
NIS2 Compliance Checklist 2026: Prove Your Team Is Trained

PaperLink Team - 10 min read

NIS2 is no longer upcoming regulation. It is enforceable law. Member states were required to transpose the directive into national law by October 2024, and enforcement has begun. Italy and Denmark have already codified penalties. Germany requires essential and important entities to register with the BSI by April 2026.

If your organization falls within NIS2's scope - and with 18 sectors and 160,000+ entities across the EU, it likely does - the question is no longer whether to comply. It is whether you can prove compliance when the supervisor asks.

This checklist focuses on the training and awareness requirements that most organizations underestimate: Article 20's mandate that your workforce demonstrates cybersecurity awareness, and Article 13's requirement for continuous learning. These are the controls where "we sent an email" is not sufficient evidence.

Who Must Comply: The 18 NIS2 Sectors

NIS2 covers 18 sectors divided into essential and important entities:

Essential entities (Annex I - higher penalties, proactive supervision):

Sector - Examples
Energy - Electricity, oil, gas, hydrogen, district heating
Transport - Air, rail, water, road
Banking - Credit institutions
Financial market infrastructures - Trading venues, central counterparties
Health - Hospitals, laboratories, medical device manufacturers
Drinking water - Water supply and distribution
Wastewater - Collection, disposal, treatment
Digital infrastructure - DNS, TLD registries, cloud, data centers, CDNs
ICT service management (B2B) - Managed service providers, managed security service providers
Public administration - Central government entities
Space - Ground-based infrastructure operators

Important entities (Annex II - lower penalties, reactive supervision):

Sector - Examples
Postal and courier services - Postal service providers
Waste management - Waste collection, treatment, disposal
Chemicals - Manufacturing, production, distribution
Food - Production, processing, distribution
Manufacturing - Medical devices, electronics, machinery, motor vehicles
Digital providers - Online marketplaces, search engines, social networks
Research - Research organizations

Size thresholds: Medium enterprises (50+ employees or EUR 10M+ turnover) and large enterprises (250+ employees or EUR 50M+ turnover) must comply. Certain entities - trust service providers, DNS providers, TLD registries - are captured regardless of size.

If your organization provides services to an entity in one of these 18 sectors - as a managed service provider, cloud vendor, or IT consultant - NIS2 may apply to you through the supply chain requirements, even if your own sector is not listed.

The Training Requirements: Articles 20 and 13

Two NIS2 articles create specific obligations around workforce cybersecurity awareness:

Article 20 - Governance requires that members of the management body undergo cybersecurity training and offer similar training to employees on a regular basis. This is not optional or delegatable. The management body - board members, C-suite executives - must personally demonstrate cybersecurity competence.

Article 13 - Learning and evolving (mirrored from the DORA framework for financial entities) requires organizations to develop ICT security awareness programmes as compulsory modules in staff training schemes. The training must be applicable to all employees with complexity commensurate to their functions.

The critical phrase in Article 20: organizations must "demonstrate that policies function through people's behavior". Having a policy is not enough. Distributing a policy is not enough. The organization must show that the workforce understands and follows the policy.

The Penalties for Getting It Wrong

NIS2 penalties are designed to be proportionate but significant:

Financial penalties:

Non-monetary enforcement:

Personal accountability:

This last point is unprecedented in EU cybersecurity regulation. NIS2 makes individual executives personally accountable for compliance failures - including failures in workforce training and awareness.

Unlike GDPR, where penalties are imposed by a single supervisory authority, NIS2 enforcement is handled by national authorities in each member state. This means penalty thresholds, enforcement priorities, and investigation triggers vary by country. Check your national transposition law for specific requirements.

The Compliance Checklist: Training and Awareness

This checklist covers the workforce training requirements specifically. It does not cover the full NIS2 scope (risk management, incident reporting, supply chain security) but focuses on the Article 20 and Article 13 obligations that require documented evidence of employee engagement.

1. Management Body Training

  • Board members and C-suite have completed cybersecurity training
  • Training is documented with dates, topics, and evidence of engagement
  • Training covers ICT risk governance - not technical details, but risk assessment and impact understanding
  • Training is refreshed regularly (annually at minimum)
  • Training records are retained for the supervision period

2. Workforce Security Awareness Programme

  • ICT security awareness programme exists as a formal, documented programme
  • Programme is integrated into staff training schemes as a compulsory module (not optional)
  • All employees are included - not just IT staff
  • Training complexity is differentiated by role (technical staff get deeper material, administrative staff get proportionate content)
  • Programme covers: risk identification, safe behavior, incident reporting, social engineering awareness
  • Training is refreshed after cybersecurity incidents (not just on a fixed schedule)

3. Evidence of Training Delivery

  • Training materials are distributed through a traceable channel (not just email)
  • Distribution records show which employees received which materials
  • Completion records show which employees engaged with the training
  • New employees complete training within the onboarding period
  • Re-training is documented when policies change or after incidents

4. Evidence of Training Effectiveness

This is where most organizations fall short. NIS2 requires demonstration that policies function through behavior - not merely that training was delivered.

  • Engagement metrics exist beyond binary completion (time spent, sections reviewed)
  • Low-engagement patterns are identified and addressed (employees who clicked through without reading)
  • Role-specific completion is tracked (did the IT team read the incident response plan? Did finance read the data handling policy?)
  • Version-specific acknowledgement exists (when a policy updates, employees read the new version - not just re-acknowledge the old one)
  • Training records are exportable for supervisory examination

5. Policy Distribution Documentation

  • All cybersecurity policies are formally documented
  • Policies are versioned with revision history
  • Distribution records show which policies were sent to which employee groups
  • Acknowledgement records exist for each policy version
  • Reading engagement data shows employees accessed the policy documents (not just received them)

Where Checkbox Compliance Fails NIS2

Most organizations approach the checklist above with familiar tools: an LMS for training modules, an HR system for acknowledgement forms, and email for policy distribution. Each records a binary state - completed or not completed.

NIS2's language creates a higher standard. "Demonstrate that policies function through people's behavior" requires evidence that employees engaged with the material. A checkbox proves delivery. It does not prove engagement.

The gap is most visible in three areas:

Management body training. When a supervisor examines whether the board completed cybersecurity training, an LMS completion record shows they finished a module. Page-level reading analytics showing the CFO spent 22 minutes reviewing the risk governance framework across two sessions tells a different story.

Post-incident re-training. After a cybersecurity incident, NIS2 expects organizations to update training based on lessons learned. Version-controlled reading analytics show which employees read the updated policy versus the pre-incident version. A re-acknowledged checkbox does not make this distinction.

Role-differentiated evidence. NIS2 requires complexity commensurate with function. The compliance team should be able to demonstrate that the SOC team received and engaged with the detailed incident response plan while administrative staff received and engaged with the proportionate security awareness summary. A single "security training completed" flag does not satisfy this requirement.

What Supervisors Will Ask

National supervisory authorities across the EU are building their examination frameworks. While specific procedures vary by member state, the evidence requests follow a pattern:

  1. "Show us your cybersecurity awareness programme." The documented programme with objectives, content, and target audiences.

  2. "Show us the management body's training records." Specific evidence that board members and executives completed training - with detail beyond completion dates.

  3. "Show us workforce completion rates." What percentage of employees completed training within the required period? What about new hires?

  4. "Show us how you handle policy updates." When the incident response plan was updated after the last incident, which employees received and engaged with the new version?

  5. "Show us evidence of role-appropriate training." How do you differentiate training for technical versus non-technical staff? Is the differentiation documented?

Organizations that can produce page-level reading engagement data for each of these questions face a fundamentally different examination than those producing spreadsheets of checkboxes.

How to Build NIS2 Training Evidence

The practical workflow does not require replacing your existing training infrastructure. It adds an evidence layer between policy distribution and compliance reporting:

  1. Upload cybersecurity policies and training materials to a document sharing platform with reading analytics
  2. Generate tracked links per department, per role level, or per individual
  3. Distribute through existing channels - the intranet, email, the LMS as a supplementary resource
  4. Employees click the link and read in a secure browser-based viewer
  5. The analytics engine records: pages viewed, time per page, completion percentage, return visits, tab visibility
  6. The compliance team generates examination-ready reports per Article 20 and Article 13 requirements

For the management body, the same approach applies with higher granularity. Each board member receives a tracked link to the cybersecurity governance training materials. Their reading engagement is documented individually.
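The engagement checks in section 4 of the checklist and the evidence layer in steps 5 and 6 of the workflow above come down to a small amount of aggregation over viewer events. The script below is an added example, not PaperLink's own code: it assumes a document viewer that emits one event per page view carrying the seconds the page was visible (tab in focus), and it uses a constructed policy catalogue, workforce and event log. From those events it derives completion percentage, time per page, return visits, a read / clicked-through / incomplete status per employee and policy version, the employees who read the pre-incident version but not the revised one, and per-role coverage for a given policy version. The 20-second-per-page threshold that separates reading from clicking through is an assumption, not a figure from the directive.

```python
"""Engagement evidence computed from document-viewer events.

Added example, not PaperLink's own code. It assumes a viewer that emits one
event per page view carrying the seconds the page was visible (tab in focus),
which is enough to distinguish reading from clicking through and to tell a
policy version apart from its predecessor. Every employee, policy and event
below is constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed policy catalogue: (policy id, version) -> number of pages.
POLICY_PAGES = {
    ("IRP", "2025.1"): 4,    # incident response plan, pre-incident version
    ("IRP", "2026.1"): 4,    # revised after the last incident
    ("AWARE", "2026.1"): 2,  # short awareness summary for non-technical staff
}
CURRENT_VERSIONS = {"IRP": "2026.1", "AWARE": "2026.1"}

# Constructed workforce: employee id -> role.
ROLES = {"e01": "soc", "e02": "soc", "e03": "finance", "e04": "board"}

# Constructed viewer events: (employee, policy, version, session, page, seconds visible).
EVENTS = [
    ("e01", "IRP", "2026.1", "s1", 1, 95), ("e01", "IRP", "2026.1", "s1", 2, 110),
    ("e01", "IRP", "2026.1", "s2", 3, 80), ("e01", "IRP", "2026.1", "s2", 4, 70),
    ("e02", "IRP", "2025.1", "s3", 1, 90), ("e02", "IRP", "2025.1", "s3", 2, 85),
    ("e02", "IRP", "2025.1", "s3", 3, 70), ("e02", "IRP", "2025.1", "s3", 4, 60),
    ("e02", "IRP", "2026.1", "s4", 1, 2), ("e02", "IRP", "2026.1", "s4", 2, 1),
    ("e02", "IRP", "2026.1", "s4", 3, 2), ("e02", "IRP", "2026.1", "s4", 4, 1),
    ("e03", "AWARE", "2026.1", "s5", 1, 60), ("e03", "AWARE", "2026.1", "s5", 2, 45),
    ("e04", "AWARE", "2026.1", "s6", 1, 30),  # board member never opened page 2
]

# Below this per-page dwell time a fully paged document still counts as
# clicked through. Assumed threshold for the example, not a NIS2 figure.
MIN_SECONDS_PER_PAGE = 20


@dataclass
class Engagement:
    pages_viewed: int
    total_pages: int
    seconds: int
    sessions: int  # distinct sessions; return visits = sessions - 1

    @property
    def completion_pct(self) -> float:
        return round(100.0 * self.pages_viewed / self.total_pages, 1)

    @property
    def seconds_per_page(self) -> float:
        return self.seconds / max(self.pages_viewed, 1)

    @property
    def status(self) -> str:
        if self.pages_viewed < self.total_pages:
            return "incomplete"
        if self.seconds_per_page < MIN_SECONDS_PER_PAGE:
            return "clicked_through"
        return "read"


def engagement(events=EVENTS, catalogue=POLICY_PAGES):
    """Aggregate raw events into one Engagement per (employee, policy, version)."""
    pages, seconds, sessions = defaultdict(set), defaultdict(int), defaultdict(set)
    for emp, pol, ver, session, page, secs in events:
        key = (emp, pol, ver)
        pages[key].add(page)
        seconds[key] += secs
        sessions[key].add(session)
    return {k: Engagement(len(pages[k]), catalogue[k[1:]], seconds[k], len(sessions[k]))
            for k in pages}


def low_engagement(results):
    """Checklist item 4: records that a binary completion flag would hide."""
    return sorted(k for k, e in results.items() if e.status != "read")


def stale_acknowledgements(results, current=CURRENT_VERSIONS):
    """Employees who read an older policy version but have not read the current one."""
    stale = set()
    for (emp, pol, ver), e in results.items():
        if ver != current[pol] and e.status == "read":
            cur = results.get((emp, pol, current[pol]))
            if cur is None or cur.status != "read":
                stale.add((emp, pol))
    return stale


def role_coverage(results, roles, policy, version):
    """Per role: (employees who read this policy version, employees in the role)."""
    cover = {}
    for emp, role in roles.items():
        read, total = cover.get(role, (0, 0))
        e = results.get((emp, policy, version))
        cover[role] = (read + (1 if e and e.status == "read" else 0), total + 1)
    return cover


if __name__ == "__main__":
    r = engagement()
    for key, e in sorted(r.items()):
        print(key, e.completion_pct, round(e.seconds_per_page, 1), e.sessions, e.status)
    print("low engagement:", low_engagement(r))
    print("stale acknowledgements:", stale_acknowledgements(r))
    print("IRP 2026.1 coverage by role:", role_coverage(r, ROLES, "IRP", "2026.1"))
```

Run as a script it prints one line per employee and policy version plus the three findings a supervisor's questions 2, 4 and 5 map to: the SOC analyst who paged through the revised incident response plan in six seconds, the same analyst flagged as still acknowledging only the pre-incident version, and the per-role coverage that shows the plan was read by half the SOC team and by no one on the board. The same aggregation applied to a single board member's link is the individual management-body record described above.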

The NIS2 Timeline

Date - What happens
October 2024 - Transposition deadline (many states still in progress)
January-February 2026 - Italy registration window
April 2026 - Germany BSI registration deadline for essential/important entities
Ongoing 2026 - National supervisory authorities begin active examinations
2027+ - First wave of enforcement actions based on supervisory findings

The organizations that build their training evidence standard now - before the first examination request arrives - will face supervisors with confidence. The ones that wait will discover their documentation gaps under pressure.

NIS2 is not a checkbox exercise. It is a demonstration that cybersecurity awareness lives in your organization's behavior, not just in its policy documents. The evidence you build today determines the answer to the question a supervisor will ask tomorrow: "Can you prove your people know what they need to know?"

PaperLink tracks page-by-page viewing analytics for shared documents - including time per page, completion percentage, and tab visibility detection. Organizations across the EU use it to build NIS2-compliant training evidence showing genuine employee engagement with cybersecurity policies. Try it free.
