Prove your security measures work — the way NIS2, DORA, and GDPR now require

Three regulations, one demand: evidence that your controls are effective, not just that you have them. Here's how to prove it for the layer that's hardest to measure — how your people actually behave.

Compliance moved from "do you have it" to "does it work"

NIS2, DORA, and GDPR each now expect you to show that your security measures are effective — tested, measured, and reviewed over time. Policies, training records, and tool licences answer a question regulators have stopped asking. The question now is whether any of it changed behaviour. For your technical controls, you can measure that. For your people, most teams still can't — and that's the gap that turns an audit into a finding.

Completion rates aren't effectiveness

A finished course proves attendance. A phishing-simulation click rate proves one moment on one email. Neither shows whether your people handle real risk more safely than they did last quarter. Effectiveness is a trend in behaviour: more people using MFA, fewer risky sharing actions, faster improvement after you act. That trend is the evidence every one of these regulations is now asking to see.

See the full activity metrics vs. behavioural evidence comparison

Prove it from data you already generate

Your people work in Microsoft 365 every day, and their security behaviour is already in that signal. Praxis Navigator turns it into rolling baselines and before-and-after evidence — the proof that your measures work, in the language auditors and boards accept. You connect once. You see months of history from day one. You prove what's improving.

The plan

1

Connect — Connect Microsoft 365 in 15 minutes. No sales call, no project.

2

See — See behavioural baselines immediately, including months of history.

3

Prove — Show before-and-after evidence that your measures are working.

Peer-reviewed field research

29–55%

of the variation in phishing susceptibility is attributable to organizational-level factors, not individual ones.

Measured across 83,269 employees in 510 organizations, using their real responses to phishing campaigns.

Petrič, G., & Roer, K. (2022). The impact of formal and informal organizational norms on susceptibility to phishing. Telematics and Informatics, 67, 101766. Licensed under CC BY 4.0.

Industry forecast

Gartner expects that by 2030, the major cybersecurity control frameworks will judge human risk by measurable behaviour change rather than training completion.

Gartner, cybersecurity trend guidance.

Peer-reviewed field research

When employees believed their colleagues were already handling security well, they became more susceptible to phishing, not less — a boomerang effect. A clear, salient security policy could likewise increase casual link-clicking.

From the same field study of 83,269 employees across 510 organizations.

Petrič, G., & Roer, K. (2022). The impact of formal and informal organizational norms on susceptibility to phishing. Telematics and Informatics, 67, 101766. Licensed under CC BY 4.0.

One requirement, three regulations

Whichever regime brought you here, the obligation rhymes. See how NIS2, DORA, and GDPR each frame the same demand — and what satisfies it.

NIS2 requires you to test whether your awareness and training are effective, and to run a documented process that assesses whether your risk-management measures work. Applies to essential and important entities across 18 sectors.

DORA requires financial entities to monitor the effectiveness of their digital operational resilience strategy, and makes security awareness and resilience training compulsory for every employee and board member. Applies to EU financial entities.

GDPR Article 32 requires a process for regularly testing, assessing and evaluating the effectiveness of your security measures. Applies to any organization processing personal data.

Questions security leaders ask

Does NIS2 require you to measure the effectiveness of security awareness training?
Yes. Under NIS2's implementing regulation, awareness programmes must be tested for effectiveness and role-based training must be assessed — not simply delivered. Completion rates show attendance; effectiveness has to be shown as a change in behaviour over time.
What does GDPR Article 32 mean by testing the effectiveness of security measures?
Article 32 requires a process for regularly testing, assessing, and evaluating whether your technical and organisational measures actually work. For technical controls that means scans and penetration tests. For the organisational, human side it means measuring whether people handle data securely in practice — and showing it improving.
Does DORA require measuring training effectiveness?
DORA makes security awareness and resilience training compulsory for all employees and senior management, and requires financial entities to monitor how effective their resilience strategy is over time. Monitoring effectiveness means measuring behaviour and mapping how risk evolves — not counting who attended.
How do you prove security training effectiveness for compliance?
You measure the behaviour the training is meant to change, establish a baseline, and track it over time. Before-and-after behavioural evidence — more people using MFA, fewer risky actions, faster improvement after you intervene — is what demonstrates effectiveness. Praxis Navigator produces it from your own Microsoft 365 data.
What's the difference between activity metrics and behavioural evidence?
Activity metrics count what happened — courses completed, links clicked, emails sent. Behavioural evidence shows what changed — whether people actually handle security more safely than before. Regulations increasingly ask for the second. Only the second proves a measure is effective.