Art. 21(2)(g) NIS 2 + CIR §8

NIS 2 cyber hygiene and security training under Article 21(2)(g)

Article 21(2)(g) NIS 2 covers your workforce. Article 20(2) covers your management body. Two separate duties. CIR (EU) 2024/2690 §8 sets out what the workforce duty actually means: an awareness programme for everyone, plus role-specific training for people in security-relevant roles.

Simon Orzel

The short version

Article 21(2)(g) puts cyber hygiene and security training on the list of ten cybersecurity measures every essential and important entity must have in place. The duty covers everyone in the entity, including the management body and direct providers.

CIR (EU) 2024/2690 §8 splits the duty into two parts. §8.1 is awareness: a programme that reaches every staff member, repeated periodically, aligned with your information security policy and your actual threat picture, covering threats, contact points and resources. §8.2 is role-specific training: identify staff in security-relevant roles, train them on secure configuration and operation, known threats, and how to behave during a security-relevant event.

This is not the same duty as Article 20(2). Article 20(2) is training for the management body itself, on cybersecurity risks and management practices. Article 21(2)(g) is training for the rest of the organisation. You need both. Auditors check both.

The legal source
Three layers stacked on top of each other: the directive (binding on every member state, but only through national transposition), the implementing regulation (directly applicable EU law for the entity types named in its Article 1), and the national transposition (in Germany: BSIG).

Article 21(2)(g) NIS 2 Directive (2022/2555)

Basic cyber hygiene practices and cybersecurity training.

This is point (g) on the list of ten cybersecurity measures every essential and important entity has to put in place. It is the workforce-wide duty, distinct from the management-body training in Article 20(2).

CIR (EU) 2024/2690, Annex §8

For the purposes of Article 21(2)(g) of Directive (EU) 2022/2555, the relevant entities shall ensure that their employees, including members of the management body and direct providers, are aware of risks, informed of the importance of cybersecurity, and apply cyber hygiene practices.

Because this is a regulation (not a directive), it is directly binding EU law without transposition. §8.1 sets the awareness programme. §8.2 sets the role-specific training duty. Its scope is set by Article 1 of the CIR, not by the Annex: DNS service providers, TLD name registries, cloud computing and data centre service providers, managed service providers, trust service providers and the other entity types listed there. Entities outside that list owe the Article 21(2)(g) duty through their national law; for them §8 is the most concrete description of what the duty looks like in practice rather than directly binding text.

§30(2)(7) BSIG (Germany)

Basic procedures in the area of cyber hygiene and training in the area of cybersecurity.

Germany copies the EU text closely. The implementation path the BSI points at is IT-Grundschutz Baustein ORP.3 'Sensibilisierung und Schulung zur Informationssicherheit', which covers both the awareness side and the role-specific side.

The three things CIR §8 actually requires
CIR 2024/2690 §8 has two sections but three distinct duties when you read them carefully. Awareness for everyone. Role-specific for some. Onboarding plus periodic update.
§8.1

Awareness programme for everyone

A programme that reaches every staff member, including the management body and direct providers. Repeated periodically, not one-off. New joiners are picked up. The content is aligned with your information security policy and your real threat picture. It covers the cyber threats that actually apply to you, the contact points if something looks wrong, and the resources staff can use.

§8.2

Role-specific training for security-relevant roles

Identify which roles need security-relevant skills. Then train those people on three things: how to configure and operate the systems they touch (including mobile devices), the known threats that apply to their work, and how to behave during a security-relevant event. Broader than IT: helpdesk, developers, HR, finance can all qualify.

§8.1 + §8.2

New joiners and periodic update

Both parts of §8 say the programme has to reach new staff in security-relevant roles and be updated regularly. That means an onboarding step inside HR processes, plus a review cadence on the curriculum itself, so the content tracks the threats you actually face today rather than the threats you faced two years ago.

Two rules that shape the whole duty
Two interpretive rules cut across §8. They explain why a one-size-fits-all video does not pass and why the same programme cannot serve every role.

Awareness and role-specific are two distinct programmes

§8.1 and §8.2 are not the same thing repackaged. Awareness goes to everyone. Role-specific goes to people whose work creates or controls security exposure. The content is different, the cadence is different, the proof is different. If your training plan only has one programme, you are missing one of the two duties.

Training content reflects your actual risk picture

§8.1 says the awareness programme has to be 'aligned with the information security policy and the risk landscape' of the entity. Generic phishing content meant for a bank will not fit a Stadtwerk or a waste-management firm. The programme has to track the threats you actually face, the systems you actually run, and the contact points staff actually have to call.

How national regulators actually run this
The EU sets the rule. Each country transposes it. The substance is the same. The local mechanics differ a little.
Germany

BSI / IT-Grundschutz Baustein ORP.3

The BSI's implementation route for §30(2)(7) BSIG is IT-Grundschutz Baustein ORP.3 'Sensibilisierung und Schulung zur Informationssicherheit'. ORP.3 covers both the awareness side (recurring sessions for all staff) and the role-specific side (deeper modules for administrators, developers, helpdesk and managers). It expects the programme to be planned and repeated rather than one-off, and asks you to document the curriculum, attendance and a review cycle.

EU-wide

ENISA Technical Implementation Guidance

The ENISA TIG for CIR (EU) 2024/2690 maps §8 onto ISO/IEC 27001:2022 (A.6.3, A.7.2.2 in the old numbering), NIST CSF 2.0 (PR.AT) and ETSI EN 319 401. If you already run security awareness under ISO 27001, the TIG tells you which existing controls cover §8 and where the gap sits.

Other member states

National transposition laws

Every member state transposes the duty (Netherlands: Cyberbeveiligingswet, Austria: NISG, Belgium: NIS2-Wet). The substance is the same because the directive sets one EU-wide standard. What differs: documentation language, reporting channels, and which national authority audits training records.

Three traps we see all the time
Three assumptions that turn up in audit-prep calls. All three leave a documentable gap.
  • We did the management body course, we are done with NIS 2 training.

    Article 20(2) and Article 21(2)(g) are two separate duties. The management body course covers Article 20(2). Your workforce-wide programme covers Article 21(2)(g). One does not substitute for the other. An auditor will ask for evidence of both.

  • We run an annual phishing simulation, so awareness is covered.

    A phishing simulation is one tactic, not a programme. CIR §8.1 asks for a programme that covers the threats that apply to you, the contact points to report concerns, and the resources staff can use. It also has to reach new joiners and run periodically. A single yearly simulation does not meet that test on its own.

  • We train the IT team, that covers the role-specific duty.

    §8.2 says 'staff whose roles require security-relevant skills'. That is broader than IT. Helpdesk staff who reset passwords, developers who write the code, HR staff who handle joiners and leavers, finance staff who handle payment authorisation. All can sit inside §8.2. The role list has to come from your actual risk picture, not from the org chart.

How real Mittelstand operators actually do this

What we see in the German Mittelstand: an annual phishing simulation plus a security paragraph in the onboarding deck. That is not §8. §8 wants a written programme, with a target audience per module, a frequency per module, and a record per learner of what they completed and when.

The shape that holds up under audit: one awareness track for everyone (onboarding module plus annual refresh, threats and contact points), and a role-specific track for the security-relevant roles you identified (admins, developers, helpdesk, plus whichever business roles your risk analysis flagged). Document the curriculum, the audience, the frequency, the completion records, and a review date for the curriculum itself.
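The audit shape described above (audience per module, frequency per module, a completion record per learner, a review date on the curriculum) can be checked mechanically. The following is an added example, not code from the page or from the platform it describes: a small gap check over a training register of that shape. The module names, staff, dates and the 30-day onboarding and 365-day review thresholds are constructed assumptions for illustration; the gap categories mirror the §8 points the section lists (missing or overdue completions, new joiners not yet onboarded, a security-relevant role with no module assigned, a stale curriculum).

```python
# Added example, not code from the page or the platform it describes.
# A gap check over a training register shaped the way the section describes:
# one module = target audience + refresh interval, one completion record per
# learner, plus a review date on the curriculum itself. All names and dates
# below are constructed sample data; the thresholds are assumptions.
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Module:
    name: str
    audience: frozenset   # {"all"} for the awareness track, or a set of role names
    refresh_days: int     # a completion older than this counts as overdue


@dataclass(frozen=True)
class Staff:
    email: str
    roles: frozenset
    joined: date


def required_modules(person, modules):
    """Awareness modules go to everyone; role-specific ones only to matching roles."""
    return [m for m in modules if "all" in m.audience or m.audience & person.roles]


def latest_completions(completions):
    """(email, module) -> most recent completion date."""
    latest = {}
    for email, module, when in completions:
        if when > latest.get((email, module), date.min):
            latest[(email, module)] = when
    return latest


def find_gaps(staff, modules, completions, security_roles, today,
              curriculum_reviewed, onboarding_days=30, review_days=365):
    """Return a sorted list of (kind, subject, module) tuples an auditor would ask about."""
    latest = latest_completions(completions)
    gaps = []
    for p in staff:
        for m in required_modules(p, modules):
            done = latest.get((p.email, m.name))
            if done is None:
                # A new joiner still inside the onboarding window is pending, not missing
                kind = "onboarding_pending" if (today - p.joined).days <= onboarding_days else "missing"
                gaps.append((kind, p.email, m.name))
            elif (today - done).days > m.refresh_days:
                gaps.append(("overdue", p.email, m.name))
    # Section 8.2: a role flagged as security-relevant but with no module assigned is a gap
    covered = set().union(*(m.audience for m in modules)) - {"all"}
    for role in security_roles - covered:
        gaps.append(("role_without_module", role, ""))
    # The curriculum itself needs a review cadence, not just the learners
    if (today - curriculum_reviewed).days > review_days:
        gaps.append(("curriculum_review_overdue", "", ""))
    return sorted(gaps)


def run_example():
    """Constructed register: one stale admin, one new developer, two roles with no module."""
    today = date(2026, 5, 15)
    modules = [
        Module("awareness-annual", frozenset({"all"}), 365),
        Module("admin-secure-config", frozenset({"admin"}), 365),
        Module("dev-secure-coding", frozenset({"developer"}), 365),
    ]
    staff = [
        Staff("alice@example.test", frozenset({"admin"}), date(2023, 1, 10)),
        Staff("bob@example.test", frozenset({"developer"}), date(2026, 5, 1)),   # new joiner
        Staff("carol@example.test", frozenset({"finance"}), date(2022, 3, 1)),
        Staff("dave@example.test", frozenset({"helpdesk"}), date(2024, 6, 1)),
    ]
    completions = [
        ("alice@example.test", "awareness-annual", date(2025, 3, 1)),      # older than 365 days
        ("alice@example.test", "admin-secure-config", date(2026, 1, 20)),
        ("carol@example.test", "awareness-annual", date(2026, 2, 2)),
    ]
    security_roles = {"admin", "developer", "helpdesk", "finance"}
    return find_gaps(staff, modules, completions, security_roles, today,
                     curriculum_reviewed=date(2025, 1, 1))


if __name__ == "__main__":
    for gap in run_example():
        print(*gap)
```

Run as a script it lists seven gaps for the constructed register: alice's awareness refresh is overdue, dave has never completed the awareness module, bob's two modules are pending inside the onboarding window, finance and helpdesk are flagged as security-relevant but have no role-specific module, and the curriculum review is overdue. The same register exported from whatever tool you use (spreadsheet, LMS, the platform's TRN module) is what an auditor will ask for, so the check is worth running before they do.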

How we handle this on the platform

The Training (TRN) module captures the programme: each course, its target audience, its frequency, and a completion record per learner. You can attach the awareness curriculum to 'all staff' and the role-specific modules to the roles you defined. The audit trail is the evidence.

The §8.1 awareness side is covered by an all-staff awareness track, with the management body reached through the platform's CEO course (which also carries the separate Article 20(2) duty; the two duties stay distinct, but §8.1 counts the management body as part of its audience). The §8.2 role-specific side is covered by adding role-specific modules and assigning them to the staff your risk analysis flags. Completion is recorded automatically. Re-training cycles are scheduled per module.

Sources
  • Directive (EU) 2022/2555 (NIS 2), Article 21(2)(g) — eur-lex.europa.eu/eli/dir/2022/2555/oj
  • Commission Implementing Regulation (EU) 2024/2690 (CIR), Annex §8 — eur-lex.europa.eu/eli/reg_impl/2024/2690/oj
  • BSI Act (BSIG), §30(2)(7) as amended by the NIS2 Implementation and Cybersecurity Strengthening Act
  • BSI IT-Grundschutz Baustein ORP.3 'Sensibilisierung und Schulung zur Informationssicherheit'
  • ENISA Technical Implementation Guidance for CIR (EU) 2024/2690 (as of May 2026)
Run cyber hygiene training without spreadsheets
Awareness for everyone, role-specific for the people who need it, completion records and review cadence on one platform. Free, open source, no lock-in.