The Management Training module helps your organisation track and manage cybersecurity training for management body members as required by NIS2 Article 20. This article explains the regulatory obligation, walks through every form field, describes the ten training topic areas, and shows how training records feed into your overall NIS2 compliance posture.

Regulatory Context — Article 20 Governance

What Art. 20 Requires

Article 20 of NIS2 imposes a direct obligation on the management bodies of essential and important entities. Specifically:

  • Management body members must approve the cybersecurity risk-management measures taken pursuant to Art. 21.
  • They must oversee the implementation of those measures.
  • They can be held personally liable for infringements.
  • They are required to undergo training to gain sufficient knowledge and skills to identify risks and assess cybersecurity risk-management practices.
  • They must encourage the entity to offer similar training to all employees on a regular basis.

Why Personal Liability Matters

NIS2 is one of the first EU directives to explicitly extend liability to individual members of the management body. If an essential or important entity is found to be non-compliant with Art. 21 measures and the management body failed to approve, oversee, or undergo training, national authorities can impose sanctions on the individuals involved. This makes documented training records a critical compliance artefact.

⚠️
Personal Liability: Under Art. 20(1), Member States shall ensure that the management bodies can be held liable for infringements of the directive. Keep training records with certificate references as evidence of due diligence.

Accessing the Training Module

Navigate to NIS2 → Management Training in the sidebar. The list page shows all recorded training sessions with summary cards at the top.

Summary Cards

CardDescription
Training RecordsTotal number of training entries logged across all members
Members TrainedCount of unique management body members with at least one record
ExpiredTraining records whose expiry date has passed (red border when >0)
Expiring SoonRecords expiring within the next 90 days (amber border when >0)

Training Records Table

The main table lists every training record with the following columns:

  • Member — name and role/title of the management body member
  • Training — training title and certificate reference (if provided)
  • Provider — the training provider (e.g., SANS Institute, internal)
  • Date — when the training was completed
  • Expiry — when the training certificate expires (if applicable)
  • StatusValid, Expiring Soon, or Expired

Recording a Training Session

Click Record Training to open the form. The form is divided into three sections: Member Details, Training Details, and Topics Covered.

Form Fields

FieldTypeBadgeDescription
Member Name Text Required Full name of the management body member who received the training.
Role / Title Text Required The member's role, e.g., CEO, CTO, CFO, Board Member, CISO.
Training Title Text Required Name of the course or training programme, e.g., "Cybersecurity Fundamentals for Executives".
Training Provider Text Optional Organisation that delivered the training (e.g., SANS Institute, ISC2, internal training department).
Training Date Date Required The date the training was completed or the certificate was issued.
Expiry Date Date Optional When the training certificate or qualification expires. Used for renewal tracking.
Certificate Ref Text Optional The certificate ID or reference number for audit evidence.
Topics Covered Multi-select (chips) Optional Select one or more of the ten predefined cybersecurity topic areas (see below).
Notes Textarea Optional Free-text field for additional context about the training session.

The Ten Training Topic Areas

Venvera provides ten predefined topic areas aligned with the Art. 21(2) cybersecurity measures. When recording a training session, select all topics that were covered. This allows you to build a coverage matrix showing which management body members have been trained on which topics.

