NIS2 Made Clear: Training That Doesn’t Change Behavior Is a Risk

Training that exists only on paper does not prevent incidents. NIS2 expects people to recognize risky situations and know what to do when it matters, not just pass a test.


The training was completed. The presentation had dozens of slides. There was a test at the end, and everyone passed. On paper, everything looked fine. A week later, a phishing email arrived. Someone clicked. And just like that, there was an incident.

The reaction that followed was almost automatic:

“But we trained them.”

Formally, the organization was right. The training existed, the attendance sheet was signed, and the test was completed. In reality, however, the training failed to do what it was supposed to do. People did not recognize a risky situation, they did not know what to do, and they certainly did not know whom to report it to.

A common belief is that people are the biggest risk in cybersecurity. They are not. The real risk is people who are not prepared to act in the moment that matters most. Attackers understand this very well. They do not attack only technology, but also attention, fatigue, and routine.

That is why the NIS2 Directive talks about appropriate awareness and training. It does not talk about slide decks or tests. It focuses on ensuring that people can recognize risky situations and respond correctly. Awareness is not proven by documentation, but by behavior.

Behavioral change does not happen overnight. It requires repetition, consistency, and shared responsibility across teams. That is why we explored this topic further in Cybersecurity Isn’t a Sprint, It’s a Team Run, where we explain why sustainable security depends on a long-term mindset, not on one-off activities.

The problem with many trainings is that they are too generic and disconnected from day-to-day reality. They explain terminology, definitions, and attack types, but miss the most important part – what to do next. Employees do not need to know what spear phishing is. They need to know what to do when something feels suspicious.

The training sessions that work are short, clear, and focused on a single situation. Five to ten minutes. One scenario. One clear action. What does a suspicious email look like in our organization? Who should it be reported to? What happens next? When people know this, their behavior changes. And that is the real goal.
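If awareness is proven by behavior rather than by attendance sheets, the evidence an organization should keep is behavioral: did people report the suspicious email, how quickly, and did that change after training? The following added example (illustrative code written for this article, not Tazilla’s tooling or any product feature) computes such metrics from a constructed event log of two hypothetical phishing simulations. Campaign names, user names, timestamps and the event format are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import median
from typing import List, Optional, Tuple

# Constructed sample events from two hypothetical phishing simulations.
# Each tuple is (campaign, user, event kind, ISO-8601 timestamp). Not real data.
# "sim-1" is before scenario-based training, "sim-2" is after it.
SAMPLE_EVENTS: List[Tuple[str, str, str, str]] = [
    ("sim-1", "alice", "sent", "2024-03-01T09:00:00"),
    ("sim-1", "alice", "clicked", "2024-03-01T09:05:00"),
    ("sim-1", "bob", "sent", "2024-03-01T09:00:00"),
    ("sim-1", "carol", "sent", "2024-03-01T09:00:00"),
    ("sim-1", "carol", "reported", "2024-03-01T11:00:00"),
    ("sim-1", "dave", "sent", "2024-03-01T09:00:00"),
    ("sim-1", "dave", "clicked", "2024-03-01T09:02:00"),
    ("sim-1", "dave", "reported", "2024-03-01T09:10:00"),  # clicked, then still reported
    ("sim-2", "alice", "sent", "2024-06-01T09:00:00"),
    ("sim-2", "alice", "reported", "2024-06-01T09:04:00"),
    ("sim-2", "bob", "sent", "2024-06-01T09:00:00"),
    ("sim-2", "bob", "reported", "2024-06-01T09:30:00"),
    ("sim-2", "carol", "sent", "2024-06-01T09:00:00"),
    ("sim-2", "carol", "reported", "2024-06-01T09:06:00"),
    ("sim-2", "dave", "sent", "2024-06-01T09:00:00"),
    ("sim-2", "dave", "clicked", "2024-06-01T09:03:00"),  # clicked and never reported
]


@dataclass
class CampaignMetrics:
    campaign: str
    recipients: int
    click_rate: float          # fraction of recipients who clicked the link
    report_rate: float         # fraction of recipients who reported the email
    silent_click_rate: float   # clicked and never reported: the incident nobody hears about
    median_minutes_to_report: Optional[float]  # None when nobody reported


def campaign_metrics(events: List[Tuple[str, str, str, str]], campaign: str) -> CampaignMetrics:
    """Aggregate one campaign's events into behavioral metrics."""
    sent = {}       # user -> time the simulated email was sent
    clicked = set()
    reported = {}   # user -> earliest report time
    for camp, user, kind, ts in events:
        if camp != campaign:
            continue
        t = datetime.fromisoformat(ts)
        if kind == "sent":
            sent[user] = t
        elif kind == "clicked":
            clicked.add(user)
        elif kind == "reported":
            reported[user] = min(t, reported[user]) if user in reported else t
    recipients = set(sent)
    if not recipients:
        raise ValueError(f"no recipients recorded for campaign {campaign!r}")
    n = len(recipients)
    clicked &= recipients
    reporters = set(reported) & recipients
    delays = [(reported[u] - sent[u]).total_seconds() / 60 for u in reporters]
    return CampaignMetrics(
        campaign=campaign,
        recipients=n,
        click_rate=len(clicked) / n,
        report_rate=len(reporters) / n,
        silent_click_rate=len(clicked - reporters) / n,
        median_minutes_to_report=median(delays) if delays else None,
    )


def behavior_improved(before: CampaignMetrics, after: CampaignMetrics) -> bool:
    """The outcome NIS2-style awareness should produce: more reports, not more clicks."""
    return after.report_rate > before.report_rate and after.click_rate <= before.click_rate


if __name__ == "__main__":
    m1 = campaign_metrics(SAMPLE_EVENTS, "sim-1")
    m2 = campaign_metrics(SAMPLE_EVENTS, "sim-2")
    print(m1)
    print(m2)
    print("behavior improved:", behavior_improved(m1, m2))
```

The silent click rate is the number worth watching: a click followed by a report is a contained event, while a click nobody reports is the scenario from the opening of this article. A test score says nothing about either.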

At Tazilla, we treat training as part of risk management, not as a one-off compliance task. Each relevant risk is linked to specific awareness, based on real scenarios and expected behavior. The goal is not for people to choose the correct answer in a test, but to do the right thing when it actually matters.

Tazilla also provides awareness training that covers the basics, but its real value emerges only when it is combined with risk ownership, clear escalation paths, and well-defined security controls.

The bottom line is simple. Training that does not change behavior is just another form of documentation. And documentation alone does not protect anyone. NIS2 knows this. Attackers know this. The question is whether we do.