NIS 2 Directive Trained Professional (NIS2DTP) program


Overview

The NIS 2 Directive gives the opportunity to risk and compliance managers to implement new and more stringent cybersecurity rules, and to dramatically improve risk prevention, detection, response, incident handling, business continuity, supply chain security, vulnerability handling and disclosures.

According to Article 20 (Governance), the management bodies of essential and important entities must approve the cybersecurity risk-management measures taken by those entities, oversee its implementation, and can be held liable for infringements.

According to Article 20, Member States shall ensure that the members of the management bodies of essential and important entities are required to follow training, and shall encourage essential and important entities to offer similar training to their employees on a regular basis, in order that they gain sufficient knowledge and skills to enable them to identify risks and assess cybersecurity risk-management practices and their impact on the services provided by the entity.

According to Article 21 (Cybersecurity risk-management measures), essential and important entities must take appropriate and proportionate technical, operational and organisational measures to manage the risks posed to the security of network and information systems which those entities use for their operations or for the provision of their services, and to prevent or minimise the impact of incidents on recipients of their services and on other services.

Taking into account the "state-of-the-art" and, where applicable, relevant European and international standards, as well as the cost of implementation, the measures referred shall ensure a level of security of network and information systems appropriate to the risks posed. When assessing the proportionality of those measures, due account shall be taken of the degree of the entity’s exposure to risks, the entity’s size and the likelihood of occurrence of incidents and their severity, including their societal and economic impact.

The measures shall be based on an "all-hazards approach" that aims to protect network and information systems and the physical environment of those systems from incidents, and shall include "at least" the following:

(a) policies on risk analysis and information system security;

(b) incident handling;

(c) business continuity, such as backup management and disaster recovery, and crisis management;

(d) supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers;

(e) security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure;

(f) policies and procedures to assess the effectiveness of cybersecurity risk-management measures;

(g) basic cyber hygiene practices and cybersecurity training;

(h) policies and procedures regarding the use of cryptography and, where appropriate, encryption;

(i) human resources security, access control policies and asset management;

(j) the use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications and secured emergency communication systems within the entity, where appropriate.


Objectives

The program has been designed to provide with the skills needed to understand and support compliance with the NIS 2 Directive.

It also provides with the skills needed to pass the NIS 2 Directive Trained Professional (NIS2DTP) exam, and to receive the Certificate of Completion, that provides independent evidence to firms and organizations that you have a quantifiable understanding of the subject matter.


Target Audience

The program is beneficial to risk and compliance managers and professionals, auditors, consultants, suppliers and service providers that:

- work for EU companies and organizations that have to comply with the NIS 2 Directive,

- work for non-EU companies and organizations that have operations in EU Member States or provide services to EU citizens, and have to comply with the NIS 2 Directive.

The Directive applies to "essential" and "important" public and private entities, as described below.


Who must comply with the NIS 2 directive?

According to Article 2 (Scope) of the NIS 2 Directive, NIS 2 applies to:

1: Public or private entities of a type referred to in Annex I or II (follows) which qualify as medium-sized enterprises, or exceed the ceilings for medium-sized enterprises, and which provide their services or carry out their activities within the European Union.

A microenterprise is defined as an enterprise which employs fewer than 10 persons and whose annual turnover and/or annual balance sheet total does not exceed EUR 2 million. NIS 2 does not apply there.

A small enterprise is defined as an enterprise which employs fewer than 50 persons and whose annual turnover and/or annual balance sheet total does not exceed EUR 10 million. NIS 2 does not apply there too.

A medium-sized enterprise is defined as an enterprise which employ between 50 and 250 persons and which have an annual turnover between EUR 10 million and EUR 50 million, and/or an annual balance sheet total not exceeding EUR 43 million. NIS 2 applies there.


In ANNEX I we have:

1. Energy.

a. Electricity.
— Electricity undertakings.
— Distribution system operators.
— Transmission system operators.
— Producers.
— Nominated electricity market operators.
— Market participants.

b. District heating and cooling.
— Operators of district heating or district cooling.

c. Oil.
— Operators of oil transmission pipelines.
— Operators of oil production, refining and treatment facilities, storage and transmission.
— Central stockholding entities.

d. Gas.
— Supply undertakings.
— Distribution system operators.
— Transmission system operators.
— Storage system operators.
— LNG system operators.
— Natural gas undertakings.
— Operators of natural gas refining and treatment facilities.

e. Hydrogen.
— Operators of hydrogen production, storage and transmission.


