NIS2 asks whether your security measures actually work. Prove it.
It's no longer enough to run awareness training and manage risk. Under NIS2's implementing rules, you're expected to test whether those measures are effective — and show your working.
"We trained everyone" stopped being an answer
NIS2's implementing regulation turned Article 21's broad duties into specific, testable requirements. Your awareness programme has to be tested for effectiveness. Your role-based training has to be assessed. Your risk-management measures need a documented process that measures, analyses, and evaluates whether they work. Delivering the programme is the baseline expectation. Proving it changed behaviour is the requirement.
Effectiveness lives in behaviour, not attendance
An effective awareness programme shows up as people behaving more securely over time — not as a spreadsheet of completions. Praxis Navigator measures the behaviour your programme is meant to change, from your own Microsoft 365 data, and tracks it as a rolling baseline. When a regulator or auditor asks how you know your measures work, you answer with evidence instead of activity.
Evidence your board can read too
NIS2 puts security on the management agenda and holds leadership accountable for it. Stakeholder-ready reports turn behavioural data into the picture your board needs to show they understand — and are steering — the organisation's risk.
The plan
Connect — Connect Microsoft 365 in 15 minutes.
See — See how your people actually behave, with history from day one.
Prove — Evidence your awareness, training, and risk measures are working.
Peer-reviewed field research
29–55%
of the variation in phishing susceptibility is attributable to organizational-level factors, not individual ones.
Measured across 83,269 employees in 510 organizations, using their real responses to phishing campaigns.
Petrič, G., & Roer, K. (2022). The impact of formal and informal organizational norms on susceptibility to phishing. Telematics and Informatics, 67, 101766. Licensed under CC BY 4.0.
Industry forecast
Gartner expects that by 2030, the major cybersecurity control frameworks will judge human risk by measurable behaviour change rather than training completion.
Gartner, cybersecurity trend guidance.
NIS2 requires you to test whether your awareness and training are effective, and to run a documented process that assesses whether your risk-management measures work. Applies to essential and important entities across 18 sectors.