Security awareness for education — every framework, one platform

Dutch education has different compliance frameworks depending on the education type. The entire higher education sector — both polytechnics (HBO) and research universities — falls under the Dutch Cybersecurity Act (Cbw, the NL implementation of NIS2). Vocational education (MBO) follows the Information Security Framework managed by saMBO-ICT and MBO Digitaal. Primary/secondary (PO, VO, SO) uses the Kennisnet/SIVON IBP-FO framework. 2LRN4 delivers a security awareness programme that provides the right audit evidence per education sector.

For research universities and polytechnics (both fall under the Dutch Cybersecurity Act), vocational education (saMBO-ICT framework) and primary/secondary schools (Kennisnet IBP-FO).

  • HBO + WO: Cbw
  • MBO: saMBO-ICT
  • Primary/secondary: IBP-FO
  • Cbw art. 21 + 24

2LRN4 helps organizations turn this topic into an approach that supports employees, management and compliance at the same time.

Where organizations usually get stuck

Standalone training, isolated phishing tests and fragmented reporting make improvement difficult. This page shows how 2LRN4 brings that together in one workable approach.

Security awareness in education — per education sector
  • Universities (WO): Dutch Cybersecurity Act — all research universities fall under the Cbw as essential entities — articles 21 (organisational measures) and 24 (board training) mandatory
  • Polytechnics (HBO): Dutch Cybersecurity Act — all polytechnics fall under the Cbw as important entities — duty of care and board training apply to executive and supervisory boards
  • MBO: vocational education framework — managed by saMBO-ICT and MBO Digitaal; annual benchmark on maturity and awareness
  • Primary/secondary: IBP-FO framework — Kennisnet/SIVON framework for primary, secondary and special education; mandatory for all schools
  • GDPR for all education types — pupil/student data requires extra care (special-category data for under-16s)
  • Board training under the Cbw — mandatory for the entire higher education sector (HBO + WO) under Cbw / NIS2 article 24

Education type determines the applicable framework

Dutch education has three main segments, each with its own information-security regime. The framework that applies depends on the education type.

The entire higher education sector — both polytechnics (HBO) and research universities (WO) — falls under the Dutch Cybersecurity Act (Cbw, the Dutch implementation of the NIS2 directive). It is a national law directly binding on institutions, with a duty of care for network and information systems (article 21) and a separate board training obligation for executive and supervisory boards (article 24).

MBO institutions work with the MBO Information Security Framework, managed by saMBO-ICT and MBO Digitaal. This framework benchmarks all MBO institutions annually on maturity and awareness, and is a sector-specific translation of ISO 27001/27002. MBO institutions that also offer higher-education programmes or conduct substantial research may additionally fall under the Cbw.

Primary, secondary and special education (PO, VO, SO) use the IBP-FO framework, managed by Kennisnet and SIVON. It is mandatory for all PO, VO and SO schools and is materially different from the MBO IBP framework — confusion between these "IBPs" is common.

Higher education (HBO and WO): Dutch Cybersecurity Act

The entire higher education sector falls under the Cbw. Universities are designated as essential entities, polytechnics as important entities. For awareness purposes the regime difference is small: both must demonstrably comply with the duty of care (Cbw / NIS2 article 21) and the board training obligation (Cbw / NIS2 article 24).

The duty of care under article 21 requires structured awareness and cyber hygiene as an organisational measure. Article 24 requires board members (executive and supervisory boards) to demonstrably complete cybersecurity training — they can be held personally liable for culpable negligence.

2LRN4 delivers evidence per board member and per employee that is directly usable for Cbw supervision. The platform integrates via SURFconext for SSO and aligns with the SURFaudit maturity assessment — so you use one platform both for Cbw evidence and for the broader SURF maturity assessment for higher education.

Vocational education: MBO IB framework

MBO institutions use their own framework, the MBO Information Security Framework managed by saMBO-ICT and MBO Digitaal. This sector-specific framework includes requirements for awareness, periodic training and board responsibility. MBO institutions are compared annually via the MBO IBP benchmark.

2LRN4 provides an MBO track aligned with the structure of colleges and the audiences within an MBO institution: teachers, instructors, internship coordinators, support staff and executive boards. Reporting is directly exportable for the MBO IBP benchmark.

MBO institutions that also offer higher-education programmes or conduct substantial research may additionally fall under the Cbw — have this assessed per institution, and use 2LRN4 multi-tenant reporting to manage both frameworks in parallel.

Primary/secondary education (PO/VO/SO): IBP-FO

For primary, secondary and special education the IBP-FO framework applies, drafted by Kennisnet and SIVON. It is mandatory for all PO, VO and SO schools. Awareness is required at the level of school boards, school leaders, teachers and support — comparable to BIO but more concise and specifically aimed at pupil data.