2. Transport.

a. Air.
— Air carriers used for commercial purposes.
— Airport managing bodies, airports, including the core airports and entities operating ancillary installations contained within airports.
— Traffic management control operators providing air traffic control (ATC) services.

b. Rail.
— Infrastructure managers.
— Railway undertakings, including operators of service facilities.

c. Water.
— Inland, sea and coastal passenger and freight water transport companies.
— Managing bodies of ports, including their port facilities, and entities operating works and equipment contained within ports.
— Operators of vessel traffic services (VTS).

d. Road.
— Road authorities responsible for traffic management control, excluding public entities for which traffic management or the operation of intelligent transport systems is a non-essential part of their general activity.
— Operators of Intelligent Transport Systems.


3. Banking.
— Credit institutions.


4. Financial market infrastructures.
— Operators of trading venues.
— Central counterparties (CCPs).


5. Health.
— Healthcare providers.
— EU reference laboratories.
— Entities carrying out research and development activities of medicinal products.
— Entities manufacturing basic pharmaceutical products and pharmaceutical preparations.
— Entities manufacturing medical devices considered to be critical during a public health emergency (public health emergency critical devices list).


6. Drinking water.
— Suppliers and distributors of water intended for human consumption, excluding distributors for which distribution of water for human consumption is a non-essential part of their general activity of distributing other commodities and goods.


7. Waste water.
— Undertakings collecting, disposing of or treating urban waste water, domestic waste water or industrial waste water, excluding undertakings for which collecting, disposing of or treating urban waste water, domestic waste water or industrial waste water is a non-essential part of their general activity.


8. Digital infrastructure.
— Internet Exchange Point providers.
— DNS service providers, excluding operators of root name servers.
— TLD name registries.
— Cloud computing service providers.
— Data centre service providers.
— Content delivery network providers.
— Trust service providers.
— Providers of public electronic communications networks.
— Providers of publicly available electronic communications services.


9. ICT service management (business-to-business).
— Managed service providers.
— Managed security service providers.


10. Public administration.
— Public administration entities of central governments as defined by a Member State in accordance with national law.
— Public administration entities at regional level as defined by a Member State in accordance with national law.


11. Space.
Operators of ground-based infrastructure, owned, managed and operated by Member States or by private parties, that support the provision of space-based services, excluding providers of public electronic communications networks.


ANNEX II


1. Postal and courier services.


2. Waste management.
— Undertakings carrying out waste management, excluding undertakings for whom waste management is not their principal economic activity.


3. Manufacture, production and distribution of chemicals.
— Undertakings carrying out the manufacture of substances and the distribution of substances or mixtures, and undertakings carrying out the production of articles.


4. Production, processing and distribution of food.
— Food businesses which are engaged in wholesale distribution and industrial production and processing.


5. Manufacturing.

(a) Manufacture of medical devices and in vitro diagnostic medical devices.
— Entities manufacturing medical devices, and entities manufacturing in vitro diagnostic medical devices.

(b) Manufacture of computer, electronic and optical products.

(c) Manufacture of electrical equipment.

(d) Manufacture of machinery and equipment.

(e) Manufacture of motor vehicles, trailers and semi-trailers.

(f) Manufacture of other transport equipment.


6. Digital providers.
— Providers of online marketplaces.
— Providers of online search engines.
— Providers of social networking services platforms.


7. Research.
— Research organisations.


Important note: This is an overview, not a detailed list of activities. Depending on their products or services, and where their products or services belong in NACE (the statistical classification of economic activities in the European Union), entities must carefully consider if they must comply with the NIS 2 Directive or not.

For example, in the scope of the NIS 2 Directive, we have the activity "manufacture of computer, electronic and optical products". What exactly does NIS 2 mean? According to NIS 2, these are "undertakings carrying out any of the economic activities referred to in section C division 26 of NACE Rev. 2":

We have to visit section C division 26 of NACE Rev. 2, and find:

26.1 Manufacture of electronic components and boards.
26.2 Manufacture of computers and peripheral equipment.
26.3 Manufacture of communication equipment.
26.4 Manufacture of consumer electronics.
26.5. Manufacture of instruments and appliances for measuring, testing and navigation; watches and clocks.
26.6. Manufacture of irradiation, electromedical and electrotherapeutic equipment.
26.7 Manufacture of optical instruments and photographic equipment.
26.8. Manufacture of magnetic and optical media.

