NIS2 Management Training

Your organisation’s management must approve the risk management and cybersecurity measures implemented to comply with NIS2, and therefore has a central role in cybersecurity governance.


To manage this responsibility effectively, NIS2’s Article 20(2) requires that management receive relevant training that strengthens their ability to understand risks, make informed decisions, and follow up on the organisation’s security measures.

There are no fixed guidelines for what this training must look like; what matters is that management as a whole builds the competence needed to guide the organisation’s cybersecurity efforts.

The training can take many forms, such as general courses on cyber and information security, leadership workshops on managing cyber risks, certifications in recognised security standards such as ISO 27001, or in-house seminars tailored to your organisation.

Participation in and completion of this training must be documented to demonstrate compliance, for example with a certificate or confirmation of attendance.

Management’s Role in Employee Training

Management also plays a key role in shaping employees’ skills and behaviour. Managers should actively support and encourage cybersecurity training for staff at all levels, making sure employees have competencies that match their roles and responsibilities within the organisation.

Therefore, your organisation should develop a training policy for employees, and ensure that everyone from new hires to experienced employees knows how to protect systems, follow best cyber hygiene practices, and respond appropriately to threats. By leading by example and prioritising training, management shows that cybersecurity is important across the organisation.

This aligns with Article 21(2)(g), which states that employees must know about cyber hygiene practices and receive cybersecurity training.
