Article 20 of the NIS2 directive requires management bodies of essential and important entities to approve cybersecurity risk management measures, oversee their implementation and complete training that allows them to identify risks, assess their impact and take informed decisions. Member states have transposed this obligation into national law along similar lines, but with notable differences in regulator, sanctions and supervisory style. ENISA publishes guidance to harmonise interpretation across the Union. This article summarises the common core and the practical variation between countries.
What article 20 of NIS2 requires
Article 20 imposes two main obligations on the management body of every essential or important entity. First, it must approve the cybersecurity risk management measures taken to comply with article 21 and oversee their implementation. Second, its members must follow training and ensure that employees receive similar training on a regular basis.
The directive does not prescribe a curriculum, a duration or a delivery format. Member states have therefore retained considerable discretion in transposition, and ENISA has published interpretative guidance to keep national implementations broadly aligned. In practice, this means a Belgian or Spanish board faces obligations that look similar on paper but are enforced by different regulators with different cultures.
Crucially, training must be aimed at decision-makers. A generic employee awareness module is not sufficient under any national interpretation observed so far. Boards need governance-level content covering threat landscape, legal obligations, incident reporting and personal liability.
How member states transposed the obligation
The national transposition acts diverge in detail. The most relevant for European boards:
- Netherlands: Cyberbeveiligingswet (Cbw), articles 21 and 24, supervised by the Digital Trust Center and sector regulators
- Belgium: NIS2 Act of 26 April 2024, supervised by the Centre for Cybersecurity Belgium (CCB), with the CyberFundamentals framework as practical reference
- Germany: NIS2-Umsetzungs- und Cybersicherheitsstärkungsgesetz (NIS2UmsuCG), § 38 BSIG (new version), supervised by the BSI
- Austria: Netz- und Informationssystemsicherheitsgesetz (NISG) 2024, supervised by the Ministry of the Interior and CSIRT.at
- France: Loi du 30 avril 2025 sur la résilience des activités d'importance vitale, supervised by the ANSSI and the sectoral CERT-FR
- Spain: Real Decreto-ley 7/2025, supervised by CCN-CERT and INCIBE, with the Esquema Nacional de Seguridad (ENS) as the practical baseline for public-sector and supply-chain entities
Frequency, format and scope
Across all member states the training requirement is described as "regular" or "periodic". Regulators converge in interpreting this as at least one formal session per board member per year, with additional ad-hoc training after significant incidents or material regulatory changes. The total time investment that holds up under audit is typically 4 to 8 hours per board member per year.
Online, hybrid and classroom formats are accepted everywhere, as long as completion is documented. Most regulators favour shorter modules of 30 to 60 minutes over a single long annual session: better retention, easier to schedule and cleaner audit evidence. New board members generally must complete training within six months of appointment.
Existing members typically benefit from a 12- to 24-month grace period from the entry into force of the national act, followed by an annual refresh. The Dutch, Belgian and German regulators have all been explicit on this point in their published guidance.
Documentation and audit evidence
Across jurisdictions the first question in a supervisory action is almost identical: "show us that the management body has been trained." Boards should systematically retain:
- Per board member: name, training date, content, duration, provider, proof of completion (certificate or platform log)
- Per entity: training plan for the current and next financial year, linked to appointments and reappointments
- Per agenda: board meetings where cybersecurity was discussed, with minutes that demonstrate the topic was substantively addressed
- Per incident: when the board was informed, the decision taken, the follow-up action agreed
Tamper-evident logs with timestamps and an audit trail are markedly stronger than loose certificates or email confirmations, and the same evidence set generally satisfies regulators in every member state.
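One way to keep that evidence set tamper-evident and to surface the onboarding and refresh gaps a supervisor asks about first, as an added example in Python that is not part of the original article; the member names, completion records and the six-month and twelve-month windows are constructed assumptions taken from the article's own figures:

```python
import hashlib
import json
from datetime import date

GENESIS = "0" * 64  # anchor for the first record in the chain

def record_hash(prev_hash, record):
    # hash covers the fields plus the previous hash, so altering any earlier entry breaks the chain
    payload = json.dumps(record, sort_keys=True) + prev_hash
    return hashlib.sha256(payload.encode()).hexdigest()

def append_record(log, record):
    """Append one completion record (member, date, content, duration_min,
    provider, proof: the per-member fields the article lists) to the log."""
    prev = log[-1]["hash"] if log else GENESIS
    log.append(dict(record, prev_hash=prev, hash=record_hash(prev, record)))

def verify_chain(log):
    """Return the index of the first broken entry, or -1 if the chain is intact."""
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k not in ("prev_hash", "hash")}
        if entry["prev_hash"] != prev or record_hash(prev, body) != entry["hash"]:
            return i
        prev = entry["hash"]
    return -1

def training_gaps(board, log, today, onboarding_days=183, refresh_days=365):
    """board maps member name -> ISO appointment date. Flags members with no
    session within the onboarding window (six months, as the article states) or
    whose last session is older than the annual refresh interval (assumed 365 days)."""
    today = date.fromisoformat(today)
    gaps = []
    for name, appointed in board.items():
        sessions = sorted(e["date"] for e in log if e["member"] == name)
        if not sessions:
            if (today - date.fromisoformat(appointed)).days > onboarding_days:
                gaps.append((name, "no training within six months of appointment"))
        elif (today - date.fromisoformat(sessions[-1])).days > refresh_days:
            gaps.append((name, "last training older than twelve months"))
    return gaps

# constructed sample data: three board members, two completion records
BOARD = {"A. Example": "2024-01-15", "B. Example": "2024-01-15", "C. Example": "2025-09-01"}
LOG = []
append_record(LOG, {"member": "A. Example", "date": "2025-03-10", "content": "NIS2 board module",
                    "duration_min": 60, "provider": "example provider", "proof": "cert-0001"})
append_record(LOG, {"member": "B. Example", "date": "2024-02-20", "content": "NIS2 board module",
                    "duration_min": 45, "provider": "example provider", "proof": "cert-0002"})
```

Running `verify_chain` on a copy where one record was edited, or on the log with its first entry removed, reports the index of the first broken entry, which is the property loose certificates cannot offer.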
Personal liability and sanctions
NIS2 introduces direct personal liability of management body members for culpable failure to comply with their cybersecurity obligations. Member states have implemented this through their existing corporate liability frameworks, with notable variations in enforcement appetite. The BSI in Germany and the CCB in Belgium have signalled active supervision; the Dutch sector regulators have prioritised the essential-entity tier.
At entity level, fines can reach 10 million euros or 2% of global annual turnover for essential entities, and 7 million or 1.4% for important entities, whichever is higher. Civil liability for damages caused to third parties and, in cases of deliberate concealment of reportable incidents, criminal consequences apply on top.
A member who can demonstrate that training was completed, that the topic was placed on the agenda and that reasoned decisions were taken is generally protected. A member who never trained and routinely delegated cybersecurity without independent oversight is not.
Common pitfalls across the EU
ENISA and national regulators report the same patterns in the first wave of enforcement, regardless of country:
- Using generic employee awareness modules for the board instead of governance-specific training: formally a tickbox exercise, not admissible evidence
- Fully delegating cybersecurity to the CISO without board verification of progress: NIS2 requires active oversight, not formal sign-off alone
- No minutes of board meetings where cybersecurity was discussed: without an agenda item, the regulator concludes that the topic was not addressed
- Confusing "compliance" with "security": an entity can be NIS2-compliant on paper and operationally vulnerable, and boards must be able to distinguish the two
- Late onboarding of new board members: training deferred beyond twelve months from appointment creates an immediately auditable gap in every jurisdiction
FAQ
Can board training be delivered online?
Yes. No national transposition of NIS2 prescribes a specific format. Online, hybrid and classroom training are all acceptable as long as completion is demonstrable and the content is appropriate. Short modules of 30 to 60 minutes typically fit board calendars better than a single long annual session.
Does the obligation apply to supervisory boards as well?
It depends on the national legal definition of "management body". In the Netherlands the supervisory board (RvT or RvC) is explicitly included; in Germany, Austria and France the executive board is the primary addressee, with supervisory bodies covered by their general oversight duties. ENISA recommends including all bodies that take part in approving risk measures.
What happens if a board member refuses to train?
Formally it is an entity-level failure; materially it is an individual one. The other governance bodies (supervisory board, general meeting) are expected to intervene. In persistent cases the regulator can impose corrective measures, and in the most serious cases a temporary suspension from director functions is available under German, French and Spanish law.
Does an MBA with a cybersecurity module count?
Rarely on its own. The training must be demonstrably oriented to the cyber role of a NIS2 board member. A general MBA module seldom matches the specificity that ENISA and national regulators expect. Dedicated board cyber training with national context is materially stronger.
What is a reasonable budget per board member?
For a professional programme with certification, e-learning and an annual refresher, expect 500 to 2,000 euros per board member per year. Sector collective programmes are often cheaper for smaller entities; larger groups typically operate an internal governance academy, which scales more efficiently.
How does article 20 relate to general employee awareness?
They are two distinct obligations. Article 20 covers management-body training; the general employee awareness obligation flows from the risk management measures of article 21. Both are mandatory, complementary, and in practice should be run as separate programmes with their own content, audiences and metrics.
External source: European Commission - NIS2 Directive