Security Awareness Training Platform
Awareness Training
GDPR
ISO27001
NIS2
AI Act
CIS18
NIST-CSF
Serious training. Seriously simple.
- Become compliant with the GDPR, NIS2, and more.
- Certificates, documentation, and compliance.
- 60+ high-quality micro-lessons.
GDPR Compliance
GDPR Awareness Training Requirements
- The controller must implement appropriate organisational measures, e.g. awareness training, to ensure and to demonstrate that processing of personal data is performed in compliance with the GDPR.
- Employees must be able to identify when and how they should process personal data in their job.
Quick Facts on the GDPR
GDPR is the most extensive business regulation to come out of the EU in many years.
Businesses must learn how to handle the GDPR efficiently and competently to secure compliance without compromising day-to-day business activities.
What is personal data?
Personal data is any data that can identify a person.
Examples:
• An email can be used to identify a person.
• A telephone number can be used to identify a person.
• An address can be used to identify a person.
• An IP address can be used to identify a person.
• The national ID number can be used to identify a person.
• The passport number can be used to identify a person.
• A credit card number can be used to identify a person.
Data that adds to what we know about a person is personal data:
• Hobbies
• Interests
• Consumption
• Behavioral patterns
• Accent
• Physical characteristics
Most data processed by companies could be considered personal data.
Who is GDPR for?
The GDPR applies to all companies, organisations, and institutions in the EU.
The GDPR also applies to any company, organisation or institution which offers goods or services to any person in the EU. This applies whether payment is involved or not.
Example: Any webshop or service selling to the EU market, whether this business is based in the US or Australia will need to comply with the GDPR.
GDPR for non-EU companies?
The GDPR applies to the processing of personal data by controllers not established in the EU if they process personal data of data subjects based in the EU.
Principles of processing personal data
The GDPR requires every data controller to follow the principles stated in article 5 of the GDPR.
Lawfulness, fairness, and transparency — You shall process personal data lawfully, fairly and so that the processing is transparent to the data subject.
Purpose limitation — You shall only collect personal data for specified, explicit, and legitimate purposes.
Data minimisation — You shall only process personal data that are adequate, relevant and limited to what is necessary.
Accuracy — The processing of personal data shall be accurate and up to date.
Storage limitation — Personal data should be deleted or anonymised when no longer needed for the original purpose.
Integrity and confidentiality — Personal data shall be processed securely to protect against unauthorised or unlawful processing.
Accountability — As a data controller, you shall be responsible for complying with these principles and be able to document this compliance.
What is a data controller?
A data controller is a business that determines the purposes and means of processing personal data.
This is an essential concept to understand as it determines your obligations concerning the GDPR.
What is a data processor?
A data processor is a business that processes personal data on behalf of the data controller.
This is an essential concept to understand as it determines your obligations concerning the GDPR.
A processor always needs to enter into a data processing agreement with the controller, according to article 28 in the GDPR.
Do I need a privacy policy?
When you collect personal data from the data subject (person), you must provide the person with information about why and how you will process this data. These requirements are written in articles 13-14 of the GDPR.
In practice, you could provide this information in a privacy policy that should be accessible to the person when collecting personal data.
How do I become GDPR-compliant?
A primary requirement in the GDPR is to maintain a record of processing activities under your responsibility (article 30).
You will also need to provide this information to your data subjects in a privacy policy (article 13+14).
You will need to process data according to the principles of this regulation (article 5).
You will need to enter data processing agreements with all data processors you have contracted to process data on your behalf (article 28).
You will need to do risk assessments of your processing activities and, based on these, implement appropriate organisational and technical measures to ensure that personal data is treated securely.
These requirements are just some of the many requirements of the GDPR.
NIS2 Compliance
NIS2 Awareness Training Requirements
- A fundamental requirement of the NIS2 is to make sure that all employees have knowledge of best cybersecurity practices and receive proper cybersecurity training.
- Your organisation's management must approve the risk management and cybersecurity measures implemented to comply with the NIS2, and therefore has a central role in cybersecurity governance.
What is NIS2?
NIS2 is the second version of the EU's Network and Information Security directive. It's a law that sets rules for how organisations in key sectors must protect their digital systems and data. It aims to improve cybersecurity across the EU by making sure 'essential' and 'important' services – like energy, transport, healthcare, banking, and digital services – take clear steps to prevent cyber incidents, detect them quickly, and recover from them effectively.
Who does NIS2 apply to?
NIS2 applies to medium and large companies in 'essential' and 'important' sectors, basically what is characterized as critical infrastructure.
