NIS2 Security Awareness Training Requirements: Articles 20 & 21 Explained

NIS2 security awareness training requirements come from two places: Article 20(2), which obliges members of management bodies to follow cybersecurity training, and Article 21(2)(g), which makes basic cyber hygiene practices and cybersecurity training a mandatory risk-management measure. National laws in Slovakia and Czechia turn these into concrete duties: documented training plans, initial and refresher training, and evidence regulators can inspect.

Where does NIS2 mandate security awareness training?

The directive is short on detail but unambiguous about training. Article 20(2) of NIS2 (Directive (EU) 2022/2555) requires Member States to ensure that members of the management bodies of essential and important entities follow cybersecurity training, and it pushes entities to offer similar training to staff on a regular basis - so that everyone can identify risks and assess how risk-management practices affect the services the entity provides. This is the NIS2 management training requirement, and it sits next to Article 20(1), which makes management bodies approve and oversee the cybersecurity measures - and makes them liable for infringements.

Article 21(2)(g) then lists "basic cyber hygiene practices and cybersecurity training" among the minimum risk-management measures every in-scope entity must implement. In the Slovak and Czech transpositions this appears as kybernetická hygiena: password discipline, updates, careful handling of email and attachments, and the training that keeps those habits alive. NIS2 Article 21(2)(g) is the provision auditors quote when they ask for your training records.

There is practical logic behind the legal text. ENISA's Threat Landscape reports consistently rank phishing among the most common ways attackers gain their first foothold inside an organization. A program that hardens systems but leaves people untrained ignores the most-attacked surface.

How Slovak and Czech law turn the directive into concrete duties

The directive defines what must exist; national law defines how deep it goes and when. Both Slovakia and Czechia transposed NIS2 with an act plus implementing decrees - and in both countries the decrees, not the acts, carry the concrete training duties. 2026 is the year the transition clocks run out.

Slovakia: zákon č. 69/2018 after novela č. 366/2024, plus vyhláška 227/2025

The novela zákona o kybernetickej bezpečnosti (Act No. 366/2024 Z. z.), effective 1 January 2025, extended zákon č. 69/2018 to more than 3,400 organizations, which must implement general security measures within 12 months of registration. The detail lives in vyhláška NBÚ č. 227/2025 Z. z., effective 1 September 2025. Its annex of general measures requires adequate, role-appropriate education so that the statutory body, employees and third parties all maintain cybersecurity awareness - in practice a documented plán rozvoja bezpečnostného povedomia (security-awareness development plan) defining the form, content and scope of školenia. This is the legal basis behind what Slovak managers search for as povinné školenie kybernetickej bezpečnosti. Entities regulated under the old regime may follow the old rules only until 31 December 2026; from 1 January 2027, vyhláška 227/2025 applies in full.

Czechia: nový zákon č. 264/2025 Sb. plus vyhlášky 409/2025 and 410/2025

The nový zákon o kybernetické bezpečnosti (Act No. 264/2025 Sb.), effective 1 November 2025, splits regulated entities into higher-obligations and lower-obligations regimes. Over 4,800 organizations had registered with NÚKIB by early February 2026 - of roughly 6,000 expected - and each has one year from registration to implement security measures. That puts most Czech compliance deadlines, including training, in late 2026.

Vyhláška č. 409/2025 Sb. (higher regime) requires a plán rozvoje bezpečnostního povědomí covering the form, content and scope of instruction and training, regular training with verification of awareness matched to job roles, periodic evaluation of the plan's effectiveness, and named owners for each activity. Vyhláška č. 410/2025 Sb. (lower regime, § 5) requires a secure-user-behavior policy, demonstrable instruction of top management about its duties, initial (vstupní) cybersecurity training, regular refreshers, practical training for administrators, and records of completed trainings with lists of trained persons. NÚKIB's guide to the new act and its 2026 implementation manuals walk through both decrees.


Who must be trained under NIS2?

