In a nutshell: From July 2025, companies must train all employees in cybersecurity and AI governance under NIS2 and the EU AI Act, with documented programs and penalty risks for non-compliance.
Corporate compliance is tightening from July 2025 through two regulatory frameworks: the NIS2 Directive and the EU AI Act require organisations to train all employees in cybersecurity and AI governance.
The NIS2 Directive (Network and Information Security Directive 2), whose requirements apply from July 2024 to operators of critical infrastructure and providers of essential digital services, imposes comprehensive training obligations. All employees, not just IT personnel, must receive regular instruction in cybersecurity measures. This instruction includes phishing detection, secure password practices, and incident response procedures.
The EU AI Act reinforces these requirements by adding an AI dimension. Companies that deploy or develop AI systems must also train their employees on risks and responsible use of AI technologies. This particularly affects roles that train, deploy, or monitor AI models.
For compliance functions and data protection officers, this represents a significant expansion of existing training programmes. It is no longer sufficient to communicate ad-hoc security measures — organisations must establish structured, documented training programmes and demonstrate their implementation. Violations can result in substantial fines.
In practical terms, this means developing and implementing an integrated training framework that covers both classical cybersecurity topics and AI-related governance. Particular attention should be paid to risk groups such as executives responsible for data protection and security, as well as employees in technology-critical roles.
Source: news.google.com · Published 4 July 2026
Lumi AI News — AI-assisted curation in accordance with Article 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.3.