NIS2Compass — NIS2-Compliance-Plattform
Use CasesPricing

Weiterführende Seiten

  • Blog
  • FAQ
  • Glossar
  • Use Cases
  • Branchen
  • Preisgestaltung

Offizielle Quellen

  • BSI – Bundesamt für Sicherheit in der Informationstechnik
  • NIS2-Richtlinie (EUR-Lex)
  • NIS2UmsuCG (Bundesgesetzblatt)
NIS2Compass — NIS2-Compliance-Plattform

Ihr Navigator durch die NIS2-Compliance

Rechtliches

  • Datenschutzerklärung
  • Allgemeine Geschäftsbedingungen
  • Cookie-Richtlinie
  • Impressum

Ressourcen

  • Blog
  • Use Cases
  • Branchen
  • Preise
  • FAQ
  • Glossar

Kontakt

Kontakt

kontakt@nis2compass.de

NIS2Compass bietet Informationen und Orientierungshilfen zur NIS2-Compliance. Die Inhalte stellen keine Rechtsberatung im Sinne des Rechtsdienstleistungsgesetzes (RDG) dar und ersetzen keine individuelle rechtliche oder fachliche Beratung.

© Copyright 2026 NIS2Compass. Alle Rechte vorbehalten.

Entwickelt in DeutschlandAllianz für Cyber-Sicherheit — Teilnehmer
Home/Blog/Employees as the Biggest NIS2 Risk: BSI Monitor 2026
Guide

Employees as the Biggest NIS2 Risk: BSI Monitor 2026

Authored by NIS2Compass Experten, NIS2 Compliance Expert
Last updated:June 25, 20269 min read
Abstract chain in dark blue with one highlighted, teal-glowing link — symbolizing employees as the central element of NIS2 cybersecurity

The BSI Cybersicherheitsmonitor 2026 shows only 14 percent of people inform themselves regularly about cybersecurity. What §30 (2) No. 7 and §38 (3) BSIG mean for SMEs — and how a BSI-compliant awareness program is built.

Employees are the biggest NIS2 risk: according to the BSI Cybersicherheitsmonitor 2026, only 14 percent of the population inform themselves regularly about cybersecurity. §30 (2) No. 7 BSIG therefore turns training into a mandatory measure. NIS2Compass bundles every step from the training plan to audit-proof evidence in its "Training & Awareness" chapter.

What does the BSI Cybersicherheitsmonitor 2026 actually show?

The Cybersicherheitsmonitor 2026 is a joint study by the BSI and the ProPK (German Police Crime Prevention Program). 11 percent of respondents were victims of an internet-related crime in the past twelve months, 88 percent report damages, and 33 percent suffered financial losses. Only 14 percent inform themselves regularly about cybersecurity.

The study is based on 3,060 interviews with people aged 16 and over. Data was collected between January 6 and 12, 2026, weighted by age, gender, federal state, and education. The results were published on May 11, 2026 in Stuttgart and Bonn.

The most frequent offenses, in order of mentions:

  • Online shopping fraud
  • Online banking fraud
  • Unauthorized access to online accounts
  • Phishing

Knowledge gaps in the population are substantial. Only 55 percent recognize strong passwords as a basic protective measure. Just 54 percent are familiar with antivirus software. 40 percent engage with cybersecurity only occasionally. That means: four out of ten adults in Germany do not engage systematically with digital risks.

BSI president Claudia Plattner frames the results as follows: "Cybersecurity must become easier, more present, and more understandable in the everyday lives of consumers." (translated from German). ProPK chair Dr. Stefanie Hinz adds: "Cybercrime has long since arrived at the heart of society." (translated from German).

What does this mean for NIS2 in practice? These consumers are the same people who use corporate logins on workdays, open business emails, and shop online on behalf of their employer. The study is therefore not a pure consumer issue but a direct SME risk indicator.

Those who do not set a strong password in private life will not do so on the corporate VPN either. Those who fail to recognize phishing in their personal inbox will not recognize it in business mail either. For the roughly 29,000 NIS2-affected companies in Germany, this is a concrete operational problem: the human attack surface is measurable, it is large, and it is the most common entry point for security incidents.

Why does §30 (2) No. 7 BSIG make awareness an NIS2 obligation?

§30 (2) No. 7 BSIG explicitly requires "concepts and procedures in the area of cyber hygiene and cybersecurity training". This turns employee awareness into a statutory obligation, not a best practice. Anyone unable to demonstrate training violates the NIS2UmsuCG and risks fines of up to 10 million euros.

The wording of §30 BSIG lists cyber hygiene and training as point 7 of ten minimum measures. This point ranks equally alongside risk management, incident response, and access controls. There is no statutory hierarchy that places technical measures above organizational ones. Management bodies must implement all ten areas in a documented manner.

The distinction between two terms that §30 deliberately mentions side by side is important. Cyber hygiene describes basic behavior in everyday IT work and is continuous: secure password practice, consistent MFA use, a locked screen when leaving the workstation, timely updates. Awareness training, on the other hand, is structured knowledge building, event-driven, such as annual mandatory training, onboarding modules for new employees, and refreshers after security incidents. The BSIG requires both, not one or the other.