Another example, in the category "banking" belong "Credit institutions as defined in Article 4, point (1), of Regulation (EU) No 575/2013". In Regulation (EU) No 575/2013, "credit institution" means an undertaking the business of which is to take deposits or other repayable funds from the public and to grant credits for its own account.


Non-EU entities must also comply with the NIS 2 directive.

In cases where a DNS service provider, TLD name registry, content delivery network provider, cloud computing service provider, data centre service provider and digital provider not established in the EU offers services within the EU, it should designate a representative.

In order to determine whether such an entity is offering services within the Union, it should be ascertained whether it is apparent that the entity is planning to offer services to persons in one or more Member States.

The mere accessibility in the Union of the entity’s or an intermediary's website or of an email address and of other contact details, or the use of a language generally used in the third country where the entity is established, is as such insufficient to ascertain such an intention.

However, factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the entity is planning to offer services within the Union.

The representative should act on behalf of the entity and it should be possible for competent authorities or the CSIRTs to contact the representative. The representative should be explicitly designated by a written mandate of the entity to act on the latter's behalf with regard to the latter's obligations under this Directive, including incident reporting.


Non-EU entities that offer services to EU citizens must also be aware of Article 24.

Article 24, Jurisdiction and territoriality.

1. DNS service providers, TLD name registries, cloud computing service providers, data centre service providers and content delivery network providers referred to in point 8 of Annex I, as well as digital providers referred to in point 6 of Annex II shall be deemed to be under the jurisdiction of the Member State in which they have their main establishment in the Union.

2. For the purposes of this Directive, entities referred to in paragraph 1 shall be deemed to have their main establishment in the Union in the Member State where the decisions related to the cybersecurity risk management measures are taken. If such decisions are not taken in any establishment in the Union, the main establishment shall be deemed to be in the Member State where the entities have the establishment with the highest number of employees in the Union.

3. If an entity referred to in paragraph 1 is not established in the Union, but offers services within the Union, it shall designate a representative in the Union. The representative shall be established in one of those Member States where the services are offered. Such entity shall be deemed to be under the jurisdiction of the Member State where the representative is established.

In the absence of a representative, any Member State in which the entity provides services may take legal actions against the entity for the infringement of this Directive.


Course Synopsis


Introduction.
- The NIS 2 Directive Trained Professional (NIS2DTP) exam.
- The certificate of completion.


Part 1

The European Union (EU). How does the legislative process work?
- Key institutions.
- The European Commission, the most important institution for risk and compliance professionals.
- How does the legislative process work?
- The European System of Financial Supervision (ESFS).
- Legal acts after the Treaty of Lisbon.
- Delegated acts, supplementing or amending certain non-essential elements of a basic act.
- Implementing acts.
- Regulatory technical standards (RTS), Implementing technical standards (ITS).
- The European Data Protection Supervisor and the European Data Protection Board.
- The Committee of European Auditing Oversight Bodies (CEAOB).
- The European External Action Service.
- The Common Foreign and Security Policy (CFSP).
- The Common Security and Defence Policy (CSDP).
- The European Network and Information Security Agency (ENISA).
- The European Multidisciplinary Platform Against Criminal Threats. (EMPACT).
- The European framework for Threat Intelligence-based Ethical Red Teaming (TIBER-EU).
- The Euro Cyber Resilience Board for pan-European Financial Infrastructures (ECRB).
- The Cyber Information and Intelligence Sharing Initiative (CIISI-EU).
- The High-Level Expert Group on Artificial Intelligence (AI HLEG).


Part 2

“An Open, Safe and Secure Cyberspace”, the EU's vision on how to prevent cyber disruptions and attacks, and respond to them.
- 1. Achieving cyber resilience.
- 2. Drastically reducing cybercrime.
- 3. Developing cyber defence policy and capabilities related to the Common Security and Defence Policy (CSDP).
- 4. Developing the industrial and technological resources for cyber-security.
- 5. Establishing an international cyberspace policy for the European Union and promote EU core values.


The NIS Directive (EU 2016/1148), the first piece of EU-wide cybersecurity legislation.
- 1. National capabilities.
- 2. Cross-border collaboration.
- 3. National supervision of critical sectors.
- The NIS Cooperation Group.
- The NIS Directive, important parts.
- Transposition of the NIS Directive.


