
Government baseline security in Europe: meeting the awareness requirement step by step

Most European governments work to a national baseline for information security, and all of them require demonstrable awareness. This is how public bodies meet that requirement step by step, with training, repetition and audit-ready proof.


From insight to action

See how to turn this topic into a practical awareness program with training, phishing simulations and clear management reporting.

Founder & Security Awareness Specialist · 2LRN4

Across Europe, public bodies work to a national baseline for information security. The Netherlands has the BIO, Germany the BSI IT-Grundschutz, Spain the ENS, and France the RGS together with the PSSIE, the state's information-systems security policy. The names differ, but the foundation is the same: almost all of them build on ISO 27001/27002, and every one of them requires demonstrable security awareness. On top of that, the NIS2 directive raises the bar for the public sector across the whole EU. This article shows how to meet the awareness requirement step by step, whichever baseline applies to you.

What do these baselines ask for in terms of awareness?

Because most national baselines build on ISO 27002 (the awareness, education and training control is 6.3 in the 2022 edition and 7.2.2 in the 2013 edition), the awareness requirement is remarkably consistent. The core is that awareness is not a one-off action but a continuous process. A training session when someone joins is not enough; staff must stay up to date on the rules that apply to their work throughout their employment.

The requirement is also for appropriate training, meaning the content fits the employee's role and risks. An application administrator faces different risks than a front-desk officer, and the awareness should reflect that difference. Finally, every baseline asks for demonstrability: you must be able to show that the process exists and works.

Step 1: Define your audiences and their risks

Start with a short risk inventory per job group. What data does someone handle, which systems do they use, and what would go wrong in the event of a mistake? This need not be a large project; a few conversations per department already give a usable picture.

The result is an overview of audiences with the risks that matter to them. That overview drives the rest of your approach: it determines which topics you offer to whom, and it immediately forms the evidence that you have set up awareness on a risk basis.

Step 2: Set up training and repetition

Choose content that fits the audiences from step 1 and schedule it in a fixed rhythm. Short modules that recur regularly work better than one long annual session. Build awareness into onboarding too, so new staff are included from day one.

Do not forget contractors. The baselines name them explicitly where they have access to information or systems. Record how external parties are included, even when they are not in your own learning environment.

Step 3: Make it demonstrable

An auditor does not want to be told that you do something; they want to see it. So record systematically:

  • Participation: who completed which training and when, including new staff and external parties.
  • Content and frequency: the topics you cover and how often you repeat them.
  • Risk link: the rationale for why an audience receives certain topics.
  • Results: metrics such as the report rate in phishing simulations, so you can show improvement. Report rate is the more useful figure: a low click rate can simply mean the simulation was easy, while a rising share of staff who report the message shows the behaviour you actually want.

Step 4: Improve on what you measure

Demonstrability is not an end in itself. You use the figures you gather to steer. If reporting behaviour lags in a particular department, you know where extra attention is needed. Steer at department or audience level rather than per individual: simulation results per person are personal data, and naming individuals undermines the reporting culture you are trying to build.

That way the baseline requirement becomes an engine for real improvement rather than a tick-box exercise. You not only meet the standard, you demonstrably reduce risk, which is ultimately what the standard is for.
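As an added illustration of steps 3 and 4 (this is example code written for this article, not code from the page or from 2LRN4), the script below turns constructed training and phishing-simulation records into the kinds of evidence listed above: per-audience coverage against a recurrence interval, contractors included, and per-department report and click rates with a list of departments that need attention. The audience names, modules, recurrence intervals, records and the 50% report-rate threshold are all assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Person:
    pid: str
    department: str
    audience: str   # role-based audience from step 1
    external: bool  # contractor with access to information or systems


@dataclass(frozen=True)
class Completion:
    pid: str
    module: str
    completed_on: date


@dataclass(frozen=True)
class PhishResult:
    pid: str
    clicked: bool
    reported: bool


# Assumed curriculum from steps 1 and 2: audience -> (required modules, recurrence in days).
CURRICULUM = {
    "admin": (("phishing", "privileged-access"), 180),
    "frontdesk": (("phishing", "data-handling"), 365),
}

# Constructed sample records; not taken from any real organisation.
TODAY = date(2025, 6, 1)
PEOPLE = [
    Person("p1", "IT", "admin", external=False),
    Person("p2", "IT", "admin", external=True),       # contractor, same requirement
    Person("p3", "Services", "frontdesk", external=False),
    Person("p4", "Services", "frontdesk", external=False),
]
COMPLETIONS = [
    Completion("p1", "phishing", date(2025, 3, 1)),
    Completion("p1", "privileged-access", date(2024, 11, 1)),  # older than 180 days
    Completion("p2", "phishing", date(2025, 5, 15)),
    Completion("p3", "phishing", date(2024, 9, 1)),
    Completion("p3", "data-handling", date(2025, 1, 10)),
    Completion("p4", "phishing", date(2024, 2, 1)),            # older than 365 days
]
PHISH = [
    PhishResult("p1", clicked=False, reported=True),
    PhishResult("p2", clicked=True, reported=True),   # clicked, then reported
    PhishResult("p3", clicked=False, reported=False),
    PhishResult("p4", clicked=True, reported=False),
]


def coverage_report(people, completions, curriculum, today):
    """Per audience: required modules, how many are current, and who is overdue or missing."""
    latest = {}  # (pid, module) -> most recent completion date
    for c in completions:
        key = (c.pid, c.module)
        if key not in latest or c.completed_on > latest[key]:
            latest[key] = c.completed_on
    report = {}
    for p in people:
        modules, interval = curriculum[p.audience]
        stats = report.setdefault(
            p.audience, {"required": 0, "current": 0, "overdue": [], "missing": []})
        for m in modules:
            stats["required"] += 1
            done = latest.get((p.pid, m))
            if done is None:
                stats["missing"].append((p.pid, m))
            elif (today - done).days > interval:
                stats["overdue"].append((p.pid, m))  # continuous process: repetition lapsed
            else:
                stats["current"] += 1
    return report


def phishing_report(people, results):
    """Per department: report rate and click rate as a share of simulations delivered."""
    dept_of = {p.pid: p.department for p in people}
    counts = defaultdict(lambda: {"delivered": 0, "reported": 0, "clicked": 0})
    for r in results:
        c = counts[dept_of[r.pid]]
        c["delivered"] += 1
        c["reported"] += int(r.reported)
        c["clicked"] += int(r.clicked)
    return {d: {"delivered": c["delivered"],
                "report_rate": c["reported"] / c["delivered"],
                "click_rate": c["clicked"] / c["delivered"]}
            for d, c in counts.items()}


def lagging_departments(report, min_report_rate):
    """Departments whose report rate is below the threshold chosen for steering."""
    return sorted(d for d, m in report.items() if m["report_rate"] < min_report_rate)


if __name__ == "__main__":
    for audience, s in coverage_report(PEOPLE, COMPLETIONS, CURRICULUM, TODAY).items():
        print(audience, s)
    ph = phishing_report(PEOPLE, PHISH)
    print(ph)
    print("needs attention:", lagging_departments(ph, 0.5))
```

The coverage report is the evidence for participation, frequency and the risk link in one place, because it is keyed by the audiences from step 1 and judges recency against each audience's own interval; the phishing report is the result metric, aggregated per department so that no individual is singled out.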

FAQ

Which baseline applies to my organisation?

It depends on your country. The Netherlands uses the BIO, Germany the BSI IT-Grundschutz (on which Austria's Informationssicherheitshandbuch also draws), Spain the ENS (Esquema Nacional de Seguridad), and France the RGS and PSSIE. Most build on ISO 27001/27002, so the awareness approach is largely the same across them.

How does NIS2 relate to national baselines?

NIS2 is EU-wide legislation that often applies on top of an existing national baseline. It requires members of management bodies to follow cybersecurity training and to encourage regular training for employees (Article 20(2)), and lists cyber hygiene practices and cybersecurity training among the minimum risk-management measures (Article 21(2)(g)). The awareness expectations overlap strongly with the national baselines: risk-based, continuous and demonstrable. One well-designed awareness programme serves both your national baseline and NIS2.

How often should awareness training take place?

The baselines rarely prescribe a fixed frequency but require a continuous process. In practice, short, regularly recurring modules work better than one annual session. Build awareness into onboarding for new staff as well.

What does an auditor want to see?

Evidence that the process exists and works: participation records, the topics covered and their frequency, the link between audience and risk, and results such as the report rate in phishing simulations. The combination of these is your strongest evidence.

Do contractors fall under the requirement?

Yes, where they have access to information or systems. National baselines name external parties explicitly. Record how contractors are trained and kept up to date, even when they are not in your own learning environment.

Next step

Use this article as the foundation and then see how 2LRN4 turns this topic into audience segmentation, training and reporting.