NIS2 and Varhugi
Documented staff security training is one of the core duties under NIS2. This page explains who's covered, what the directive requires for training, and how Varhugi delivers it in your first week.
This page is general guidance, not legal advice. The text is pending final review before launch.
What NIS2 is
NIS2 (EU Directive 2022/2555) is the EU's network and information security law, replacing the original NIS Directive from 2016. It falls under the EEA Agreement and is implemented in Iceland through the Act on the Security of Network and Information Systems. The goal is a common baseline of cybersecurity across member states.
Who's covered
The directive applies to medium and large entities (typically over 50 staff or €10M turnover) operating in the following sectors:
Essential services
Energy (electricity, gas, district heating), transport, banking and financial services, healthcare, drinking water and wastewater, digital infrastructure, public administration, and space.
Important services
Postal and courier services, waste management, manufacture and distribution of chemicals, food production, manufacturing of certain devices, digital providers (cloud, search, social media), and research.
Smaller organisations outside these sectors are usually exempt, but in practice end up on the hook indirectly when their NIS2-covered customers demand documented training of their suppliers.
What NIS2 says about staff training
Article 21 of NIS2 mandates "systematic risk-management measures" in cybersecurity. Among the explicit items are "basic cyber hygiene practices and cybersecurity training of staff".
In practice that means:
- Regular (not one-off) cybersecurity training for staff.
- A documented record of who trained on what, and when.
- Evidence that auditors and regulators can verify.
- Specific accountability for leadership: they can be personally liable for compliance with the duty.
How Varhugi covers the training requirement
Monthly modules
Five-minute modules in Icelandic, automatically rolled out to staff. No implementation. No LMS cost.
A documented certificate per employee
Every completion produces a verifiable certificate that auditors and customers can check on a public page (varhugi.is/verify), without us being in the loop.
An audit-ready PDF report in one click
A monthly PDF that summarises the training status of all staff in the period. Ready to hand to your auditor or regulator.
Automated reminders
You don't have to chase anyone. Reminders go out before the due date, after the due date, and once training on a topic is over 12 months old.
The audit flow
1. You open the dashboard and click "Download audit report".
2. You get a PDF: staff list, completed modules, dates, scores, and a summary of the overall status.
3. The auditor receives the file. Every certificate referenced is independently verifiable at varhugi.is/verify/{code}; no further data exchange is needed.
Get started in a week
Want a walk-through, a demo, or a tailored conversation for your team? Drop us a line and we'll be in touch within one business day.
