Your annual training won’t pass NIS2, here’s what auditors really want!

Passing a NIS2 audit requires more than annual training certificates; it demands verifiable proof of cyber resilience. To satisfy NIS2 Article 21, organizations must provide seven specific evidence packs that demonstrate management governance, employee competency, and measurable risk reduction, not just course completion.
Many organisations still rely on a folder of annual training certificates and struggle to compile those packs quickly.
How many? In 2024, Eurostat’s ICT usage and e-commerce enterprise survey mapped a total of 1.54 million European enterprises with more than 10 employees. Roughly 60% of those enterprises, meaning 924,000 business entities, made their staff aware of their ICT security obligations in 2024.
The good news is that this gap is fixable once it is made visible, and this post gives you a practical way to get there.
You will see the seven evidence packs auditors typically request, why completion certificates alone do not satisfy the Directive’s focus on effectiveness, and how to run a simple 48-hour test to check whether your program is audit-ready before your next review.
Why this matters now: NIS2 is a 2026 problem, not a “someday” problem
NIS2 is the European Union’s updated cybersecurity directive, designed to raise the baseline of cyber resilience across 18 critical sectors, covering organizations from critical infrastructure and health to digital providers, manufacturing, and many regulated services.
It matters because it reframes cybersecurity as a governance and operational risk issue rather than an information technology best practice.
Article 21 is especially important here: it expects policies and procedures that assess the effectiveness of risk-management measures. Completion becomes a starting point, while proof of impact becomes the standard.
The transposition deadline was 17 October 2024.
Around 160,000 entities across the European Union fall under the scope of the NIS2 Directive – and the European Commission called it a conservative estimate, based on Member States’ notifications by September 2025.
The European Commission made the shift visible by opening infringement procedures with letters of formal notice to 23 Member States for failing to fully transpose the directive, and then following up with reasoned opinions to 19 Member States. That signals enforcement machinery is active at European level, and supervision tends to accelerate nationally once that political cover exists.
Penalty ceilings are already defined: up to 10 million euros or 2% of global turnover for essential entities, and at least 7 million euros or 1.4% of global turnover for important entities. Publicly disclosed NIS2 fines remain limited so far, largely because enforcement is national and implementation timelines have been uneven across Member States. Yet the direction is clear: supervisory authorities can ask harder questions and expect better evidence, faster.
This shift changes what counts as proof. You will demonstrate control effectiveness, not just completion.
The 7 Evidence Packs: What NIS2 Auditors Actually Demand
NIS2 requires training, requires effectiveness assessment, and requires governance.
In practice, auditors use seven evidence packs because they are a fast way to test whether your training operates like a control system rather than compliance theatre.
Completion and comprehension
Across the European Union, only 24.51% of enterprises used compulsory training courses or compulsory material as part of awareness activities. This is where you will see whether your programme is audit-ready: auditors will ask whether people understood critical topics and whether failed comprehension triggered remediation.
Strongly recommended: Provide a dated export from your learning platform showing who completed each module, each person’s quiz score, the pass threshold, and a list of the individuals automatically re-assigned remediation within 7 days after failing.
Behavioral effectiveness
Auditors look for indicators showing risky behaviours are trending down. In 2024, 3.43% of European enterprises reportedly suffered an external cyberattack that caused service unavailability. Events like this are exactly why you will need evidence that goes beyond certificates. Here’s what that looks like: behavioral signals, trend lines, and documented interventions that reduce repeat mistakes.
Strongly recommended: Show a three-month trend of simulated phishing results by department (report rate, click rate, credential-submission rate), plus the exact corrective action taken for the worst-performing team and the measurable change the following month.
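To make the first two packs concrete, here is an added illustration (not code from the original post or from any vendor) of compiling them from a learning-platform export and phishing-simulation results. All records, field names, the 80% pass mark and the 7-day remediation window are constructed assumptions; it flags failed learners whose remediation was late or missing, and computes the per-department trend with the worst team and its month-over-month change.

```python
"""NIS2 awareness evidence packs from constructed sample data (added illustration;
field names, thresholds and every record are assumptions, not a real export)."""
from datetime import date, timedelta

PASS_THRESHOLD = 80                     # assumed quiz pass mark
REMEDIATION_WINDOW = timedelta(days=7)  # "re-assigned remediation within 7 days"

# Constructed LMS export: (user, dept, module, score, completed, remediation_assigned)
LMS_EXPORT = [
    ("alice", "finance", "invoice-fraud", 92, date(2025, 9, 2), None),
    ("bob", "finance", "invoice-fraud", 61, date(2025, 9, 3), date(2025, 9, 5)),
    ("carol", "hr", "identity-verification", 55, date(2025, 9, 4), date(2025, 9, 20)),
    ("dave", "servicedesk", "reset-verification", 70, date(2025, 9, 6), None),
]
# Constructed simulation results: (dept, month, sent, clicked, reported, submitted_creds)
SIM_RESULTS = [
    ("finance", "2025-07", 40, 12, 8, 5), ("finance", "2025-08", 40, 9, 14, 3),
    ("finance", "2025-09", 40, 5, 20, 1), ("hr", "2025-07", 20, 3, 10, 1),
    ("hr", "2025-08", 20, 2, 11, 0), ("hr", "2025-09", 20, 2, 12, 0),
]

def comprehension_pack(rows, threshold=PASS_THRESHOLD, window=REMEDIATION_WINDOW):
    """Every failed learner, flagged on whether remediation was assigned in the window.
    Late or missing remediation is the audit finding: the control did not trigger."""
    pack = []
    for user, dept, module, score, done, remediated in rows:
        if score >= threshold:
            continue
        on_time = remediated is not None and remediated - done <= window
        pack.append({"user": user, "dept": dept, "module": module,
                     "score": score, "remediated_on_time": on_time})
    return pack

def phishing_trend(results):
    """Click, report and credential-submission rates per (dept, month), so teams of
    different sizes are comparable."""
    return {(d, m): {"click_rate": c / s, "report_rate": r / s, "cred_rate": x / s}
            for d, m, s, c, r, x in results}

def worst_team(trend, month):
    """Department with the highest credential-submission rate that month."""
    rates = {d: v["cred_rate"] for (d, m), v in trend.items() if m == month}
    return max(rates, key=rates.get)

def month_over_month(trend, dept, before, after, metric="cred_rate"):
    """Measured change after a corrective action; negative means improvement."""
    return round(trend[(dept, after)][metric] - trend[(dept, before)][metric], 4)
```

In the constructed data, carol and dave are the audit gap (remediation late or never assigned), and finance is the team to target in July, with its credential-submission rate falling by 5 points the following month.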
Continuous improvement documentation
NIS2 expects security measures to be managed, assessed, and improved. In 2024, only 35.50% of European enterprises reported having documentation on information and communication technology security measures, practices, or procedures. Auditors will test whether improvements are recorded, owned, and repeatable rather than informal and ad hoc.
Strongly recommended: Attach your last two quarterly security awareness review notes with named owners, approved actions, target dates, and a screenshot or ticket ID proving each action was implemented (for example, a new verification step in the service desk reset workflow).
Management training
This is explicitly written into NIS2 governance expectations: members of management bodies are required to follow training, and entities are encouraged to offer similar training to employees regularly.
Strongly recommended: Include the management body’s training log with meeting date, attendance, module title, and a short record of the decision it informed (for example, approving a revised access-control policy or budget for identity verification controls).
Incident-response readiness that involves the workforce
NIS2 sets a 24-hour deadline for an early warning after becoming aware of a significant incident, which makes employee recognition and escalation a control requirement. Finance teams need to freeze suspicious payments, Human Resources needs to validate identity changes, and service desks need clear verification steps before resetting access.
Strongly recommended: Provide the most recent incident or tabletop exercise report showing time-to-detect, time-to-escalate, who escalated, which playbook was triggered, and evidence that staff followed the verification and reporting steps rather than improvising.
Behavioral risk quantification
Auditors increasingly test whether you understand where human risk concentrates. The practical question becomes: which teams are most exposed, and what did you do differently for them?
Strongly recommended: Produce a risk heatmap that ranks teams by exposure (for example, finance, procurement, HR, service desk) using your own data – phishing susceptibility, privileged access levels, and volume of high-risk transactions – then show the targeted training plan that changed for the top two teams.
Competency proof aligned with operational deadlines
NIS2 requires a more complete incident notification within 72 hours. That is why auditors care about competence under pressure rather than participation during calm months.
Strongly recommended: Document one timed drill where employees had to classify a scenario and take the correct first action in under 10 minutes (for example, report a suspected compromise, freeze a payment, or refuse a reset without verification), with pass/fail results and follow-up coaching records.
The 48-Hour Challenge: Test Your Audit Readiness Today
Try this today: Could you compile all seven evidence packs in 48 hours, in a clean format, mapped to owners, dates, and controls?
This is the simplest way to turn a vague sense of readiness into a concrete answer. Many programs create a January spike of activity and eleven months of silence, and the 48-hour test makes that pattern visible.
A June 2024 survey of information technology professionals by Hornetsecurity found that 22.4% of organizations run end-user security awareness training only once a year. Meanwhile, attackers scale persuasion continuously, which raises the bar for what “effective training” needs to achieve.
Microsoft has reported that artificial intelligence-automated phishing emails achieved a 54% click-through rate in measured contexts, showing how quickly attack content improves compared with occasional, once-a-year modules.
Delivery formats evolve too. In the third quarter of 2025, one dataset shows 716,306 unique malicious quick response codes detected in phishing activity. In practice, that can look like a warehouse manager scanning a “shipment issue” notice and a compromise starting inside routine work.
Evidence, Not Education: The New Standard for “Continuous”
“Continuous training” is often sold as a better learning experience, but under NIS2, it serves a more strategic purpose: it creates a constant stream of behavioral evidence.
The bottleneck is rarely a lack of tools: 70% of organizations report running more than 10 security point solutions. With tooling already in place, the remaining gap is human-risk evidence: proof that decisions and behaviours got safer over time.
A practical example auditors like to see is monthly micro-scenarios tied to critical workflows, such as invoice changes, account recovery, or supplier onboarding, coupled with documented changes in response to near misses and measured improvements.
You can generate all seven evidence packs automatically from continuous training, behavioural metrics, trending, and audit-ready documentation, without turning your security team into a reporting factory. That’s what Prime Security Awareness is built to support.
Next Steps: Close the Gap
Run the 48-hour test this week. Attempt to compile the seven evidence packs and document exactly where the process breaks. That gap is your real compliance priority.
Future posts in this series will show how to build your human firewall and how companies are succeeding in automated security awareness training that actually reduces phishing risk.
Subscribe to get all the articles of this series!