Part 3

Introduction to the NIS 2 Directive.
- The “lex specialis derogat legi generali” (special law repeals general laws) doctrine, accepted by the EU and international law.
- NIS 2 as lex generalis, a general law.
- NIS 2 is a legal obligation only when there is no special law for a sector.
- NIS 2 and Regulation (EU) 2022/2554 (the Digital Operational Resilience Act - DORA).
- NIS 2 and Directive (EU) 2022/2557 (the Critical Entities Resilience Directive - CER).
- NIS 2 and Directive 95/46/EC (General Data Protection Regulation - GDPR).
- Before discussing Article 1 of the NIS 2 Directive.
- NACE Rev. 2.
- Annex I, Sectors of High Criticality.
- Annex II, Other Critical Sectors.


The Articles of the NIS 2 Directive

CHAPTER I, GENERAL PROVISIONS.
- Subject matter.
- Scope.
- Essential and important entities.
- Sector-specific Union legal acts.
- Minimum harmonisation.
- Definitions.


CHAPTER II, COORDINATED CYBERSECURITY FRAMEWORKS.
- National cybersecurity strategy.
- Competent authorities and single points of contact.
- National cyber crisis management frameworks.
- Computer security incident response teams (CSIRTs).
- Requirements, technical capabilities and tasks of CSIRTs.
- Coordinated vulnerability disclosure and a European vulnerability database.
- Cooperation at national level.


CHAPTER III, COOPERATION AT UNION AND INTERNATIONAL LEVEL.
- Cooperation Group.
- CSIRTs network.
- European cyber crisis liaison organisation network (EU-CyCLONe).
- International cooperation.
- Report on the state of cybersecurity in the Union.
- Peer reviews.


CHAPTER IV, CYBERSECURITY RISK-MANAGEMENT MEASURES AND REPORTING OBLIGATIONS.
- Governance.
- Cybersecurity risk-management measures.
- Union level coordinated security risk assessments of critical supply chains.
- Reporting obligations.
- Use of European cybersecurity certification schemes.
- Standardisation.


CHAPTER V, JURISDICTION AND REGISTRATION.
- Jurisdiction and territoriality.
- Registry of entities.
- Database of domain name registration data.


CHAPTER VI, INFORMATION SHARING.
- Cybersecurity information-sharing arrangements.
- Voluntary notification of relevant information.


CHAPTER VII, SUPERVISION AND ENFORCEMENT.
- General aspects concerning supervision and enforcement.
- Supervisory and enforcement measures in relation to essential entities.
- Supervisory and enforcement measures in relation to important entities.
- General conditions for imposing administrative fines on essential and important entities.
- Infringements entailing a personal data breach.
- Penalties.
- Mutual assistance.


CHAPTER VIII, DELEGATED AND IMPLEMENTING ACTS.
- Exercise of the delegation.
- Committee procedure.


CHAPTER IX, FINAL PROVISIONS.
- Review.
- Transposition.
- Amendments.
- Repeal.
- Entry into force.


The NIS 2 Directive for non-EU entities.
- Does NIS 2 apply to companies not established in the EU?
- Article 6 and Article 26 (Jurisdiction and territoriality).
- Preamble 116, Preamble 133.


Other EU Directives and Regulations.
- The European Cyber Resilience Act.
- The Digital Operational Resilience Act (DORA).
- The Critical Entities Resilience Directive (CER).
- The Digital Services Act (DSA).
- The Digital Markets Act (DMA).
- The European Health Data Space (EHDS).
- The European Chips Act.
- The European Data Act.
- The European Data Governance Act (DGA).
- The Artificial Intelligence Act.
- The European ePrivacy Regulation.


NIS 2, DORA, or both?
- The Commission's Guidelines about the relationship between the NIS 2 Directive and the Digital Operational Resilience Act (DORA), from 18 September 2023.

Closing remarks.


Become a NIS 2 Directive Trained Professional (NIS2DTP)

This is a Distance Learning with Certificate of Completion program, provided by Cyber Risk GmbH. The General Terms and Conditions for all legal transactions made through the Cyber Risk GmbH websites (hereinafter “GTC”) can be found at: https://www.cyber-risk-gmbh.com/Impressum.html

Each Distance Learning with Certificate of Completion program (hereinafter referred to as “distance learning program”) is provided at a fixed price, that includes VAT. There is no additional cost, now or in the future, for any reason.

We will send the distance learning program via email up to 24 hours after the payment (working days). Please remember to check the spam folder of your email client too, as emails with attachments are often landed in the spam folder.