#TopicWhat It Should CoverWhy It Matters
1 Cyber Threat Landscape Current threat actors, attack vectors (ransomware, phishing, supply chain attacks), sector-specific threats, threat intelligence basics. Management must understand the threats facing their entity to make informed risk decisions and allocate resources effectively.
2 Risk Identification and Assessment Risk assessment methodologies, likelihood and impact scoring, risk registers, risk appetite and tolerance levels. Art. 21(2)(a) requires policies on risk analysis. Management must understand risk assessment to approve and oversee these policies.
3 Incident Response Procedures Incident classification, escalation procedures, containment strategies, Art. 23 notification timelines (24h/72h/1mo), communication protocols. Art. 21(2)(b) requires incident handling processes. Management must know when and how to respond during a significant incident, including regulatory notifications.
4 NIS2 Regulatory Obligations NIS2 directive overview, scope (Essential vs Important), Art. 21 measures, Art. 23 reporting obligations, penalty framework, personal liability under Art. 20. Management cannot oversee compliance with NIS2 without understanding their legal obligations and the consequences of non-compliance.
5 Business Continuity and Crisis Management BCP/DRP fundamentals, crisis management frameworks, backup strategies, recovery time and recovery point objectives (RTO/RPO). Art. 21(2)(c) requires business continuity measures. Management must approve BCPs and participate in crisis management exercises.
6 Supply Chain Security Third-party risk assessment, vendor due diligence, contractual security requirements, monitoring of supplier risk profiles, DORA/NIS2 supply chain obligations. Art. 21(2)(d) requires supply chain security. Management must understand how third-party risks can impact the entity.
7 Data Protection and Privacy GDPR fundamentals, data classification, data breach notification (Art. 33/34 GDPR), intersection with NIS2 incident reporting, privacy by design. Many NIS2 incidents also involve personal data. Management must understand the interplay between NIS2 and GDPR obligations.
8 Cryptography and Encryption Encryption standards, TLS/SSL, key management, data-at-rest and data-in-transit protection, certificate management. Art. 21(2)(h) requires cryptography policies. Management should understand encryption as a fundamental security control.
9 Access Control and Identity Management Least privilege, role-based access control, privileged access management, identity lifecycle, HR security procedures. Art. 21(2)(i) covers HR security and access control. Management must approve access policies and understand identity risks.
10 Network and Information System Security Network segmentation, firewall management, vulnerability management, patch management, MFA implementation, secure communications. Art. 21(2)(e) and (j) cover system security and MFA. Management must understand the technical controls protecting their infrastructure.

Expiration Tracking

Training certifications often have a limited validity period (typically 1–3 years). The system tracks three expiry statuses:

StatusConditionVisual Indicator
Valid Expiry date is more than 90 days away, or no expiry date is set Green badge with checkmark
Expiring Soon Expiry date is within the next 90 days Amber badge; summary card border turns amber
Expired Expiry date has passed Red badge with warning icon; summary card border turns red
💡
Tip: Set expiry dates on all training records, even if the certificate does not technically expire. Using a 12-month or 24-month window ensures management training is refreshed regularly, which is a best practice for demonstrating ongoing compliance.

Designing a Training Programme

Frequency Recommendations

  • Annual refresher training — all management body members should complete at least one comprehensive cybersecurity training session per year.
  • Quarterly threat briefings — short updates on the current threat landscape specific to your sector.
  • Ad-hoc training — when significant regulatory changes, new threats, or major incidents occur.
  • Onboarding training — new management body members should complete training within 30 days of appointment.

Coverage Matrix

Use the topic selection feature to build a coverage matrix across your management body. The goal is to ensure that every member has been trained on every topic at least once within a 12–24 month period. Common approach:

  • Board members / non-executive directors: Focus on topics 1, 2, 4, 5, and 7 (threat landscape, risk, NIS2 obligations, business continuity, data protection).
  • C-suite executives (CEO, CFO, COO): All ten topics, with emphasis on governance, risk, and regulatory obligations.
  • CTO / CISO: All ten topics, with deeper technical coverage on topics 8, 9, and 10 (cryptography, access control, network security).

External vs Internal Training

  • External (SANS, ISC2, ISACA) — industry-recognised certifications with independent validation. Higher cost but provides audit-ready evidence.
  • Internal (CISO-led) — tailored to organisation-specific risks. Lower cost but requires thorough documentation for auditors.
  • Hybrid (recommended) — combine external credibility with internal relevance for optimal coverage.

Step-by-Step Workflow

Step 1 — Navigate to Management Training

Go to NIS2 → Management Training in the sidebar.

Step 2 — Click Record Training

Click the Record Training button in the top-right corner.

Step 3 — Fill in Member Details

Enter the member's full name and their role or title within the management body.

Step 4 — Enter Training Details

Provide the training title, provider name, completion date, expiry date (if applicable), and certificate reference number.

Step 5 — Select Topics Covered

Click on the topic chips to select all areas the training covered. This builds your training coverage matrix over time.

Step 6 — Add Notes and Save

Optionally add notes (e.g., "Board-mandated annual refresher"), then click Save Record.

Compliance Reporting

Management training records contribute to your NIS2 compliance posture in several ways:

  • Gap Assessment: The NIS2 gap assessment includes questions about management training under pillar (g) Cyber Hygiene & Training.
  • KPI Dashboard: The Effectiveness KPIs module (Art. 21(2)(f)) can track training metrics such as percentage of management body members trained, average training age, and topic coverage rates.
  • Audit Evidence: Training records with certificate references and dates serve as documentary evidence during supervisory audits or inspections.
ℹ️
At the bottom of the Management Training page, an Art. 20 reference box displays the full text of the governance requirement for quick reference during audit conversations.