In primary/secondary education, "pupil" is a separate category of personal data (special-category data for under-16s). 2LRN4 provides content for school staff with scenarios around parent/guardian impersonation, pupil administration fraud and breaches in pupil tracking systems.

One platform, three reporting profiles

In practice many education groups work across multiple sectors at once. A regional vocational college may combine adult VO and MBO; a polytechnic may also offer MBO programmes. 2LRN4 supports multi-tenant reporting so that one institution generates the right framework (Cbw, MBO IB or IBP-FO) and the right audit reporting per business unit — without duplicate administration.

How this solution fits into a broader awareness program

Most organizations do not solve this topic with one isolated action. They need a combination of clear content, targeted follow-up, segmentation and reporting that can also be explained internally.

That is why 2LRN4 connects this solution to the wider platform, the knowledge base and management reporting. It keeps this from being an isolated page and turns it into part of a structural approach.

Implementation, adoption and management reporting

A strong solution only becomes valuable when teams can actually operate it. That is why 2LRN4 focuses not only on content or simulation, but also on setup, segmentation, reporting and adoption. That makes awareness easier to scale without turning administration into a job of its own.

For management, explainability matters most. Which teams improve? Which themes need more attention? How does this support audit or NIS2 goals? That is why this page is written for both the user and the decision-maker.

Why organizations choose this approach
  • Fast first step: demo with relevant use cases
  • Less fragmentation: training, phishing and reporting together
  • Easier to explain: insight by audience and theme

This approach helps organizations move faster from isolated activities to a program that supports employees and gives management useful steering insight.

Why this solution stays scalable

Many awareness initiatives start well and then lose momentum because management becomes fragmented. Audiences change, content must be updated and reporting requires more manual work than expected. A scalable approach therefore requires not only strong content, but also a platform that evolves with growth and changing risk.

2LRN4 supports that scalability by bringing training, phishing simulation, reporting and internal content together. That means this page does not stop at a promise; it points to a solution that is also operationally sustainable.

FAQ

Which framework applies to my education institution?

Higher education (both HBO and WO): the Dutch Cybersecurity Act (Cbw, the NL implementation of NIS2). Research universities are designated as essential entities, polytechnics as important entities — both fall fully under the Cbw. MBO: the MBO Information Security Framework by saMBO-ICT and MBO Digitaal. Primary/secondary (PO, VO, SO): the Kennisnet/SIVON IBP-FO framework.

Do polytechnics also fall under the Cbw?

Yes. Polytechnics are designated under the Cbw as important entities — no longer only via the old SURF framework but as a statutory regime. That means duty of care (art. 21) and a board training obligation for executive and supervisory boards (art. 24), with personal liability for board members.

Do research universities also fall under the Cbw?

Yes. Research universities are designated as essential entities under the Cbw. In addition to the duty of care and board training, essential entities face an active supervisory regime — regulators may audit unannounced and impose fines for non-compliance.

Is "IBP" the same for all education sectors?

No, this is a common misconception. "IBP" stands for Information Security and Privacy, but primary/secondary uses the IBP-FO framework (Kennisnet/SIVON) and MBO has its own MBO IBP framework (saMBO-ICT). For higher education, "IBP" is no longer a separate framework — there the Cbw applies as a statutory regime, with the SURF maturity assessment as operational implementation.

How does the platform align with the MBO framework and benchmark?

The platform maps awareness participation, phishing results and board training onto the MBO IB framework control categories. Reporting is exportable in the format used by saMBO-ICT and MBO Digitaal for the annual MBO IBP benchmark.

Is the platform suitable for primary/secondary schools?

Yes. For primary/secondary an adapted track is available aimed at school staff: teachers, school leaders, support and the board. Scenarios are tailored to the school context (parent impersonation, pupil tracking system, school administration). Compliance is aligned with the Kennisnet/SIVON IBP-FO framework.

How do we handle students and pupils as audience?

Students and pupils are not employees and do not fall under the awareness requirements for staff within the frameworks. The platform focuses on staff (teachers, researchers, support, board). For student onboarding awareness or pupil education a separate light version is available.

Does the platform work with SURFconext and federated identity?

Yes. The platform integrates via SAML 2.0 with SURFconext for SSO at higher-education institutions. For MBO and primary/secondary, direct integrations with Microsoft Entra/AD, Google Workspace and the Kennisnet Federation are also available.

Can we manage multiple education sectors in one platform?

Yes. Education groups spanning multiple sectors (e.g. primary + secondary, or adult VO + MBO, or HBO + MBO) use multi-tenant reporting. Each business unit gets the right framework, content and audit reporting, all managed from one platform.

Book a demo

Want to see how 2LRN4 turns this topic into training, phishing, reporting and a workable program? Book a demo and we will show the most relevant use cases right away.

Trust

In a demo, we show how this solution fits your audiences, risks and reporting needs.