NIS-2-Training-Manager

Meets the NIS 2 requirements of § 38 BSIG

NIS 2 Training for Managing Directors

   Compact format: 60 to 90 minutes

   Covers the content of the BSI guidance document

   Tailored to NIS 2 readiness within the company 

   Live event, in-person or virtual 

   Top speakers: experienced security specialists


Over 2,000 customers trust us, from startups to large enterprises

Compact and Management-Compliant

By security and learning specialists 

IS-FOX is the security awareness brand of cybersecurity specialist HvS-Consulting. We are ISO 27001 certified and have experienced lead auditors and ISMS consultants on our team. Together with our learning specialists and trainers, we have developed a best-practice training program that covers all relevant content concisely—typically in 90 minutes. Our instructors all have several years of experience in management training in the field of cybersecurity.

The content of the NIS-2 training

Operational Resilience

How do companies become resilient?

We start with best-practice security processes: how does enterprise-wide security work today? How does an organization become “digitally resilient”?

  • Through the triad of information security management, business continuity management, and third-party risk management.
  • This applies not only to cyber risks, but to all risks that could disrupt the organization’s operations.

Key messages:

  1. Security and digital resilience are not just “an IT thing”; they cut across all areas of the business.
  2. Risk management is essential, not only within one’s own organization but also throughout the supply chain.
  3. Despite comprehensive measures, incidents can always occur. You must be prepared for that as well.  
What is NIS-2?

Security Best Practices turned into Law  

NIS-2 requires nothing less than operational resilience from affected companies! It is not just “another IT law,” but rather enforces the implementation of international security standards. A good thing!

  • NIS-2 requires risk management, not only within one’s own organization, but also throughout the supply chain.
  • In line with the security best practice “Resilience is good, detection is a must,” NIS-2 also requires the detection and professional handling of incidents.

Key messages:

  1. NIS-2 is not a “regulatory bogeyman”, but rather years of security best practices now written into law.
  2. Those who have done their security homework in recent years (e.g., through ISO 27001 certification or the TISAX label) have already implemented a large part of it.
How does risk management work?

Identify assets, assess risk, determine measures

This module determines whether the training session lasts 60 minutes or 4 hours. For management teams with enterprise risk management and an existing ISMS, these topics can be assumed to be familiar and need only be briefly touched upon. For all others, it makes a great deal of sense to impart this fundamental knowledge, because only with it can management assess and steer the company’s security status. Key terms here are:

  • The risk process: Determine critical assets and potential damage – Identify threats and assess the probability of occurrence – Derive and implement protective measures (TOMs) – Test and optimize effectiveness.
  • The CIA objectives (Confidentiality, Integrity, Availability)
  • The risk treatment options (Avoid, Reduce, Transfer, Accept)
  • The benefits of an ISMS (Information Security Management System)
  • The PDCA cycle (Plan - Do - Check - Act)
Status of Implementation

So, where exactly are we?  

Now we’re getting down to specifics. How ready is the company or the affected units for NIS 2? We typically conduct this part of the training together with the security officer. Prior to this, we have jointly assessed the status of NIS 2 readiness through structured questions and discussions. 

  • What do the technical and organizational measures (TOMs) look like in the area of prevention (resilience)?
  • How effective are the detection and response processes?
  • How mature is business continuity management?
  • Have we classified and are we in control of the supply chain?
  • Are all measures documented?

In companies with a high level of security maturity, we discuss familiar topics from past reports here. In others, we additionally explain how the individual measures interact.

The duties of the management

What are the specific To-Dos?

Depending on the level of security maturity, the recommended actions vary significantly:

  • Low maturity level: Establish the right organizational structure and implement an ISMS. Implement the TOMs. Take this issue seriously; it’s not just about compliance with a law, it’s about the company’s future in the event of a cyber attack.
  • High maturity level: Past investments are now paying off. But that’s no reason to let up. Risks change, and compliance with a law does not automatically mean a high level of security.  

Key messages:

  1. Impact assessment and registration are the small and easy steps. Setting up and operating an ISMS with BCM and supply chain management - those are the big challenges.
  2. You can delegate the implementation, but not the responsibility. You are liable. That is explicitly stated in the law.
  3. Those who have invested in security so far and may already be certified to an international standard can relax. The gap to NIS-2 compliance is generally small. 


