NIS2 never says "keep training records." It tells you to follow training, encourage staff training, and demonstrate cybersecurity hygiene — and the record is the only thing the auditor can verify. This guide breaks down the field-level requirements, retention windows, and audit-export expectations that have emerged across early enforcement.
NIS2 itself does not contain a clause that reads "the entity shall maintain training records." Instead, the obligation is an inevitable consequence of three explicit requirements. Article 20(2) requires management body members to follow training: the only way an inspector can verify that requirement is a per-director record. Article 21(2)(g) requires basic cyber hygiene practices and cybersecurity training: the only way an inspector can verify the program reaches all employees is a per-participant record. Article 21(4) requires organizations to demonstrate the proportionality and effectiveness of their measures: aggregated records — coverage, completion rates, validity status — are the demonstration. Together, these three requirements mean that without a register, the entity cannot prove compliance with measures it has actually implemented. Several national authorities have made this explicit in guidance: ANSSI's NIS2 implementation note, BSI's BSI-CS 134 reference, and ACN's D.lgs. 138/2024 application notes all list training records as a mandatory artifact for inspection.
Practical consequence: by the time you respond to an audit request, the records must exist. Reconstructing them from email threads or shared drives after the fact is the failure mode several early enforcement cases have flagged.
An audit-defensible record is short — typically eight fields — and machine-readable. Reglyze's training register stores exactly these fields per row, regardless of training source. If you build your own register, mirror this shape so an auditor can read your export without prior briefing.
Full name and either an internal employee ID or an organizational email address. Anonymous training does not count for compliance purposes; the record must tie back to a specific person whose access to systems can be verified.
Title in the language the training was delivered, plus a version or revision identifier. Versioning matters because a training course updated mid-cycle (e.g. after a new threat trend) is a different course; the record should reflect which version the participant completed.
Name of the entity that delivered the training — internal team, external vendor, certified body. If the training was self-paced via an LMS, the provider is the platform owner. Record the provider so an auditor can validate authenticity if required.
ISO 8601 (YYYY-MM-DD) is the safe format. The completion date is what the validity window is measured from. Avoid free-text dates like "April 2026" — they fail machine readability and slow inspection.
Numeric percentage and the threshold. "Passed 84% on a 60% threshold" is unambiguous. If the training has no quiz, record the duration completed (e.g., 60 minutes of 60). Some auditors push back on training without an assessment, so a quiz is recommended even for refresher modules.
Most organizations use a 365-day validity for staff awareness, longer for foundational courses, shorter for highly technical modules. Record both the validity period and the explicit expiry date so the register can drive renewal reminders.
A pointer to the underlying artifact: PDF attestation file, LMS completion record URL, signed certificate. The reference must remain valid for the full retention period — broken links are an audit finding.
When the record was added to the register, separately from the completion date. This timestamp is the integrity anchor: it lets an inspector verify the record was created near the completion event and not back-dated.
NIS2 itself sets no retention period. Member State transpositions and emerging supervisory practice converge on the windows below. When in doubt, retain longer — the cost is negligible compared to the cost of a missing record during an inspection.
Five years from the date of the last completion is the de facto standard across France, Germany, and Italy. The reasoning: an audit cycle is typically 3 years, and the regulator can ask for the complete history of two consecutive cycles.
Longer retention for board records reflects the personal liability dimension of Article 20. Some national authorities recommend retaining for the full duration of the director's mandate plus an additional period — practically, 10 years covers most cases.
Aggregated quarterly reports for at least three years. Individual click-rate data is more sensitive — many organizations anonymize after the immediate follow-up cycle to limit data-protection exposure.
For roles like CISO, DPO, security architect, OT engineer in critical infrastructure: longer retention aligned with role tenure. Document the retention rationale in the awareness program description so an auditor sees a deliberate decision.
Auditors are not impressed by polished record formats. They are impressed by records that are hard to alter and easy to export. Three properties matter.
Records should not be silently editable. A spreadsheet is acceptable only if version history is retained. Most modern compliance platforms — including Reglyze — store records in append-only tables: corrections create a new revision; the original is retained for audit traceability.
CSV or JSON, ideally both. Auditors prefer CSV for sampling and PDF for the per-participant attestation. A register that requires the auditor to navigate a UI to read records is friction; an export they can take away wins.
Both the completion event and the record creation event must carry a server-side timestamp. Client-side dates are weak evidence. Reglyze stamps both with a monotonically increasing record ID so back-dating is detectable.
Retain a copy of the register outside the source platform — automated weekly export to a secure file store is typical. Several auditors specifically test for what happens when the LMS or training platform is decommissioned: the records must survive.
From the first eighteen months of NIS2 inspections in the EU, a handful of record-level mistakes account for the bulk of findings. They are cheap to fix once you know to look.
Names but no IDs
Training records show "John Smith" but the HR system has two John Smiths. The auditor cannot reconcile to a specific account. Always pair the name with an internal ID or unique organizational email.
Per-team rosters with no individual completions
A spreadsheet listing the people who attended a session does not prove each one engaged with — and learned from — the content. Pair the roster with individual quiz scores or signed acknowledgments.
Records that exceed their validity window without renewal
An attestation dated April 2024 is no longer evidence of current training in May 2026. The register must drive renewal: scheduled reminders 30 / 14 / 7 days before expiry, plus an escalation to the manager if the renewal lapses.
Provider records the entity cannot independently access
If your awareness training is delivered through a third-party LMS and you only retain a coverage screenshot, you are dependent on the vendor for audit response. Export the underlying records to your own register on a recurring schedule.
Board minutes that reference "training" without a register link
Article 20 evidence requires a traceable chain from board approval to per-director attestation. Minutes that mention training in passing, without a register entry, do not close the loop.
Records with no integrity protection
An editable Google Sheet that anyone can rewrite is the weakest possible record. Move records into a system with append-only semantics, role-based access, and tamper-evident audit logging.
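The following is an added illustration of the register shape and integrity properties described above (the eight fields, append-only corrections, server-side timestamps with a monotonic record ID, CSV/JSON export, and the 30 / 14 / 7-day renewal reminders with escalation on lapse). It is not Reglyze code; the field names, the `TrainingRegister` class and the sample participant data are assumptions constructed for the example.

```python
from __future__ import annotations

import csv
import io
import json
from dataclasses import asdict, dataclass, fields
from datetime import date, datetime, timedelta, timezone
from typing import Callable, Iterable

REMINDER_DAYS = (30, 14, 7)  # reminder schedule from the guide


@dataclass(frozen=True)
class TrainingRecord:
    """One register row. Field names are assumptions; comments map them to the guide's eight fields."""
    record_id: int             # server-assigned, strictly increasing (back-dating is detectable)
    participant_name: str      # field 1
    participant_id: str        # field 1: internal employee ID or organizational e-mail
    course_title: str          # field 2
    course_version: str        # field 2: revision of the course actually completed
    provider: str              # field 3
    completion_date: str       # field 4: ISO 8601 YYYY-MM-DD
    score_pct: float | None    # field 5: None when the module has no quiz
    threshold_pct: float | None
    validity_days: int         # field 6
    expiry_date: str           # field 6: derived from completion date + validity
    evidence_ref: str          # field 7: attestation PDF, LMS URL, signed certificate
    recorded_at: str           # field 8: server-side UTC timestamp of register insertion
    supersedes: int | None     # record_id this revision corrects, if any


class TrainingRegister:
    """Append-only register: rows are never edited in place; a correction appends a linked revision."""

    def __init__(self, clock: Callable[[], datetime] | None = None) -> None:
        self._rows: list[TrainingRecord] = []
        self._clock = clock or (lambda: datetime.now(timezone.utc))  # injectable for tests

    def add(self, **values) -> TrainingRecord:
        """Append a completion: require an identifier, reject free-text dates, derive expiry, stamp server-side."""
        if not values.get("participant_id"):
            raise ValueError("participant_id (employee ID or org e-mail) is required")
        completed = date.fromisoformat(values["completion_date"])  # "April 2026" raises ValueError
        supersedes = values.pop("supersedes", None)
        if supersedes is not None and not any(r.record_id == supersedes for r in self._rows):
            raise ValueError(f"cannot supersede unknown record {supersedes}")
        rec = TrainingRecord(
            record_id=len(self._rows) + 1,
            expiry_date=(completed + timedelta(days=values["validity_days"])).isoformat(),
            recorded_at=self._clock().astimezone(timezone.utc).isoformat(timespec="seconds"),
            supersedes=supersedes,
            score_pct=values.pop("score_pct", None),
            threshold_pct=values.pop("threshold_pct", None),
            **values,
        )
        self._rows.append(rec)
        return rec

    def correct(self, record_id: int, **changes) -> TrainingRecord:
        """Corrections never overwrite: copy the original, apply changes, append as a new revision."""
        original = next(r for r in self._rows if r.record_id == record_id)
        base = asdict(original)
        for k in ("record_id", "expiry_date", "recorded_at", "supersedes"):
            base.pop(k)
        base.update(changes)
        return self.add(supersedes=record_id, **base)

    def current(self) -> list[TrainingRecord]:
        """Latest revision of every record; superseded rows stay in history for traceability."""
        superseded = {r.supersedes for r in self._rows if r.supersedes is not None}
        return [r for r in self._rows if r.record_id not in superseded]

    @staticmethod
    def passed(rec: TrainingRecord) -> bool:
        # Quiz-based modules must meet the threshold; duration-only modules count as completed.
        return rec.threshold_pct is None or (rec.score_pct or 0.0) >= rec.threshold_pct

    def _latest_expiry(self) -> dict[tuple[str, str], date]:
        """Newest expiry per (participant, course) among passed, current records."""
        latest: dict[tuple[str, str], date] = {}
        for r in self.current():
            if self.passed(r):
                key, exp = (r.participant_id, r.course_title), date.fromisoformat(r.expiry_date)
                if key not in latest or exp > latest[key]:
                    latest[key] = exp
        return latest

    def coverage(self, roster: Iterable[str], course_title: str, as_of: date) -> tuple[float, list[str]]:
        """Coverage rate plus the IDs lacking a valid record: the aggregate an Article 21(4) demonstration rests on."""
        roster, latest = list(roster), self._latest_expiry()
        missing = [p for p in roster if not (latest.get((p, course_title), as_of) > as_of)]
        return (1.0 if not roster else 1 - len(missing) / len(roster)), missing

    def renewal_actions(self, as_of: date) -> list[tuple[str, str, str]]:
        """Reminders at 30/14/7 days before the newest expiry; escalation once it has lapsed."""
        actions = []
        for (pid, course), exp in self._latest_expiry().items():
            days_left = (exp - as_of).days
            if days_left in REMINDER_DAYS:
                actions.append((pid, course, f"remind:{days_left}d"))
            elif days_left < 0:
                actions.append((pid, course, "escalate:lapsed"))
        return actions

    def to_csv(self) -> str:
        """Full history (including superseded rows) as CSV for auditor sampling."""
        out = io.StringIO()
        writer = csv.DictWriter(out, fieldnames=[f.name for f in fields(TrainingRecord)])
        writer.writeheader()
        writer.writerows(asdict(r) for r in self._rows)
        return out.getvalue()

    def to_json(self) -> str:
        return json.dumps([asdict(r) for r in self._rows], indent=2)
```

A renewal is a new `add`, not a correction, so the old attestation stays in the export and the reminder logic keys off the newest expiry per participant and course. The injectable clock exists only so the server-side `recorded_at` stamp can be checked deterministically; in production it should be the server's UTC clock, never a value supplied by the client.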
The Reglyze training module ships with a register that captures the eight fields above by default. Per-participant attestations are generated as PDFs at quiz pass time, signed with the organization name, and pinned to the participant's record. Validity windows default to 365 days for staff awareness and 12 months for management body training, with reminder workflows already wired up at 30 / 14 / 7 days before expiry. Coverage is computed continuously and presented to the board as part of the quarterly cybersecurity dashboard. Exports are one-click CSV plus a per-record PDF bundle — exactly the shape early NIS2 auditors have asked for.
NIS2 Article 20 Training (board duties): What the management body must approve, oversee, and learn — the source of the per-director record requirement.
NIS2 Staff Awareness Training (Article 21(2)(g)): The staff baseline that drives the per-employee record requirement.
NIS2 vs ISO 27001: ISO 27001 already mandates a documented information requirement (Clause 7.5) — your existing controls map straight across.
NIS2 Fines & Penalties 2026: Missing records is one of the cheapest infractions to find — and to sanction.