
NIS2 Training Obligation for Executives Takes Effect

At a glance: The planned BSIG amendment mandates executive leadership training in NIS2 requirements and establishes cybersecurity governance as a legally binding management responsibility.

The amendment to the Federal Information Security Act (BSIG-E) makes training on the NIS2 Directive mandatory for executive boards. § 38 of the draft thereby standardizes a compliance requirement for critical infrastructure and essential service providers.

Under § 38 of the BSIG draft, executive boards of critical infrastructure operators (KRITIS) and essential service providers will in future be required to complete training on the implementation of the NIS2 Directive. The training addresses risk management, governance structures, and the strategic aspects of information security at management level.

For CEOs, this regulation means that cybersecurity competence is no longer a voluntary qualification but becomes a legally mandated management responsibility. The training documents due diligence in NIS2 implementation and protects companies from accusations of negligence in the governance process. At the same time, it closes a potential liability gap between security management and executive leadership.

Practical implementation requires concrete training programs that must be conducted by certified trainers. Documentation and participation certificates become necessary compliance artifacts that regulators and auditors can request during inspections.


Source: news.google.com · Published 9 June 2026
Lumi AI News — AI-assisted curation pursuant to Art. 50 EU AI Act. Paraphrasing and classification by Lumi News Pipeline v1.6.5.
