The question "should security training be mandatory?" sounds simple but has two layers. Legally, in many frameworks training is now a legal requirement. Practically, it only works if you implement the obligation correctly; otherwise you get ticks without behaviour change. Where is the balance, and how do you set up mandatory training so it actually changes something?
What the law says about obligation
In the Netherlands and the EU, awareness training is, as of 2026, effectively mandatory, even though no law uses that exact word. NIS2 and the Cbw require an information security policy with awareness and training (article 21). Cbw article 24 explicitly mandates board training. DORA article 13 requires financial institutions to deliver role-based training with effectiveness measurement. EU AI Act article 4 requires AI literacy since February 2025. GDPR demands awareness as a controller measure (article 39).
In practice this means any organisation without a mandatory base training programme runs into trouble at every audit or incident. The question is no longer whether you may make training mandatory, but how.
At the same time no law specifies length or frequency. That is where you design: short and frequent (microlearning) or long and annual. Behavioural science strongly favours the former; compliance is achievable with both.
Why pure obligation alone does not work
Training delivered purely as obligation produces high completion (people click through) but little learning. Study after study shows a mandatory module without a stated why is remembered worse than a module combining motivation, explanation and obligation.
At the same time, full voluntariness works in almost no organisation. Voluntary enrolment usually sits below 30 percent, and the enrolled group is exactly the group that already knows most. The group you most want to reach does not enrol.
The workable middle: a mandatory base layer with clear reasoning, plus role-based add-ons that feel logical and useful to most. Obligation works when experienced as meaningful, not bureaucratic.
Three ingredients of an obligation people accept
To make obligation work, build in three things:
- Explain the why. For the organisation (compliance, continuity), for the team (incident avoidance), for the individual (private life safer, own responsibility). Pure duty without explanation gets the least learning.
- Reasonable deadlines and own pace. Not "done today", but several weeks with free choice of moment. Microlearning blocks of four to eight minutes spread across months work better than one long session.
- Connection to reality. A module showing how to secure your own Netflix or banking account feels less like an obligation and more like a gift. Personal applicability is a strong lever.
What to do with employees who refuse
A small group resists mandatory training. Three resistance types, three approaches:
The sceptical senior. "I have worked here 25 years and never been hacked." Approach: acknowledge experience, ask advice, involve as ambassador.
The busy specialist. "I really do not have time." Approach: make it as light as possible (microlearning), give freedom in timing.
The principled refuser. Rare but visible. Route through HR with explicit explanation that under Cbw and DORA, training is tied to continued access to certain systems or roles. Apply this carefully: employment-law assessment is essential.
Sanctions and consequences: what is workable?
In practice, hard sanctions for non-completion backfire. What does work:
Access restriction to specific systems until base training is completed. Works best for new joiners (linked to onboarding) and role changes.
Visibility via aggregation. Department-level completion rates shared in the organisation. Social pressure works without naming individuals.
For the board (Cbw article 24) it differs: non-compliance can trigger personal liability, so this is a legal matter, not a cultural one. Documentation of board training is crucial and non-optional.
What does not work: visible 'naming and shaming', mandatory retraining on phishing clicks (undermines reporting), or disciplinary action without warning. These lower reporting faster than they raise completion.
How to anchor this in an awareness programme
A workable combination of obligation and motivation:
Base programme mandatory for all, annual, twenty to thirty minutes total in microlearning. Covers GDPR, AUP, Cbw essentials, AI literacy. Explain the legal link explicitly.
Role-based add-ons recommended, not hard-mandated. With a good why (for your function, for your team) 70-90 percent follow voluntarily.
Board training strictly mandatory and tightly documented. Cbw article 24 requires demonstrability; not work-in-progress, but completed evidence per board member.
Phishing simulations regularly for everyone, with short microlearning on clicks, no sanction. This is behaviour training combining completion and learning value.
One platform that makes everything demonstrable: group-level completion, board training status, behaviour metrics from simulations. Audit-ready.
See how 2LRN4 turns this topic into a workable programme with training, phishing simulation and management reporting.
View the NIS2 page
Related articles
- Compliance requirements for awareness training
- Getting employees to take security training
- Difference between security and compliance training
- Acceptable use policy (AUP)
Sources
FAQ
Is security training legally mandatory?
In the Netherlands and the EU, as of 2026, it is effectively mandatory via multiple frameworks: NIS2/Cbw, DORA, GDPR and the AI Act. Board training is explicitly mandatory under Cbw article 24. No framework names specific hours.
Does mandatory training work better than voluntary?
Not automatically. Pure obligation without explanation yields ticks but little learning. Voluntary rarely reaches above 30 percent. Middle ground: mandatory base with explanation, plus recommended role-based modules.
What about employees who refuse?
Examine the resistance type. The sceptical senior responds to acknowledgement, the busy specialist to space. The principled refuser needs HR and employment-law assessment, particularly when access is tied to completion.
May I block access if training is not completed?
Yes, if policy-anchored and proportional. Works best for specific systems (critical apps, customer data) and on role change. Avoid blanket access blocks on general base training; that disrupts work more than it gains.
What is the sanction for non-compliance by the board?
Under Cbw article 24 board members can be held personally liable for relevant harm from non-compliance with the board training duty. This is a legal matter, not a cultural one.
Does mandatory retraining on phishing clicks work?
No, the opposite. Mandatory retraining after a click punishes the behaviour, undermines the reporting culture, and with it your early detection. A short explanation on the spot is enough; sanctions are harmful.
How do I measure whether mandatory training works?
Combine completion rate with behaviour metrics from phishing simulations (click, report and time-to-first-report). High completion with flat behaviour signals obligation without learning; falling click rate with rising report rate indicates success.
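The measurement logic described in this answer, written out as an added example (not code from the page or from 2LRN4): it computes click rate, report rate and time-to-first-report per simulated campaign from constructed per-recipient outcomes, aggregates training completion at department level so no individual is named, and applies the answer's rule of thumb to two consecutive campaigns. The campaign data, user ids, department names and the 2-percentage-point minimum change that counts as a trend are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class Outcome:
    """Per-recipient result of one simulated phishing campaign (constructed sample data)."""
    user: str
    department: str
    sent: datetime
    clicked: bool
    reported_at: Optional[datetime]


def _outcome(launch, user, dept, send_offset_min, clicked, reported_after_min):
    """Build one Outcome; offsets are minutes after campaign launch (constructed)."""
    sent = launch + timedelta(minutes=send_offset_min)
    reported = sent + timedelta(minutes=reported_after_min) if reported_after_min is not None else None
    return Outcome(user, dept, sent, clicked, reported)


# Two constructed campaigns, three months apart, same ten recipients.
Q1 = datetime(2026, 3, 2, 9, 0)
CAMPAIGN_Q1: List[Outcome] = [
    _outcome(Q1, "u01", "finance", 0, True, None),
    _outcome(Q1, "u02", "finance", 0, False, 47),
    _outcome(Q1, "u03", "finance", 1, True, None),
    _outcome(Q1, "u04", "ops", 1, False, None),
    _outcome(Q1, "u05", "ops", 2, True, None),
    _outcome(Q1, "u06", "ops", 2, False, 12),
    _outcome(Q1, "u07", "hr", 3, True, None),
    _outcome(Q1, "u08", "hr", 3, False, None),
    _outcome(Q1, "u09", "hr", 4, False, None),
    _outcome(Q1, "u10", "it", 4, False, None),
]
Q2 = datetime(2026, 6, 1, 9, 0)
CAMPAIGN_Q2: List[Outcome] = [
    _outcome(Q2, "u01", "finance", 0, False, 9),
    _outcome(Q2, "u02", "finance", 0, False, 30),
    _outcome(Q2, "u03", "finance", 1, True, None),
    _outcome(Q2, "u04", "ops", 1, False, None),
    _outcome(Q2, "u05", "ops", 2, False, 5),
    _outcome(Q2, "u06", "ops", 2, False, 3),
    _outcome(Q2, "u07", "hr", 3, True, None),
    _outcome(Q2, "u08", "hr", 3, False, 20),
    _outcome(Q2, "u09", "hr", 4, False, None),
    _outcome(Q2, "u10", "it", 4, False, None),
]
# Base-training completion per user (constructed); u09 has not finished.
COMPLETED: Dict[str, bool] = {u: (u != "u09") for u in (o.user for o in CAMPAIGN_Q1)}


def campaign_metrics(outcomes: List[Outcome]) -> dict:
    """Click rate, report rate and minutes from campaign launch to the first report."""
    n = len(outcomes)
    launch = min(o.sent for o in outcomes)
    clicks = sum(1 for o in outcomes if o.clicked)
    reports = [o.reported_at for o in outcomes if o.reported_at is not None]
    ttfr = (min(reports) - launch).total_seconds() / 60 if reports else None
    return {"click_rate": clicks / n, "report_rate": len(reports) / n, "ttfr_minutes": ttfr}


def completion_by_department(outcomes: List[Outcome], completed: Dict[str, bool]) -> Dict[str, float]:
    """Completion rate per department only; individual names never leave this function."""
    totals: Dict[str, List[int]] = {}
    for o in outcomes:
        done, seen = totals.setdefault(o.department, [0, 0])
        totals[o.department] = [done + int(completed.get(o.user, False)), seen + 1]
    return {dept: done / seen for dept, (done, seen) in totals.items()}


def assess(completion_rate: float, earlier: dict, later: dict, min_delta: float = 0.02) -> str:
    """Apply the rule of thumb: falling clicks plus rising reports is success;
    high completion with flat behaviour is obligation without learning."""
    click_down = later["click_rate"] <= earlier["click_rate"] - min_delta
    report_up = later["report_rate"] >= earlier["report_rate"] + min_delta
    if click_down and report_up:
        return "success"
    if completion_rate >= 0.9 and not click_down and not report_up:
        return "completion_without_learning"
    return "inconclusive"


if __name__ == "__main__":
    m1, m2 = campaign_metrics(CAMPAIGN_Q1), campaign_metrics(CAMPAIGN_Q2)
    overall = sum(COMPLETED.values()) / len(COMPLETED)
    print("Q1:", m1)
    print("Q2:", m2)
    print("completion by department:", completion_by_department(CAMPAIGN_Q1, COMPLETED))
    print("verdict:", assess(overall, m1, m2))
```

The verdict function deliberately ignores individuals: it needs only aggregate rates, which is what the page recommends sharing. Swap the constructed campaigns for exports from your own simulation platform and the same three functions give you the audit evidence (completion) and the behaviour trend (clicks down, reports up, first report sooner) side by side.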
External source: European Commission - NIS2 Directive