---
title: NIS2 Cybersecurity Training Plan Guide
description: How to build an approvable NIS2 cybersecurity training plan (PR.AT-01). Practical guide covering awareness programs, role-based training, and competency tracking.
canonical: https://www.aegister.com/en/cms/insights/nis2-cybersecurity-training-plan-pr-at-01/
url: /en/cms/insights/nis2-cybersecurity-training-plan-pr-at-01/
lang: en
---

# NIS2 cybersecurity training plan: practical guide for an approvable PR.AT-01 document


February 03, 2026


Under the ACN baseline framework, the training plan is explicitly included among documents requiring approval by management and directive bodies (Appendix C, PR.AT-01 point 1).

On the timeline, incident notification obligations have been active since January 2026, while the baseline implementation horizon for many organizational measures remains October 2026. A structured training plan is therefore both an immediate risk control and a compliance requirement.

## Key takeaways

- The training plan is a governance-approved document, not only an HR calendar.
- PR.AT-01 and PR.AT-02 expectations require role-based cybersecurity capability building.
- Evidence (attendance, tests, exercises, remediation) is central to audit readiness.
- Training should be integrated with incident, risk, and policy governance cycles.

## Regulatory framing for training under NIS2

ACN guidance maps cybersecurity hygiene and training practices to baseline measures including PR.AT-01 and PR.AT-02. In operational terms, organizations should define mandatory training streams, role segmentation, recurrence, and measurable effectiveness.

A recurring gap is documenting course titles without proving behavioral and operational impact. Expected maturity includes traceable participation, role alignment, periodic refresh, and corrective actions when outcomes are weak.

## What an approvable training plan should contain

| Section | Why it matters for PR.AT-01 execution |
| --- | --- |
| Scope and training governance | Clarifies mandatory population and accountabilities |
| Role-based learning paths | Aligns content with technical and business risk exposure |
| Annual calendar and recurrence rules | Ensures continuity and minimum training cadence |
| Onboarding/offboarding training controls | Reduces early-stage human risk exposure |
| Test/simulation model | Measures effectiveness beyond attendance |
| Evidence and reporting structure | Supports auditability and management oversight |

## Practical structure from the Aegister template approach

### 1. Objective, scope, and references

Define training purpose, organizational perimeter, and baseline references.

### 2. Audience segmentation and role matrix

Group audiences by risk profile: executives, technical teams, operational staff, privileged users, suppliers.

### 3. Training catalogue and annual cycle

Set mandatory modules, refresh cadence, and trigger-based extraordinary sessions.

### 4. Delivery model and ownership

Define internal/external delivery, accountability between CISO and HR, and completion governance.

### 5. Effectiveness validation model

Use quizzes, simulations, incident trend correlation, and targeted remediation.

### 6. Evidence register and audit reporting

Track attendance, outcomes, remediation actions, and management reporting.

## Common training-plan quality gaps to avoid

- Generic training for all roles with no risk-based segmentation.
- Attendance tracked but no effectiveness validation.
- No linkage with incident trends and recurring weaknesses.
- Training plan disconnected from onboarding/offboarding flows.
- Evidence incomplete for audit and management review.

## 20-day hardening checklist

| Week | Priority actions |
| --- | --- |
| Week 1 | Validate role matrix and mandatory training population |
| Week 2 | Finalize annual catalogue, ownership, and evidence model |
| Week 3 | Run first validation cycle and close top capability gaps |

## FAQ

### Does the training plan require formal approval by management bodies?

Yes. Appendix C includes the training plan among documents requiring approval by management and directive bodies (PR.AT-01 point 1).

### Is attendance tracking enough for NIS2 training compliance?

No. Participation records are necessary, but organizations should also prove effectiveness through tests, simulations, and corrective actions.

### What is the minimum practical output expected from this plan?

A role-based annual training system with traceable evidence, effectiveness checks, and governance reporting.

## Conclusion and next steps

A NIS2 training plan should create measurable capability, not only complete mandatory sessions. Organizations that align role-based content, effectiveness metrics, and governance reporting early are better positioned for October 2026 readiness and for supporting the obligations that are already active.

## Related reading

- [NIS2 mandatory documents master guide: what must be approved by the board and what to prepare now](/en/cms/insights/nis2-mandatory-documents-master-guide-board-approval/)
- [NIS2 training and cyber-competency register: practical guide to auditable workforce evidence](/en/cms/insights/nis2-training-competency-register-workforce-evidence/)
- [NIS2 Protection Controls (PR): Technical and Organizational Measures in Execution](/en/cms/insights/nis2-protection-pr-technical-organizational-measures/)
- [Aegister NIS2 Compliance Service](/en/solutions/compliance/nis2/)
- [Aegister Virtual CISO Service](/en/solutions/virtual-ciso/)

## Official sources

- [ACN – Guida alla lettura delle specifiche di base](https://www.acn.gov.it/portale/documents/d/guest/guida-alla-lettura-specifiche-di-base)
- [ACN – Determinazione obblighi di base 379907/2025](https://www.acn.gov.it/portale/documents/d/guest/detacn_obblighi_2511-v3_signed)
- [ACN – Modalità e specifiche di base](https://www.acn.gov.it/portale/nis/modalita-specifiche-base)
- [Gazzetta Ufficiale – Decreto Legislativo 138/2024](https://www.gazzettaufficiale.it/eli/id/2024/10/01/24G00155/SG)

