Awareness training and vulnerability management under Section 30 of the BSIG

Section 30 of the BSIG requires cyber hygiene, training, and systematic vulnerability management. What that means in practice — from phishing simulations to a clinically prioritized vulnerability scan.

Awareness Training and Vulnerability Management: What § 30 BSIG Requires Operationally

§ 30 BSIG is the normative backbone of NIS2 — ten mandatory areas that every affected organization must implement. From risk registers to supply chain security to multi-factor authentication. For management and IT leadership, most of these ten points remain abstract: What does 'risk analysis' actually mean? How deep does 'supply chain security' need to go?

Two obligations stand out. They are immediately tangible in operations, generate measurable data every week, and form the interface where cybersecurity meets day-to-day hospital operations: cyber hygiene and training (point 7) and security in the acquisition, development, and maintenance of systems (point 5). In practice, this translates into two core disciplines: Awareness Training and Vulnerability Management.

This guide shows what § 30 BSIG operationally requires for these two areas — and what NIS2-compliant implementation means in practice in a hospital, a medical care center (MVZ), or a pharmaceutical company. Not as an abstract compliance discussion, but as a concrete playbook.

Three preliminary notes. First: Awareness and VM are not two independent obligations, but two halves of the same task. Humans and machines are the two major attack surfaces — securing only one does not solve the problem. Second: In an audit, both areas are the first to be checked because they have tangible artifacts (training records, scan reports). Third: NIS2 has raised the bar — a one-time e-learning course or an annual vulnerability scan is no longer enough.

Awareness — what § 30 BSIG requires

§ 30(2) No. 7 BSIG requires 'concepts and procedures for cyber hygiene as well as training in the security of network and information systems'. The NIS2 Directive specifies this in Art. 21(2)(g): training must enable the workforce to 'recognize, avoid, and minimize the impact of cyberattacks'.

That sounds general — and is often interpreted too generally. In practice, BSI auditors, external auditors, and cyber insurers ask for concrete evidence:

  • Who was trained when, with what content, and for how long?

  • How is the learning effect measured?

  • What adjustments are made when click rates rise?

  • How are new employees integrated into the system?

  • How is management trained itself (mandatory under § 38 BSIG)?

What is not enough. A one-time 30-minute mandatory video during onboarding with a checkbox confirmation. That may have been standard in 2018, but in 2026 it is neither regulatorily nor practically sufficient. The employee who clicked on a phishing email yesterday does not learn from today's quiz questions — they learn from concrete, realistic simulations that take place in daily hospital operations.

What is enough. A combination of three components:

  1. Annual core course with consistent content (phishing recognition, password hygiene, data protection, reporting paths) and documented participation.

  2. Regular phishing simulations (typically monthly) that reflect real attack patterns from the healthcare sector — fake HIS emails, fabricated shift schedule changes, false e-prescription notifications.

  3. Microlearning spotlights several times a year on current topics (cloud phishing, MFA bypass, AI-generated emails, sector-specific threats).

This three-part combination documents itself almost automatically: training system logs for point 1, phishing platform reports for point 2, spotlight participation for point 3. Prepared as an audit report — done.

Important: Awareness is not the IT department's task, but HR's. IT provides the platform, but content, frequency, and tone belong in HR's hands. Otherwise awareness quickly becomes technical compliance theater that the workforce experiences as paternalism.

Awareness in operational implementation

What does that look like in practice? Four components that together create a NIS2-compliant awareness architecture:

Format: microlearning instead of frontal lecturing. A 60-minute webinar once a year that nobody listens to is not proof of training — it is a compliance fiction. What has proven effective: four to five short modules of 4 to 5 minutes each, accessible on the endpoint, with a small knowledge check per module. Staff can fit this into waiting periods or breaks — acceptance is significantly higher than with mandatory appointment formats.

Frequency: annual core course plus three spotlights per year. The core course covers the basics (phishing, passwords, data protection, reporting route). The spotlights supplement the program with three short refreshers — one to two minutes, in the quarters without a core course, without repeating the previous year. This makes the training obligation apply all year round, not just once in January.

Target groups: differentiated, not one-size-fits-all. Nursing, physicians, administration, IT, and management have different attack vectors and different learning needs. Nursing staff need examples from ward operations (fake HIS warnings, fabricated shift changes). Administration needs CEO fraud scenarios and invoice manipulation. IT needs privileged account risks. Management needs whaling examples plus regulatory overview.

Phishing simulation as an effectiveness measure. Training without follow-up measurement is training in the dark. Phishing simulations are the only method that reliably shows whether training content has landed. The key metrics:

  • Click rate: Who clicks on simulated phishing links? (Expected development: 25 to 35% baseline → under 10% after 12 months)

  • Reporting rate: Who actively reports suspicious emails? (Expected development: under 5% baseline → over 30% after 12 months)

  • Repeat click rate: Do employees click repeatedly after training feedback? (Indicator of structural risk in individual teams)

Important to know: In Germany, phishing simulations are subject to co-determination under § 87(1) No. 6 of the Works Constitution Act. A clean works agreement with anonymization, purpose limitation, and a ban on use for personnel measures is a prerequisite for the start.
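The three metrics above, computed from a phishing platform export, as an added example that is not part of the original article or of any particular platform. It assumes a constructed export with one record per user and campaign (campaign month, a pseudonym in place of the user identity, team, clicked, reported); the team names, the MIN_GROUP threshold and the record layout are assumptions. Only campaign-level and team-level aggregates are produced, and teams smaller than MIN_GROUP are suppressed, which is the kind of reporting a works agreement with anonymization and a ban on personnel measures allows.

```python
from collections import defaultdict

MIN_GROUP = 3  # assumed threshold: no aggregate is reported for teams smaller than this

# Constructed sample export, not real data:
# (campaign month, pseudonym, team, clicked simulated link, reported the mail)
EVENTS = [
    ("2026-01", "u01", "ward4", True, False),
    ("2026-01", "u02", "ward4", True, False),
    ("2026-01", "u03", "ward4", False, True),
    ("2026-01", "u04", "ward4", False, False),
    ("2026-01", "u05", "admin", True, False),
    ("2026-01", "u06", "admin", False, False),
    ("2026-01", "u07", "admin", False, True),
    ("2026-01", "u08", "it", False, False),
    ("2026-01", "u09", "it", False, True),
    ("2026-02", "u01", "ward4", True, False),   # repeat click after feedback
    ("2026-02", "u02", "ward4", False, True),
    ("2026-02", "u03", "ward4", False, True),
    ("2026-02", "u04", "ward4", True, False),
    ("2026-02", "u05", "admin", False, True),
    ("2026-02", "u06", "admin", False, False),
    ("2026-02", "u07", "admin", False, True),
    ("2026-02", "u08", "it", False, True),
    ("2026-02", "u09", "it", False, True),
]


def campaign_rates(events):
    """Click rate and reporting rate per campaign, as fractions of delivered mails."""
    totals = defaultdict(lambda: {"delivered": 0, "clicked": 0, "reported": 0})
    for campaign, _user, _team, clicked, reported in events:
        t = totals[campaign]
        t["delivered"] += 1
        t["clicked"] += int(clicked)
        t["reported"] += int(reported)
    return {
        c: {
            "delivered": t["delivered"],
            "click_rate": round(t["clicked"] / t["delivered"], 3),
            "reporting_rate": round(t["reported"] / t["delivered"], 3),
        }
        for c, t in sorted(totals.items())
    }


def repeat_click_rate_by_team(events):
    """Share of users per team who clicked in a later campaign after clicking in an
    earlier one (i.e. after training feedback). Returns None for teams below
    MIN_GROUP or without anyone who could have repeated yet."""
    campaigns = sorted({e[0] for e in events})  # YYYY-MM strings sort chronologically
    members = defaultdict(set)
    first_click = {}
    for campaign, user, team, clicked, _reported in events:
        members[team].add(user)
        if clicked:
            idx = campaigns.index(campaign)
            first_click[user] = min(idx, first_click.get(user, idx))
    later_click = {
        user
        for campaign, user, _team, clicked, _r in events
        if clicked and campaigns.index(campaign) > first_click[user]
    }
    result = {}
    for team, users in members.items():
        if len(users) < MIN_GROUP:
            result[team] = None          # suppressed: group too small to stay anonymous
            continue
        # only users whose first click was before the last campaign had a chance to repeat
        prior = [u for u in users if u in first_click and first_click[u] < len(campaigns) - 1]
        if not prior:
            result[team] = None
            continue
        result[team] = round(sum(1 for u in prior if u in later_click) / len(prior), 3)
    return result


if __name__ == "__main__":
    for campaign, r in campaign_rates(EVENTS).items():
        print(campaign, r)
    print("repeat click rate by team:", repeat_click_rate_by_team(EVENTS))
```

The repeat click rate is the one figure that points at structural risk rather than individual behaviour, which is why it is reported per team and never per pseudonym; a team with a high value is a candidate for a ward-specific spotlight, not for personnel measures.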

Documentation for the audit case. Concrete artifacts that must be in the ISMS file:

  • List of training sessions conducted with date, content, duration, participants

  • Individual training records (anonymized or pseudonymized)

  • Quarterly evaluation of phishing simulations with trend

  • Annual evaluation of the effectiveness of the awareness program

  • Management training record under § 38 BSIG (with agenda and attendance list)

Vulnerability Management — what § 30 BSIG requires

Vulnerability Management is not named as a separate obligation in § 30 BSIG. It is spread across two points:

  • Point 5: Security in the acquisition, development, and maintenance of network and information systems. This covers patch management, vulnerability handling, and secure configuration.

  • Point 10: Multi-factor authentication and secured voice, video, and text connections. This is where MFA hygiene and secure remote access land — both closely intertwined with Vulnerability Management.

What the standard leaves open: frequency, depth, SLAs. NIS2 deliberately avoids detailed requirements in favor of 'state of the art'. That is elegant from a regulatory perspective — but operationally confusing, because 'state of the art' is not an audit criterion you can check off.

In practice, the following translation has become established:

Asset inventory as a mandatory foundation. Vulnerability Management without an asset inventory is blind. If you do not know which devices are connected to the network — servers, workstations, medical devices, IoT, mobile endpoints — you cannot look for vulnerabilities. A complete asset inventory with categorization (type, OS, patch status, location, owner) is the first mandatory deliverable.

Scanning frequency. State of the art means continuous scanning for IT infrastructure, not point-in-time checks. External (internet-exposed) systems: daily. Internal systems: weekly. Anyone scanning once a year is not meeting the state of the art. Medical devices, however, are not actively scanned — industry best practice (HHS 405(d)) is passive network discovery in combination with CVE matching and SBOM analysis, because active scans on IoMT devices can cause outages in clinical operations.

Authenticated scanning. Not all vulnerabilities are visible from the outside. Authenticated scanning — meaning: using valid login credentials on the target systems — reveals configuration weaknesses, outdated libraries, local patch status, and default credentials. Unauthenticated scanning sees only the exterior and regularly underestimates the real risk.

Clinically weighted prioritization. A CVSS score of 9.8 on an office printer web interface is less critical than a CVSS 7.2 on the PACS server. The generic CVSS assessment must be contextualized clinically — proximity to patients, criticality of care, fallback options. Otherwise, IT teams patch the spectacular but non-critical vulnerabilities first and the medium-sized but care-critical ones last.

Remediation SLAs. State of the art does not say 'patch everything immediately', but 'risk-prioritized handling with SLAs'. Typical in NIS2-compliant setups: critical vulnerabilities (CVSS ≥ 9, exploitable, exposed) within 7 to 14 days, high vulnerabilities within 30 days, medium ones within 90. Where a patch is not applied, document the decision and the compensating measures — additional network segmentation, intensified monitoring, restricted access.
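The clinically weighted prioritization and SLA assignment described above, as an added example that is not part of the original article. It uses the article's own comparison (a CVSS 9.8 printer web interface versus a CVSS 7.2 PACS server) and its critical definition (CVSS ≥ 9, exploitable, exposed) and SLA windows; the care-criticality and exposure weights, the fallback factor, the asset names and the finding data are constructed assumptions for illustration, not a standard.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed clinical context weights (proximity to patient care) and exposure weights.
CARE_CRITICALITY = {"direct_care": 1.5, "care_support": 1.2, "administrative": 1.0, "peripheral": 0.7}
EXPOSURE_FACTOR = {"internet": 1.4, "internal": 1.0, "isolated_segment": 0.8}

# SLA windows from the article: critical 14 days, high 30, medium 90 (low is assumed).
SLA_DAYS = {"critical": 14, "high": 30, "medium": 90, "low": 180}


@dataclass
class Finding:
    asset: str
    cvss: float
    exploitable: bool      # public exploit or active exploitation known
    exposure: str          # key of EXPOSURE_FACTOR
    care_level: str        # key of CARE_CRITICALITY
    has_fallback: bool     # a manual/paper fallback exists for the affected workflow
    discovered: date
    medical_device: bool = False


def contextual_score(f: Finding) -> float:
    """CVSS base score weighted by clinical criticality, exposure, exploitability and fallback."""
    score = f.cvss * CARE_CRITICALITY[f.care_level] * EXPOSURE_FACTOR[f.exposure]
    if f.exploitable:
        score *= 1.3
    if not f.has_fallback:
        score *= 1.2
    return round(score, 2)


def severity(f: Finding) -> str:
    # The article's definition of critical applies regardless of clinical weighting.
    if f.cvss >= 9 and f.exploitable and f.exposure == "internet":
        return "critical"
    s = contextual_score(f)
    if s >= 9:
        return "critical"
    if s >= 7:
        return "high"
    if s >= 4:
        return "medium"
    return "low"


def due_date(f: Finding) -> date:
    return f.discovered + timedelta(days=SLA_DAYS[severity(f)])


def remediation_plan(findings, today: date):
    """Findings ordered by clinical priority, each with owner-ready SLA and action."""
    plan = []
    for f in sorted(findings, key=contextual_score, reverse=True):
        due = due_date(f)
        # Medical devices are not patched by hospital IT (MDR); the action is a documented
        # manufacturer patch request plus compensating measures if the patch is delayed.
        action = ("manufacturer patch request; compensating measures if delayed"
                  if f.medical_device else "patch within SLA or document compensating measures")
        plan.append({
            "asset": f.asset,
            "cvss": f.cvss,
            "contextual_score": contextual_score(f),
            "severity": severity(f),
            "due": due.isoformat(),
            "overdue": today > due,
            "action": action,
        })
    return plan


# Constructed sample findings (assumed asset names and values).
SAMPLE_FINDINGS = [
    Finding("printer-3f-02", 9.8, True, "internal", "peripheral", True, date(2026, 1, 5)),
    Finding("pacs-srv-01", 7.2, False, "internal", "direct_care", False, date(2026, 1, 5)),
    Finding("vpn-gw-01", 9.1, True, "internet", "administrative", True, date(2026, 1, 5)),
    Finding("infusion-pump-ward4", 6.5, False, "isolated_segment", "direct_care", True,
            date(2026, 1, 5), medical_device=True),
]

if __name__ == "__main__":
    for entry in remediation_plan(SAMPLE_FINDINGS, date(2026, 1, 25)):
        print(entry)
```

With these weights the PACS server (CVSS 7.2, no fallback, direct care) lands above the printer (CVSS 9.8, peripheral), which is exactly the ordering the article argues for; the exposed and exploitable VPN gateway stays critical by definition. The overdue flag is what the SLA-compliance trend in the audit questions is built from.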

Vulnerability Management in operational implementation

In practical implementation, four critical components emerge:

Continuous, not point-in-time asset discovery. Hospital networks change daily. New medical devices are connected, maintenance staff bring notebooks, cloud workloads come and go. A classic inventory spreadsheet is outdated 24 hours after creation. State of the art: agent-based asset tracking plus network discovery, combined.

Medical devices as a special case (IEC 80001-1). In the clinical environment, there is a special feature: patches on medical devices are subject to the MDR and may affect the manufacturer's conformity assessment. An unauthorized security patch by the hospital IT can technically mean a modification of the medical device — with liability consequences. Solution: document patch requests to the manufacturer, measure response times, implement compensating measures (network segmentation, monitoring) if patching is delayed.

Authenticated scanning of critical systems. HIS, PACS, LIS, Active Directory, backup systems — core infrastructure must be scanned with authenticated scans, not just from the outside. Common findings in hospital setups:

  • Outdated libraries in Java- and Python-based applications (Log4Shell class)

  • Missing patches on workstations because updates run only in maintenance windows

  • Default credentials on medical devices ('admin/admin', 'service/service')

  • Unsecured maintenance interfaces (Telnet, old SMB versions)

  • Inconsistent permissions in Active Directory

Remediation with SLA and escalation. Every critical vulnerability gets an owner, an SLA, and an escalation path. If the manufacturer does not deliver a patch within 14 days, the hospital escalates to compensating measures — additional network segmentation, intensified monitoring, and, if necessary, temporary shutdown of the affected system.

Documentation for the audit case. Concrete artifacts:

  • Asset inventory with patch status and owners

  • Weekly scan reports with a diff to the previous month

  • Quarterly trend reports by care area

  • List of open vulnerabilities with risk rating, SLA, and compensating measures

  • Manufacturer correspondence regarding medical device patches

  • Annual penetration test or external validation

The distinction between 'we scan' and 'we manage vulnerabilities' is essential here. Scanning is the easier half. The harder half is accompanying the process from detection to closure — and documenting that not everything can be fixed, but everything has been assessed.

Awareness and Vulnerability Management as a dual lever

Why not just one of the two? Because humans and machines are two structurally different attack surfaces that do not compensate for each other.

The human is the initial vector. Verizon Data Breach Investigations Report 2024: 68 percent of all incidents had a human factor — mostly phishing or credential theft. Awareness without VM means: employees recognize phishing emails, but if an attacker still gets in, the attacker finds an unpatched system where they can move freely.

The machine is the amplifier. Verizon DBIR 2024 showed a 180 percent increase in vulnerability exploitation as an initial vector; in the 2025 report, the share grew by another 34 percent to 20 percent of all breaches. VM without awareness means: no successful phishing click opens the door — but web server vulnerabilities or VPN gaps can be exploited directly.

Both support preparation under § 32 BSIG. In the event of an incident, BSI auditors ask both for training records and for vulnerability remediation reports. Anyone who cannot present awareness documentation in an incident has no shield in administrative fine proceedings — and neither does anyone who cannot present VM data.

Connection to § 38 BSIG management liability. In disputes, the personal liability of management is not assessed on the basis of abstract strategies, but on concrete operational evidence. Awareness and VM are the two areas that generate the most evidence — clean reports show supervisory duties fulfilled, missing reports show a breach of duty.

Operational synergy. Awareness and VM share data: Those who click in phishing simulations often sit at a system with uninstalled patches. Those who report vulnerabilities were previously in an awareness training. The two disciplines complement each other not only regulatorily, but operationally — when they are set up as one overall system, not as two isolated projects.

What is asked in the audit

In a BSI audit or in an audit by an external accountant under NIS2, awareness and VM are the first areas to be checked — because they produce operationally tangible artifacts. Typical questions:

Awareness:

  • Who was trained in the last year? Provide the list with date and content.

  • How do you measure the effectiveness of your training? Provide phishing simulation reports for the last 12 months.

  • How is management itself trained? Provide the training record with agenda and attendance list.

  • What happens to employees who repeatedly fail phishing tests? Show the escalation concept.

  • How are new employees integrated into the awareness system? Document the onboarding process.

Vulnerability Management:

  • Is there an asset inventory? Complete, up to date?

  • When did the last scan take place? Authenticated or unauthenticated?

  • How are vulnerabilities prioritized? Provide a list of currently open critical findings.

  • How good is SLA compliance? Trend over the last twelve months.

  • How are medical devices handled? Provide manufacturer correspondence.

  • When did the last penetration test take place? Report and remediation status.

Three points typically lead to audit findings:

1. Training without effectiveness measurement. Anyone who distributes content but does not run phishing simulations cannot provide evidence of effectiveness.

2. Incomplete asset inventory. Forgotten medical devices, mobile endpoints not recorded, cloud workloads outside the inventory logic.

3. Patch SLA is theory only. On paper a 14-day SLA, in practice a 90-day reality without documented compensating measures.

These points are not found out of malice — they are the most common real weaknesses.

Common mistakes

'We do have an awareness platform.' Owning a license is not an awareness program. If you have a platform but do not operate it systematically, you have not solved the compliance risk.

'The MSSP does vulnerability management.' A common assumption, often wrong. Many managed service contracts cover only detection, not remediation. Clarification in the contract: Who scans, who prioritizes, who closes, who documents?

'Awareness is a checkbox exercise.' Workforces recognize that within weeks. If you treat awareness as a formal compliance task, you get formal compliance — not behavioral change.

'Patches block hospital operations.' Sometimes that is true. But then the rule is: risk assessment, compensating measures, documentation. Not: ignore the patch and hope.

'We do not want audit-theater overhead.' Understandable — and wrong. Without documentation, in the event of an incident there is neither insurance coverage nor a line of defense against liability under § 38 BSIG.

'We will do management training next year.' § 38 BSIG is not deferred — the obligation has applied since December 6, 2025. Anyone who has not yet documented training is without proof in the event of an incident.

Conclusion

Awareness Training and Vulnerability Management are the two halves of an operational NIS2 implementation that are seen first in an audit. § 30 BSIG requires them, Art. 21 NIS2 specifies them, and § 38 BSIG sharpens accountability through the personal liability of management.

What both areas share: They only work as continuous ongoing operations, not as a project with a start and end. Awareness without monthly phishing simulations and quarterly spotlights fizzles out. VM without weekly scanning and SLA tracking is compliance theater.

What both areas share: They produce data that are the most important evidence in an audit. If you have the data, you are regulatorily prepared. If you do not, you are unprotected in administrative fine proceedings.

What both areas share: They are demanding to implement internally because they require ongoing operation. A hospital with three IT employees can rarely sustain 24/7 vulnerability management alongside day-to-day business — and a systematic awareness program with differentiated target groups, monthly campaigns, and management reporting even less so. This is exactly where managed services come in: They provide continuous operations without the organization having to employ specialists itself.

At Entropy CS we offer Managed Awareness Training and Managed Vulnerability Management specifically for healthcare — hospital-specific phishing scenarios, monthly cadence, NIS2-compliant documentation, and reporting for management and audit. Our free risk assessment takes 30 minutes and provides an honest assessment of your current maturity in both areas — including concrete priorities for the next 12 months.