You have the option to ask for a full refund up to 60 days after the payment. If you do not want one of our distance learning programs for any reason, all you must do is to send us an email, and we will refund the payment, no questions asked.

Your payment will be received by Cyber Risk GmbH (Dammstrasse 16, 8810 Horgen, Switzerland, Handelsregister des Kantons Zürich, Firmennummer: CHE-244.099.341). Cyber Risk GmbH will also send the certificates of completion to all persons that will pass the exam.

The all-inclusive cost is 297 USD (US Dollars). There is no additional cost, now or in the future, for this program.


First option: You can purchase the NIS 2 Directive Trained Professional (NIS2DTP) program with VISA, MASTERCARD, AMEX, Apple Pay, Google Pay etc.

Purchase the NIS2DTP program here (VISA, MASTERCARD, AMEX, Apple Pay, Google Pay etc.)





Second option: QR code payment.

i. Open the camera app or the QR app on your phone.

ii. Scan the QR code and possibly wait for a few seconds.

iii. Click on the link that appears, open your browser, and make the payment.



Third option: You can purchase the NIS 2 Directive Trained Professional (NIS2DTP) program with PayPal

When you click "PayPal" below, you will be redirected to the PayPal web site. If you prefer to pay with a card, you can click "Debit or Credit Card" that is also powered by PayPal.



What is included in the cost of the distance learning program:


A. The official presentations (901 slides).

The presentations are effective and appropriate to study online or offline. Busy professionals have full control over their own learning and are able to study at their own speed. They are able to move faster through areas of the course they feel comfortable with, but slower through those that they need a little more time on.


B. Up to 3 online exam attempts per year.

Candidates must pass only one exam. If they fail, they must study the official presentations and retake the exam. Candidates are entitled to 3 exam attempts every year.

If candidates do not achieve a passing score on the exam the first time, they can retake the exam a second time.

If they do not achieve a passing score the second time, they can retake the exam a third time.

If candidates do not achieve a passing score the third time, they must wait at least one year before retaking the exam. There is no additional cost for additional exam attempts.

To learn more, you may visit:

https://www.nis-2-directive.com/Distance_Learning_Programs_Exam_Certificate_of_Completion.pdf


C. The certificate of completion, with a scannable QR code for verification.

You will receive your certificate via email in Adobe Acrobat format (pdf), with a scannable QR code for verification, 7 business days after you pass the exam. A business day refers to any day in which normal business operations are conducted (in our case Monday through Friday), excluding weekends and public holidays.


NIS 2 Directive Trained Professional (NIS2DTP)

D. Cyber Risk GmbH will develop a web page dedicated to each certified professional (https://www.cyber-risk-gmbh.com/Your_Name.htm).

When third parties scan the QR code on your certificate, they will visit this web page (https://www.cyber-risk-gmbh.com/Your_Name.htm), and they will be able to verify that you are a certified professional, and your certificates are valid and legitimate.

In this web page we will have your name, all the certificates you have received from us, and pictures of your certificates.

This is an example:

https://www.cyber-risk-gmbh.com/Monika_Meier.html

You can print your certificate that you will receive in Adobe Acrobat format (pdf). With the scannable QR code, all third parties can verify the authenticity of each certificate in a matter of seconds. Professional certificates are some of the most frequently falsified documents. Employers and third parties need an easy, effective, and efficient way to check the authenticity of each certificate. QR code verification is a good response to this demand.


E. If you purchase the NIS2DTP program now, you can receive all the updated and amended NIS2DTP programs at no cost until January 31, 2028.

Every time we have important developments that affect regulatory compliance with the NIS 2 Directive (NIS2), we will update and amend this training program, especially when we have important:

- Joint final draft technical standards, from the European Supervisory Authorities (ESAs) – the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA), the European Securities and Markets Authority (ESMA).

- Regulatory Technical Standards (RTS),

- Implementing Technical Standards (ITS),

- Delegated Acts, that supplement or amend non‑essential parts of EU legislative acts, and

- Implementing Acts, that ensure that EU laws are applied uniformly.

The all-inclusive cost of your first program is $297. The all-inclusive cost of your second (and each additional) program is $197. It includes the exam, the certificate of completion, and all the updated and amended programs at no cost until January 31, 2028. You can take the exam and receive the certificate of completion only once. You cannot take the exam again, and it is not possible to receive a new certificate of completion every time you receive an updated and amended program at no cost.

