NIS2 asks whether your security measures actually work. Prove it.

It's no longer enough to run awareness training and manage risk. Under NIS2's implementing rules, you're expected to test whether those measures are effective — and show your working.

"We trained everyone" stopped being an answer

NIS2's implementing regulation turned Article 21's broad duties into specific, testable requirements. Your awareness programme has to be tested for effectiveness. Your role-based training has to be assessed. Your risk-management measures need a documented process that measures, analyses, and evaluates whether they work. Delivering the programme is the baseline expectation. Proving it changed behaviour is the requirement.

Effectiveness lives in behaviour, not attendance

An effective awareness programme shows up as people behaving more securely over time — not as a spreadsheet of completions. Praxis Navigator measures the behaviour your programme is meant to change, from your own Microsoft 365 data, and tracks it as a rolling baseline. When a regulator or auditor asks how you know your measures work, you answer with evidence instead of activity.

Evidence your board can read too

NIS2 puts security on the management agenda and holds leadership accountable for it. Stakeholder-ready reports turn behavioural data into the picture your board needs to show they understand — and are steering — the organisation's risk.

The plan

1

Connect — Connect Microsoft 365 in 15 minutes.

2

See — See how your people actually behave, with history from day one.

3

Prove — Evidence your awareness, training, and risk measures are working.

Peer-reviewed field research

29–55%

of the variation in phishing susceptibility is attributable to organizational-level factors, not individual ones.

Measured across 83,269 employees in 510 organizations, using their real responses to phishing campaigns.

Petrič, G., & Roer, K. (2022). The impact of formal and informal organizational norms on susceptibility to phishing. Telematics and Informatics, 67, 101766. Licensed under CC BY 4.0.

Industry forecast

Gartner expects that by 2030, the major cybersecurity control frameworks will judge human risk by measurable behaviour change rather than training completion.

Gartner, cybersecurity trend guidance.

NIS2 requires you to test whether your awareness and training are effective, and to run a documented process that assesses whether your risk-management measures work. Applies to essential and important entities across 18 sectors.

Questions security leaders ask

Does NIS2 require you to measure the effectiveness of security awareness training?
Yes. Under NIS2's implementing regulation, awareness programmes must be tested for effectiveness and role-based training must be assessed — not simply delivered. Completion rates show attendance; effectiveness has to be shown as a change in behaviour over time.
How do you prove security training effectiveness for compliance?
You measure the behaviour the training is meant to change, establish a baseline, and track it over time. Before-and-after behavioural evidence — more people using MFA, fewer risky actions, faster improvement after you intervene — is what demonstrates effectiveness. Praxis Navigator produces it from your own Microsoft 365 data.
What's the difference between activity metrics and behavioural evidence?
Activity metrics count what happened — courses completed, links clicked, emails sent. Behavioural evidence shows what changed — whether people actually handle security more safely than before. Regulations increasingly ask for the second. Only the second proves a measure is effective.