Cyber security awareness training for mid-market employees: certified online courses for the DACH region
The human factor decides your IT security. Certified cyber security awareness training as 15-20-minute learning stones from EUR 39 per user per year - NIS2-compliant, no seminar days, no IT jargon.
The best firewall won’t protect your company if an employee clicks on a phishing email. This is exactly where cyber security awareness training comes in: it closes the gap between technical IT security and human behaviour. For mid-market companies in the DACH region, this training is no longer a voluntary add-on – since the NIS2 requirements took effect in December 2025, it has been a legal obligation, coupled with personal liability for management.
This article is aimed at managing directors and IT managers of mid-market companies with 20 to 1,000 employees. It shows you why the human factor is the decisive weak point in your security strategy, which legal requirements you have to meet, and how you can protect your entire workforce with certified online training – without seminar days, without travel, without IT jargon.
The PASSION4IT Academy offers 9 specialised online courses for this, designed as focused learning stones of 15–20 minutes that become immediately applicable in day-to-day work. Cyber security awareness training from EUR 39 per user per year, with a certificate for every completed module.
What you’ll take away from this article:
- Why technical protective measures alone are not enough, and what role untrained employees play in cyberattacks
- Which legal obligations NIS2 and the EU AI Act create for your company
- How 9 modular online courses form a 360° security net for your workforce
- Why 15-minute learning stones create more behavioural change than full-day on-site seminars
- Which concrete costs and which ROI you can expect
Why a firewall is not enough: the human factor in cyber security
Intrusion detection systems, firewalls, endpoint protection – many companies invest heavily in technical IT security. And yet cyberattacks still succeed. The reason is almost always the same: an employee opens a manipulated email, enters credentials on a fake website, or uses a weak password. According to a Kaspersky study, in almost a third of German companies an attacker was aided by the behaviour of the company’s own employees. At the same time, 54 % had already been affected by network attacks, and in 42 % malicious code made it into the network.
Detecting such threats does not fail for lack of technology. It fails because the people in front of the screens don’t know what to look out for. Employees are decisive for a company’s IT security – they are either the strongest line of defence or the biggest weak point. Cyber security awareness training reduces the risk of successful attacks by building exactly this awareness.
The everyday weak point: how phishing and social engineering hit the mid-market
Phishing emails are long past being badly worded messages from supposed princes. Modern attack scenarios use AI-generated, personalised emails that are barely distinguishable from legitimate business correspondence. Social engineering goes even further: attackers research org charts, supplier relationships, and internal processes in order to manipulate individual employees in a targeted way – by email, phone, or even in person.
For mid-market companies, the damage is especially severe. According to the German Federal Ministry for Economic Affairs, the typical cost of a successful attack ranges between EUR 15,000 and more than EUR 95,000 per incident – depending on business interruption and recovery effort. In ransomware attacks on mid-sized businesses, total costs including downtime and reputational damage can reach EUR 200,000 to 500,000.
Of German companies with at least 10 employees, 43 % reported having been victims of digital data theft in 2024/25. Through targeted training, employees learn to recognise phishing emails and social engineering – before a click turns into a security incident.
NIS2 and liability: why employee training is becoming a legal obligation in the DACH region
Since December 2025, the tightened requirements for implementing the NIS2 Directive (BSIG-E) have applied in Germany. This regulation affects far more companies than the previous NIS Directive – in particular many mid-market businesses that until now did not count themselves part of the “critical infrastructure” sector.
The key requirements for your company:
- Management training obligation: Section 38 BSIG-E obliges management to complete cybersecurity training on a regular basis. Failure to comply risks personal liability.
- Workforce-wide awareness training: For all employees, structured training on cyber threats, security measures, and reporting procedures must be documented.
- Documentation obligation: Training must be documented in an audit-proof manner – content, participation, certificates. Without proof, sanctions loom.
In addition, since 2 February 2025, Article 4 of the EU AI Act requires companies that use AI systems to ensure sufficient AI competence among their staff. Enforcement with supervision and sanctions begins on 2 August 2026. Certified training helps to implement these compliance requirements verifiably, and specialised training simultaneously supports meeting GDPR requirements.
The question is no longer whether you train your employees. The question is whether your training holds up to the legal requirements – documented, up to date, and certified.
