NIS2 Directive: Human Risk Management Becomes Compliance Obligation

The bottom line: NIS2 requires eleven critical sectors to establish and demonstrate human risk management as a mandatory cybersecurity measure.

The NIS2 Directive makes human risk management a binding requirement for eleven critical sectors. Organizations in these areas must implement measures to minimize employee-related cybersecurity risks.

The European Union is establishing an expanded compliance framework with the NIS2 Directive (Network and Information Security Directive 2), which anchors human risk management as a mandatory task. Eleven critical sectors are affected, including energy, transport, banking, insurance, healthcare, water and wastewater services, digital infrastructure, public administration, and postal and courier services.

Human risk management addresses security-critical behavioral patterns and employee misjudgments that together constitute a significant attack surface. Phishing, social engineering, and carelessness in handling sensitive data are among the most common entry points for security breaches. The NIS2 requirement thus compels organizations to invest systematically in training, awareness-raising, and security culture.

For compliance officers in the affected sectors, this results in increased documentation and evidence requirements. They must be able to demonstrate that their organization maintains adequate human risk management — for example, through regular training, awareness programs, incident response training, and continuous security culture development.
Source: news.google.com · Published June 20, 2026
Lumi AI News — AI-assisted curation in accordance with Article 50 EU AI Act. Paraphrase and classification via Lumi News Pipeline v1.7.1.