From the BSI's perspective, a complete awareness training program should cover at least the following content: detection of phishing and social engineering, password and MFA practice, handling of removable media, reporting channels in case of security suspicion, and secure device use in the home office.

The fine framework is substantial. Under §60 BSIG, essential entities face up to 10 million euros or 2 percent of global annual turnover, whichever is higher. Important entities must reckon with up to 7 million euros or 1.4 percent. A detailed overview is provided in the article NIS2 fines: what penalties apply for violations?.

NIS2Compass analyses show that awareness is the most frequently underestimated of the ten §30 minimum measures. Precisely because it does not require technical infrastructure, IT teams often delegate it to HR without anyone owning the overall process. Awareness, however, is an integral part of a functioning compliance program, as the article Do I need an ISMS for NIS2? explains in detail.

What obligations does management have under §38 (3) BSIG?

§38 (3) BSIG obliges management itself to participate in regular training on risk management and cybersecurity, not the IT manager or the information security officer. This obligation cannot be delegated. Management bodies are also personally liable under §38 BSIG for breaches of duty; the limited liability of a GmbH does not apply here.

The wording of §38 (3) BSIG is unambiguous: management bodies must "regularly participate in training to acquire sufficient knowledge and skills to identify and assess risks as well as risk management practices in the area of cybersecurity". The legislator deliberately anchored this obligation at the level of the governing body, not with the IT manager or the information security officer.

In the event of a breach of duty, the governing body is personally liable for damages. Unlike with many other obligations, the limited liability of a GmbH does not apply. This construction is a deliberate legislative decision: cybersecurity should become a top-management matter, not be relegated to the second tier. Even an existing ISO 27001 certification does not cover management's §38 training obligation, because ISO places no comparable requirement on governing bodies.

In practice, this very obligation is routinely overlooked. Many management teams treat awareness as an operational IT topic and focus on employee training. But anyone who keeps no separate record of management training does not meet §38 (3) BSIG, even if all staff have been trained.

Only documented training with date, content, duration, trainer, and participant signature is recognized. An automatically dispatched email course without proof of learning progress and participation is not enough for the BSI. The recommendation is an annual mandatory training of at least two hours, tailored to the governing body: liability, reporting obligations, escalation paths, and reporting obligations under §32 BSIG.

According to the BSI's reading, "regularly" means at least once a year, and more often in case of material changes in the threat landscape or organizational structure. If management changes, training must be made up within three months of taking office. Plain board meetings with IT security agenda items are not enough; a distinct training format with a measurable learning objective is required.

The NIS2 Guide in NIS2Compass addresses the management training obligation in Chapter 5, Step 5-3 "Document management liability and fulfill the training obligation", including Substep 5-3-2 and the "Training record for governing bodies" template.

What does a BSI-compliant awareness program look like?

A BSI-compliant awareness program has three building blocks: a training plan with a target-group matrix, annual mandatory training, and regular phishing simulations. The NIS2Compass NIS2 Guide walks through exactly this structure in Chapter 8 across three steps. Including ready-made templates for the training plan and attendance list in the Template Library.

Building block 1: The training plan

The training plan is the foundation of any awareness program and corresponds to Guide Step 8-1. It defines target groups within the company: all employees, administrators, developers, management, and external service providers with system access. For each target group, you set topics, frequency, responsible role, and training format in a binding way.

The finished plan is submitted to management for approval and reviewed annually. Without a documented training plan, evidence is missing toward the BSI that §30 BSIG is being implemented systematically. A corresponding template is available in the Template Library.

Building block 2: Conducting and documenting mandatory training

Guide Step 8-2 is divided into three substeps. Substep 8-2-1 addresses the management training under §38 (3) BSIG, the legal scope of which was already explained in the previous section. Substep 8-2-2 requires annual mandatory training for all employees, onboarding training within the first 30 days, and event-driven refreshers following security incidents or threat landscape changes.

Substep 8-2-3 requires audit-proof archiving of all training records. The specific evidence requirements imposed by the BSI are explained in the following section.

Building block 3: Phishing simulations as an effectiveness measure

Phishing simulations (Guide Step 8-3) are the only instrument that allows the effectiveness of the awareness program to be measured objectively. Two legal conditions must be observed: under the German Works Constitution Act, simulations are subject to works council co-determination. GDPR-compliant analysis is carried out exclusively in aggregate, never on a personal basis.

Mandatory content under §30 BSIG

Every awareness program must cover five core topics in terms of content: phishing and social engineering detection, password and MFA practice, secure device use, reporting channels in case of security incidents, and data protection basics. Depth varies by target group, because administrators need different material from accounting.

How do you prove awareness to the BSI?

The BSI assesses awareness based on four pieces of evidence: a training plan with target-group matrix, attendance lists per training, a training record register, and effectiveness measurement. If one of these building blocks is missing, the obligation under §30 (2) No. 7 BSIG is considered unmet. Even if training has actually taken place.

