NIS2

EU Directive 2022/2555 raising cybersecurity obligations across essential and important entities, with behavioral controls and training now in audit scope.

NIS2 is Directive (EU) 2022/2555, the European Union’s second Network and Information Security directive. It replaces the original NIS directive of 2016 and dramatically widens the scope of regulated entities, the depth of required controls, and the personal accountability of management. Member states had to transpose NIS2 into national law by 17 October 2024.

NIS2 classifies regulated organizations as essential entities (energy, transport, banking, healthcare, digital infrastructure, public administration, space) or important entities (postal, waste, food, manufacturing, digital providers, research). Both categories must implement the ten risk-management measures listed in Article 21 — and importantly, the human dimension is explicit.

  • Article 21(2)(g) mandates “basic cyber hygiene practices and cybersecurity training” for staff, including management.
  • Article 20 holds management bodies personally accountable for approving and overseeing cybersecurity risk-management measures.
  • Article 23 sets a 24-hour early warning and 72-hour incident notification clock to the national CSIRT.
  • Articles 32–34 empower competent authorities to impose administrative fines of up to €10M or 2% of global annual turnover for essential entities (€7M or 1.4% for important entities), whichever is higher.

Compared to NIS1, NIS2 makes two shifts that matter for the security-leadership reader. First, training is no longer a checkbox — supervisors expect to see ongoing, role-appropriate practice, not an annual e-learning attestation. Second, the behavioral evidence of how employees actually act under risk is increasingly what auditors ask for, alongside the policy documents.

This is why HRM platforms — including Engarde (engarde.cc) — are now part of NIS2 compliance conversations: they generate the running record of who was nudged, what they did next, and how the behavioral baseline moved over time. Related frameworks in the EU stack include DORA for financial entities and GDPR Article 32 for the data-protection dimension. French entities also align with ANSSI guidance for technical implementation.
