Cybersecurity Awareness: Why Technology Alone Isn’t Enough
Eighty-four percent of German companies that experienced a cyberattack in 2025 reported phishing as the attack vector. At the same time, only 24 percent of all companies train their entire workforce. The rest are cutting corners precisely where attackers wield their most potent tools. As of December 6, 2025, this is no longer merely negligent; it is illegal: the NIS2 Implementation Act makes awareness training mandatory for roughly 30,000 companies in Germany. Failure to comply carries the risk of fines up to €10 million.
What Is the NIS2 Awareness Training Requirement?
The NIS2 awareness training requirement is a concrete priority for companies in 2026 because it directly shapes cyber resilience, security operations and regulatory duties. This article uses synaforce as an example to show which requirements, figures and operational steps matter in practice.
The Most Important Points in Brief
- 84 percent of German companies that were targeted report phishing as the attack vector (TÜV Cybersecurity Study 2025, 506 companies).
- Only 24 percent of companies train all employees, while 20 percent do not provide any training at all (BSI Annual Report 2025).
- The NIS2 Implementation Act has been in force since December 6, 2025: Section 30 of the BSIG mandates training, and Section 38 of the BSIG holds company management personally liable.
- One year of targeted phishing training reduces the click rate from 33.1 to 4.1 percent, a reduction of 86 percent (KnowBe4, 14.5 million users).
- AI-powered phishing emails achieve a click rate of 54 percent, and deepfake vishing increased by over 1,600 percent in Q1 2025.
- The average cost of a phishing attack in Germany is 4.15 million euros (IBM Cost of a Data Breach 2025).
The Gap Between Technology and Human Behavior
The firewall is configured, MFA is enabled, and endpoint protection is deployed. And yet, an employee clicks a link in a deceptively authentic Microsoft 365 email and enters their credentials. Germany’s BSI Situation Report 2025 documents 950 reported ransomware attacks during the reporting period, with 80 percent targeting small and medium-sized enterprises. On average, 119 new vulnerabilities are discovered each day, an increase of 24 percent compared to the previous year.
However, these statistics tell only part of the story. The Verizon Data Breach Investigations Report 2025 reveals that 60 percent of all confirmed security breaches worldwide involve human error as a contributing factor. Not an exploit or a zero-day vulnerability, but rather a person clicking a link, sharing access credentials, or sending sensitive data to the wrong recipient.
The issue isn’t that companies lack technology; it’s that even the best technology fails when people don’t think critically about security first. This very gap highlights the problem: according to the BSI (Federal Office for Information Security), 79 percent of companies provide IT security training to their employees. On paper, this sounds promising. Yet only 24 percent train every single employee, while 55 percent focus solely on specific roles. Moreover, one in five companies offers no training at all.
NIS2 Makes Awareness a Mandatory Requirement
Since December 6, 2025, the NIS2 Implementation Act has been in force in Germany. It affects approximately 30,000 companies with 50 or more employees or an annual turnover of at least 10 million euros across 18 sectors. The registration obligation with the BSI has been effective since January 6, 2026.
Two paragraphs are crucial for the topic of awareness. Section 30(2) of the BSIG obligates affected companies to provide cybersecurity training and awareness programs as part of their mandatory risk management measures. Section 38(3) of the BSIG goes a step further: senior management must regularly attend such training sessions themselves and demonstrate sufficient knowledge of risk assessment. In September 2025, the BSI published guidance on NIS2 executive-level training, outlining specific content requirements.
The fines are substantial. For essential entities: up to 10 million euros or 2 percent of worldwide annual revenue, whichever amount is higher. For important entities: up to 7 million euros or 1.4 percent. There is no transition period; these measures have been directly applicable since the law came into effect.
Nevertheless, according to the TÜV Cybersecurity Study 2025, only 50 percent of affected companies are aware of the NIS2 Directive. Half of them do not even realize they are subject to it.
AI Is Changing the Attack Surface
The classic phishing email, riddled with spelling errors and sent from a dubious address, is a thing of the past. KnowBe4 has observed that 82.6 percent of all phishing emails now incorporate AI elements: grammatically flawless text, personalized greetings, and contextually relevant content. AI-generated phishing emails achieve a click-through rate of 54 percent, roughly 4.5 times higher than traditional phishing attempts.
Even more concerning is the trend in deepfake vishing. Deepfake-based voice cloning attacks surged by over 1,600 percent in the first quarter of 2025 compared with the previous quarter. The most notorious case involved a finance employee at the British engineering firm Arup, who transferred US$25 million after participating in a fake video conference featuring AI-generated deepfake avatars of the CFO and senior executives. A TÜV study confirms that 51 percent of IT security experts in Germany are already witnessing AI-assisted cyberattacks. Among large enterprises, this figure rises to 81 percent.
At the same time, only 10 percent of German companies are leveraging AI for their own cybersecurity defenses. Attackers are adopting AI technologies far more rapidly than defenders, which is widening the awareness gap: employees trained to spot spelling mistakes and suspicious sender addresses are essentially powerless against AI-generated threats.
“Ninety-one percent of companies rate their cybersecurity as good or very good. Yet, one in seven companies was successfully attacked last year. This perception gap represents one of the greatest risks.”
