Game-based training for EU cyber regulation
EU cyber regulation has stopped asking whether your people are aware. NIS2, DORA, and the Cyber Resilience Act now expect trained management, tested plans, and rehearsed processes, and they put a name to the person who answers for it when those are missing. A document that says you have them isn’t the same as actually having them. Games and exercises are how you meet the intent, not just the paperwork.
Here’s which regulation applies to you, what it actually expects of your people, and where a game earns its place.
The map
| Regulation | Who it applies to | What it expects of your people and plans | Where a game helps |
|---|---|---|---|
| NIS2 | Essential and important entities across the EU | Accountable, trained management (Article 20) and working incident handling (Articles 21 and 23) | EXPOSURE for board governance, Malware & Monsters for incident response |
| DORA | Financial entities and their critical ICT providers | A tested operational resilience and continuity programme (Articles 11 and 24 to 26) | FAILOVER, run against your real continuity plan |
| CRA | Manufacturers of products with digital elements | Secure-by-design, vulnerability handling, and incident reporting for the product itself | A tabletop to rehearse the vulnerability-handling and incident-reporting duties |
NIS2: train the people you hold accountable
NIS2 makes the management body accountable for cyber risk and requires those same people to be trained, with real incident-handling capability underneath them. That’s not an awareness problem. It’s a decision problem. EXPOSURE puts the board’s governance decisions on the table, and Malware & Monsters rehearses the incident response the same directive expects. The longer argument is in why a NIS2 board game beats a seminar.
DORA: test the plan, do not just file it
DORA requires financial entities to run a real operational resilience testing programme and to actually test their continuity plans, not just maintain them. A plan you have never run is a hypothesis. FAILOVER runs a business-continuity exercise against your actual plan, so you find the gaps before an incident does. The longer argument is in why a DORA tabletop beats a checklist.
CRA: a narrower but real fit
The Cyber Resilience Act is a different kind of animal. It governs the security of products with digital elements: secure-by-design, handling vulnerabilities across the product lifecycle, and reporting actively exploited vulnerabilities and incidents. Most of that is engineering, not training, so I’ll be honest: a game doesn’t carry the CRA the way it carries NIS2 or DORA. Where it does help is the process side. Rehearsing how your team receives, triages, and reports a vulnerability or an incident under the CRA clock, so the obligation is muscle memory instead of a document nobody has ever opened.
Where to start
If you’re not sure which of these applies to you, here’s the short version: most organisations touch at least one, and the larger ones touch all three through their supply chain. Start with the regulation that already has your board’s attention, and train the people it holds responsible. All of these games sit in the wider serious games catalogue if you want to compare them side by side.
Outside the EU? US defense contractors have their own version of this in CMMC. See why CMMC wants you to test your incident response.