It also applies to some smaller organisations if they provide critical services or are part of the supply chain for the previously mentioned sectors. If your organisation is in energy, healthcare, digital infrastructure, water, banking, or many more similar sectors, you're likely in scope.
What are the minimum requirements under NIS2?
The minimum requirements of the NIS2 are the following:
• Policies on risk analysis and information system security.
• Incident handling procedures.
• Business continuity planning, including backup management, disaster recovery, and crisis management.
• Supply chain security, covering relationships with direct suppliers and service providers.
• Security in network and information systems acquisition, development, and maintenance, including vulnerability handling and disclosure.
• Policies and procedures to assess the effectiveness of cybersecurity risk management.
• Basic cyber hygiene practices and regular cybersecurity training.
• Policies and procedures for the use of cryptography and encryption.
• Human resources security, access control policies, and asset management.
• Use of secure authentication and communication tools, such as multi-factor or continuous authentication, and secured voice, video, and text communication.
Risk management, leadership and incident reporting
Risk Management Measures — All organisations must take a structured approach to cybersecurity risk. This includes identifying possible threats, protecting systems, detecting problems early, and being ready to respond and recover.
Leadership Accountability — Top management is held directly responsible for cybersecurity, and are made accountable by authorities for serious failures. They must approve security strategies, make sure the right measures are in place, and stay informed through regular training.
Incident Reporting — Organisations must report significant security incidents to the national cybersecurity authority (CSIRT).
What are the training requirements for leadership under NIS2?
NIS2 requires that all relevant staff, including leadership, receive regular and basic cybersecurity training (also called "cyber hygiene").
For leadership, training is mandatory. Members of the management body must complete relevant courses on managing cybersecurity risks and are expected to promote training across the organisation.
There are no strict format or content rules, but training must match the leadership's role in assessing risks and overseeing cybersecurity measures. The management team, as a whole, must have the skills to handle cybersecurity responsibilities under NIS2.
All training activities must be documented, for example with a certificate or written proof of participation.
What are the requirements for training of staff?
NIS2 requires that staff receive cybersecurity training that fits their role and responsibilities. All organisations must have a clear policy to ensure employees gain the right knowledge and skills to protect systems and handle digital threats.
Leadership plays a central role in this. They must actively encourage that staff are offered training similar to what management takes.
Training should be practical and easy to apply, covering topics like spotting phishing, handling data securely, using passwords correctly, and knowing what to do in case of an incident.
The focus should be on creating a culture where learning and awareness are ongoing. All training activities should be planned, recorded, and followed up on to ensure they are effective.
Why is training so important under NIS2?
Because even with strong technology, human error is still one of the biggest risks. Training helps staff spot threats early and act responsibly. For leadership, it's about accountability. Training shows regulators that the company is serious about security and is taking real steps to reduce risks.
What steps should organisations take now to become NIS2-compliant?
• Identify if the organisation is in scope.
• Appoint a person or team responsible for cybersecurity.
• Review current policies and procedures.
• Fill in any security gaps.
• Set up or improve incident reporting and response plans.
• Start regular cybersecurity training.
• Document everything to show compliance.
• Check with your national cybersecurity authority for local guidance.
How does NIS2 overlap with the GDPR?
NIS2 and GDPR are different EU laws, but they overlap, which means your work on one can support the other. Both require strong security for personal data and systems, and both demand a risk-based approach.
For example, in your GDPR compliance you have mapped personal data flows and the assets used for processing the data, which you can reuse to map the digital assets and processes for NIS2.
Similarly, your risk assessments for personal data protection also feed into cybersecurity risk assessments for delivery of critical services, and your incident response plan under GDPR can form the basis for the NIS2 requirement to detect, report, and respond to security incidents.
Your GDPR and NIS2 compliance efforts should definitely be aligned to avoid duplication and reduce cost.
Quick Facts on the NIS2
NIS2 is an EU directive that requires organisations classified as critical infrastructure to meet specific cybersecurity requirements.
AI Act
AI Literacy Training
- The AI Act requires organisations to deliver AI literacy training, ensuring employees gain the skills needed to work safely with AI.
- This requirement applies to anyone, whether just using ChatGPT or a data analyst working with machine learning.
IT Security
Security Frameworks Training
- Train your team on industry-standard security frameworks including ISO 27001, CIS18, and NIST-CSF to strengthen your organisation's security posture.
- Practical awareness training that helps employees understand and apply security controls in their daily work.
🇪🇺 EU Hosted
Awareness Training Platform
GDPR
ISO27001
NIS2
AI Act
CIS18
NIST-CSF
Serious training. Seriously simple.
Awareness Training