NIS2 says train your board. A slide deck will not do it.

NIS2 turned board-level security training into a legal obligation, not a nice-to-have. Article 20 puts accountability for cyber risk on the management body itself, and Article 20(2) requires those same people to be trained. Most organisations are dealing with that by booking a ninety-minute seminar or an e-learning module. It ticks the box. It does almost nothing for the thing NIS2 actually cares about.

What NIS2 actually asks of your board

Article 20 isn’t a training requirement bolted onto a technical directive. It’s a governance requirement. The management body has to approve the cyber risk-management measures, oversee how they’re implemented, and can be held personally liable when they get it wrong. Article 20(2) then says those same managers have to be trained to identify risks and assess the organisation’s cyber risk-management practices. Read that again. The law doesn’t ask your board to be aware of cyber risk. It asks them to make and defend decisions about it.

Why the seminar is the default

The seminar is the obvious answer, and it’s obvious for good reasons. It’s cheap, it scales, one expert can brief a whole leadership team in an afternoon, and it leaves you with an attendance record to show an auditor. If the goal were to inform the board that NIS2 exists and that cyber risk is real, the seminar would be exactly the right tool. That’s just not the goal.

Information is not instinct

A board that has sat through a good NIS2 briefing can tell you what the directive says. That’s not the same as being able to run the meeting where the CISO asks for budget they don’t want to give. Or the meeting thirty minutes after a breach, where someone has to decide what to tell the regulator inside the seventy-two hour window. Those are decisions made under pressure, with half the information you’d like and real consequences either way. You don’t get better at them by being told about them. You get better at them by making them, getting them wrong somewhere it’s safe to get them wrong, and making them again. That’s the training the law has in mind, whether it puts it in those words or not.

What board training looks like when it works

It looks like the board actually making the calls. You put a real governance decision in front of them, with a clock and a trade-off, and let the consequences play out on the table instead of in production. That’s what EXPOSURE does. It’s a board-governance game built around the decisions NIS2 Article 20 puts on management, run as a facilitated half-day. The board doesn’t learn about oversight. They practise it.

NIS2 won’t accept “we ran a seminar” as evidence forever. And even if it did, a seminar was never going to change how your board behaves in the room that actually matters. Train them the way you’d train anyone for a decision that counts. Let them make it.

NIS2 is not the only EU regime raising this bar. DORA does the same for operational resilience in financial services, and the wider case for training over slideware runs through game-based training for EU cyber regulation.

Frequently asked questions

Does NIS2 legally require board-level cybersecurity training?

Yes. NIS2 Article 20(2) requires members of management bodies to undergo training to identify risks and assess cyber risk-management practices, and Article 20(1) makes them accountable for the measures themselves.

Is a seminar or e-learning enough for NIS2 management training?

It satisfies the paper obligation but not the intent. NIS2 holds management accountable for decisions, and a seminar transfers information without ever rehearsing the decisions. It is the minimum, not the goal.

What is the alternative to a NIS2 board seminar?

A facilitated exercise where the board actually makes the governance decisions under pressure, such as a board-governance game like EXPOSURE, so they practise the accountability the law assigns them.

Who is legally accountable under NIS2?

The management body. Article 20 makes them approve and oversee the risk-management measures and allows them to be held liable, which is why their training has to go beyond awareness.

Want to put this in front of your team?

I run these as games your board and your responders actually take part in, not another slideshow. Tell me where your team is and what they need to practise, and we will set it up.

No cookies here

Notice there’s no cookie banner here.
That’s intentional and the site is still GDPR-compliant. I chose to avoid cookies and stick to basic, privacy-friendly stats.
My analytics are cookieless: self-hosted Plausible (EU) and PostHog in cookieless mode, with your IP anonymized. No cross-site tracking, nothing that identifies you.
The one cookie I can set does the opposite of every other cookie: it tells my stats to ignore you completely, and you only get it if you ask.

Everybody wins.