The choice between SCORM and a standalone awareness platform mainly comes up at organizations that already operate an LMS and are wondering whether a second learning environment is really needed. SCORM is an open standard that lets you import individual modules into your own LMS. A standalone awareness platform is a separate environment built specifically for security awareness, with training, phishing simulation, audience segmentation and governance reporting in one.
It is not a technical choice but an operational one. The question is not which standard is better, but which approach fits how your organization wants to manage, measure and demonstrate awareness. This page helps you make that trade-off concrete.
See how 2LRN4 delivers SCORM packages and the full platform side by side, so you can choose what fits your setup.
Where SCORM is strong
SCORM works well when awareness primarily needs to land as content within an existing LMS strategy. You keep one place for all learning paths, you reuse the single sign-on you already have and you let reporting flow through tooling your organization already knows. For L&D teams that view awareness as part of the broader training portfolio, this is a logical route.
SCORM is also the pragmatic choice in closed environments. Sectors such as defense, parts of healthcare and certain government domains work with networks that cannot load external content. A standalone SCORM package that runs entirely within your own LMS meets that requirement more easily than a platform hosted externally.
Where a standalone awareness platform becomes stronger
A standalone awareness platform wins as soon as awareness needs to be more than content. Phishing simulation, audience segmentation by risk profile, automatic reminders and governance reporting are standard components, not something you have to build around separately. That reduces administration and gives management more consistent steering information.
The difference grows further in multilingual organizations or where audiences differ widely. A platform can automatically pick the right language based on the HR record, give finance a different course path than operations, and track risk indicators per team. With SCORM you have to arrange that at the LMS level, which in practice does not always scale.
The comparison on five decision points
Hosting and runtime
SCORM: The package runs in your LMS and you retain full control over the environment.
Standalone awareness platform: The platform is hosted by the vendor, with monitoring and updates handled remotely.
Content updates
SCORM: Static packages are one-off; Connected packages are kept current centrally by the vendor.
Standalone awareness platform: Continuous updates by the vendor, without an LMS administrator having to import anything.
Phishing simulation
SCORM: Not included, requires a separate tool or service.
Standalone awareness platform: Native component with campaign templates and click and report behavior in the same reporting.
Reporting and governance
SCORM: Limited to what your LMS can extract from cmi.completion_status, cmi.success_status and score.
Standalone awareness platform: Specific NIS2 reporting aligned with national transpositions, risk profiles per team and audit evidence logic.
Languages and scalability
SCORM: You deliver a separate package per language, or a wrapper that selects the correct language.
Standalone awareness platform: Automatic language selection, audience segmentation and rollout across multiple entities or sites.
What organizations actually do in practice
In practice it is rarely all-or-nothing. Many organizations choose SCORM packages as a base layer in their existing LMS and add a standalone platform or separate services where the SCORM route falls short. Phishing simulation through a separate tool, or an additional platform component for governance reporting, are then logical extensions.
Other organizations turn it around. They use the standalone platform for the entire awareness approach and only export specific modules to the LMS for onboarding purposes. Which direction fits depends mainly on where your organization gets its evidence and steering information from: the LMS or a dedicated awareness environment.
What NIS2 and the national transpositions say about this
NIS2 articles 20 and 21 do not prescribe which technical platform you use. The directive does require that board members are demonstrably trained and that employees structurally build security awareness. The bottleneck is therefore not SCORM versus platform, but whether your approach is demonstrably continuous and reaches different audiences differently.
Across the EU, member states have transposed NIS2 into their own national laws — examples include the Cyberbeveiligingswet in the Netherlands (article 24 on board training), the NIS2 law of 26 April 2024 in Belgium, the NIS2UmsuCG in Germany, the NISG 2024 in Austria, the NIS2 transposition law in France and the Spanish Royal Decree-Law transposing NIS2. Most introduce a specific board training obligation. A SCORM package rolled out once without repetition rarely satisfies these. A platform that automatically assigns training, sends reminders and generates board reports provides that evidence more easily.
The core question for governance is therefore not "SCORM or platform" but "can you show that training is continuous, targeted per audience and measured on outcome". Both routes can demonstrate that, but the amount of manual work differs considerably.
When SCORM is deliberately the right choice
SCORM is deliberately the right choice when your L&D function is mature, your LMS is already running, and awareness content mainly needs to fit within the broader learning portfolio. In closed networks without external connections, or at organizations with a strict IT security baseline, SCORM Static is likewise the most realistic route.
When governance, phishing simulation and audience segmentation are central, or when you want to roll out across 27 languages without maintaining a package per language, a standalone platform comes out stronger. The trade-off only becomes clear once you put your exact reporting and evidence requirements on the table.
Questions to ask vendors in this comparison
For SCORM: how often are the packages refreshed, and is that a Static or Connected model? Can you deliver sample packages we validate in our LMS first?
For a platform: which reporting is standard and which requires extra configuration? Do I get segmentation per team, language or risk profile without custom work?
For both: which awareness topics are included, how often are they refreshed, and how do they handle sector-specific risks such as healthcare, government or financial services?
And above all: how does the solution translate into the evidence you have to present to auditors, board members or regulators? A vendor that has no concrete answer to that usually delivers content rather than a programme.
FAQ
Is SCORM cheaper than a standalone awareness platform?
On package price SCORM looks cheaper, especially the Static model. But once you factor in hosting, governance reporting, phishing simulation and manual audience segmentation, that often flips. The comparison only becomes fair when you include all components your organization actually needs.
Can I combine SCORM with a standalone platform?
Yes, and many organizations do exactly that in practice. SCORM packages are used for structural onboarding content in the existing LMS, while the standalone platform delivers phishing simulation, segmentation and board reporting. The key is to prevent double reporting by picking one source as the single source of truth.
Does SCORM satisfy NIS2 and the national transpositions across the EU?
SCORM itself is a delivery format and says nothing about compliance. Whether your approach qualifies depends on how you handle continuity, audience segmentation and evidence logic. A SCORM package rolled out once without repetition rarely qualifies under NIS2 or its national transpositions, while a Connected approach with annual updates and structured reporting makes that considerably easier. Specific obligations (such as a separate board training duty) vary per country.
Which variant fits a public sector or healthcare organization in Europe?
For European public sector and healthcare organizations, sector-specific content and national frameworks (NIS2 transposition, plus national standards like BIO and NEN 7510 in the Netherlands, BSI baseline in Germany, ANSSI guidance in France, ENS in Spain) matter more than the delivery format. Both SCORM and a platform can deliver that content. Practice shows that board training obligations and continuous evidence are easier to achieve with a platform, while SCORM is more logical when a strong LMS is already in place and awareness is part of a broader learning portfolio.