NIS2 Art.21.2g: Basic Cyber Hygiene Practices and Cybersecurity Training
What This Control Requires
The measures referred to in paragraph 1 shall include at least the following: (g) basic cyber hygiene practices and cybersecurity training.
In Plain Language
Most successful attacks exploit basic mistakes: weak passwords, unpatched software, a clicked phishing link. Cyber hygiene and training address exactly this by ensuring everyone in the organisation follows routine security practices that prevent the bulk of common threats.
Cyber hygiene covers the fundamentals: regular patching, strong passwords with multi-factor authentication, least-privilege access, reliable backups, network segmentation, endpoint protection, and secure device configuration. These form the baseline that everything else builds on.
Training is not just for IT. Every employee is a potential entry point, particularly through phishing and social engineering. Programmes need to be role-appropriate, run regularly, and kept current with the evolving threat landscape. Critically, NIS2 also requires senior management to receive specific training on their governance responsibilities.
How to Implement
Define mandatory cyber hygiene standards for the organisation covering password policies (complexity, MFA, no reuse), endpoint security (antivirus, disk encryption, screen locks), email security (phishing awareness, attachment handling, link verification), software update cadences, and acceptable use of devices and networks.
Enforce these standards technically wherever possible. Use group policies, MDM solutions, and network access controls to ensure devices meet your security baseline before they can access organisational resources. Roll out MFA for all remote access, email, and critical applications.
Build a cybersecurity awareness and training programme with four layers: mandatory onboarding training for every new starter, annual refreshers covering current threats, role-specific training for IT admins, developers, and incident responders, and targeted sessions for management on their NIS2 governance duties.
Run regular phishing simulations and track results over time. Departments or individuals with higher click rates should receive additional coaching. The goal is behaviour change, not blame.
Make security easy to follow. Create an intranet security hub, quick-reference guides, and a dead-simple process for reporting suspicious activity. If doing the secure thing is harder than the insecure thing, people will take shortcuts.
Track training effectiveness through phishing simulation trends, completion rates, incident data related to human factors, and staff surveys. Use these metrics to refine and improve the programme continuously.
Do not forget contractors and temporary staff. They need the same hygiene requirements and security awareness training before touching any organisational system.
Evidence Your Auditor Will Request
- Documented cyber hygiene standards and baseline security requirements
- Cybersecurity training programme plan with role-based curriculum
- Training completion records for all staff including management
- Phishing simulation results and trend analysis
- Evidence of technical enforcement of cyber hygiene measures (MFA, endpoint compliance)
Common Mistakes
- Training is a once-a-year checkbox exercise with no engagement or reinforcement
- Senior management is exempt from or does not participate in cybersecurity training
- Cyber hygiene standards exist but are not enforced through technical controls
- No phishing simulation programme exists, or its results are not used to improve training
- Contractors and third-party personnel are not included in training requirements