
Mandatory employee training for companies

As we are frequently asked, “what obligations are there?”, we have put together an overview.

Frank von Stetten · 13.04.2026
[Graphic: overview of training obligations]

Mandatory training requirements result from:

  • Cyber security: NIS 2 Directive, AI Act, IT Security Act (Germany)
  • Data protection: EU General Data Protection Regulation (GDPR), Federal Data Protection Act (BDSG – Germany)
  • Occupational health and safety: Occupational Health and Safety Act (ArbSchG – Germany), DGUV Regulation 1 (German Social Accident Insurance)

Explicit (legal) obligations

NIS 2 Directive (EU) – Directive (EU) 2022/2555

The NIS 2 Directive applies to approximately 30,000 companies in Germany with more than 50 employees that are classified as “essential” or “important” entities under the regulation, as they provide services in critical sectors.

Through the supply chains of these organisations, the NIS 2 Directive is expected to become relevant for up to 100,000 additional companies, as directly affected entities will require their suppliers and partners to comply with the same standards.

In Germany, the NIS 2 Directive is implemented through the Act on the Federal Office for Information Security (BSIG). This legislation includes explicit training obligations in two provisions:

  • Section 30 (2) BSIG requires basic training and awareness-raising measures in the field of information security for all employees.
  • Section 38 (3) BSIG explicitly introduces a training obligation for management bodies: “Management bodies […] must regularly participate in training in order to acquire sufficient knowledge and skills to identify and assess risks and risk management practices in the field of information security, and to be able to evaluate the impact of risks and risk management practices on the services provided by the entity.”

Training is therefore explicitly required by law.

For the general workforce, there are no detailed legal requirements specifying how training must be delivered. As is typical under NIS 2, organisations are expected to follow best practice. Our training Fit für Cyber Security is designed in line with such best practice and has, for many years, covered the required “basic training and awareness-raising measures”. This includes topics such as phishing, passwords and password management, social engineering, ransomware, and more.

For management bodies, the German Federal Office for Information Security (BSI) has published comprehensive guidance (in German). In its first version (2025), this guidance assumes training sessions of approximately four hours, to be conducted every three years or upon a change in management.

For individuals with no prior exposure to risk management, this approach is appropriate. However, for management bodies that have been regularly informed about cyber security risks and measures as part of enterprise risk management processes, much of this content is already familiar.

In these cases, we recommend a tailored training format of 60–90 minutes. These sessions are delivered either in person or virtually and – in line with BSI expectations – are specifically adapted to the organisation’s level of maturity and implementation.

From our perspective, e-learning formats for management are only a fallback option, primarily suitable for large enterprises with more than 20 affected business units.

   NIS 2 training obligation at a glance

  • Scope: All organisations falling under NIS 2 (approximately 36,000 in Germany), plus very likely their suppliers and service providers through supply chain requirements.
  • Duration: No legal requirement is defined – best practice applies. For general security awareness, typical training lasts 30–60 minutes. For management training, the German Federal Office for Information Security (BSI) recommends a 4-hour live session. However, in organisations with established risk management structures, best practice is closer to 90 minutes.
  • Frequency: No legal requirement is defined – best practice applies. For general security awareness, this typically means an initial foundational training in the first year, followed by refresher sessions in subsequent years. For management training, the BSI recommends every three years or upon a change in management.
  • Online suitability: Fully suitable for the workforce. For management, live sessions are recommended. E-learning formats are considered a fallback solution and are mainly appropriate for large enterprises.

IS-FOX recommendation on content:

  • Workforce: General security awareness covering phishing, passwords and password management, social engineering, ransomware, and related topics – for example Fit for Cyber Security.
  • Management: Best practice live NIS 2 training for executive leadership. The focus is on understanding risk management principles to enable leaders to assess and evaluate the organisation’s cyber risk posture.

EU AI Act

Article 4 of the EU AI Act requires organisations to take appropriate measures to ensure a sufficient level of AI literacy among staff and all persons involved in the operation or use of AI systems. This includes awareness, knowledge and understanding of AI systems and their risks.

The required level of AI literacy must be determined based on the individual role, prior knowledge, type of AI system used and the specific context of deployment.

Together with AI experts, legal specialists, learning professionals and subject matter experts from our client organisations, we have defined a structured AI literacy training programme. It covers AI fundamentals (how AI systems work), the risk classification under the AI Act, AI and cyber security, AI and data protection, as well as practical guidance for the safe and responsible use of AI in day-to-day work.

