Compliance training in 2026 isn't one lecture. It is three parallel laws, each with its own deadline, audience, and evidence trail. HR runs all three in parallel.
Three pillars of mandatory training
Three EU frameworks demand documented training for employees in 2026:
- GDPR (Regulation (EU) 2016/679) — Article 39 makes the Data Protection Officer responsible for awareness-raising and training of staff who process personal data. Supervisory authorities expect annual refreshers.
- EU OSH framework (Directive 89/391/EEC and national OSH laws) — workers receive theoretical and practical training on hire, on transfer to a new workplace, and before new technology or processes go live.
- NIS2 (Directive (EU) 2022/2555) — Article 20(2) requires management bodies to follow training. Article 21(2)(g) mandates "basic cyber hygiene practices and cybersecurity training" for the whole workforce.
Each law carries its own penalty regime. The common thread is evidence: no record means no training, in the eyes of an inspector.
Deadlines HR puts in the calendar
- 30 June 2026 is the deadline for the first NIS2 compliance audit for in-scope entities.
- Every 2 years at most is the longest retest interval national rules typically allow for higher-risk OSH roles.
- Annually is what supervisory authorities typically expect for GDPR refresher training.
- On every change — a new system, new equipment, or revised process triggers fresh training before rollout.
Who learns what
Three audiences, three contents. One module for everyone is a red flag.
- All employees learn GDPR basics, phishing recognition, password handling, and safe email use. NIS2 calls this "basic cyber hygiene".
- Management bodies follow their own NIS2 Article 20 module. The board must understand risks and personal liability. Delegating to the CISO does not satisfy the duty.
- Higher-risk roles in manufacturing, construction, or hazardous-substance work need periodic OSH retesting. National rules typically cap the interval at 2 years for the riskiest positions.
Three audit findings inspectors hit most
- "Everyone took the same test." One 80-person presentation in a meeting room is not proof of competence when there is no knowledge check with a pass mark.
- "The director delegated it." Under NIS2 this argument fails. The inspector looks for evidence that the board itself completed training.
- "We did it last year." Without a record showing the date, content version, and signature, training is invisible to the audit.
Worked example: a 50-person marketing agency
The agency processes client personal data and runs online campaigns. It falls under the NIS2 "important entities" scope.
- All 50 employees are assigned a 25-minute module "GDPR + cyber hygiene". It is split into five 5-minute units. The pass mark is 80 % on the final quiz.
- The five board members receive a separate 40-minute module "NIS2 management duties" with a signed acknowledgement.
- Three finance staff with payroll data access get an extra GDPR module on special-category data and a 15-minute knowledge check.
- The DPO triggers re-assignment every February. The system automatically flags expired completions as "due".
HR effort: 2 days for the first rollout, 2 hours per annual refresh cycle. The inspector sees a register with names, dates, and quiz scores.
Worked example: a 200-person manufacturer
The manufacturer has shop-floor workers, maintenance staff, and an office. Three laws braid together, one per segment.
- 140 production workers take the OSH periodic test every 2 years. The module has 20 minutes of theory and a practical part graded live by a supervisor.
- All 200 employees take an annual GDPR refresher (15 minutes) and NIS2 basic hygiene (10 minutes).
- 15 team leads take the NIS2 management module (45 minutes) and sign an acknowledgement of liability.
- 5 staff with access to industrial control systems complete a specific OT-attack module (30 minutes, every 12 months).
HR result: one LMS view shows who still owes which module. The labour inspector, supervisory authority, or national CSIRT gets the export in one click.
How records survive an audit
Inspectors do not check impressions. They check traceability. Three records must exist for every training event:
- Who — name, role, date of assignment.
- What — content version, length, quiz score against pass mark.
- When — completion date and next renewal date.
A paper sign-in sheet is still allowed but unmanageable at 200 employees. A digital system with a timestamp and an immutable record is the working standard.
What an LMS does that a spreadsheet cannot
- Auto-renewal. A module that expires in 24 months is flagged 30 days before.
- Distinguishes submitted from passed. Clicking "complete" is not the same as 80 % on the quiz.
- Versions content. When a law changes a deadline, you see who learned the old version and who learned the new one.
- Separates role from assignment. A board member does not get the operational quiz, and a line worker does not get the management module.
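The register logic described in the two sections above, as an added Python example that is not code from the page or from the Mentor product: a module catalogue, role-based assignment, pass mark versus mere submission, renewal flagging 30 days before expiry, and content versions. Module names, versions, roles and the 28-day clamp are assumptions; the intervals follow the page's worked examples.

```python
from dataclasses import dataclass
from datetime import date, timedelta
# Constructed catalogue (assumption): renewal interval, pass mark and content version per module.
# Intervals follow the page's worked examples: OSH retest every 24 months, GDPR/NIS2 refreshers every 12.
MODULES = {
    "gdpr_basics":     {"months": 12, "pass_mark": 80, "version": "2026.1"},
    "nis2_hygiene":    {"months": 12, "pass_mark": 80, "version": "2026.1"},
    "nis2_management": {"months": 12, "pass_mark": 80, "version": "2026.1"},
    "osh_periodic":    {"months": 24, "pass_mark": 80, "version": "2025.2"},
}
# Role decides assignment: only the board gets the management module, only shop-floor gets the OSH retest.
ROLE_MODULES = {
    "office":     ["gdpr_basics", "nis2_hygiene"],
    "board":      ["gdpr_basics", "nis2_hygiene", "nis2_management"],
    "shop_floor": ["gdpr_basics", "nis2_hygiene", "osh_periodic"],
}
WARN_DAYS = 30  # flag a completion this many days before it expires

@dataclass
class Completion:
    module: str
    completed_on: date
    score: int    # quiz score in percent; a submitted quiz is not a passed one
    version: str  # content version the person actually learned

@dataclass
class Person:
    name: str
    role: str
    completions: list

def add_months(d: date, months: int) -> date:
    y, m = divmod(d.month - 1 + months, 12)
    return date(d.year + y, m + 1, min(d.day, 28))  # clamp the day so February never overflows

def module_status(person: Person, module: str, today: date) -> str:
    """missing | failed | expired | due_soon | current, plus '+old_version' if the content has since changed."""
    spec = MODULES[module]
    attempts = [c for c in person.completions if c.module == module]
    passed = [c for c in attempts if c.score >= spec["pass_mark"]]
    if not passed:
        return "failed" if attempts else "missing"
    latest = max(passed, key=lambda c: c.completed_on)
    expires = add_months(latest.completed_on, spec["months"])
    status = ("expired" if today >= expires
              else "due_soon" if today >= expires - timedelta(days=WARN_DAYS) else "current")
    return status + ("+old_version" if latest.version != spec["version"] else "")

def register(people: list, today: date) -> dict:
    """The audit export: every module each person's role requires, with its current status."""
    return {p.name: {m: module_status(p, m, today) for m in ROLE_MODULES[p.role]} for p in people}
```

Feed it the completions exported from whatever system holds them and the result is the "who still owes which module" view the page describes, with a failed quiz and an unrefreshed content version visible as separate findings.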
How this is paid for
Two cost blocks HR estimates before picking a tool:
- Content production. Three modules (GDPR, NIS2, OSH) in the local language, tailored to the company. Typically 3 to 6 person-days for a defensible first version.
- Recordkeeping. A spreadsheet is free until the first audit. An LMS with e-signatures and timestamps pays off once headcount passes 50 or the inspector first asks for an export.
Do not forget employee time. A 25-minute module across 200 people is 83 hours of work. That belongs in the annual training budget, not as a "free" click.
In short
- Three parallel tracks in 2026: GDPR (data protection basics), OSH (periodic safety retest, max every 2 years for higher risk), NIS2 (management plus cyber hygiene).
- The first NIS2 audit deadline for in-scope entities is 30 June 2026.
- Management bodies must train themselves — NIS2 Article 20 does not allow delegation.
- Without a record showing date, content version, and pass mark, training is invisible to the audit.
Compliance in 2026 is not one module. It is a portfolio of three tracks with different deadlines. An LMS like Mentor keeps them in one register, flags expired completions automatically, and separates management modules from operational ones. Traceability and data-processing details live on the security page.
