NIS2 awareness checklist — what must be demonstrable?
NIS2 requires in-scope organizations not only to run security awareness activities but also to be able to demonstrate them. This checklist helps you assess whether your program meets the requirements of Articles 20 and 21 and is ready for a supervisory audit or for management reporting.
This checklist is based on NIS2 Directive (EU) 2022/2555, Article 20 (governance: management training and accountability) and Article 21 (cybersecurity risk-management measures, including cyber hygiene and training). The directive itself sets no training frequencies or reporting cadences; the numbers in this checklist are recommended baselines, not legal minimums. Use it as an internal assessment tool, not legal advice.
A. Board-level responsibility (art. 20)
- The board is demonstrably aware of NIS2 awareness obligations.
- Board members have completed, or are enrolled in, cybersecurity training, as Article 20(2) requires of members of management bodies.
- Ownership of the awareness program is assigned to a named board member.
- Board reporting on awareness is produced on a fixed cadence (this checklist assumes quarterly) and retained as evidence.
- The organization can show that management approves the cybersecurity risk-management measures and oversees their implementation (Article 20(1)), rather than delegating them entirely.
B. Employee training and awareness (art. 21(2)(g))
- All in-scope employees complete at least one security awareness training per year (the checklist's baseline; the directive only says "on a regular basis").
- Trainings cover NIS2-relevant themes: phishing, ransomware, access control, incident reporting, and supply-chain/third-party risk.
- Completion is traceable per employee and per department and can be exported.
- Onboarding includes a security awareness component for new employees, completed before or shortly after access is granted.
- Training is demonstrably differentiated by role or risk group (for example administrators, finance, executives), not identical for everyone.
- Awareness is delivered on a recurring schedule, not as a one-off: Article 20(2) expects training to be offered on a regular basis.
C. Phishing simulation as an effectiveness check on risk-management measures (art. 21(2)(f))
- The organization runs phishing simulations as a documented procedure for assessing the effectiveness of its risk-management measures, not as an ad hoc exercise.
- Results are tracked with fixed definitions: click rate, report rate (ideally also time to first report) and whether behavior changes in later rounds.
- Employees who click are guided, not penalized (blame-free culture); a punitive approach depresses reporting, which is the metric you most want to rise.
- Each simulation is followed up with targeted training or an explanation of the lure that was used.
- A minimum simulation frequency of 4 to 6 rounds per year is maintained (the checklist's baseline, not a directive requirement).
D. Reporting and audit evidence
- Reports can be produced by period, department, legal entity or audience.
- Overviews of participation, progress and behavioral change over time can be exported.
- The program has a documented annual plan with themes and scheduled dates.
- KPIs for awareness are defined (completion rate, click rate, report rate) with denominators fixed in advance, so figures are comparable across periods and departments.
- Audit evidence (completion records, simulation results, board reports) is retained and can be produced for competent authorities, external auditors or internal assessments.
E. Process integration
- User management is synchronized with the HR system or the directory (for example Active Directory); no manually maintained lists.
- Employee exits automatically revoke licenses and block access to the platform.
- Awareness themes are reinforced through recurring internal communication (newsletter, intranet, a short video from a leader).
- The program is reviewed for effectiveness and adjusted at least annually.
- There is an escalation path when an audience lags on completion or behavior (for example reminders, then notification of the manager).
What next?
Want to see how 2LRN4 supports every step on this checklist? Book a demo and we will walk through it based on your organization's situation.