Tracking who has completed training sounds like an Excel question, but under the Cbw, DORA and GDPR it has become a serious compliance requirement. Supervisors no longer ask only "do you have training?" but "show who completed what, and when". How do you set this up demonstrably without building an administrative swamp?
Why administration matters more than before
Until a few years ago a PowerPoint and a paper signature often sufficed for the auditor. Under the Cybersecurity Act (Cbw), DORA and Dutch DPA enforcement of GDPR, that is no longer true in 2026. At an incident, audit or sample check you must produce a substantiated overview within days: which employee, which module, which date, which outcome.
Demonstrable administration also weighs heavily on personal liability. Cbw article 24 ties board training to personal board liability: a board member who cannot show evidence of completed training can hardly defend against a claim of insufficient diligence after an incident.
At the same time, administration is not an end in itself. Recording everything while training no one scores well on paper and badly on behaviour. The art is light, automatic administration that does not disrupt work and is readily available at audit.
The minimum you must record
A workable minimum aligned with what supervisors ask:
- Who: employee, department, role. Sync with HR or Microsoft Entra ID so the list stays current automatically.
- What: module name, topic, content version. Versions matter because content gets refreshed; on audit you want to show which version someone took.
- When: start and completion date, possibly duration. DORA article 13 makes training frequency part of what must be demonstrated.
- Outcome: completed yes/no, quiz score, policy accepted (AUP, code).
- Behaviour metrics: for security training also phishing-simulation outcomes: click, report, time-to-first-report. Aggregated for board reporting, individual only for compliance evidence.
What not to do
Common pitfalls that make administration useless or harmful:
Sharing individual click behaviour with managers. Legally grey (GDPR purpose limitation, proportionality) and functionally disastrous. Reporting drops once employees know clicks reach management. Reporting culture is your main defence; do not undermine it for a report.
Policy acceptance via mailbox. An AUP acknowledgement disappearing into an Outlook folder is not audit evidence. Use a platform that records acceptance with date and version.
Evidence on a shared drive. PDF exports on SharePoint without version history age fast and are hard to search. A platform producing administration as a by-product avoids parallel bookkeeping.
Forgetting retention. GDPR forbids keeping data longer than needed. A 2018 training still retained at individual-score level may breach storage limitation in 2026. Set retention in policy and let the platform tidy up.
How to automate without extra work
Ideal: all administration arises as a by-product of the programme itself, with no manual entry.
Connection with HR or Microsoft Entra ID. New joiners automatically receive base training; leavers are automatically marked inactive (their data remains available for audit within the retention period). This prevents forgotten staff and manual updates.
One platform for training, simulations, policy acceptance and reporting. With everything in one system reporting is consistent and you supply one export at audit. Separate systems require manual merging, which eventually stops happening.
Automatic dashboard for management. Completion per department, open deadlines, board training status under Cbw article 24. Monthly visibility makes follow-up simple.
What a supervisor can specifically ask
Examples of questions you must answer at audit or after an incident:
- Who completed base phishing training in the past year, and which version?
- Which board members completed Cbw board training, with date?
- Which departments received role-based deep-dives last quarter?
- What is the phishing-simulation report rate over the past twelve months?
- Who has accepted the updated Acceptable Use Policy?
- What measures were taken for a department with strikingly low scores?
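The record structure from "The minimum you must record" and the supervisor questions above can be demonstrated in a few tables and queries. The following is an added example, not 2LRN4's platform code: a minimal SQLite store with constructed sample data that records who, what (with content version), when and outcome, answers several of the audit questions directly, reports simulation metrics only at department level, marks leavers inactive from an HR feed, and purges individual-level records once a retention period has passed. Table and column names, module names, departments and the seven-year retention default are assumptions for illustration.

```python
"""Training-administration store with audit queries (added example, not 2LRN4's code)."""
import sqlite3
from datetime import date, timedelta

SCHEMA = """
CREATE TABLE employee (id TEXT PRIMARY KEY, name TEXT, department TEXT, role TEXT,
                       active INTEGER NOT NULL DEFAULT 1, left_on TEXT);
CREATE TABLE completion (employee_id TEXT, module TEXT, version TEXT,
                         started_on TEXT, completed_on TEXT, score INTEGER);
CREATE TABLE policy_acceptance (employee_id TEXT, policy TEXT, version TEXT, accepted_on TEXT);
CREATE TABLE simulation (employee_id TEXT, campaign TEXT, sent_on TEXT,
                         clicked_on TEXT, reported_on TEXT);
"""

def open_store():
    conn = sqlite3.connect(":memory:")  # in-memory for the example; a file in practice
    conn.executescript(SCHEMA)
    return conn

def load_sample(conn):
    # Constructed sample data: four staff, two content versions of the phishing module.
    conn.executemany("INSERT INTO employee VALUES (?,?,?,?,1,NULL)", [
        ("e1", "A. Jansen", "Finance", "board"), ("e2", "B. de Vries", "Finance", "staff"),
        ("e3", "C. Bakker", "IT", "staff"), ("e4", "D. Visser", "HR", "board")])
    conn.executemany("INSERT INTO completion VALUES (?,?,?,?,?,?)", [
        ("e1", "Phishing basics", "2025.1", "2025-02-01", "2025-02-03", 90),
        ("e2", "Phishing basics", "2025.2", "2025-09-10", "2025-09-10", 80),
        ("e3", "Phishing basics", "2024.2", "2024-03-01", "2024-03-02", 70),  # older than a year
        ("e1", "Cbw board training", "2025.1", "2025-05-01", "2025-05-01", None)])
    conn.executemany("INSERT INTO policy_acceptance VALUES (?,?,?,?)", [
        ("e1", "AUP", "3.0", "2025-06-01"), ("e2", "AUP", "2.0", "2024-06-01")])
    conn.executemany("INSERT INTO simulation VALUES (?,?,?,?,?)", [
        ("e2", "Q3", "2025-08-01", "2025-08-01", None),   # clicked
        ("e3", "Q3", "2025-08-01", None, "2025-08-01"),   # reported
        ("e4", "Q3", "2025-08-01", None, None)])          # ignored the mail
    conn.commit()

def completed_in_last_year(conn, module, as_of):
    """Who completed `module` in the year before `as_of` (ISO date), and which version."""
    since = (date.fromisoformat(as_of) - timedelta(days=365)).isoformat()
    return conn.execute(
        "SELECT e.name, c.version, c.completed_on FROM completion c "
        "JOIN employee e ON e.id = c.employee_id "
        "WHERE c.module = ? AND c.completed_on >= ? ORDER BY e.name", (module, since)).fetchall()

def board_training_status(conn, module="Cbw board training"):
    """Every active board member with the date of board training, or None if missing."""
    return conn.execute(
        "SELECT e.name, MAX(c.completed_on) FROM employee e "
        "LEFT JOIN completion c ON c.employee_id = e.id AND c.module = ? "
        "WHERE e.role = 'board' AND e.active = 1 GROUP BY e.id ORDER BY e.name", (module,)).fetchall()

def policy_not_accepted(conn, policy, version):
    """Active staff who have not accepted this exact version of the policy."""
    rows = conn.execute(
        "SELECT e.name FROM employee e WHERE e.active = 1 AND NOT EXISTS ("
        "SELECT 1 FROM policy_acceptance p WHERE p.employee_id = e.id "
        "AND p.policy = ? AND p.version = ?) ORDER BY e.name", (policy, version))
    return [r[0] for r in rows]

def report_rate_by_department(conn, since):
    """Aggregated simulation metrics per department; individual click data never leaves here."""
    rows = conn.execute(
        "SELECT e.department, COUNT(*), SUM(s.reported_on IS NOT NULL), "
        "SUM(s.clicked_on IS NOT NULL) FROM simulation s "
        "JOIN employee e ON e.id = s.employee_id WHERE s.sent_on >= ? GROUP BY e.department", (since,))
    return {dept: {"sent": n, "report_rate": rep / n, "click_rate": clk / n}
            for dept, n, rep, clk in rows}

def sync_from_hr(conn, hr_active_ids, today):
    """Mark staff missing from the HR feed inactive; their records stay for audit."""
    active = [r[0] for r in conn.execute("SELECT id FROM employee WHERE active = 1").fetchall()]
    for emp_id in active:
        if emp_id not in hr_active_ids:
            conn.execute("UPDATE employee SET active = 0, left_on = ? WHERE id = ?", (today, emp_id))
    conn.commit()

def apply_retention(conn, today, years=7):
    """Delete individual-level records of leavers whose retention period has passed."""
    cutoff = (date.fromisoformat(today) - timedelta(days=365 * years)).isoformat()
    expired = [(r[0],) for r in conn.execute(
        "SELECT id FROM employee WHERE active = 0 AND left_on <= ?", (cutoff,)).fetchall()]
    for table in ("completion", "policy_acceptance", "simulation"):
        conn.executemany(f"DELETE FROM {table} WHERE employee_id = ?", expired)
    conn.executemany("DELETE FROM employee WHERE id = ?", expired)
    conn.commit()
    return len(expired)

if __name__ == "__main__":
    db = open_store(); load_sample(db)
    print(completed_in_last_year(db, "Phishing basics", "2026-01-15"))
    print(board_training_status(db))
    print(report_rate_by_department(db, "2025-07-01"))
```

The design mirrors the pitfalls section: `report_rate_by_department` is the only path that exposes simulation data, and it returns aggregates, so the per-person click rows cannot reach a management report by accident; `sync_from_hr` flags leavers rather than deleting them, and `apply_retention` is the one place where individual records disappear, driven by a policy-set period.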
How to anchor this in an awareness programme
Treat administration as integral to the programme, not as final reporting.
One platform delivering training, simulations, policy acceptance and reporting, connected to HR or identity. Avoid separate tracks you have to merge yourself.
Quarterly reporting to the board. Completion per department, board training status, behaviour metrics from simulations. Not to grade individuals but to steer structurally.
Annual audit-readiness check. Pull the audit-style report yourself once a year and verify completeness. A gap found in March can be closed over the rest of the year; a gap found at audit is a finding.
Document exceptions too. Who got an exemption why, who completed a training late and why, which staff were absent during the campaign. Without that context, blanks look more problematic than they are.
See how 2LRN4 turns this topic into a workable programme with training, phishing simulation and management reporting.
FAQ
What is the minimum to record?
Who (employee, department, role), what (module, version), when (dates), outcome (completion, score, policy acceptance), and for security training behaviour metrics from phishing simulations. Version and date are crucial.
May I share individual click results with managers?
No. Under GDPR it is doubtful (purpose limitation, proportionality) and functionally counterproductive: reporting drops once employees know clicks reach management. Aggregated department-level numbers work.
How long to retain training evidence?
There is no Cbw-specific retention period, but training evidence falls within GDPR personnel-record retention (usually five to seven years after exit). Set retention in policy and let the platform tidy up.
What about leavers?
Mark inactive in the platform; data stays available within retention for audit. Do not delete immediately, since past-incident reconstruction may need it.
How do I automate this?
Connect the platform to HR or Microsoft Entra ID so joiners appear automatically and leavers are flagged. One platform for training, simulations and policy avoids manual merging.
What if I am still on Excel?
Under Cbw and DORA this is no longer acceptable for mid-sized and larger organisations. Excel lacks version history, HR integration and automatic reporting. A good platform pays back within one audit cycle.
What does a Cbw audit specifically ask?
Completion per employee and module, board training status (Cbw article 24), behaviour metrics from simulations, policy acceptances (AUP, code), and content version history. A good platform delivers this as one export.
External source: European Commission - NIS2 Directive