The 360° security net: the 9 online courses of the PASSION4IT Academy
The PASSION4IT Academy offers a modular programme of 9 specialised cyber security courses in total. Companies can book individual courses flexibly or tailor them as a combined programme to their exact digital maturity and needs. Everything takes place fully online, in focused learning stones of 15–20 minutes, with a certificate for each completed module.
The pricing structure is transparent and mid-market-friendly: cyber security from EUR 39 per user per year, the Business Bundle with all modules for EUR 99 per user per year. Certified online cyber security training minimises security risks in the mid-market – and at a fraction of the cost that a single security incident causes.
The proven foundation: from awareness to incident response
Six courses form the core programme and cover the full breadth of cyber security – from basic awareness to being able to act in an emergency:
- Cyber Security Awareness Training (the foundation) – The entry point for any workforce. Fundamentals of information security, typical threats, safe behaviour in everyday work. Designed for non-IT staff, no jargon, no prerequisites. E-learning formats are demonstrably effective for cyber security awareness training because they convey knowledge in digestible units rather than in information overload.
- Cyber Security Next Level – Advanced knowledge for employees who, beyond the basics, should develop an understanding of more complex attack scenarios and protective measures.
- NIS2 Briefing – Regulatory requirements explained clearly. What the NIS2 Directive concretely means for your company, which obligations exist, and how you demonstrate compliance.
- Password & Identity Security – Zero-effort security for Teams and M365. Strong passwords and MFA should be used for all business accounts. This module shows how that works without friction in everyday life – pragmatic, not theoretical.
- Phishing & Social Engineering – Recognise attacks before they take effect. This module sensitises your team to real attack scenarios and shows how to instantly expose fraudulent emails and manipulative communication. Supplemented by controlled phishing simulations and hands-on tests, the workforce learns to recognise threats in real day-to-day work in good time, sustainably strengthening security awareness.
- Incident Response Essentials – What to do in an emergency? Reporting channels, responsibilities, first steps in security incidents. Well-trained employees prevent security gaps that lead to considerable costs.
On the pulse of the times: the new modules for AI, mobile work, and secure partner communication
Three brand-new modules were rolled out in 2026 to respond to current cyber threats and regulatory developments:
- Safe use of AI tools in the company (EU AI Act compliant training): What happens when a company introduces artificial intelligence without preparing its employees? Shadow AI emerges: employees use ChatGPT, Copilot, or other tools without control, entering company data into external systems without understanding the risks. This module conveys safe AI use, data protection limits, and the competence obligation under Art. 4 EU AI Act. In the PwC survey, 67 % of mid-market companies state that AI-related risks are one of the drivers of their IT security investments. Training 50 employees in AI – without on-site effort and without high costs – is exactly what this module is designed for.
- Mobile Security (safe on the move with smartphone and laptop): Employees must be able to work safely with Wi-Fi and VPN even in the home office or when travelling, protect devices if lost, and correctly assess public networks. Mobile work creates new weak points – this module closes them.
- Cyber security in external contact (communicating safely with customers, suppliers, and external partners): Supply chain risks and partner communication are increasingly becoming a gateway. According to PwC, 47 % of mid-market companies report that business partners were affected by cyber incidents. Online training conveys current hacking techniques and security solutions that address exactly these risks.
How does the training work in the mid-market?
A modular cyber security programme only works if it fits into everyday work – not the other way around. That is why the PASSION4IT Academy relies on learning stones: focused units of 15–20 minutes that can be accessed device-independently and require no jargon. Online training is location-independent and available in short units. Every employee learns at their own pace – whether at the desk, in the home office, or between two customer appointments.
The logic behind it: in the mid-market, digitization does not fail for lack of technology. It fails because people don’t understand the technology, don’t want to use it, or don’t know how to use it safely. The PASSION4IT Academy closes this gap – not with day-long seminars that are forgotten the next day, but with focused learning stones that are immediately applicable in everyday work and build verifiable competence.
