NIS2 has raised the bar for cyber security across Europe, and for good reason. Threats are more persistent, more sophisticated, and more disruptive than ever before, and regulators are responding by demanding stronger security controls, clearer accountability, and better visibility into how organisations manage risk. 

In response, many organisations have taken familiar and sensible steps. They’ve invested in new security tools, strengthened their technical defences, refined policies, and increased risk reporting to leadership. All of this plays an important role in improving security posture. And yet, history shows that these measures alone won’t be enough. 

When breaches happen, they rarely begin with a breakdown in technology. They begin with a human decision, often made quickly, under pressure, or without enough context to recognise the risk in that moment. That is where NIS2 success or failure will ultimately be determined. 

NIS2 Puts People Firmly in Scope 

One of the most common misconceptions around NIS2 is that it’s primarily a technical or IT-led regulation. While it does include requirements around systems, monitoring, incident reporting, and supply chain security, its scope is much broader than that. 

NIS2 places clear emphasis on risk management, governance, and organisational resilience. It expects organisations to understand where their real risks exist, how those risks evolve over time, and whether the controls in place are genuinely effective at reducing them. That effectiveness isn’t measured by how many tools are deployed or how comprehensive a policy library looks on paper, but by whether risks are being managed in practice. 

Responsibility is also pushed firmly upwards. Senior management are expected to approve risk management measures and oversee their ongoing effectiveness. In that context, human behaviour becomes impossible to ignore. Decisions around access, credential handling, data sharing, and responses under pressure all directly influence whether controls hold up when they’re tested. 

NIS2 doesn’t frame this as a secondary or soft issue. It treats human behaviour as a core component of organisational risk. 

Most Breaches Still Begin with Everyday Decisions 

Despite years of progress in cyber security technology, the most common breach paths remain remarkably consistent. According to the latest Data Breach Investigations Report, around 60 per cent of breaches involve a human element, including phishing, compromised credentials, and routine mistakes, which highlights how much human behaviour still influences risk. In the same report, stolen or misused credentials were the primary initial access vector in about 22 per cent of cases, with phishing contributing roughly 15 per cent, showing that attackers continue to exploit predictable human-related pathways into organisations. These figures underline that many incidents begin not with a flaw in security tooling but with everyday decisions made when people are busy, distracted, or under pressure, reinforcing the need for a human-centric approach to managing risk.

These situations don’t arise because employees are careless or malicious. They arise because people are trying to do their jobs in fast-moving environments where convenience, urgency, and competing priorities often shape behaviour. Attackers understand this dynamic extremely well, which is why social engineering continues to be such an effective tactic. According to the Verizon Data Breach Investigations Report (DBIR), social engineering techniques are involved in nearly three quarters of breaches, making it one of the most consistently successful ways for attackers to gain initial access by exploiting human decision-making rather than technical flaws. 

Technology is designed around defined processes and predictable inputs, but it often assumes people will behave consistently, even when they’re tired, under pressure, or working with incomplete information. From a NIS2 perspective, that gap matters. Regulators aren’t only interested in whether controls exist, but whether they’re resilient enough to withstand real-world conditions.

If a control depends on perfect behaviour in imperfect circumstances, it represents a risk that needs to be understood and managed. 

Why Policy and Annual Training Fall Short 

Most organisations can demonstrate that they have security policies in place and that employees complete regular awareness training. For a long time, this has been treated as reasonable evidence of due care. 

Under NIS2, that assumption becomes harder to defend. 

Policies describe how things should work, and annual training explains expected behaviour in theory. What they don’t show is how people actually respond when faced with realistic scenarios that mirror the pressures of their day-to-day roles. They don’t reveal where judgement breaks down, where uncertainty creeps in, or where well-intentioned people make risky choices simply to keep work moving. 

From a regulatory standpoint, this creates a visibility gap. Completion rates and policy acknowledgements demonstrate activity, but they don’t demonstrate effectiveness. They don’t show whether risky behaviours are being reduced, whether employees can recognise threats when they appear, or whether decision-making improves over time. 

As NIS2 drives a more risk-based and outcomes-focused approach to compliance, organisations will need to show that their awareness programmes influence behaviour in a measurable way, not just that content has been delivered. 

Behavioural Evidence Matters More Than Attendance 

One of the most significant shifts introduced by NIS2 is the focus on ongoing risk management rather than point-in-time compliance. Regulators want confidence that organisations understand their exposure and are actively managing it as threats and behaviours change. 

