NIS2 Directive: EU Phishing Training Requirements
The NIS2 Directive (Directive (EU) 2022/2555) replaced the original NIS Directive and was required to be transposed into national law across EU member states by October 2024. By 2026, member-state competent authorities are actively enforcing Article 21 cybersecurity risk-management measures and Article 20 management-body obligations. For organizations classified as essential or important entities, the practical compliance question is the same one most regulations now demand: how do you produce evidence that your phishing training program is real, current and reaching the right people?
This post covers what NIS2 actually requires for phishing training, what national competent authorities are looking for in early enforcement and how to design a program that satisfies both the rank-and-file employee training obligation under Article 21 and the management-body training mandate under Article 20.
Why NIS2 specifically calls out cybersecurity training
NIS1 focused on operators of essential services and digital service providers, with relatively light awareness obligations. NIS2 widened the in-scope sectors substantially and added Article 21(2), which lists ten categories of mandatory measures, including:
- Risk analysis and information system security policies.
- Incident handling.
- Business continuity and crisis management.
- Supply chain security.
- Security in network and information systems acquisition, development and maintenance.
- Policies and procedures to assess the effectiveness of measures.
- Basic cyber hygiene practices and cybersecurity training.
- Policies on cryptography and encryption.
- Human resources security and access control.
- Multi-factor authentication and secured communications.
The seventh measure is the training mandate. ENISA's guidance on basic cyber hygiene treats phishing recognition as a core element, and several national competent authorities - including BSI in Germany, ANSSI in France and the NCSC in the Netherlands - have published guidance pointing toward continuous, measurable phishing simulation as the practical evidence of compliance.
Article 20: the management-body training obligation
The most consequential change from NIS1 is Article 20, which requires that members of management bodies of essential and important entities follow training to gain sufficient knowledge and skills to identify cybersecurity risks and assess cybersecurity risk-management practices. Management bodies must also offer similar training to employees on a regular basis.
Three operational consequences:
- The board and executive team must complete documented cybersecurity training. This is not delegable.
- Management is obliged to offer training to employees regularly - meaning the program must be in place and operational, not aspirational.
- Article 32 enables member states to hold management personally accountable for non-compliance, including potentially temporary prohibitions from holding management functions in cases of repeated non-compliance.
Phishing simulation is the natural evidence form for both the board's own training and the program offered to employees. Targeted higher-difficulty campaigns aimed at executive accounts (whaling-tier templates) demonstrate management is participating, not exempted.
What competent authorities expect to see
Early enforcement actions and published guidance from member-state authorities point to a recognizable evidence set:
- Documented cybersecurity training program with stated frequency and content scope.
- Records of management-body training completion with dates and content references.
- Records of employee training, broken out by role and including third-party staff covered by Article 21(2)(d) supply-chain measures.
- Phishing simulation campaign reports demonstrating the program is operational, not just documented.
- Evidence the program is reviewed and updated - Article 21(2)(f) requires policies to assess the effectiveness of measures.
- Incident reporting evidence demonstrating personnel know how to report suspicious activity.
The 24/72-hour reporting clock
NIS2 Article 23 requires significant incidents to be reported in stages: an early warning to the CSIRT or competent authority within 24 hours, an incident notification within 72 hours and a final report within one month. Phishing-led incidents are routinely the cause of significant incidents under the directive, and the speed at which the workforce reports suspicious activity directly affects whether the 24-hour clock can be met.
Continuous phishing simulation builds the muscle memory for fast reporting. A workforce trained with a one-click reporting button - including an Outlook add-in for Microsoft 365 environments - typically detects malicious activity in hours rather than days, which is decisive for the 24-hour early-warning obligation.
Multi-language coverage across the EU workforce
NIS2 entities frequently operate workforces speaking multiple languages. ENISA guidance and several national authorities expect awareness materials and simulations to be delivered in the languages personnel actually use. Multi-language training delivery is now a practical requirement for organizations operating in multiple member states, and translated phishing simulations produce more realistic engagement data because the lures match the linguistic context personnel encounter.
