Article 21(2)(g) puts basic cyber hygiene and training on the mandatory list. This guide tells you who must be trained, what topics the baseline must cover, how often to refresh, and the evidence your competent authority expects to see.
Article 21(2) of NIS2 lists ten minimum cybersecurity risk-management measures that every essential and important entity must implement. Letter (g) is short, "basic cyber hygiene practices and cybersecurity training", but it is the broadest measure on the list: in practice it reaches every employee, contractor, and third party with access to the entity's networks or data. Commission Implementing Regulation (EU) 2024/2690 (which binds directly only the digital-infrastructure and digital-service entities it covers, but is the most concrete official reading of the measure for everyone else) and ENISA's technical implementation guidance describe "basic cyber hygiene" as a documented programme covering the everyday behaviours that prevent most incidents: phishing, weak passwords, unmanaged devices, mishandled sensitive data, social engineering. This is not optional content. It is what auditors check first, because it is the easiest to evidence and the strongest single signal of organizational maturity.
"Members of the management bodies of essential and important entities are required to follow training and shall encourage essential and important entities to offer similar training to their employees on a regular basis, in order that they gain sufficient knowledge and skills … Member States shall ensure that essential and important entities take appropriate and proportionate technical, operational and organisational measures … those measures shall be based on an all-hazards approach and shall include … (g) basic cyber hygiene practices and cybersecurity training."
(Directive (EU) 2022/2555, Article 20(2) and Article 21(1) and (2), excerpted.)
The Article 21(2)(g) baseline is intentionally broad. Anyone whose actions could affect the security of the organization's information systems falls in scope. In practical terms that includes:
Employees: office staff, field workers, executives, part-timers, interns, apprentices. The litmus test is account creation, not job title: if they have a login, they need awareness training.
Contractors and third parties: anyone who connects to the organization's network or processes its data on a regular basis. The training does not have to be delivered by you (you can accept evidence from their employer), but you must verify it and record it in your own register.
Physical-access personnel: cleaning crews with after-hours access to offices that hold workstations, maintenance staff in OT environments, on-site vendor personnel. National guidance is converging on the principle that physical access counts.
Timing: the baseline should be delivered before, or within 30 days of, granting system access. The 30-day window is supervisory practice rather than directive text, but several national authorities, including ANSSI and BSI, flag onboarding gaps as the most common audit finding.
The Implementing Regulation does not enumerate topics, but ENISA's awareness syllabus and emerging supervisory guidance converge on a seven-topic baseline. Reglyze's awareness module aligns to this set; you can extend it with sector-specific content.
1. Phishing and social engineering: recognising phishing, smishing, vishing, and CEO-fraud patterns. Hands-on examples, not just slides, with screenshots from actual recent campaigns. Learners must finish able to spot a homoglyph or look-alike domain and an out-of-band payment instruction, and know that the correct response is to report it, not merely delete it.
2. Passwords: length over complexity, password managers, no reuse, no sharing. The training must explain why each rule exists, not just state it; adults follow rules they understand. Pair it with the organization's password-manager rollout so learners leave with the tool installed.
3. MFA: how MFA works, and why SMS is the weakest common factor (SIM swapping and interception) while authenticator apps and, above all, phishing-resistant hardware keys are stronger. What to do when a push prompt appears unexpectedly: do not approve it, and report it, because a prompt you did not trigger means someone else already has the password. MFA is also required by Article 21(2)(j); the baseline reinforces it.
4. Device handling: locking screens, encrypted devices, no work data on personal devices, no unmanaged USB sticks. Plus the basics of the removable-media policy and a clean desk for printed sensitive material.
5. Incident reporting: how to report a suspected incident, to whom, and why the first 24 hours matter for the entity's regulatory obligations (under Article 23 the early warning for a significant incident is due within 24 hours of becoming aware of it, and the incident notification within 72 hours). Learners must know the internal escalation path by name. One slide with the contact details of the security team is non-negotiable.
6. Working remotely: VPN use, public Wi-Fi risks, secure video conferencing, document handling outside the office. Especially relevant since 2020; supervisors expect to see it on the syllabus.
7. NIS2 incident scenarios: plain-language scenarios such as ransomware, insider data exfiltration, and supply-chain compromise. They help learners connect the regulatory abstraction to the behaviours they should report.
There is no fixed cadence in the directive, but supervisory practice converges on the rhythm below. Reglyze's training register defaults to these intervals; you can override per organization or per role.
Onboarding: all seven topics covered before, or no later than 30 days after, the new joiner receives credentials. Track completion in the register; delays beyond 30 days are the single most common audit finding for Article 21(2)(g).
Annual refresh: each employee completes a refresh covering current threat updates, policy changes, and lessons learned from any incident in the last year. Validity windows in the register are typically set to 365 days from completion.
On change: a significant policy change, major incident, new tool rollout, or regulatory change triggers a targeted micro-module. A two-minute video plus a five-question quiz is enough; the goal is to evidence that staff were informed.
Phishing simulations: not strictly required by the directive, but expected by mature supervisors. Quarterly simulations provide trend data the board can act on and let you target follow-up training at people who repeatedly click. Track the report rate alongside the click rate, and treat a click as a training trigger rather than a disciplinary matter, or staff will stop reporting the real ones.
Article 21(2)(g) is content-light but evidence-heavy. The volume of records is what catches organizations out: every employee, every year, plus onboarding and on-change additions. The audit-ready record set is covered in the training-records guide linked at the end of this page.
Across early NIS2 inspections in Germany, France, Italy and Portugal, a small number of mistakes account for most Article 21(2)(g) findings. Avoiding them is cheap.
One-hour town hall counted as training
A live all-hands session does not produce per-participant evidence. If it must remain part of the program, run a follow-up quiz the next day with attestations for each attendee.
Generic provider course with no NIS2 framing
Off-the-shelf awareness training is fine, but it must reference NIS2 obligations or the entity's own incident reporting path. Auditors check the syllabus for these specific terms.
No follow-up for non-completers
Coverage at 88% is acceptable; coverage at 88% with no documented action for the missing 12% is not. Either complete them, escalate to revocation of access, or document a time-bound exception.
Onboarding training delayed beyond 30 days
The most common single finding. Wire training enrollment into the joiner workflow so the manager cannot mark onboarding complete until awareness training is logged.
Validity window expires without renewal
A 12-month validity is meaningless without a reminder workflow. Reglyze and most awareness platforms send reminders 30, 14 and 7 days before expiry; turn them on, and route the final reminder to the line manager as well as the learner.
Management body excluded from the staff training
Article 20(2) requires members of the management body to follow training; the staff obligation sits in Article 21(2)(g). The two are separate, but board members must also appear in the staff awareness register, or have an equivalent specific record, otherwise the register shows a gap at the top of the org chart.
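The cadence above and the findings list together describe a register check that is easy to get wrong by hand once the headcount grows. The script below is an added example, not Reglyze's code or any supervisor's tooling: it audits a constructed register (hypothetical person IDs and dates) against the 30-day onboarding window, the 365-day validity window, the 30/14/7-day reminder offsets, the "documented time-bound exception" rule for non-completers, and the requirement that management-body members appear in the register. The row layout and the finding labels are assumptions made for the example.

```python
"""Audit a NIS2 Article 21(2)(g) awareness-training register for the common findings.

Added example: the register rows, person IDs and dates below are constructed;
the intervals are the ones described in the guide (30-day onboarding window,
365-day validity, reminders at 30/14/7 days before expiry).
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

ONBOARDING_GRACE_DAYS = 30       # baseline due within 30 days of credentials
VALIDITY_DAYS = 365              # annual refresh
REMINDER_OFFSETS = (30, 14, 7)   # days before expiry on which a reminder is sent


@dataclass
class RegisterRow:
    person_id: str
    population: str                          # "staff", "contractor" or "management_body"
    access_granted: date                     # date credentials or physical access were issued
    completed: Optional[date]                # most recent completed baseline or refresh
    exception_until: Optional[date] = None   # documented, time-bound exception, if any


def expiry_date(row: RegisterRow) -> Optional[date]:
    """Validity window end for the most recent completion (None if never completed)."""
    return row.completed + timedelta(days=VALIDITY_DAYS) if row.completed else None


def has_valid_record(row: RegisterRow, today: date) -> bool:
    exp = expiry_date(row)
    return exp is not None and today <= exp


def findings_for(row: RegisterRow, today: date) -> List[str]:
    """Return the audit findings that apply to one register row."""
    out: List[str] = []
    deadline = row.access_granted + timedelta(days=ONBOARDING_GRACE_DAYS)
    excused = row.exception_until is not None and row.exception_until >= today
    if row.completed is None:
        # Non-completer: acceptable only inside the window or under a live exception.
        if today > deadline and not excused:
            out.append("onboarding overdue, no documented exception")
        return out
    if row.completed > deadline:
        out.append("onboarding completed late (historical)")
    if not has_valid_record(row, today) and not excused:
        out.append("validity window expired, not renewed")
    return out


def audit(rows: List[RegisterRow], today: date) -> Dict[str, List[str]]:
    """Map person_id -> findings, omitting rows with nothing to report."""
    result: Dict[str, List[str]] = {}
    for r in rows:
        f = findings_for(r, today)
        if f:
            result[r.person_id] = f
    return result


def reminders_due(rows: List[RegisterRow], today: date) -> List[Tuple[str, int]]:
    """(person_id, days_to_expiry) for everyone hitting a reminder offset today."""
    due = []
    for r in rows:
        exp = expiry_date(r)
        if exp is not None and (exp - today).days in REMINDER_OFFSETS:
            due.append((r.person_id, (exp - today).days))
    return due


def coverage(rows: List[RegisterRow], today: date) -> float:
    """Percentage of the population holding a currently valid record."""
    if not rows:
        return 0.0
    return round(100 * sum(has_valid_record(r, today) for r in rows) / len(rows), 1)


def board_members_missing(rows: List[RegisterRow], board: List[str]) -> List[str]:
    """Article 20 members who do not appear in the register at all."""
    present = {r.person_id for r in rows if r.population == "management_body"}
    return sorted(set(board) - present)


TODAY = date(2026, 3, 1)   # constructed audit date


def sample_register() -> List[RegisterRow]:
    """Constructed register; each row exercises one rule from the guide."""
    return [
        RegisterRow("E001", "staff", date(2025, 1, 15), date(2025, 2, 1)),      # refresh lapsed
        RegisterRow("E002", "staff", date(2025, 6, 1), date(2025, 6, 20)),      # fully compliant
        RegisterRow("E003", "staff", date(2026, 1, 10), None),                  # overdue onboarding
        RegisterRow("E004", "contractor", date(2026, 2, 15), None),             # still inside 30 days
        RegisterRow("E005", "staff", date(2025, 9, 1), date(2025, 10, 20)),     # onboarded late
        RegisterRow("B001", "management_body", date(2025, 2, 20), date(2025, 3, 15)),  # 14 days to expiry
        RegisterRow("E006", "staff", date(2025, 12, 1), None, date(2026, 4, 30)),       # documented exception
    ]


if __name__ == "__main__":
    rows = sample_register()
    print("findings:", audit(rows, TODAY))
    print("reminders:", reminders_due(rows, TODAY))
    print("coverage: %.1f%%" % coverage(rows, TODAY))
    print("board missing:", board_members_missing(rows, ["B001", "B002"]))
```

Coverage on its own is the number auditors see first, but the point of the script is the second half of the output: every person below 100% is either inside the 30-day window, under a dated exception, or listed as a finding, which is exactly the distinction the "no follow-up for non-completers" item draws.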
Related guides:
NIS2 Article 20 Training (board duties): what the management body must approve, oversee, and learn, separate from the staff baseline.
NIS2 Training Records — Retention & Format: what records to keep per participant, retention windows, and audit export expectations.
NIS2 vs ISO 27001: ISO 27001:2022 Annex A control 6.3 (awareness, education and training) maps closely to Article 21(2)(g); here's the delta.
NIS2 Fines & Penalties 2026: failing the awareness baseline is one of the easiest infractions for an inspector to spot, and to fine.

Reglyze's Foundations bundle covers the full Article 21(2)(g) syllabus (phishing, passwords, MFA, device handling, incident reporting, working remote, and NIS2 incident scenarios) in EN and FR, with per-participant PDF attestations and an auto-aggregating register. From EUR 149/year up to 25 learners.