We are confident that this approach fully addresses Article 4 of the EU AI Act and covers all relevant topics for users of AI systems in an operational context.

   EU AI Act (AI literacy requirement) at a glance

  • Scope: All organisations that provide their employees with access to AI systems (i.e. effectively all companies, regardless of size or industry).
  • Duration: No legal requirement is defined. Our AI literacy training lasts 40–50 minutes.
  • Frequency: No legal requirement is defined.
  • Online suitability: Fully suitable, highly efficient in online delivery.

IS-FOX recommendation on content:
AI literacy training covering how AI works, what the EU AI Act requires, cyber security and data protection in the context of AI, as well as practical and actionable guidance for the safe use of AI in day-to-day work.

DORA – Digital Operational Resilience Act (EU Regulation 2022/2554)

DORA applies to financial entities (including banks, insurance companies, payment service providers, crypto-asset service providers, etc.) as well as to ICT third-party service providers supporting financial institutions (e.g. cloud providers, data processing services, software providers). In total, approximately 3,600 companies in Germany and more than 20,000 companies across the EU are affected.

Article 13 of DORA requires financial entities to establish ICT security awareness programmes and digital operational resilience training as mandatory components of their staff training programmes. These programmes apply to all employees and senior management and must be proportionate to the role, responsibilities and complexity of the function performed.

DORA is not a “light-touch security recommendation”, but a highly prescriptive regulation with a defined maturity level, which is also subject to supervisory review and audit by competent authorities.

From our perspective, this leads to several distinct target groups for training requirements:

  • General cyber security awareness training for all employees
  • DORA-specific content for management and leadership roles (e.g. executives, project leads)
  • Secure IT operations training for administrators and ICT service providers
  • Secure software development training for developers

   DORA training requirements at a glance

  • Scope: Approximately 3,600 financial entities in Germany, as well as their ICT third-party service providers.
  • Duration: No legal requirement is defined.
  • Frequency: No legal requirement is defined.
  • Online suitability: Fully suitable for all target groups, with high efficiency in digital delivery.

IS-FOX recommendation on content:

  • For employees: general security awareness covering phishing, passwords and password management, social engineering, ransomware, and related topics – for example Fit for Cyber Security.
  • For management and project leads: the online DORA training provides a concise overview of DORA-specific requirements, including how organisations build digital operational resilience, what DORA requires, and what responsibilities employees and managers have in practice.

IT Security Act (BSIG / IT-SiG 2.0)

Under the Federal Act on the Federal Office for Information Security (BSIG) / IT Security Act (in German), operators of critical infrastructures (from defined sectors such as energy, water, transport, health, etc.), providers of digital services, operators of “particularly important facilities” and “companies in the special public interest” (e.g. defence-related companies) fall within scope. As affected organisations are also required to manage risks within their supply chains, numerous suppliers are additionally contractually obliged to comply with the relevant requirements.

The BSIG has been revised as part of the transposition of the NIS 2 Directive and is now referred to as the BSIG 2025 (new version). It therefore carries the same training obligations as described above under NIS 2.

Data protection under the GDPR

Training obligations arise from Article 39 and Article 32 of the General Data Protection Regulation (GDPR). Article 39 defines the tasks of the Data Protection Officer, including “awareness-raising and training of staff involved in processing operations”. Article 32 requires “appropriate technical and organisational measures to ensure the security of processing”.

Training is widely recognised as an essential component of these organisational measures. While the regulation itself does not specify a fixed interval, supervisory authorities and established case law generally expect training to take place every 1–2 years.

Our data protection training has been delivering GDPR competencies since 2018 in a simple, practical and engaging way: as an interactive foundational course for beginners, a refresher course for repeat training, or a quick test-out option for experienced users.

   GDPR training requirements at a glance

  • Scope: All employees who process personal data (i.e. effectively any employee with access to a workplace computer, regardless of company size or industry).
  • Duration: No legal requirement is defined. Our online data protection training lasts 40–50 minutes.
  • Frequency: According to supervisory authorities and case law, typically every 1–2 years.
  • Online suitability: Fully suitable, highly efficient due to refresher modules and test-out options.

IS-FOX recommendation on content:
Fit for GDPR data protection addresses fundamentals, core principles, specific legal requirements, and practical guidance for everyday compliance. For subsequent years, we recommend refresher modules or a test-out assessment.

