
Which security topics matter most for executives and boards?

Practical guidance on security topics for executives and boards for organizations that want to improve secure behavior structurally.


Founder & Security Awareness Specialist · 2LRN4

Since Cbw article 24 entered into force in 2024-2025, the question of which security topics executives should know is no longer academic. Board members and senior management are personally liable for cyber governance, and the training they take must reflect that responsibility: not operational detail, but strategic steering, risk weighing and crisis conduct. What belongs in 2026?

Why board training differs from employee training

An employee learns how to spot phishing and what to do with a stolen password. A board member learns something else: how to steer on cyber risk, which questions to ask the CISO, how to co-decide during an incident, and what liability they carry when things go wrong. The themes overlap; the level is fundamentally different.

Under Cbw article 24, board training is legally mandatory for essential and important entities. Liability is personal: not the organisation but the individual board member can be held accountable for a breach demonstrably caused by insufficient cyber governance. That changes what a board member must be able to do: ask the right questions, decide under uncertainty, and escalate when needed.

Good board training is therefore not a shortened employee course. It is a separate learning path covering strategic topics, focused on decision-making and oversight rather than recognising a suspicious email.

The seven topics that belong in 2026

A workable top seven for board training under Cbw article 24:

  • Cyber governance and liability. What is the legal role of a board member under Cbw, DORA and GDPR, what decisions are expected from the board, and what documentation do you need to show you fulfilled your duty?
  • Risk analysis and acceptance. What type of cyber risk does the organisation run, which measures are in place, and what residual risk is consciously accepted? The board does not make technical decisions but signs off on the risk framework.
  • The threat landscape at a high level. What are ransomware, BEC, AI-generated phishing and supply-chain attacks, and what damage have they typically caused at comparable organisations?
  • Incident response at board level. What happens in the first 24 hours after a major incident, which decisions sit with the board (pay or not pay, customer communication, supervisor notification), and how do you rehearse that in advance?
  • Compliance landscape. Cbw, DORA, GDPR, AI Act, NEN 7510 in healthcare. Which apply, what reporting duties exist, and how does the board report on compliance?
  • AI governance. With the EU AI Act in force from February 2025: which AI systems run in the organisation, what risk classification do they have, and how do you ensure AI literacy among staff?
  • Board reporting and dashboards. Which cyber indicators recur every quarter, how do you interpret a phishing report rate or a vulnerability scan, and which trends call for steering?

What does not belong in board training

A few topics that often appear in board training but should not:

Technical detail on attack chains. A board member does not need to know how a buffer overflow works or what an SQL injection does. They do need to know the CISO has measures against that category and how often they are tested.

Operational incident procedures. The playbook for who does what hour by hour after ransomware sits with IT and the CSIRT. The board knows the headline and their own role, not the full runbook.

Phishing simulations at board level without context. Board members tested with a phishing email learn little; their agendas are too dense and they delegate triage. A tabletop exercise on a ransomware scenario at the board table teaches far more.

Tabletop exercises: the most powerful component

The most effective component of board training is not e-learning but a tabletop. A specialist facilitator lays out a scenario ("on a Friday evening you receive notification that customer data has been leaked on a known leak platform") and the board walks through the decisions that follow in real time: who to inform, pay or not pay, spokesperson, supervisor communication.

Tabletops deliver three things other training forms do not. First, you discover where the decision process stalls (who has mandate, who is missing, what information do we lack). Second, you practise the cohesion aspect (collaborating under pressure differs from collaborating in routine). Third, you build a shared language (after a tabletop everyone knows what a "P1 incident" or "containment phase" means).

A reasonable cadence is two tabletops per year for the board with varying scenarios (ransomware, breach, AI misuse, supply-chain compromise). Combine with annual e-learning for strategic foundations.

Communication and spokesmanship in a crisis

Often undervalued in board training: how do you communicate externally during and after an incident? This is unfamiliar ground for many board members, who are used to steering on certainty, and in a cyber incident certainty is gone.

Three principles that work: short, honest and consolidated. One spokesperson, no conflicting messages from departments. Open about what you know (date, attack type, affected group) and clear about what you do not yet know ("we are still investigating"). Avoid technical jargon for the public; with supervisors more detail is wise.

Under Cbw a breach notification is mandatory within 24/72 hours. Do not wait for all the facts; report what you know now and supplement it as more becomes known. Preparation helps here too: a pre-prepared communication framework (which topics to mention, which not) greatly speeds up the first 24 hours.

How to anchor this in an awareness programme

Board training must be structural, not one-off.

Annual base module (45 to 60 minutes) on governance, threat landscape, compliance and board reporting. Specific to the Dutch context: Cbw article 24 components, GDPR notification, DORA at financial institutions.

Two tabletops per year with varying scenarios, facilitated by an external party for objectivity. Document the outcomes for audit.

Quarterly CISO letter to the board on the state of cyber risk, incident overview and ongoing changes. Not a thick report but half an A4. Builds familiarity between formal training moments.

Demonstrable administration. Completion per board member, date and version of training, attendance at tabletops. Under Cbw article 24 this is your evidence that you took your duty of care, both organisationally and personally.



FAQ

What topics belong in board training under Cbw article 24?

Cyber governance and liability, risk analysis and acceptance, high-level threat landscape, board-level incident response, compliance landscape (Cbw, DORA, GDPR, AI Act), AI governance, and board reporting. Operational detail does not.

How does board training differ from employee training?

An employee learns recognition and action; a board member learns steering, deciding and oversight. Same themes at a different level: not "how do I spot phishing" but "how do I know our phishing measures work".

What is a tabletop exercise?

A structured exercise where a crisis scenario is walked through at the board table, with a facilitator rolling out the scenario and the board making decisions in real time. The most effective board training element; most organisations run two per year.

Should board members know how ransomware works?

At a high level yes: the effect, damage, decisions that follow. Not in technical detail. The board steers on categories, not on attack methods.

What is the difference between Cbw article 24 and the general Cbw training duty?

Article 24 targets board members specifically: they must be personally trained on cyber risk and governance. The general duty (article 21) covers all staff. Both apply at the same time in essential and important entities.

How often should a board be trained?

At minimum an annual formal base module, plus two tabletops per year and a quarterly CISO update. That is sufficient for the Cbw duty-of-care standard and keeps the board sharp between formal moments.

What is the personal liability under Cbw article 24?

Board members can be held personally liable for relevant harm caused by failure to meet the board training duty and broader cyber governance. Documentation of completed training is the main defence evidence.
