NIS2 Readiness Check

How NIS2-ready is your organization?

8 questions, 2 minutes. Get instant insight into your security awareness program's readiness for NIS2 compliance.

1/8
Does your organization have a designated owner of the security awareness program at board level?
NIS2 art. 20 — board-level accountability
2/8
Do all in-scope employees receive at least one security awareness training per year?
NIS2 art. 21 — periodic training for all staff
3/8
Does your organization run regular phishing simulations as part of risk management?
NIS2 art. 21(f) — behavioral risk measure
4/8
Can you export participation rates and behavioral results (click rate, report rate) for management or auditors?
Audit evidence — exportable reporting
5/8
Have board members demonstrably completed cybersecurity training?
NIS2 art. 20 — board training is explicitly required
6/8
Is training differentiated by role, department or risk group?
Segmentation improves effectiveness and demonstrability
7/8
Do you have a documented annual plan for awareness activities with set themes and scheduled dates?
Program structure vs. one-off actions
8/8
Are awareness results and KPIs periodically reviewed by management or the board?
Governance linkage — evidence of active steering