No loss of productivity: hands-on online modules for your team
The difference between a learning stone and a classic e-learning module lies not in the technology but in the application rate. Large e-learning platforms such as LinkedIn Learning offer extensive libraries – but without a focus on the concrete risks and processes of a mid-market company. The content is too generic, the number of modules overwhelming, the applicability in everyday work low. The PASSION4IT Academy is positioned differently: as hands-on workforce qualification, not as a content library.
| Criterion | Full-day on-site seminar | PASSION4IT Academy learning stones |
|---|---|---|
| Time per employee | 8 hours + travel time | 15–20 minutes per learning stone |
| Loss of productivity | An entire working day | Minimal, flexibly integrable |
| Knowledge transfer into everyday work | Low – content forgotten after days | High – immediately applicable content |
| Scalability | Limited, high organisational effort | Unlimited, no on-site effort |
| Cost for 100 employees | EUR 15,000–30,000 incl. organisation | EUR 3,900 (cyber security) / EUR 9,900 (Business Bundle) |
| Certification | Confirmation of attendance | Certificate per completed module |
| Content updates | Only when rebooking | Continuous, always up to date |
Online solutions are often cheaper than on-site training – and the frequency and practical relevance of training measurably increases effectiveness. A continuous learning programme improves lasting behavioural change, because knowledge is not dumped in a single block of information but embedded into everyday work over weeks and months.
Common challenges and how to solve them
Introducing awareness training sounds simple. In practice, companies face recurring hurdles.
Employee resistance to yet more training
“Not another training” – this reflex is understandable. Employees have full calendars and little appetite for theory-heavy mandatory events. The solution: 15-minute learning stones with immediate practical relevance. No blocks of theory, no lectures. Every learning stone delivers a concrete behaviour that is applicable the same day. Complexity is reduced, understanding rises.
No measurable behavioural change after classic seminars
Many companies have already invested in cybersecurity training – and yet employees keep clicking on suspicious links. The problem lies not in a lack of willingness but in the format. Day-long seminars overwhelm with too much content at once and offer little transfer into everyday work. Microlearning with phishing simulations and certification per module creates measurability: learning progress, test results, and certificates document whether competence was actually built – or whether time was merely served.
High administrative effort for training management
Most IT departments in the mid-market have neither the capacity nor the skills to manage a training programme manually. The PASSION4IT Academy offers a fully automated online platform with central administration, progress tracking, and automatic certificate generation. No additional IT effort, no coordination marathon.
Conclusion: make cyber security a routine
The human factor decides the effectiveness of your entire security strategy. Technical protective measures such as firewalls and intrusion detection systems are necessary – but they are not enough. With the NIS2 Directive and the EU AI Act, security awareness training has become a legal obligation in the DACH region. And the cost of prevention is only a fraction of what a single cyberattack can cost.
The question is not whether your employees need digital training. The question is whether the training you give today still lands in everyday work tomorrow.
Your next steps:
- Arrange a live demo: Let us show you the Academy live in a short, personal call. We discuss your individual needs, walk you through the platform, and show you how uncomplicated training management is for your company.
- Choose modules based on concrete needs: Together we select the right modules – from targeted individual courses to the complete Business Bundle for your entire team.
- Start a pilot group: Test the Academy with no fuss with a pilot group of 10–20 employees, measure acceptance, and only then scale the training to the entire workforce.
You’ll find all 9 courses, prices, and booking options at the PASSION4IT Academy.
Frequently asked questions
How long does a typical cyber security awareness training take?
Each learning stone of the PASSION4IT Academy takes 15–20 minutes. The courses consist of several learning stones completed at your own pace – no seminar day, no lecture-style training. This lets the training be integrated into everyday work without loss of productivity.
Are the online courses NIS2-compliant for mid-market companies?
Yes. The courses cover the requirements of the NIS2 Directive – including documentation, certification, and proof of training content. The NIS2 Briefing addresses the regulatory requirements directly, and every completed module delivers an audit-proof certificate.
Can the courses be integrated into existing LMS systems?
The PASSION4IT Academy offers integration options with existing learning management systems. The platform itself includes progress tracking and central administration, so professional training management is possible even without your own LMS.
What sets the PASSION4IT Academy apart from classic e-learning platforms?
Large platforms such as LinkedIn Learning offer broad content libraries but no focused mid-market qualification. The PASSION4IT Academy is not a content library but a hands-on further-education platform with mid-market-specific content designed for direct applicability and behavioural change. There is no incomprehensible IT jargon here and no unnecessary prerequisites. Instead, you receive a tailored recommendation for the perfectly fitting module combination.
Are the courses suitable for non-IT staff without prior knowledge?
Absolutely. The courses are explicitly designed for the entire workforce – no jargon, no technical prerequisites. From reception through sales to accounting: every employee can understand the content and apply it directly.
Further resources
- Cyber security training in the mid-market: certified, online employee protection
- AI driver’s licence under EU AI Act Art. 4: mandatory training in the mid-market
- PASSION4IT Academy – certified online learning stones for the entire workforce