Mandatory Training · §38 BSIG · BSI Guidance · AWARE7 + isits AG

NIS-2 Training for Management

Your legally required training under §38 BSIG - compact in 4 hours. Based on the official BSI guidance document. No technical prior knowledge required.

  • 4 hours
  • Online or in-house
  • Certificate under §38 BSIG

Next date: 10 June 2026 · Seats available

Why this NIS-2 training is mandatory

The NIS-2 implementing legislation (BSIG) obliges the management of important and particularly important entities not only to implement and monitor risk management measures (§38 Para. 1), but also to regularly attend training (§38 Para. 3 BSIG). The training obligation is not optional - it is a statutory requirement.

§38 Para. 3 BSIG defines three specific competence areas that a management training must cover:

  1. Risk Recognition - recognising and assessing cybersecurity risks at a strategic, not technical, level
  2. Risk Management - knowledge of technical and organisational risk management practices and the 10 minimum measures under §30 BSIG
  3. Impact Assessment - assessing the impact of risks and measures on the services provided by the entity

Technical specialist knowledge is not required - but the ability to make well-founded strategic decisions on cyber and information security is. In its guidance document of 30 September 2025, the BSI recommends that training address all three areas; a focus on risk management measures alone would not be assessed as sufficient.

Personal Liability of Management

§38 Para. 1 BSIG obliges management to implement and monitor risk management measures under §30. §38 Para. 2 governs liability: management is personally liable for culpably caused damage under the rules of corporate law applicable to the legal form. During supervisory measures by the BSI under §§61, 62 BSIG, compliance with the training obligation is also checked. Fines: up to EUR 10 million or 2% of global annual turnover.

Practice not theory - your instructors are penetration testers

This training is delivered by AWARE7 GmbH - a specialised German cybersecurity consulting firm - in cooperation with isits AG (International School of IT Security), a training partner with over 20 years of experience.

What this means for you: your instructors are not pure jurists or theorists. They conduct penetration tests, ISMS audits and incident response engagements in practice. The examples and scenarios in the training come from real projects - anonymised but real.

Your benefits

  • Fulfil training obligation under §38 Para. 3 BSIG - with documentation per §61/§62 BSIG
  • All three BSI competence areas - risk recognition, risk management and impact assessment
  • 10 measures under §30 Para. 2 BSIG - with BSI guidance questions for self-assessment
  • Minimise liability risks - reliable documentation vis-a-vis supervisory authorities (§§61, 62 BSIG)
  • No examination - neither the law nor the BSI requires a test of participants
  • Practical perspective - instructors with experience from real penetration tests and ISMS audits
  • BSI mandatory content fully covered - plus supplementary optional content with scenarios and case studies

10 Risk Management Measures under §30 Para. 2 BSIG

The BSI guidance document sets out guidance questions for each of the ten statutory minimum measures; management should be able to answer them. Our training covers all ten measures at management level:

  1. Risk Analysis - concepts for risk analysis and security for information systems
  2. Incident Response - handling security incidents
  3. Business Continuity - backup, recovery, crisis management
  4. Supply Chain Security - security in the supply chain and with service providers
  5. Secure IT Procurement - security measures in acquisition, development and maintenance
  6. Effectiveness Evaluation - evaluating the effectiveness of risk management measures
  7. Cyber Hygiene & Training - basic procedures and training for employees
  8. Cryptography - use of cryptography and encryption
  9. Personnel Security - personnel security, access control and asset management
  10. MFA & Secure Communication - multi-factor authentication and secured emergency communication

In cooperation with isits AG

The isits AG - International School of IT Security is an established cybersecurity training centre with over 20 years of experience, headquartered in Bochum. The cooperation combines the practical expertise of AWARE7 with the proven training infrastructure and certification competence of isits AG.

Training Agenda

Legal Framework & NIS-2 Directive

~60 minutes

  • Overview of objectives, scope and applicability of the NIS-2 Directive
  • National implementation: NIS2UmsuCG and amended BSIG
  • Implementation, monitoring and training obligations of management (§38 Para. 1-3 BSIG)
  • Personal liability under corporate law rules (§38 Para. 2 BSIG)
  • Reporting, notification and registration obligations including three-stage reporting regime
  • Documentation obligation and evidence management (§§61, 62 BSIG)

Risk Management & Standards

~90 minutes

  • Risk analysis: identification, assessment and monitoring of cybersecurity risks
  • 10 minimum measures under §30 Para. 2 BSIG - significance and implications at management level
  • Risk treatment strategies: avoidance, reduction, transfer, acceptance
  • Incident response, business continuity and supply chain security
  • Overview of standards and best practices (ISO 27001, BSI IT-Grundschutz, NIST CSF)
  • Sector- and entity-specific requirements and threat scenarios

