Training & Awareness
Legal Basis
§30(2) No. 7 BSIG – Basic cyber hygiene practices and information security training
§38(3) BSIG – Management must regularly participate in training.
Training Program
Basic Training (all employees)
| Topic | Content | Interval |
|---|---|---|
| Phishing & social engineering | Recognition, reporting channels, practical examples | Annually |
| Password & access security | Strong passwords, MFA, password managers | Annually |
| Secure communication | Email security, encrypted channels | Annually |
| Incident reporting | Reporting obligation, channels, contacts | Annually |
| Data protection basics | Personal data, GDPR basics | Annually |
Role-Specific Training
| Target Group | Additional Content |
|---|---|
| Management | NIS2 obligations per §38, liability, governance (mandatory) |
| IT administration | Secure system operation, patch management, logging |
| Software development | Secure coding, OWASP Top 10, supply chain security |
| Project management | Security requirements in projects, risk assessment |
Onboarding
Before being granted system access, new employees receive:
- Introduction to information security policy
- Basic cyber hygiene training
- Acknowledgment of security policies
Documentation
- Attendance records maintained centrally
- Training completion is a prerequisite for system access rights
- Annual evaluation of completion rates as KPI
AI Act Synergy
The AI competence program (Art. 4 AI Act) complements NIS2 training obligations. Details in the AI Act Compliance Documentation.