Occupational health and safety / workplace safety

In occupational health and safety, there are clear statutory training obligations that apply to all organisations, regardless of industry or size.

Section 12 of the German Occupational Health and Safety Act (ArbSchG) on instruction states that:

"The employer shall give workers sufficient and appropriate training regarding safety and health protection at work during their hours of work. The training shall comprise instructions and explanations which are geared specifically to the workers’ work place or area of work. Training must be given before workers take up their activity after recruitment or in the event of changes affecting their job or the introduction of new work equipment or new technology. The training must be adapted to developments pertaining to the risk and, if necessary, must be repeated on a regular basis."

Every employee must therefore receive training before starting work and then on a regular basis, covering workplace hazards, safety measures, first aid, fire safety, and emergency procedures.

This also applies to office workplaces and to employees working predominantly or exclusively from home. The Occupational Health and Safety Act does not differentiate between office and home office environments.

Employers’ liability insurance associations (Berufsgenossenschaften) further specify “regular intervals” in their binding regulations as at least once per year. Training must be documented, including participation, content, and date.

Occupational health and safety training can be delivered effectively via e-learning, provided it is interactive, delivers substantive content, and includes a verification mechanism such as a final assessment test.

   Occupational health and safety training requirements at a glance

  • Scope: All organisations, regardless of size or industry, including office-based employees and home office workers.
  • Duration: No legal requirement is defined. Our online occupational health and safety training lasts 30–35 minutes.
  • Frequency: Before starting work and at least once per year thereafter.
  • Online suitability: Suitable provided that content is interactive and training outcomes are verifiable. Pure assessment-only formats without knowledge transfer are not permitted.

IS-FOX recommendation on content:
The IS-FOX occupational health and safety online training covers the fundamentals of occupational health and safety, accident prevention (workplace hazards and safety measures), emergency procedures (first aid, fire safety, etc.), and health and ergonomics.

For subsequent years, we recommend refresher modules. A test-out option is currently not permitted under applicable requirements.

Implicit training obligations

In addition to clear statutory requirements, there are further reasons from which training obligations can be derived:

Business continuity

From our perspective, the most important argument is simple: organisations that do not train their employees are putting their business at risk, particularly in the area of cyber security. There are almost weekly reports of companies being so severely impacted by cyber attacks that they are forced to file for insolvency.

It is also a misconception that only large organisations are affected. While the protection of larger companies continues to improve, AI is increasingly being used to automate attacks. As a result, small and medium-sized enterprises are becoming more frequent targets.

A well-trained and security-aware employee can prevent a critical incident and protect the organisation from serious damage. The value of training is therefore unquestionable.

Negligence

Under Section 280 of the German Civil Code (BGB), organisations have a duty of care, for example with regard to the organisation of IT security. If employees are not adequately trained, damages resulting from compromised accounts or data loss may be considered a breach of organisational duties. This always depends on the individual case, but courts have already issued rulings in similar contexts.

Insurance

Many insurance policies include clauses such as: “The policyholder must implement appropriate technical and organisational measures to prevent risk.” If a loss is caused by human error (e.g. phishing or social engineering), insurers may argue that the damage could have been prevented through proper employee training and may reduce or deny compensation.

Conclusion

In addition to clear legal training obligations, there are many further strong reasons to regularly raise awareness among employees on data protection, compliance, occupational health and safety, and cyber security.

And this does not have to be a dull legal exercise. IS-FOX online training is concise, uses clear and simple language, is interactive, and provides practical tips for immediate application in daily work. This is why we have consistently received excellent ratings for years, even for traditionally “dry” topics.

Getting started is simple: select a course, invite employees, and you are done. The platform – or your organisation’s learning management system – takes care of the rest.

   Disclaimer: This article is for informational purposes only and does not constitute legal advice.

About the author

Frank von Stetten

Co-founder of HvS Consulting and expert in regulatory training

Frank von Stetten is a co-founder of HvS Consulting in Munich and a recognised expert in security awareness and corporate training programmes. For more than 20 years, he and his team have delivered training on cyber security, data protection, compliance, and occupational health and safety, both as live events and as e-learning courses.

He is the author of numerous IS-FOX courses, a frequent speaker on “learning in organisations”, and currently trains many executive teams on NIS 2 compliance.