Practice & Self-Assessment

~90 minutes

  • BSI guidance questions: 10 structured questions on the risk management measures
  • Scenarios, exercises and case studies from real threat situations
  • Assessment of the impact of risks and measures on services provided
  • Summary, recommendations for action and next steps
  • Issuing of training documentation per §38 Para. 3 in conjunction with §§61, 62 BSIG

Who Must Attend

Under NIS-2 implementing legislation, "management" means any natural person authorised to manage affairs and represent an important or particularly important entity. This includes:

  • CEOs, Managing Directors, Board Members - legally required under §38 Para. 3 BSIG
  • C-Level executives - COO, CFO, CTO and other senior leadership members
  • Persons in quasi-equivalent positions - those supporting or representing management
  • Compliance and risk management officers - advising management on NIS-2 matters

No technical prior knowledge required. Management does not need to be as technically proficient as IT staff - but must be able to meaningfully assess cybersecurity risks and take appropriate action.

Training Documentation

After completing the training you receive meaningful documentation containing as a minimum, per BSI guidance:

  • Participant information (name, function)
  • Duration of the training
  • Content covered, mapped to §38 Para. 3 BSIG and the official BSI guidance document
  • Training provider: AWARE7 GmbH in cooperation with isits AG

This documentation must be retained internally per §61 Para. 1 in conjunction with §62 BSIG and presented on request to competent authorities. During BSI supervisory measures, compliance with the training obligation will be checked.

Important: an examination of participants to prove "sufficient knowledge and skills" is required neither by law nor by the BSI.

Upcoming Dates

  • 10 Jun 2026, 09:00-13:00 · Online · Available
  • 16 Sep 2026, 09:00-13:00 · Online · Available
  • 25 Nov 2026, 09:00-13:00 · Online · Available

Frequently Asked Questions

Who is required to attend?

Under §38 Para. 3 BSIG (German IT Security Act implementing NIS-2), all members of senior management are required to regularly attend training. "Management" means any natural person who is authorised by law, articles of association or partnership agreement to manage the affairs of and represent an important or particularly important entity. The BSI recommends extending the training obligation to persons in quasi-equivalent positions.

Which organisations does NIS-2 affect?

NIS-2 affects organisations with at least 50 employees or EUR 10 million in annual turnover that operate in one of 18 defined sectors - including energy, transport, healthcare, digital infrastructure, manufacturing, food and many more. In Germany, approximately 29,500 organisations are newly affected. If in doubt, we recommend an individual impact assessment.

How often must the training be repeated?

The law requires "regular" participation. According to the legislative explanatory notes, training offered at least every three years qualifies as regular. However, the BSI emphasises that the interval must be risk-appropriate. Regardless of the three-year cycle, re-training should occur when there is a change in management composition, significant changes to business processes, changes in risk exposure, or material changes to risk management measures.

Does general security awareness training satisfy the obligation?

No. The training obligation under §38 Para. 3 BSIG is separate from the employee training obligation under §30 Para. 2 No. 7 BSIG. The law requires management to acquire sufficient knowledge and skills in three areas: (1) recognition and assessment of risks, (2) risk management practices, (3) assessment of the impact of risks and measures on the services provided. General awareness training does not cover this.

Is technical prior knowledge required?

No. The training is deliberately non-technical. It is aimed at decision-makers and conveys strategic competence: recognising risks, evaluating measures, making informed decisions. Technical specialist knowledge is not required.

What does the training cost?

The training costs EUR 699 net (EUR 831.81 incl. VAT) per participant. For in-house training we prepare an individual quote. Group rates are available for company bookings of 3 or more people.

Do I receive documentation or a certificate?

Yes. You receive meaningful documentation containing information about the training participant, duration and content covered. This documentation must be retained internally pursuant to §61 Para. 1 in conjunction with §62 BSIG and presented on request to the competent authorities or "independent bodies". Important: an examination of participants to prove "sufficient knowledge and skills" is required neither by law nor by the BSI.

What liability does management face?

§38 Para. 1 BSIG obliges management to implement and monitor risk management measures. §38 Para. 2 governs personal liability: management is personally liable for culpably caused damage under the rules of corporate law applicable to the legal form. Fines can reach up to EUR 10 million or 2% of global annual turnover. During supervisory measures by the BSI under §§61 and 62 BSIG, compliance with the training obligation is checked.

How is the training delivered?

The training takes place as a live online seminar on a GDPR-compliant platform. You only need a current browser and a stable internet connection. Interaction with instructors takes place in real time via video, audio and chat. Alternatively, we offer the training as an in-house format.

Who delivers the training?

Our instructors are practising penetration testers and ISMS consultants at AWARE7 - not pure jurists or theorists. They bring practical experience from real security audits, penetration tests and incident response engagements. In cooperation with isits AG (a cybersecurity training partner with over 20 years of experience), we offer training that connects regulatory requirements with real threat situations.

Fulfil your NIS-2 management training obligation.

4 hours. EUR 699 net. BSI-compliant documentation. No examination required. Delivered by active penetration testers.

Free · 30 minutes · No obligation