When it comes to human risk, that means being able to answer practical questions:

• Where do employees struggle most?
• Which behaviours introduce the highest levels of risk?
• How does that risk vary across roles, teams, or locations?
• What evidence exists that proves learning interventions are actually having an impact?

Behavioural evidence helps answer these questions. Engagement data, responses to realistic scenarios, and patterns in decision-making all provide valuable insight into how people behave when they’re faced with situations that matter. This kind of insight supports better internal decision-making, but it also strengthens an organisation’s regulatory position by showing that human risk is being monitored and addressed systematically. 

Attendance and completion metrics on their own can’t provide that level of assurance. 

Engagement Is Not a Nice-to-Have 

Engagement in security awareness is often discussed in terms of participation or completion rather than its impact on how people think and act when faced with risk. In reality, it’s far more important than that. Engagement is closely linked to attention, understanding, and retention, all of which directly influence how people behave when they encounter risk.

If employees are disengaged, they’re far less likely to absorb guidance, recognise warning signs, or apply learning when it matters most. From a NIS2 perspective, this isn’t a learning design issue; it’s a risk management issue.

Interactive, scenario-based content plays a valuable role here because it reflects how people learn best. By placing learners in realistic situations and asking them to make decisions, organisations can surface behavioural risk in a controlled environment and provide targeted feedback that strengthens judgement over time. 

This approach aligns closely with regulatory expectations around effectiveness and continuous improvement, because it allows organisations to test assumptions, identify weaknesses, and reinforce safer behaviour in a measurable way. 

Technology Supports Resilience, People Determine It 

Strong technical controls remain essential. Firewalls, monitoring tools, identity systems, and detection capabilities all play a critical role, and NIS2 rightly expects organisations to maintain them. 

What NIS2 also demands is a clear understanding of how those controls interact with human behaviour. Organisations need visibility into where safeguards are overridden, where processes rely on assumptions that don’t hold up under pressure, and where convenience quietly undermines security. 

Answering those questions requires insight into behaviour, not just system configuration. 

Organisations that approach NIS2 purely as a technology project risk missing this entirely. Those that treat it as a resilience programme, with people at the centre, are far better positioned to meet both the letter and the spirit of the regulation. 

Building Defensible NIS2 Alignment 

As NIS2 enforcement approaches, organisations will increasingly be asked to demonstrate how they manage risk in practice. That includes technical posture, governance, and incident response, but it also includes how people are prepared to make the right decisions in the moments that matter most. 

Defensible alignment is built on evidence. Evidence that risks are understood, that behaviours are being tested, and that learning is targeted, relevant, and effective. 

When incidents occur and regulators ask how an organisation prepared its people, the answer can’t rely solely on policies and attendance records. It needs to show insight, intent, and measurable impact. 

Because ultimately, NIS2 compliance won’t fail because a tool was missing. It will fail when human behaviour is treated as an afterthought rather than a core part of risk management. 

Working with MetaCompliance

Meeting NIS2 expectations requires more than demonstrating that training has been delivered. It requires confidence that people understand their role in managing risk, that behaviours are being shaped over time, and that organisations can evidence real-world effectiveness when it matters.

MetaCompliance helps organisations take a practical and defensible approach to human risk management, supporting NIS2-aligned training without forcing a one-size-fits-all model. Rather than prescribing a single “NIS2 course,” we enable customers to build training programmes that align to their specific risk profile, organisational roles, and regulatory interpretation.

We have identified relevant learning content that can be used to support NIS2 training requirements, making it easier for organisations to demonstrate intent, structure, and relevance when preparing their people. This approach gives security and compliance teams the flexibility to design programmes that reflect how NIS2 is applied in their organisation, rather than relying on generic or purely theoretical training.

Combined with MetaCompliance’s risk-based learning approach, realistic scenarios, and meaningful engagement data, organisations gain visibility into how people actually behave — not just whether training has been completed. This supports continuous learning, targeted intervention, and measurable improvement over time, helping teams evidence that human risk is being actively managed.

As NIS2 drives greater accountability and scrutiny, organisations that can clearly show how they prepare people, influence behaviour, and adapt to changing risk will be best placed to meet both regulatory expectations and real-world threats.

Get in touch today to find out how MetaCompliance can support your NIS2 training strategy.