Game-based training for EU cyber regulation

EU cyber regulation has stopped asking whether your people are aware. NIS2, DORA, and the Cyber Resilience Act now expect trained management, tested plans, and rehearsed processes, and they put a name to the person who answers for it when those are missing. A document that says you have them isn’t the same as actually having them. Games and exercises are how you meet the intent, not just the paperwork.

Here’s which regulation applies to you, what it actually expects of your people, and where a game earns its place.

The map

Regulation Who it applies to What it expects of your people and plans Where a game helps
NIS2 Essential and important entities across the EU Accountable, trained management (Article 20) and working incident handling (Articles 21 and 23) EXPOSURE for board governance, Malware & Monsters for incident response
DORA Financial entities and their critical ICT providers A tested operational resilience and continuity programme (Articles 11 and 24 to 26) FAILOVER, run against your real continuity plan
CRA Manufacturers of products with digital elements Secure-by-design, vulnerability handling, and incident reporting for the product itself A tabletop to rehearse the vulnerability-handling and incident-reporting duties

NIS2: train the people you hold accountable

NIS2 makes the management body accountable for cyber risk and requires those same people to be trained, with real incident-handling capability underneath them. That’s not an awareness problem. It’s a decision problem. EXPOSURE puts the board’s governance decisions on the table, and Malware & Monsters rehearses the incident response the same directive expects. The longer argument is in why a NIS2 board game beats a seminar.

DORA: test the plan, do not just file it

DORA requires financial entities to run a real operational resilience testing programme and to actually test their continuity plans, not just maintain them. A plan you have never run is a hypothesis. FAILOVER runs a business-continuity exercise against your actual plan, so you find the gaps before an incident does. The longer argument is in why a DORA tabletop beats a checklist.

CRA: a narrower but real fit

The Cyber Resilience Act is a different kind of animal. It governs the security of products with digital elements: secure-by-design, handling vulnerabilities across the product lifecycle, and reporting actively exploited vulnerabilities and incidents. Most of that is engineering, not training, so I’ll be honest: a game doesn’t carry the CRA the way it carries NIS2 or DORA. Where it does help is the process side. Rehearsing how your team receives, triages, and reports a vulnerability or an incident under the CRA clock, so the obligation is muscle memory instead of a document nobody has ever opened.

Where to start

If you’re not sure which of these applies to you, here’s the short version: most organisations touch at least one, and the larger ones touch all three through their supply chain. Start with the regulation that already has your board’s attention, and train the people it holds responsible. All of these games sit in the wider serious games catalogue if you want to compare them side by side.

Outside the EU? US defense contractors have their own version of this in CMMC. See why CMMC wants you to test your incident response.

Frequently asked questions

Which EU cyber regulation applies to me?
NIS2 applies to essential and important entities across most critical sectors. DORA applies to financial entities and their critical ICT providers. The CRA applies to manufacturers of products with digital elements. Many organisations fall under more than one, directly or through their supply chain.
Can a game satisfy NIS2 or DORA training and testing obligations?
A game does not issue a certificate, but it delivers the substance those obligations are about: NIS2 wants trained, accountable management and working incident handling, and DORA wants tested continuity and resilience. A facilitated game or exercise is a direct way to produce and evidence that.
What is the difference between NIS2, DORA, and CRA?
NIS2 is about organisational cyber risk management and governance, DORA is about operational resilience for the financial sector, and the CRA is about the security of the products you make. They overlap but hold different people responsible for different things.
Does the CRA require training?
The CRA is mainly a product-security regulation, so its obligations are largely technical rather than training. The training-shaped part is making sure your team can actually run the vulnerability-handling and incident-reporting processes it requires, which is something you can rehearse.

No cookies here

Notice there’s no cookie banner here.
That’s intentional and the site is still GDPR-compliant. I chose to avoid cookies and stick to basic, privacy-friendly stats.
My analytics are cookieless: self-hosted Plausible (EU) and PostHog in cookieless mode, with your IP anonymized. No cross-site tracking, nothing that identifies you.
The one cookie I can set does the opposite of every other cookie: it tells my stats to ignore you completely, and you only get it if you ask.

Everybody wins.