
Case Study: NIS2 Training for Board and Leadership teams at a Healthcare Organization

By NCC Group

27 October 2025

Situation:

NCC Group's client, a global healthcare organization headquartered in Denmark, identified itself as falling within the scope of the expanded NIS2 Directive. Although the Danish government had not yet transposed the Directive into national legislation, the organization recognized the strategic importance of early compliance planning.

Since October 2024, NIS2 requires board members and senior management to understand, oversee and implement effective cyber security risk management practices to ensure their organizations are operationally resilient. 

In a proactive move, this client initiated NIS2-focused training for its board members, executives, and local management teams across its European operations. This initiative was directly aligned with Article 20 (Governance) of the NIS2 Directive, which mandates:

“Management bodies of essential and important entities are required to follow training, and shall encourage essential and important entities to offer similar training to their employees on a regular basis.”

The organization aimed to ensure its senior leadership was well-informed of the Directive’s requirements and fully understood their governance responsibilities in preparation for future compliance.

At a glance:

Organization: Danish Operator of Global Healthcare Services

Sector: Healthcare

Challenges: The NIS2 Directive had not yet been transposed into Danish law. They needed to navigate regulatory uncertainty, engage leadership across geographies, and deliver sector-relevant training aligned with future cyber threats, legal obligations, and operational realities.

Solution: NCC Group designed and delivered tailored NIS2 training for their board and senior leaders, combining strategic, operational, and regulatory insights for long-term use throughout their organization.

Results: The training was highly praised for clarity and relevance, equipping the client’s leadership with actionable guidance. The sessions strengthened the organization’s readiness for NIS2 compliance and raised their overall cyber resilience. 

Challenges

The client faced several key challenges in preparing for NIS2 compliance:

  • Regulatory ambiguity: With the Directive not yet transposed into Danish law, the organization needed to anticipate future legal obligations while navigating a lack of legal clarity.
  • Leadership engagement: Ensuring board members and senior leaders across multiple geographies understand their roles and responsibilities under NIS2.
  • Scalability: Developing training materials that could be adapted and reused across different countries and operational scenarios.
  • Sector-specific relevance: Delivering content that was not only legally accurate but also tailored to the unique risks and realities of the healthcare sector.

The client selected NCC Group as its trusted partner based on:  

  • Established relationships: A proven track record of successful collaboration across multiple projects.
  • Sector expertise: The Group has supported the healthcare sector with cyber security solutions for over 25 years. They deeply understand the sector's landscape, supported by active engagement with global regulators and public bodies.
  • Cyber compliance specialty: NCC Group's deep research and threat intelligence heritage enhances their cyber security solutions. Their experts have the experience and ability to translate complex regulatory requirements into actionable insights for both executive and operational audiences. A team of Professional Evaluation and Certification Board (PECB) Certified NIS2 Directive implementers offers unmatched knowledge, insights, and trusted guidance when supporting organizations in achieving their compliance goals. 

Solution

NCC Group collaborated with the client to design and deliver a tailored NIS2 training program for the organization's Board and senior leadership.

The program was developed and led by Managing Consultant Julian Brown and Senior Advisor Ade Clewlow, and was structured to reflect the current interpretation of the EU Directive while anticipating national implementation.

The training was delivered through two remote sessions and one in-person session at the client's headquarters in Copenhagen. It was structured around three core focus areas:

1. Board-level training:

  • Setting strategic cyber security direction
  • Establishing cyber risk appetite
  • Strengthening stakeholder trust
  • Mitigating legal and financial risk
  • Embedding a security-conscious culture
  • Leadership and governance expectations under NIS2

2. Executive & local management training:

  • Translating strategy into operational action
  • Risk-informed decision-making
  • Managing third-party and supply chain security
  • Enhancing operational resilience

3. Fundamental cyber security principles:

  • Core risk management concepts
  • Implementation approach to NIS2
  • Business continuity and crisis response
  • Understanding regulatory enforcement and penalties
  • Final recommendations and next steps

Additionally, NCC Group developed editable training materials to support internal adaptation and reuse across the client's European operations.

Results

NCC Group successfully delivered all three training sessions, engaging the client's Board of Directors and senior leadership in interactive, discussion-led formats tailored to their organizational context.

The training received overwhelmingly positive feedback. Participants praised:

  • The clarity and relevance of the content
  • The practical, real-world examples used
  • The actionable guidance on leadership responsibilities

As a result of this engagement, the client is now significantly better positioned to implement the NIS2 Directive and strengthen its overall cyber security posture. The training brought clarity to regulatory obligations and enabled leadership to take informed, strategic action in anticipation of future compliance requirements.


Ade Clewlow, Senior Adviser at NCC Group and training facilitator:

"We helped demystify NIS2 for senior leaders, turning complex regulation into clear, actionable insight—empowering our healthcare client to lead confidently on cyber security governance and compliance."

NCC Group


NCC Group exists to make the world safer and more secure.

As global experts in cyber security and risk mitigation, NCC Group is trusted by over 14,000 customers worldwide to protect their most critical assets from the ever-changing threat landscape.
