compliance is not enough; role-based security training with behaviour metrics is required for financial institutions.
Can compliance training be annual?
Yes, annual is fine for the compliance layer. For the security layer, annual demonstrably works worse than monthly microlearning. Treat both with their own rhythm.
Who owns which layer?
The compliance layer typically sits with HR together with the privacy officer or compliance officer; the security layer with the CISO or security team. Both report to the board, each with its own metrics.
External source: European Commission - NIS2 Directive