With NIS-2, security training becomes mandatory
With the transposition of the NIS-2 Directive into German law and the amendment of the BSI Act (BSIG), cyber security requirements for affected organisations are increasing significantly. Operators of “important” and “particularly important entities” are, for the first time, explicitly obliged to implement, document and monitor effective security measures.
These measures also include the provision of basic training and awareness-raising activities in the field of information security (Section 30 (2) no. 7 BSIG). As a result, security training is becoming a legal requirement for many companies and public authorities for the first time.
Who is affected?
The NIS-2 rules apply to a wide range of public and private organisations across a total of 18 sectors, including energy, transport, banking, healthcare, research and food. In principle, only entities with more than 50 employees or an annual turnover or balance sheet total of at least €10 million are affected.
In addition, some organisations fall within the scope regardless of their size. These include key elements of digital infrastructure, parts of public administration, certain monopoly and sole providers, and operators of critical infrastructure. Overall, the regulations affect a broad spectrum of companies and public bodies in Germany that play a central role in strengthening the country’s digital security and resilience.
The law categorises affected organisations as “important entities” and “particularly important entities”. However, this classification has no impact on the scope of the new training obligations: both groups are equally required to train their staff.
Who must be trained?
All individuals who work with the organisation’s IT infrastructure and sensitive data must receive training. In practice, this means all employees of the organisation.
What must be covered?
Section 30 (2) no. 7 BSIG requires basic training and awareness-raising measures in the field of information technology security. The aim is to convey the fundamentals of information security and to raise awareness of threats such as phishing, social engineering, CEO fraud and malware.
Our eLearning courses allow you to fully meet these requirements: the modules Basic Training Cybersecurity and Refresher Cybersecurity clearly and practically cover all essential fundamentals and are ideally suited to fulfilling the statutory training obligation.
Conclusion
The training obligation under section 30 (2) no. 7 BSIG is now binding for all entities affected by NIS-2. With our eLearning courses, you are ideally prepared: compliant with the law, practical and sustainable, enabling you to meet your regulatory obligations effectively.
Interested? Please feel free to get in touch with us!