
How often should employees take security training?

Practical guidance on how often to run security training, for organisations that want to improve secure behaviour structurally.


Founder & Security Awareness Specialist · 2LRN4

How often should employees take security training? Short version: not once a year, and not every week. Practice clearly shows that a rhythm of short modules (monthly or fortnightly) plus a few phishing simulations a year works better than the classic annual course. But what is workable for your organisation, what does the law say, and how do you choose a pace that fits without drowning your people?

Why annual training no longer cuts it

The classic approach was simple: one hour-long course per year, tick, done. For the compliance paperwork that still works; for behaviour it no longer does. Research (and the practice of organisations that seriously track click rates) shows that a module followed in January has barely landed by May. Cybercriminals count on that.

The threat landscape is also too dynamic for yearly updates. AI-generated phishing, deepfake voices, quishing, MFA bypass: these are routine in 2026 but absent from yearly courses written in 2024. An employee trained once a year is by definition a year behind.

DORA article 13 explicitly says: training must be "regular" with measurable effectiveness. Supervisors increasingly read "regular" as at least quarterly contact with employees, not once a year.

What research and practice point to as optimal

Based on published benchmarks and what works in Dutch and European practice:

  • Short modules of four to eight minutes every month, split by theme (phishing, passwords, physical, AI, data protection). Twelve short modules a year land demonstrably better than one annual hour.
  • Two to four phishing simulations per year. More leads to training fatigue and lower report rates; fewer gives too little practice. One per quarter is a healthy middle.
  • Once a year a formal 'base training' covering compliance (GDPR, Cbw, AUP acceptance). Often part of onboarding, repeated annually for everyone.
  • Role-specific deep-dive once or twice a year for risk groups: finance (CEO fraud), IT (incident response), HR (GDPR in recruitment), board (Cbw art. 24).
  • Immediate microlearning after a phishing click. Anyone who clicks gets a short on-spot explanation. No formal module, just a one-minute learning moment.

Sector differences and compliance cadences

Sectors differ in requirements:

Financial institutions fall under DORA. Article 13 explicitly asks for frequency and measurable effectiveness; in practice this means at least monthly contact for risk functions plus six-monthly deep-dives. For the broader workforce monthly microlearning suffices.

Healthcare and public sector fall under Cbw and NEN 7510. Frequency is less hard-coded, but supervisors expect demonstrable regularity. Four microlearning modules per quarter plus an annual compliance base is workable.

Education and SMEs have more room; six to ten modules a year plus two simulations is achievable nearly anywhere. SMEs with limited capacity can share costs via sector platforms.

What to avoid: training fatigue and hollow completion

Two common problems when frequency is too high:

Training fatigue. Weekly mandatory modules feel like bureaucracy. Completion rates drop and active resistance can grow. Monthly or fortnightly is the maximum for most organisations.

Hollow completion (mindless click-through). When modules follow too fast or are too short to learn, staff finish without reading. Completion stays high, behaviour metrics do not improve. The programme looks fine on paper but not in practice.

A good gauge is the simulation report rate. Rising over 6-12 months? You are at the right pace. Stagnant or falling? Your frequency or content is off-balance, and "more often" rarely fixes it: "different" usually does.

How to anchor this in an awareness programme

A workable year programme:

Onboarding at hire: base module (15-20 minutes in microlearning blocks) on AUP, GDPR, phishing basics. The platform records acceptance and registration automatically.

Monthly rhythm: one microlearning module per month, theme by calendar (January GDPR, February passwords, March phishing, April AI use, etc.). Four to eight minutes, short quiz or acceptance after.

Quarterly rhythm: one phishing simulation per quarter, varying form (email, smishing, quishing, AitM), with direct microlearning after a click.

Six-monthly: role-specific deep-dives for finance, IT, HR, healthcare. Supplementary, not replacing.

Annual: Cbw article 24 board training (annual base plus two tabletops), full programme audit-readiness check.

Demonstrable administration at all levels. The platform records automatically what was taken when and delivers quarterly reports to the board and supervisors on request.


FAQ

How often should I train employees?

Monthly short modules (microlearning, four to eight minutes), plus two to four phishing simulations per year, plus an annual base training for compliance. This works better than one annual course.

Is annual training enough for compliance?

For GDPR basics often yes; for Cbw and DORA no. DORA article 13 explicitly demands regular training with measurable effectiveness. Monthly microlearning is the workable minimum.

What is a good frequency for phishing simulations?

Two to four per year. More leads to fatigue; fewer gives too little practice. One per quarter is a safe middle, varied in form.

How do I avoid training fatigue?

Keep modules short (four to eight minutes), vary topics, tie them to current incidents or laws, and avoid mandatory modules at bad moments (before bonus payouts, during reorganisation).

Does the rhythm differ by role?

Yes. Risk functions get role-specific extras once or twice a year. The general workforce follows the monthly rhythm without deep-dives.

What does DORA say about frequency?

Article 13 demands "regular" training with measurable effectiveness. In practice supervisors read this as quarterly for risk functions plus annual base.

How do I know my frequency is right?

Three numbers together: completion rate (over 90% healthy), simulation click rate (falling over 6-12 months), report rate (rising). Stagnating click or report rates signal imbalance, and "different" usually helps more than "more often".
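As an added example (not 2LRN4's code or platform tooling), the three-number gauge from this answer applied to constructed quarterly figures; the `Quarter` record layout, the one-percentage-point tolerance for "stagnant" and the sample years are assumptions:

```python
from dataclasses import dataclass

@dataclass
class Quarter:
    """One quarter of programme figures (assumed record layout, constructed for this example)."""
    label: str
    assigned: int   # staff assigned that quarter's microlearning modules
    completed: int  # staff who finished them
    delivered: int  # simulation lures delivered
    clicked: int    # lures clicked
    reported: int   # lures reported through the report button

def rate(num: int, den: int) -> float:
    """Safe ratio; a quarter with nothing assigned or delivered counts as 0.0."""
    return num / den if den else 0.0

def trend(values: list[float]) -> float:
    """Mean of the later half minus mean of the earlier half: positive = rising.
    Less sensitive to one noisy quarter than comparing first and last alone."""
    half = len(values) // 2
    earlier, later = values[:half], values[len(values) - half:]
    return sum(later) / len(later) - sum(earlier) / len(earlier)

def assess(quarters: list[Quarter], tolerance: float = 0.01) -> str:
    """Apply the article's gauge: completion above 90%, click rate falling, report rate
    rising over the period. Changes within `tolerance` (one point) count as stagnant."""
    if len(quarters) < 2:
        return "insufficient data: need at least two quarters"
    completion = [rate(q.completed, q.assigned) for q in quarters]
    clicks = [rate(q.clicked, q.delivered) for q in quarters]
    reports = [rate(q.reported, q.delivered) for q in quarters]
    if not all(c > 0.90 for c in completion):
        return "training fatigue risk: completion below 90%, reduce load or length"
    click_falling = trend(clicks) < -tolerance
    report_rising = trend(reports) > tolerance
    if click_falling and report_rising:
        return "right pace"
    if not click_falling and not report_rising:
        return "hollow completion: completion high but behaviour flat, change content not frequency"
    return "mixed signals: review cadence and content"

# Constructed sample years (not real programme data): 400 staff, one simulation per quarter.
HEALTHY_YEAR = [Quarter("Q1", 400, 372, 400, 52, 64), Quarter("Q2", 400, 380, 400, 40, 88),
                Quarter("Q3", 400, 384, 400, 28, 112), Quarter("Q4", 400, 388, 400, 20, 140)]
HOLLOW_YEAR = [Quarter("Q1", 400, 390, 400, 48, 60), Quarter("Q2", 400, 392, 400, 50, 58),
               Quarter("Q3", 400, 394, 400, 47, 61), Quarter("Q4", 400, 396, 400, 49, 59)]
```

`assess(HEALTHY_YEAR)` returns "right pace" while `assess(HOLLOW_YEAR)` flags hollow completion: completion above 95% every quarter, yet click and report rates barely move.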

External source: NIST - Security awareness and training