TÜV Cybersecurity Study 2025 (506 companies, Ipsos survey)
What Works: From Mandatory Training to Behavioral Change
The typical security training: a 45-minute online session in January, a mandatory check-off, then forgotten until the next January. The click-through rate on phishing emails dips briefly before returning to its original level within three months. One-time training sessions do not change behavior. Behavioral change requires repetition, relevance, and feedback.
The KnowBe4 Phishing Industry Benchmarking Report 2025 provides the largest dataset to date on this topic: 14.5 million users across 62,400 organizations, totaling 67.7 million simulated phishing tests. The results are clear. Before training, the average phishing click-through rate stands at 33.1 percent, meaning one in three employees clicks on a malicious link. After 90 days of continuous training, the rate drops by more than 40 percent. By twelve months, it falls to 4.1 percent, a reduction of 86 percent.
What these programs have in common: They utilize phishing simulations (monthly, with progressively increasing difficulty), micro-learning modules (3 to 5 minutes, delivered weekly or following specific events), gamification features (department leaderboards, badges, team challenges), and a simple “report” button directly integrated into Outlook or Gmail. The goal is not mere compliance with training requirements, but rather the cultivation of a security culture where employees report suspicious emails before clicking on them.
The key metric is not the click-through rate, but the reporting rate: How many employees actively report suspicious emails? Organizations with mature programs achieve reporting rates exceeding 70 percent. This means that seven out of ten employees recognize a phishing attempt and report it before any damage occurs.
Cyber Insurance: Awareness as a Contractual Condition
Anyone looking to take out or renew cyber insurance today will find that awareness training is no longer a nice-to-have; it has become an underwriting criterion. Allianz explicitly lists awareness training among its twelve core criteria for policyholders. AXA offers a six-month free awareness portal with its cyber insurance policy. The GDV Cyber Risk Questionnaire includes specific questions about training measures.
Without proof of such training, companies risk higher premiums or exclusions from coverage in the event of phishing-related damages. In a time when the average cost of a phishing attack in Germany stands at €4.15 million, this is a risk no CFO should take.
The ROI of an Awareness Program
The math is straightforward. For a mid-sized company with 200 employees, an awareness program costs between €10,000 and €20,000 per year. KnowBe4 starts at $18 per user per year, while Proofpoint begins at $25 per user per year. In addition, there’s an internal workload of 2 to 4 hours per month for administration.
On the other hand, the average cost of a single phishing incident is €4.15 million. Reducing the click rate from 33% to 4% decreases the risk of a successful phishing attack by 86%. Even with a conservative risk assessment: if the program prevents just one successful attack over ten years, it will have paid for itself a hundredfold.
Conclusion: Educate or Face Liability
The equation has shifted. Before NIS2, awareness training was a voluntary measure that some companies took seriously while most treated it as a mere formality. Since December 2025, however, it is now mandated by law. Company executives face personal liability if they fail to comply. Cyber insurers also require it as a condition of coverage. Meanwhile, attackers are raising the stakes with AI-powered phishing campaigns and deepfake vishing techniques.
The good news is that it works. An 86 percent reduction in click rates after twelve months is not just marketing hype; it is based on data collected from 14.5 million users. The tools have matured, the costs are manageable, and the return on investment is clear. What many organizations still lack is simply the decision to get started.
Frequently Asked Questions
Does NIS2 explicitly require awareness training?
Yes. Section 30, Paragraph 2 of the BSIG obligates affected companies to conduct cybersecurity and awareness training. Section 38, Paragraph 3 of the BSIG goes further: The company’s management must participate in such training regularly. Approximately 30,000 companies in Germany with at least 50 employees or an annual turnover of 10 million euros are impacted.
How often should phishing simulations be conducted?
Monthly is ideal. More frequent sessions can lead to fatigue, while less frequent ones may diminish the training effect. The difficulty level should increase progressively and cover various attack types: CEO fraud, Microsoft login attempts, package delivery notifications, and HR-related messages. Immediately trigger micro-learning modules after any simulated clicks.
What does an awareness program cost?
KnowBe4: starting at $18 per user per year. Proofpoint Security Awareness: starting at $25 per user per year. For a company with 200 employees, this amounts to $3,600 to $5,000 annually. Additional internal effort is required, roughly 2 to 4 hours per month, for administration and analysis.
Should employees who click on phishing emails be punished?
No. Punishment discourages employees from reporting incidents. Instead, provide immediate learning modules after a click, frame the situation positively, and focus on improvement. The goal is to foster a culture of reporting rather than fear. Companies that emphasize learning achieve reporting rates exceeding 70 percent.
Do cyber insurance providers require awareness training?
It is not a legal requirement, but it has become a standard underwriting criterion. Allianz lists awareness training among its 12 core criteria. The GDV Cyber Risk Questionnaire includes specific questions on this topic. Without proof of compliance, higher premiums or exclusions for phishing-related damages may result.
How can one protect against AI-powered phishing attacks?
Traditional indicators like spelling errors no longer work effectively. Focus training on recognizing behavioral anomalies: unexpected urgency, unusual senders, or deviations from normal business processes. Complement this with technical measures: DMARC/DKIM for email authentication, AI-based email filters, and two-factor verification processes for financial transactions.