15.04.2026 10:00
The boss goes first: Why NIS2 training starts in the executive suite
Many companies currently getting to grips with NIS2 make the same mistake: they start at the bottom. IT teams are trained, employ...
No fixed dates. 100% agile online program incl. competency certificate.
Dr.-Ing. Erfan Koza
Academic researcher and course author
Experience from 50+ security projects for industry and federal authorities
Peter Vahrenhorst
Former Chief Detective Inspector
25 years of experience in cybercrime and cybercrime prevention
Marvin Michael Gatermann
CEO at DAFI German Academy for Information Security
Many years of experience in CISO training and leadership development
Asiye Öztürk
Lead auditor and BSI critical infrastructure assessor
Over 10 years of experience in implementing and auditing ISMS and B3S for critical infrastructures
Didactic partner for the digital NIS2 management program.
Experienced training provider offering digital training programs for federal ministries and industry.
Fully digital training program for C-level, managing directors, and leaders in your organization
Top 10 risks for your company - train employees now
Includes:
Current developments and cases around IT security and NIS2
The training program is based on many years of industrial experience, security authority findings, and current cybercrime research. It follows the NIS-2 directive and the recommendations of the German Federal Office for Information Security (BSI) according to the "NIS-2 Management Training - Guidance 2025". The content is aligned with ISO/IEC 27001:2022, ISO 22301, ISO/IEC 27005 and the BSI framework, and is designed for practical use in especially important and important entities.
The training is aimed at members of the management board of especially important and important entities in line with the NIS-2 implementation act (§ 38 para. 3 BSIG-E). In addition, executives, security officers, compliance officers, and supervisory board members also benefit by strengthening their ability to meet strategic and liability-related obligations.
The BSI recommends training at least every three years or whenever there are significant changes in business processes, risk exposure, or management. Training intervals should reflect each organization's risk profile. Under § 38 para. 3 BSIG-E, the training includes legal obligations, risk management, security measures, and liability topics. The average net training time is approximately four hours, depending on the organization's risk situation.
The training includes four core competency areas that build on each other and are taught in a practical way:
1. Introduction to NIS 2.0 and the new BSIG-E: Core content of the NIS 2 directive and its implementation in Germany, including management obligations, reporting requirements, and organizational minimum requirements for information security.
2. Risk management and security measures: Identification and evaluation of risks, threat scenarios, risk acceptance, and practical implementation of technical and organizational safeguards according to § 30 BSIG-E.
3. Cybercrime and attack structures: Understanding current attack methods, threat actors, and patterns, as well as suitable prevention and response strategies.
4. Industry-specific scenarios and case exercises: Practical training and case studies with realistic decision-making situations for incident response, communication under attack, and measure prioritization.
The program includes four core modules with mandatory learning units completed by all participants. Depending on organizational specifics, the depth and scope can vary. The standard duration is about four hours. The training can also be structured modularly across multiple sessions for sector-specific depth.
To participate, you only need a laptop or PC with a stable internet connection. Our learning modules are fully online and available independent of time and place.
You decide when and where to learn, giving you maximum flexibility and independence.
After successful completion, participants receive an official competency certificate that can be used as proof for the BSI, other supervisory authorities, and external compliance auditors (according to § 61 BSIG-E).
The certificate documents training content, duration, and participants, and can be used as part of internal compliance documentation.
With the implementation of NIS-2, management bears personal responsibility for information security. Lack of knowledge or inadequate measures may lead to regulatory consequences and personal liability. The training enables leaders to assess information and cyber risks realistically, make informed decisions, and meet legal obligations confidently.
Approved providers include external training providers with proven information security expertise and qualified internal specialists, provided they have solid knowledge of the NIS-2 directive, BSI requirements, and relevant ISO standards.
Our program is led by certified cyber and information security experts with long-term experience working with federal ministries, KRITIS operators, and mid-sized organizations.
The program combines legal certainty, practice-oriented knowledge, and maximum flexibility for management:
Bookings can be made directly via the contact form or by email. On request, we provide an individual offer tailored to your management team's composition and requirements. The training can optionally be delivered as an in-house workshop or in a flexible online format.
Yes. On request, the training can be delivered in-house at your organization. In this format, experienced experts personally guide participants through the modules. This provides direct exchange, practical discussion, and targeted adaptation to your organization's needs.
The duration of the package can be defined individually by participants or organizations.
Typically, after completing the core module once, participants receive a maximum usage period of three years with full access to all learning content.
In addition to online modules, participants receive a comprehensive set of guidelines, procedures, and reference materials to support NIS-2 implementation.
These materials are provided as download files for practical application, documentation, and internal evidence.
Yes, our training program includes industry-specific modules tailored to sector-specific requirements and risks. These modules use real scenarios and threat landscapes from areas such as healthcare, energy, municipal administration, finance, and critical production.
The goal is practical application of knowledge. Using scenario-based exercises and case studies, participants analyze, assess, handle, and track vulnerabilities and risks, strengthening real-world risk evaluation, treatment, and communication.
Stay up to date on NIS2 and related IT and information security training.