Across the European Union, cyber security regulations are shifting the focus from completing training to demonstrating real, measurable reductions in human risk.
Frameworks such as NIS2 and DORA no longer ask whether risk awareness programmes exist; they ask whether organisations can prove that human behaviour supports operational resilience. While Germany is one of the first member states to fully transpose these requirements into national law, similar obligations apply across the EU, and companies operating internationally face growing expectations from auditors and regulators worldwide.
This shift marks a fundamental change: awareness is no longer a checkbox, but a risk control that must be continuously measured, managed, and improved.
Understanding this shift, and knowing how to respond, is essential for organisations of all sizes who want to reduce operational risk and meet regulatory expectations.

From Awareness to Evidence: The Regulatory Imperative
For more than a decade, cyber security awareness programmes focused on learning completion and policy acknowledgements. Organisations could demonstrate compliance by delivering eLearning modules, conducting phishing simulations, or collecting signed policy acknowledgements.
Today, regulators, boards, and auditors are asking a very different question:
“Did it actually reduce risk, and can you prove it?”
This reflects the intent of EU regulations such as:
- NIS2 Directive: Requires entities to implement appropriate and proportionate technical and organisational measures and assess their effectiveness in managing ICT risks, including human-related risks
- DORA (Digital Operational Resilience Act): Requires financial organisations and ICT service providers to ensure staff competence and resilience, demonstrating the effectiveness of measures beyond completion metrics
Globally, similar trends are emerging. The US NIST Cybersecurity Framework and standards such as ISO/IEC 27001 and ISO/IEC 27002 emphasise risk-based approaches and continuous improvement, with human factors treated as a core risk area. Even outside the EU, regulators increasingly expect organisations to demonstrate that awareness initiatives translate into actual risk reduction, rather than just completed learning.
The Knowing–Doing Gap: Why Awareness Alone Is Not Enough
The “knowing–doing gap” is the disconnect between knowing what secure behaviour looks like and actually applying it consistently in practice. Many organisations assume that delivering learning and policies is sufficient. In reality, audits increasingly show that organisations:
- Train staff, but fail to track improvement over time
- Conduct phishing simulations, but do not respond to repeat failures with targeted interventions
- Acknowledge policies, but do not link human risk to ICT risk management frameworks
The regulatory focus is no longer on participation, but on outcomes: measurable behaviour change, reduction of human error, and improved operational resilience.
What Evidence of Human Risk Reduction Looks Like
Regulators and auditors do not expect perfection. They expect documented, demonstrable improvement over time. Evidence comes from patterns and trends, not isolated metrics. Examples include:
- Phishing click rates decreasing across multiple campaigns
- Increased and faster reporting of suspicious emails
- Fewer repeat failures by the same users
- Reduced time to detect and resolve incidents
- Behavioural improvement after targeted, role-based interventions
For example, a company might identify that staff in a specific department repeatedly fail phishing tests. Targeted, role-based training is introduced, and subsequent simulations show a measurable drop in risky behaviour. This is the kind of evidence regulators expect.
Even incremental improvements count. Continuous tracking and documentation of risk reduction efforts demonstrate that awareness programmes are not static checkboxes but evolving, risk-based controls.
From Awareness Programmes to Human Risk Management
The regulatory landscape requires organisations to treat cyber security awareness as part of overall ICT risk management, not as an isolated compliance activity. This means:
- Moving from annual or one-off learning to continuous, structured programmes
- Linking failures and incidents to targeted, measurable interventions
- Tracking behavioural trends over time
- Integrating human risk into overall ICT and operational risk reporting
This is where awareness programmes become human risk management.
Organisations that do this successfully not only reduce incidents but can demonstrate resilience to regulators, auditors, and senior management.
Practical Steps to Respond
Meeting regulatory expectations doesn’t require perfect security behaviour, but it does require structured evidence of improvement.
Some of the key actions your business should take include:
- Define meaningful KPIs beyond training completion, e.g., phishing click rates, reporting frequency, repeat failures
- Track behaviour over time to demonstrate improvements
- Respond to failures with targeted learning or guidance
- Document decisions and outcomes, linking actions to specific incidents
- Review regularly to identify high-risk users or areas needing intervention
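The steps above describe what to measure but not how the evidence is assembled. The following is an added illustration, not MetaCompliance's code or a description of its platform: it computes the KPIs named in the list (click rate and reporting rate per campaign, median time to report, repeat failures, and whether the trend across campaigns is actually improving) from a small constructed set of phishing-simulation results. The campaign names, user ids, timings and the two-failure threshold for a "repeat clicker" are all assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import median
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Result:
    """One user's outcome in one phishing-simulation campaign."""
    campaign: str                  # campaign identifier; records are listed in chronological order
    user: str                      # pseudonymous user id (KPIs need no personal data)
    clicked: bool                  # followed the simulated link
    reported: bool                 # reported the email through the reporting channel
    report_minutes: Optional[int]  # minutes from delivery to report; None if not reported


# Constructed sample data, not real telemetry: six users across three quarterly campaigns.
SAMPLE: List[Result] = [
    Result("Q1", "u1", True,  False, None), Result("Q1", "u2", True,  False, None),
    Result("Q1", "u3", False, True,  95),   Result("Q1", "u4", True,  False, None),
    Result("Q1", "u5", False, False, None), Result("Q1", "u6", False, True,  120),
    Result("Q2", "u1", True,  False, None), Result("Q2", "u2", False, True,  60),
    Result("Q2", "u3", False, True,  40),   Result("Q2", "u4", True,  False, None),
    Result("Q2", "u5", False, True,  75),   Result("Q2", "u6", False, False, None),
    Result("Q3", "u1", True,  False, None), Result("Q3", "u2", False, True,  20),
    Result("Q3", "u3", False, True,  15),   Result("Q3", "u4", False, True,  30),
    Result("Q3", "u5", False, True,  45),   Result("Q3", "u6", False, True,  25),
]


def _campaigns(results: List[Result]) -> List[str]:
    # dict.fromkeys keeps first-seen order, so the sequence stays chronological
    return list(dict.fromkeys(r.campaign for r in results))


def _grouped(results: List[Result]) -> Dict[str, List[Result]]:
    groups: Dict[str, List[Result]] = defaultdict(list)
    for r in results:
        groups[r.campaign].append(r)
    return groups


def click_rate(results: List[Result]) -> Dict[str, float]:
    """Fraction of recipients who clicked, per campaign (lower is better)."""
    groups = _grouped(results)
    return {c: sum(r.clicked for r in groups[c]) / len(groups[c]) for c in _campaigns(results)}


def report_rate(results: List[Result]) -> Dict[str, float]:
    """Fraction of recipients who reported the email, per campaign (higher is better)."""
    groups = _grouped(results)
    return {c: sum(r.reported for r in groups[c]) / len(groups[c]) for c in _campaigns(results)}


def median_report_minutes(results: List[Result]) -> Dict[str, Optional[float]]:
    """Median time to report per campaign; None when nobody reported."""
    groups = _grouped(results)
    out: Dict[str, Optional[float]] = {}
    for c in _campaigns(results):
        times = [r.report_minutes for r in groups[c] if r.reported and r.report_minutes is not None]
        out[c] = median(times) if times else None
    return out


def repeat_clickers(results: List[Result], min_failures: int = 2) -> Dict[str, int]:
    """Users who clicked in at least `min_failures` campaigns (threshold is an assumption)."""
    counts: Dict[str, int] = defaultdict(int)
    for r in results:
        if r.clicked:
            counts[r.user] += 1
    return {u: n for u, n in sorted(counts.items()) if n >= min_failures}


def is_monotonic(values: List[float], decreasing: bool = True) -> bool:
    """True when every successive campaign moves in the desired direction."""
    pairs = list(zip(values, values[1:]))
    return all(b < a for a, b in pairs) if decreasing else all(b > a for a, b in pairs)


def kpi_summary(results: List[Result], min_failures: int = 2) -> dict:
    """Bundle the per-campaign KPIs and trend flags into one evidence record."""
    order = _campaigns(results)
    clicks, reports = click_rate(results), report_rate(results)
    return {
        "campaigns": order,
        "click_rate": clicks,
        "report_rate": reports,
        "median_report_minutes": median_report_minutes(results),
        "repeat_clickers": repeat_clickers(results, min_failures),
        "click_rate_improving": is_monotonic([clicks[c] for c in order], decreasing=True),
        "report_rate_improving": is_monotonic([reports[c] for c in order], decreasing=False),
    }


if __name__ == "__main__":
    s = kpi_summary(SAMPLE)
    for c in s["campaigns"]:
        print(f"{c}: click {s['click_rate'][c]:.0%}, report {s['report_rate'][c]:.0%}, "
              f"median report time {s['median_report_minutes'][c]} min")
    print("repeat clickers for targeted intervention:", s["repeat_clickers"])
    print("click rate improving:", s["click_rate_improving"])
```

The trend flags are what turn a set of isolated numbers into the kind of evidence the section describes: a falling click rate alone says little if reporting is also falling, and the repeat-clicker list is the input to the targeted, role-based interventions mentioned above. Keeping the users pseudonymous also keeps the KPI record free of personal data.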
These steps mean awareness programmes evolve into continuous, evidence-based risk management, meeting regulatory and audit expectations while improving operational resilience.
How MetaCompliance Can Help
MetaCompliance helps organisations to close the knowing–doing gap by transforming awareness and incident data into regulator-ready evidence. Its platform combines:
- Continuous eLearning
- Phishing simulations
- Incident reporting
- Policy management
- Centralised reporting and trend analysis
This allows organisations to move from simply delivering learning to proving that human risk is actively managed and reduced over time.
The MetaCompliance Customer Success Team works with organisations to interpret their data, structure risk-based awareness programmes, define meaningful KPIs, and present outcomes to regulators, auditors, and senior leadership. In this way, compliance turns into confidence, and awareness becomes a measurable control that strengthens operational resilience.
From Compliance to Confidence
Across the EU, and increasingly worldwide, cyber security awareness is no longer a checkbox exercise. Regulations demand evidence that programmes reduce human risk and improve organisational resilience.
Organisations that embrace this shift:
- Close the knowing–doing gap
- Demonstrate measurable human risk reduction
- Build confidence with regulators and auditors
- Strengthen operational resilience
Closing the gap isn’t optional; it’s the new standard, and organisations that act now will be better prepared for real-world security challenges.
To learn more about NIS2, DORA and other regulations impacting how businesses look at risk in 2026 and beyond, read our blog: 4 Regulatory Changes CISOs Must Prepare for in 2026.