Across the directive and both national frameworks, four groups keep appearing. Training is not one course for everyone - depth follows role.

  • Statutory bodies and top management. Article 20(2) makes management training a hard requirement. Czech vyhláška 410/2025 demands demonstrable instruction of vrcholné vedení about its legal duties; the Slovak decree names the štatutárny orgán explicitly.
  • All employees. The cyber-hygiene baseline: recognizing phishing, reporting suspicious messages, handling data and credentials. A practical red-flags checklist is the core curriculum here.
  • Administrators and security roles. The Czech decrees require expert theoretical and practical training for administrators. Privileged accounts attract targeted attacks, so this group needs deeper, hands-on content.
  • Third parties with access. The Slovak decree extends awareness expectations to third parties, and supply-chain security under Article 21(2)(d) is your responsibility - contractors with system access should be covered by contract and by your onboarding training.

How often and in what form must training happen?

Neither the directive nor the decrees fix a single interval such as "once a year." They define a structure with three layers:

  1. Initial training before access. New hires and new contractors are trained before they receive accounts, or at the moment they do - the Czech vstupní školení is explicit, and Slovak practice under the awareness plan mirrors it.
  2. Regular refreshers. "Regular" (pravidelné) appears in both decrees without a number; frequency must be justified by your risk analysis. Quarterly touchpoints beat one annual marathon.
  3. Effectiveness evaluation. Czech vyhláška 409/2025 requires periodic evaluation of the plan's effectiveness and verification of awareness; the Slovak framework demands demonstrable measures. If you cannot show whether training changed behavior, you have a paper program.

Form matters as much as frequency. Slide-deck e-learning produces completion certificates, not behavior change. Verifying awareness in practice means testing people against realistic attacks - which is why phishing tests for employees have become the standard effectiveness instrument. Platforms like PhishGun pair simulated campaigns, using localized templates in English, Slovak and Czech, with in-the-moment micro-training when someone clicks, so the test itself becomes a teaching moment and the metrics double as compliance evidence.

What evidence do regulators and auditors expect?

Supervision is documentation-first. An NBÚ auditor - the first Slovak cybersecurity audit falls within two years of registration - or a NÚKIB inspector will rarely watch you train; they read what you can prove. The same records satisfy ISO 27001 Clause 7.3, as covered in our ISO 27001 awareness training guide, so build the evidence once and reuse it.

| Requirement | Evidence regulators expect |
| --- | --- |
| Awareness development plan (SK 227/2025, CZ 409/2025) | Approved, dated plan defining form, content and scope of training; review history; named owners |
| Management training (Art. 20(2); CZ 410/2025 § 5) | Agenda, date, trainer, signed attendance of management-body members |
| Initial training before access | Onboarding checklist showing training completed before account provisioning |
| Regular all-staff refreshers | Training log: topics, dates, attendance lists, completion rates |
| Role-based training for administrators | Course outlines, certificates and dates per privileged role |
| Effectiveness evaluation | Test scores, phishing-simulation click and report rates, trend reports, remediation records |

Keep all of it in one repository, dated and exportable on request. Scattered spreadsheets fail audits almost as reliably as missing records.

Fines and personal liability if training is missing

Training sits inside the Article 21 measures, so missing it lands in the top fine band. The directive sets floors: up to at least €10 million or 2% of total worldwide annual turnover for essential entities, and €7 million or 1.4% for important entities, whichever is higher. Slovakia mirrors these - up to €10M/2% for operators of critical essential services and €7M/1.4% for other essential-service operators, with separate fines for natural persons from €100 to €5,000. Czechia allows up to CZK 250 million or 2% of net worldwide turnover in the higher regime and CZK 175 million or 1.4% in the lower.

The personal dimension is what changes board conversations. Management bodies approve and oversee the measures and can be held liable for infringements; for essential entities, supervisors can even request a temporary ban on individuals exercising managerial functions. And a missing training record is the easiest gap an inspector can find - no technical testing required, just one question: show me who was trained, on what, and when.