If you want to take the exam again, to receive a certificate of completion having a later date on it, and to have both certificates of completion with different dates at your dedicated web page, you must purchase the updated program at a discounted cost ($197). This is not required, your original certificate will not expire.

In order to receive the updated and amended program (you have purchased the program in the past, and now you want to receive the updated and amended program at no cost), please follow the simple steps:

Please check the “Course synopsis” of the program at the registration page, to check if you have the latest version.

If we have updated the program, please send us an email with title: “Please send me the updated NIS2DTP program.”

In the email, please let us know which was the name and email address of the person or legal entity that had initially purchased the program.

You will receive the updated program in less than 48 hours (working days). Please remember to check your spam folder too.



Frequently Asked Questions for the distance learning programs.


1. I want to know more about Cyber Risk GmbH.

Cyber Risk GmbH is a company incorporated in Switzerland.
Company number: CHE-244.099.341.
Cantonal Register of Commerce: Canton of Zürich.
Registered address: Dammstrasse 16, 8810 Horgen, Switzerland.
Swiss VAT number: CHE-244.099.341 MWST.
EU VAT number: EU276036462. Cyber Risk GmbH is registered for EU VAT purposes in Germany (Bundeszentralamt für Steuern, Verfahren One-Stop-Shop, Nicht EU-Regelung) for the sale of services in the EU. Cyber Risk GmbH declares and pays EU VAT in a single electronic quarterly return submitted to Germany, and the German Bundeszentralamt für Steuern forwards the EU VAT due to each member State of the EU.

The owner and general manager of Cyber Risk GmbH is George Lekatis, a well-known expert in risk management and compliance. George is also the general manager of Compliance LLC, incorporated in Wilmington, NC, and offices in Washington, DC. It is a provider of risk and compliance training and executive coaching in 57 countries.

Several business units of Compliance LLC are very successful associations that offer membership, weekly or monthly updates, training, certification, Authorized Certified Trainer (ACT) programs, and other services to their members.

The business units of Compliance LLC include:

- The Sarbanes-Oxley Compliance Professionals Association (SOXCPA), the largest Association of Sarbanes-Oxley professionals in the world. You may visit: https://www.sarbanes-oxley-association.com

- The Basel iii Compliance Professionals Association (BiiiCPA), the largest association of Basel iii Professionals in the world. You may visit: https://www.basel-iii-association.com

- The Solvency II Association, the largest association of Solvency II professionals in the world. You may visit: https://www.solvency-ii-association.com

- The International Association of Risk and Compliance Professionals (IARCP). You may visit: https://www.risk-compliance-association.com

The Certified Risk and Compliance Management Professional (CRCMP) program, from the IARCP, has become one of the most recognized certificates in risk management and compliance. There are CRCMPs in 57 countries. Companies and organizations around the world consider the CRCMP a preferred certificate.

You can find more about the demand for CRCMPs at: https://www.risk-compliance-association.com/CRCMP_Jobs_Careers.pdf


CRCMP careers


“Cyber Risk GmbH Training Programs” are training programs developed, updated and provided by Cyber Risk GmbH, and include:
a) In-House Instructor-Led Training programs,
b) Online Live Training programs,
c) Video-Recorded Training programs,
d) Distance Learning with Certificate of Completion programs.


“Cyber Risk GmbH websites” are all websites that belong to Cyber Risk GmbH, and include the following:


a. Sectors and Industries.

1. Cyber Risk GmbH

2. Social Engineering Training

3. Healthcare Cybersecurity

4. Airline Cybersecurity

5. Railway Cybersecurity

6. Maritime Cybersecurity

7. Oil Cybersecurity

8. Electricity Cybersecurity

9. Gas Cybersecurity

10. Hydrogen Cybersecurity

11. Transport Cybersecurity

12. Transport Cybersecurity Toolkit

13. Hotel Cybersecurity

14. Sanctions Risk

15. Travel Security


b. Understanding Cybersecurity.

1. What is Disinformation?

2. What is Steganography?

3. What is Cyberbiosecurity?

4. What is Synthetic Identity Fraud?

5. What is a Romance Scam?

6. What is Cyber Espionage?

7. What is Sexspionage?

8. What is the RESTRICT Act?


c. Understanding Cybersecurity in the European Union.

