The NIS2 Directive (Network and Information Systems Directive 2) is the European Union’s updated framework for improving cybersecurity across critical sectors. While the UK is no longer part of the EU, the directive still has significant implications for all organisations that are located in or operate within the EU, or that work with EU-based partners. NIS2 places a strong emphasis on strengthening cybersecurity governance, improving incident response, and addressing vulnerabilities in supply chains. A key element of compliance is ensuring that organisations have the right skills and training in place to meet its requirements.
For many organisations, the skills and training component of NIS2 can feel overwhelming. What does it mean to have a "skilled workforce"? How do you ensure your employees are prepared to meet the directive’s demands? And what steps can you take to align your training programs with NIS2 requirements? This blog will break it all down, helping you understand the directive’s focus on skills and training and how to implement a strategy that ensures compliance while strengthening your cybersecurity posture.
Why Skills and Training Are Central to NIS2
At its core, NIS2 is about resilience. The directive aims to ensure that essential and important entities—such as those in healthcare, energy, transport, and digital infrastructure—can withstand and recover from cyber incidents. To achieve this, NIS2 mandates that organisations implement robust cybersecurity measures, including having a workforce equipped to handle evolving threats.
The directive explicitly highlights the importance of cybersecurity awareness, skills development, and training. This focus recognises that even the most advanced technologies and policies are ineffective without skilled professionals to implement and manage them. Human error remains one of the leading causes of cyber incidents, and NIS2 seeks to address this by ensuring that employees at all levels are adequately trained.
Key Skills and Training Requirements Under NIS2
To comply with NIS2, organisations must focus on several key areas related to skills and training:
1. Cybersecurity Awareness for All Employees
NIS2 emphasises the need for a culture of cybersecurity awareness across the organisation. This means ensuring that all employees—not just IT staff—understand the basics of cybersecurity, such as recognising phishing emails, using strong passwords, and following secure practices when handling sensitive data.
2. Specialised Skills for Cybersecurity Professionals
Organisations must ensure that their cybersecurity teams have the advanced skills needed to manage risks, respond to incidents, and implement technical controls. This includes expertise in areas such as:
- Threat detection and response
- Vulnerability management
- Incident handling and forensics
- Risk assessment and mitigation
3. Ongoing Training and Development
Cyber threats are constantly evolving, and so must the skills of your workforce. NIS2 requires organisations to provide regular training and development opportunities to ensure that employees stay up to date with the latest threats, technologies, and best practices.
4. Third-Party Risk Management
Given the directive’s focus on supply chain security, organisations must also ensure that employees responsible for vendor management and procurement understand how to assess and mitigate third-party risks.
5. Incident Response Preparedness
NIS2 mandates that organisations have robust incident response plans in place. This requires training employees on their roles and responsibilities during a cyber incident, as well as conducting regular simulations and exercises to test preparedness.
The NIS2 Directive represents a significant step forward in improving cybersecurity across critical sectors. By placing a strong emphasis on skills and training, the directive recognises that people are at the heart of cybersecurity resilience. For organisations, this is both a challenge and an opportunity. By investing in your workforce, you can not only achieve compliance but also build a stronger, more secure organisation.
Start by assessing your current skills gaps, developing a tailored training program, and fostering a culture of continuous learning. With the right approach, you can ensure that your employees are prepared to meet the demands of NIS2 and contribute to a safer digital future.
Learn more about what NIS2 means for you in a recent webinar with the law firm Osborne Clarke.