A 12-month NIS2-compliant training and simulation calendar

A defensible program works backwards from the evidence table above. The calendar below fits both Slovak and Czech requirements and assumes a quarterly rhythm - scale it to your risk analysis.

| Month | Activity | Evidence produced |
| --- | --- | --- |
| 1 | Approve or update the awareness development plan; assign owners | Signed plan with review date |
| 2 | Unannounced baseline phishing simulation | Click and report rates per department |
| 3 | All-staff training: cyber hygiene, phishing red flags, incident reporting | Attendance lists, topics, dates |
| 4 | Management-body training session | Board attendance record, agenda |
| 5 | Phishing simulation #2 (new scenario); micro-training for clickers | Simulation report, remediation log |
| 6 | Technical training for administrators and privileged users | Certificates, course outlines |
| 7 | Mid-year effectiveness review against baseline | Trend report, plan adjustments |
| 8 | Refresher e-learning and policy re-acknowledgment | Completion rates, acknowledgments |
| 9 | Spear-phishing/BEC simulation for finance and management | Targeted simulation report |
| 10 | Third-party and new-hire training audit | Onboarding records, contractor confirmations |
| 11 | Phishing simulation #4; remedial training for repeat clickers | Simulation report, remediation records |
| 12 | Annual evaluation; update plan; archive the evidence pack | Annual effectiveness report |

Next steps before the deadlines hit

If your registration clock is running - and in both countries it almost certainly is - start with the four items that produce evidence fastest: adopt the awareness plan, book the management training session, run a baseline simulation, and set up the evidence repository. Our phishing simulation playbook covers the operational side step by step.

PhishGun, built by the Slovak offensive-security company Haxoris, was designed for exactly this lane: realistic phishing campaigns with localized templates in English, Slovak and Czech, an employee report workflow, and audit-ready reports you can hand to an NBÚ or NÚKIB inspector as NIS2, ISO 27001 or DORA evidence. The first phishing campaign is free - no credit card - and pricing is transparent per employee.

Frequently asked questions

Does annual e-learning satisfy NIS2 training requirements?

Usually not on its own. NIS2 and the Slovak and Czech decrees expect initial training before access, regular refreshers, and evaluation of effectiveness. A single annual module with no verification leaves two of those three layers empty. Auditors increasingly ask how you measured behavior change - completion certificates alone do not answer that question.

Are phishing simulations mandatory under NIS2?

Not by name. The directive never says "phishing simulation." But Czech vyhláška 409/2025 requires verification of security awareness and evaluation of training effectiveness, and Slovak vyhláška 227/2025 demands demonstrable, role-appropriate education. Simulations are the accepted practical way to produce that evidence, and NÚKIB guidance links risk-based testing to phishing resilience - so they are expected in substance.

Do suppliers and contractors need NIS2 training?

If they access your systems, yes in practice. The Slovak decree extends awareness expectations to third parties alongside employees and the statutory body, and NIS2 Article 21(2)(d) makes supply-chain security your responsibility. Put awareness obligations into contracts, train contractors with system access during onboarding, and keep records exactly as you would for employees.

Does management need separate NIS2 training?

Yes. Article 20(2) obliges members of management bodies to follow training so they can identify risks and assess cybersecurity risk-management practices - generic staff e-learning does not cover that. Czech vyhláška 410/2025 additionally requires demonstrable instruction of top management about its legal duties. A dedicated, documented session for the board, repeated regularly, is the defensible minimum.

What NIS2 training deadlines apply in 2026?

In Slovakia, entities regulated under the old regime may follow the old rules only until 31 December 2026; vyhláška 227/2025 applies in full from 1 January 2027, and newly registered entities must implement measures within 12 months of registration. In Czechia, security measures - including training - are due one year after registration, which for most entities means late 2026.