1. The NIS 2 Directive

2. The European Cyber Resilience Act

3. The Digital Operational Resilience Act (DORA)

4. The Critical Entities Resilience Directive (CER)

5. The Digital Services Act (DSA)

6. The Digital Markets Act (DMA)

7. The European Health Data Space (EHDS)

8. The European Chips Act

9. The European Data Act

10. The European Data Governance Act (DGA)

11. The EU Cyber Solidarity Act

12. The Digital Networks Act (DNA)

13. The Artificial Intelligence Act

14. The Artificial Intelligence Liability Directive

15. The Framework for Artificial Intelligence Cybersecurity Practices (FAICP)

16. The European ePrivacy Regulation

17. The European Digital Identity Regulation

18. The European Media Freedom Act (EMFA)

19. The European Cyber Defence Policy

20. The Strategic Compass of the European Union

21. The EU Cyber Diplomacy Toolbox



2. Is there any discount available for the distance learning programs?

We do not offer a discount for your first program, as we want to keep the cost as low as possible. You have a $100 discount for your second and each additional program.

After you purchase the NIS 2 Directive Trained Professional (NIS2DTP) program at $297, you can purchase:

a. The Digital Operational Resilience Act Trained Professional (DORATPro) program at $197. You can find more about the program at: https://www.digital-operational-resilience-act.com/Digital_Operational_Resilience_Act_Trained_Professional_(DORATPro).html.

b. The Critical Entities Resilience Directive Trained Professional (CERDTPro) program at $197. You can find more about the program at: https://www.critical-entities-resilience-directive.com/Critical_Entities_Resilience_Directive_Trained_Professional_(CERDTPro).html.

c. The Digital Services Act Trained Professional (DiSeActTPro) program at $197. You can find more about the program at: https://www.eu-digital-services-act.com/DiSeActTPro_Training.html.

d. The Digital Markets Act Trained Professional (DiMaActTPro) program at $197. You can find more about the program at: https://www.eu-digital-markets-act.com/DiMaActTPro_Training.html.

e. The Data Governance Act Trained Professional (DatGovActTP) program at $197. You can find more about the program at: https://www.european-data-governance-act.com/DatGovActTP_Training.html.



3. Are there any entry requirements or prerequisites required for enrolling in the training programs?

There are no entry requirements or prerequisites for enrollment. Our programs give the opportunity to individuals of all levels to learn, grow, and develop new skills without the need for prior qualifications or specific experience.



4. I want to learn more about the exam.

You can take the exam online from your home or office, in all countries.

It is an open book exam. Risk and compliance management is something you must understand and learn, not memorize. You must acquire knowledge and skills, not commit something to memory.

You will be given 90 minutes to complete a 35-question exam. You must score 70% or higher.

The exam contains only questions that have been clearly answered in the official presentations.

All exam questions are multiple-choice, composed of two parts:

a. A stem (a question asked, or an incomplete statement to be completed).

b. Four possible responses.

In multiple-choice questions, you must not look for a correct answer, you must look for the best answer. Cross out all the answers you know are incorrect, then focus on the remaining ones. Which is the best answer? With this approach, you save time, and you greatly increase the likelihood of selecting the correct answer.

TIME LIMIT - This exam has a 90-minute time limit. You must complete this exam within this time limit, otherwise the result will be marked as an unsuccessful attempt.

BACK BUTTON - When taking this exam you are NOT permitted to move backwards to review/change prior answers. Your browser back button will refresh the current page instead of moving backward.

RESTART/RESUME – You CANNOT stop and then resume the exam. If you stop taking this exam by closing your browser, your answers will be lost, and the result will be marked as an unsuccessful attempt.

SKIP - You CANNOT skip answering questions while taking this exam. You must answer all the questions in the order the questions are presented.

When you are ready to take the exam, you must follow the steps described at "Question h. I am ready for the exam. What must I do?", at:

https://www.nis-2-directive.com/Distance_Learning_Programs_Exam_Certificate_of_Completion.pdf



5. How comprehensive are the presentations? Are they just bullet points?

The presentations are not bullet points. They are effective and appropriate to study online or offline.



6. Do I need to buy books to pass the exam?

No. If you study the presentations, you can pass the exam. All the exam questions are clearly answered in the presentations. If you fail the first time, you must study more. Print the presentations and use Post-it to attach notes, to know where to find the answer to a question.



7. Is it an open book exam? Why?

Yes, it is an open book exam. Risk and compliance management is something you must understand and learn, not memorize. You must acquire knowledge and skills, not commit something to memory.