Multi-channel coverage: SMS phishing and voice phishing
Phishing in 2026 is multi-channel. Threat reports from ENISA and major commercial vendors confirm that smishing and vishing volumes have grown significantly, particularly targeting personnel of essential entities in healthcare, energy and financial services. NIS2 Article 21 measures must address the actual threat landscape, which means email-only simulation programs increasingly fall short.
Adding SMS phishing and voice phishing campaigns alongside email simulations is becoming the expected baseline for essential-entity programs. The same platform that runs your email campaigns should run smishing and vishing scenarios so the evidence consolidates into a single report.
Sector-specific intensification
Several sectors face additional pressure under NIS2:
- Banking and financial market infrastructures. The Digital Operational Resilience Act (DORA) overlays NIS2 with detailed ICT-risk requirements including awareness training.
- Healthcare. National guidance frequently references additional patient-data sensitivity and tighter incident reporting expectations.
- Energy. Sector-specific competent authorities have issued additional guidance on operator personnel awareness.
- Digital infrastructure. Cloud, data center and content-delivery providers face customer-driven evidence requests beyond the regulatory minimum.
Supply-chain awareness obligations under Article 21(2)(d)
Article 21(2)(d) explicitly extends cybersecurity risk-management measures to supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers. In practice this has produced a cascading awareness obligation: essential and important entities are increasingly requiring their suppliers to evidence phishing training programs as part of vendor assurance.
Two practical implications:
- If you are an in-scope entity, your vendor risk management process should include a question on the vendor's phishing program - frequency, channels, evidence format. Several national competent authorities have issued guidance pointing in this direction.
- If you are a supplier to in-scope entities, having a clean phishing-program evidence package ready to share under NDA is now a sales-cycle accelerant. Vendors that cannot evidence a continuous program lose contracts at renewal.
Documentation retention for competent-authority requests
NIS2 does not specify a single retention period for cybersecurity records, but member-state implementations and supervisory practice typically expect:
- Active program records (campaign logs, training completion, policy versions) retained for the longer of three years or any sector-specific retention obligation.
- Significant-incident records retained for at least the period required by the national breach-notification regime.
- Management-body training records retained for the duration of each member's tenure plus the relevant statutory period.
Records reconstructed retroactively after an inquiry are visibly different from records maintained in real time. The audit-ready position is to maintain documentation as a normal operating practice - quarterly export, version-controlled policy, dated training-completion records - rather than scrambling when a competent authority requests information.
The clean NIS2 program
The pattern that produces clean evidence under NIS2 - and supports the parallel evidence sets needed for ISO 27001, GDPR Article 32 and DORA where applicable - looks like this:
- Annual structured cybersecurity training for all personnel, with role-differentiated content.
- Dedicated management-body training meeting Article 20 obligations, with documented completion records for board and executive participants.
- Monthly or quarterly phishing simulations across email, SMS phishing and voice phishing.
- Three difficulty tiers (easy, regular, hard) with higher-difficulty templates aimed at high-value roles.
- Auto-assigned remediation training for users who fall for simulations.
- Multi-language delivery across the workforce.
- Quarterly written program report retained for inspection by competent authorities.
- Inclusion of relevant supply-chain personnel where the contract puts them within scope.
Bait & Phish has been running phishing simulation programs for organizations across the EU since 2010 and supports this design out of the box, including multi-language template libraries and exportable reports formatted for member-state authority requests. If your organization is preparing for a NIS2 inspection or a customer-driven supply-chain assessment, the team can walk through evidence packaging; start via the contact page. For a hands-on capability test, the free trial covers up to 25 users with no credit card required, and pricing for production deployments is on the pricing page.
Many essential entities also field cyber insurance underwriting questions that overlap heavily with NIS2 evidence; our companion guide on what cyber insurers ask about phishing training covers the parallel evidence set most carriers now expect.
See also: Phishing training compliance comparison across SOC 2, HIPAA, PCI DSS, NIST CSF, ISO 27001, GDPR and NIS2 - side-by-side table of clauses, expected cadence and audit posture.
This post is informational and not a substitute for legal advice. NIS2 implementation varies by member state; consult qualified counsel for guidance on your specific national transposition.