This is exactly how we wanted the training to be!

CEO, Defense Industry Company*


That was surprisingly good! I didn't expect that. Thank you very much!

CEO of a mechanical engineering company*


Really good. Easy to understand even for non-tech people.

CFO of a chemical company*

* We usually try to attribute quotes to specific individuals and companies. For this particular audience, we are waiving this rule, but we are happy to put you in touch with the company’s (C)ISO if needed.


Pricing? Demo? Consulting?

We’d be happy to explain in a web meeting how we work, who is responsible for what and when, and what is the magic behind a successful training program for top managers.


FAQs


Yes, specifically for affected companies.

The NIS 2 Directive has been implemented in Germany through the BSI Act (BSIG), which explicitly mandates training:

  • § 30 (2) BSIG requires “basic training and awareness-raising measures in the field of information technology security” for all employees.
  • § 38 (3) BSIG additionally and explicitly regulates the training obligation for management.

The training obligation for employees

Best-practice topics for general security awareness include phishing, passwords, social engineering, ransomware, etc. Suitable IS-FOX training courses for the workforce are “Fit for Cyber Security” and “Basic Cyber Security Protection.” Both include videos, interactive exercises, a test, and a certificate.

The training requirement for management

The aim here is to impart knowledge of how risk management works so that managers can understand and assess the situation within their own company. The NIS 2 training for managing directors presented here meets this requirement exactly.


Not for top management. E-learning is of only limited use for this target group. A company’s C-level executives cannot simply be “fed” information; instead, they ask very pointed questions:

  • How do you assess the risk situation in our company?
  • How far along is implementation at our company?
  • What do we need to do to become NIS 2 compliant? 

All these questions can only be answered on an individual basis, not through standard training. In October 2025, the BSI reaffirmed our view in section 1.3 of its guideline on executive training:

It is important that not only abstract knowledge is imparted, but that this always takes into account the individual circumstances of the organization for which the executive management is responsible. External training providers, in particular, must take these institution-specific aspects into account, which may entail greater effort. A sensible approach, therefore, could be a model in which general content from external providers or service providers is supplemented by specific content delivered by internal cybersecurity experts.

The Stopgap Solution for Corporations

We have already developed e-learning content for a global corporation with dozens of affected business units and over a hundred management bodies. At this scale, the approach aligns with the required proportionality. 

E-Learning for Executives and Employees

The more your staff understands the topic, the easier it will be to implement NIS 2 within your organization. Our general NIS 2 e-learning course helps build this understanding. However, it does not replace the training required for company executives.


No. The law itself (the BSIG) does not contain any specific provisions regarding content or duration:

§ 38 BSIG: “Management [...] must regularly participate in training to acquire sufficient knowledge and skills to identify and assess risks and risk management practices in the field of information technology security, as well as to be able to assess the impact of risks and risk management practices on the services provided by the organization.”

The BSI has specified this requirement in a guideline (recommendation). The content of this guideline corresponds to a very comprehensive training program in the field of risk management.

  • For companies with underdeveloped risk management and a low level of security maturity, this content is fundamental, and the time requirement of approximately 4 hours is absolutely justified.
  • At the other extreme are stock-exchange-listed corporations with years of enterprise risk management experience, a strong governance structure featuring a CISO and ISOs, monthly cyber risk KPI reporting, and international certification (e.g., ISO 27001). In such cases, top management would rightly have little patience for content they already know and understand.

So it always depends. Our time estimate of 60–90 minutes applies to companies with a relatively high level of maturity in cybersecurity.


Yes. § 30 (2) of the BSI Act (BSIG) requires “basic training and awareness-raising measures in the field of information technology security.”

These primarily cover the classic security awareness topics: phishing, passwords, social engineering, ransomware, etc. This requirement is therefore met by the standard training programs available on the market.

However, successful implementation of NIS-2 also requires an understanding of the measures, particularly among executives. They are the information owners within their departments; they must assess risks, allocate resources, monitor measures, etc. Without sufficient knowledge and understanding of NIS-2, this is virtually impossible. That is why we recommend training executives accordingly. We offer a compact e-learning course for this purpose, lasting approximately 25 minutes.