8. Do I have to take the exam soon after receiving the presentations?

No. You can take the exam any time. Your account never expires. You have lifetime access to the training program. If there are any updates to the training material and you have not passed the exam, you will receive the updated program free of charge.



9. Do I have to spend more money in the future keep my certificate of completion valid?

No. Your certificate of completion will remain valid, without the need to spend money or to take another exam in the future.



10. Ok, the certificate of completion never expires, but things change.

Recertification would be a great recurring revenue stream for Cyber Risk GmbH, but it would also be a recurring expense for our clients. We resisted the temptation to "introduce multiple recurring revenue streams to keep business flowing", as we were consulted. No recertification is needed for our programs.

Things change, and this is the reason you need to visit the "Reading Room" of Cyber Risk GmbH every month, and read the monthly newsletter with updates, alerts, and opportunities, to stay current. You may visit:

https://www.cyber-risk-gmbh.com/Reading_Room.html



11. Which is your refund policy?

Cyber Risk GmbH has a very clear refund policy: You have the option to ask for a full refund up to 60 days after the payment. If you do not want one of our programs for any reason, all you must do is to send us an email, and we will refund the payment after one business day, no questions asked.



12. I want to receive a printed certificate. Can you send me one?

Unfortunately this is not possible. You will receive your certificate via email in Adobe Acrobat format (pdf), with a scannable QR code for verification, 7 business days after you pass the exam. A business day refers to any day in which normal business operations are conducted (in our case Monday through Friday), excluding weekends and public holidays.

Cyber Risk GmbH will develop a dedicated web page for each professional (https://www.cyber-risk-gmbh.com/Your_Name.html). In your dedicated web page we will add your full name, all the certificates you have received from Cyber Risk GmbH, and the pictures of your certificates.

When third parties scan the QR code on your certificate, they will visit your dedicated web page, and they will be able to verify that you are a certified professional, and your certificates are valid and legitimate.

Professional certificates are some of the most frequently falsified documents. Employers and third parties need an easy, effective, and efficient way to check the authenticity of each certificate. QR code verification is a good response to this demand.

You can print your certificate that you will receive in Adobe Acrobat format. With the scannable QR code, all third parties can verify the authenticity of each certificate in a matter of seconds.



13. Why should I choose your training programs?

I. There are many new Directives and Regulations in the EU, and our target audience is overwhelmed and has little time to spare. Cyber Risk GmbH has developed training programs that can assist them in understanding the new requirements, and in providing evidence that they are qualified, as they must pass an exam to receive their certificate of completion.

II. Our training programs are flexible and convenient. Learners can access the course material and take the exam at any time and from any location. This is especially important for those with busy schedules.

III. The all-inclusive cost of our programs is very low. There is no additional cost for each program, now or in the future, for any reason.

IV. If you purchase a second program, you have a $100 discount. The all-inclusive cost for your second (and each additional) program is $197.

V. There are 3 exam attempts per year that are included in the cost of each program, so you do not have to spend money again if you fail.

VI. No recertification is required. Your certificates of completion never expire.

VII. If you purchase the NIS2DTP program now, you can receive all the updated and amended NIS2DTP programs at no cost until January 31, 2028.

Every time we have important developments that affect regulatory compliance with the NIS 2 Directive (NIS2), we will update and amend this training program, especially when we have important:

- Joint final draft technical standards, from the European Supervisory Authorities (ESAs) – the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA), the European Securities and Markets Authority (ESMA).

- Regulatory Technical Standards (RTS),

- Implementing Technical Standards (ITS),

- Delegated Acts, that supplement or amend non‑essential parts of EU legislative acts, and

- Implementing Acts, that ensure that EU laws are applied uniformly.

VIII. The marketplace is clearly demanding qualified professionals in risk and compliance management. Certified professionals enjoy industry recognition and have more and better job opportunities.

IX. Firms and organizations hire and promote fit and proper professionals who can provide evidence that they are qualified. Employers need assurance that managers and employees have the knowledge and skills needed to mitigate risks and accept responsibility. Supervisors and auditors ask for independent evidence that the process owners are qualified, and that the controls can operate as designed, because the persons responsible for these controls have the necessary knowledge and experience.

X. Professionals that gain more skills and qualifications often become eligible for higher-paying roles. Investing in training can have a direct positive impact on a manager's or employee's earning potential.

Cyber Risk GmbH, some of our clients