Evidence 1: Training plan. Updated annually, with management approval. Shows: what is being trained when, to whom, and with what objective. A target-group matrix is mandatory, differentiating between standard staff, IT administrators, executives, and risk groups such as finance or procurement.

Evidence 2: Attendance list per training session. Date, trainer, participants with signature or digital confirmation. Shows: who was actually present and for whom the training has been delivered. Without this list, the obligation under §30 BSIG cannot be demonstrated, even when training has been fully carried out.

Evidence 3: Training record register. A central directory of all training, ideally as an Excel sheet or in a GRC tool. Shows: coverage per employee over time, open cases, next due dates. The register is the control document for internal audits and BSI follow-up meetings.

Evidence 4: Effectiveness measurement. Phishing click rate, post-training quiz, spot-check surveys. Shows: did the knowledge land, is the click rate decreasing across quarters? The BSI expects measurable progress, not just one-off delivery.

Retention period: at least five years, parallel to the documentation obligation under §38 BSIG. An audit trail also belongs in the package, documenting who approved what and when, and who is responsible for the next training round.

How a municipal utility learned from a phishing incident in four weeks

A municipal utility with 130 employees, classified as an essential entity in the energy sector, reported a phishing incident in March 2026: an employee had entered credentials on a spoofed login page. The notification under §32 BSIG was filed within 24 hours.

In the BSI follow-up meeting, the question came up about the awareness program. What was in place: occasional email reminders. What was missing: training plan, attendance lists, and register.

Within four weeks, the team set up a complete awareness program, following the three steps in NIS2Compass Chapter 8 and using the templates provided there. At the second audit appointment, the obligation was considered fulfilled.

If you want to check your own status in advance, use the free Pre-Check from NIS2Compass: the 18-screen gap analysis identifies the awareness gap together with other §30 measures in under 15 minutes and maps results directly to the NIS2 Guide.

Frequently Asked Questions

Does every employee have to receive awareness training?

Yes. §30 (2) No. 7 BSIG provides no exceptions. Part-time staff, working students, and external service providers with system access also fall under it. The depth of training may vary by target group, for example as an admin track, management track, or standard track. Basic awareness applies, however, to everyone with access to in-scope systems.

How often must awareness training take place?

The law does not specify a fixed cycle. The BSI recommends at least once a year, supplemented by event-driven training after incidents or threat landscape updates. Onboarding training should take place within the first 30 days. After a role change, a refresher with adjusted content also makes sense and can be evidenced in an audit.

Is e-learning enough, or does training need to be in person?

E-learning is permitted, provided effectiveness can be demonstrated. Common methods include final quizzes, learning time tracking, and phishing follow-up tests. Newsletters or PDF distribution alone are not enough. The BSI checks whether content actually reaches employees, not just whether it was sent out. In-person sessions are only advisable for sensitive roles.

What does the BSI specifically examine in awareness?

Four pieces of evidence are the focus: training plan, attendance lists, training record register, and an effectiveness measurement such as phishing click rates. If one of these records is missing, the obligation under §30 (2) No. 7 BSIG is considered unmet. This applies regardless of whether training actually took place.

Can we fully outsource awareness training?

Delivery can be delegated to external providers, but responsibility for the process remains with the company. Management is personally liable under §38 BSIG for fulfilling the training obligation. This also applies when a service provider operationally designs and delivers the training.

Sources

  • BSI press release "Cyberkriminalität im Alltag" (May 11, 2026): bsi.bund.de/Presse2026/260511_Cyberkriminalitaet_im_Alltag
  • BSI Cybersicherheitsmonitor 2026 — short report (PDF): bsi.bund.de/CyMon-ProPK-BSI_2026_Kurzbericht
  • §30 BSIG (risk management measures): gesetze-im-internet.de/bsig_2009/__30
  • §38 BSIG (management obligations): gesetze-im-internet.de/bsig_2009/__38
  • §60 BSIG (penalty provisions): gesetze-im-internet.de/bsig_2009/__60

Implement NIS2 step by step

NIS2Compass guides you step by step through implementation – with guide, templates and knowledge hub.

Get started

Ähnliche Artikel

guide

The KRITIS Umbrella Act and NIS2: What Applies to Whom?

Since July 2026, around 2,000 KRITIS operators must register in addition to NIS2. Who needs to comply with NIS2, the KRITIS Umbrella Act, or both — sectors, deadlines, and fines explained.

7 Min. Lesezeit

guide

NIS2 ISO 27001 Mapping: Excel Checklist Download

ISO 27001 covers approximately 70% of NIS2 requirements. The mapping Excel shows at a glance what is already covered — and where the regulatory gap remains.

6 Min. Lesezeit

guide

NIS2 BSI Registration: Missed the Deadline — What Now?

The statutory NIS2 registration deadline has expired, but the BSI is granting an extended deadline until 31 July 2026. How to complete your registration in the BSI portal step by step.

9 Min. Lesezeit

Back to Blog