8 April 2026 • NIS2
Schools and educational institutions across Europe are increasingly targeted by cybercriminals. In early 2025, hackers had access to the IT systems of Eindhoven University of Technology (TU/e) for five days, using stolen credentials and a VPN without two-factor authentication. Classes were cancelled for an entire week. At the same time, the NIS2 directive requires part of the European education sector to demonstrably improve its digital security. But which institutions does it apply to, and what exactly do they need to do? This article breaks it down.
Does education fall under NIS2?
NIS2 applies when an organisation meets two conditions simultaneously: it must operate in a designated sector (Annex I or II of the directive) and exceed the size thresholds. Size alone is not enough, sector designation is the primary gate.
The NIS2 directive includes higher education as part of the research sector (Annex II). Universities and universities of applied sciences that conduct research can therefore be classified as important entities. Secondary and primary education are not listed in the annexes and do not automatically fall under NIS2, regardless of their size.
That said, it is not as simple as “large vocational institutions are always exempt.” There are three situations in which secondary and primary education organisations can still be affected.
Which educational institutions (potentially) fall under NIS2?
| Type of institution | NIS2 status | Notes |
|---|---|---|
| Universities | Likely important entity | Research function + size; meet both conditions |
| Universities of applied sciences | Possibly important entity | Depends on size and research activities |
| Vocational institutions (MBO) | Not automatically in scope | Sector not designated; national designation or mixed structure may change this |
| Secondary education | Not automatically in scope | Sector not designated; large school groups may fall under NIS2 via national designation or mixed structure |
| Primary education | Not automatically in scope | Sector not designated; indirect requirements via partners possible |
Size thresholds: NIS2 applies to organisations with more than 50 employees or an annual turnover/balance sheet total exceeding €10 million. But size alone does not place an organisation in scope — sector designation is always the first requirement.
When do secondary and primary schools fall under NIS2 anyway?
“Not automatically in scope” does not mean “not relevant.” There are three situations in which secondary and primary education organisations do encounter NIS2:
1. National designation
Member states may designate organisations as critical entities outside the European annexes. The Dutch government can decide that large school groups with a significant societal role fall under the Cybersecurity Act. Particularly very large boards overseeing dozens of schools and thousands of staff members are at risk of this.
2. Mixed organisations
Many school groups run both secondary and vocational education, or are affiliated with a university of applied sciences. If the vocational or higher education component is large enough and conducts research activities, that part may fall under NIS2. In practice, this pulls the security requirements through to the entire organisation.
3. Indirect requirements via the supply chain
Organisations subject to NIS2 must secure their supply chain. If a school organisation supplies software, shares data, or collaborates with institutions that are NIS2-obligated, those partners may pass on security requirements. Grant providers and government clients are also increasingly imposing these kinds of requirements.
What are the obligations for educational institutions?
When an educational institution falls under NIS2, the same basic obligations apply as for other sectors. The most relevant ones for the education context:
Risk analysis and security policy
You are required to systematically map out the risks to your networks, systems, and data, including systems used by suppliers such as SIS providers, cloud services for learning platforms, and collaboration tools.
Incident reporting obligation
Significant incidents, such as ransomware attacks on student administration systems or data breaches involving student personal data, must be reported to the competent authority within 24 hours.
Supply chain security
Software and service providers must demonstrably meet your security requirements. Think of providers of learning platforms, student information systems, or cloud storage.
Access management and authentication
Multi-factor authentication for access to systems containing sensitive data is mandatory. In the education context, this certainly applies to staff with access to student records, financial systems, and research data. The attack on TU Eindhoven in January 2025 illustrates what goes wrong without MFA: hackers gained entry via a VPN without two-step verification and had undetected access for five days.
Security awareness training for staff
NIS2 explicitly requires institutions to train staff in cybersecurity. This covers not just IT staff, but also lecturers, researchers, and support personnel, anyone with access to systems and data.
Why cybersecurity in education deserves extra attention
Educational institutions are attractive targets for cybercriminals due to the combination of valuable research data, large volumes of personal data, and a relatively open IT culture. Some specific challenges:
- Large user groups — tens of thousands of students and staff with varying access rights.
- High turnover — students enrol and graduate every year; accounts must be actively managed.
- Open network culture — academic freedom sometimes clashes with strict security policies.
- Limited IT budgets — especially at smaller institutions, there is limited room for security investment.
- Valuable research data — intellectual property and research results are of interest to state actors.
How Guardey helps educational institutions
Guardey offers security awareness training with content tailored to the education sector. Staff learn to recognise phishing, handle data securely, and know what to do when they spot something suspicious. in short, digestible modules that fit into a busy working week.
By training staff consistently, educational institutions meet the NIS2 awareness obligation while simultaneously building an institution that is less vulnerable to the attacks that hit the sector every day.
Want to know exactly what NIS2 means for your institution? Check the NIS2 guide for 2026 with all obligations, thresholds, and a practical checklist.
Not every educational institution formally falls under NIS2, but the boundary is less clear-cut than it appears. Universities and large universities of applied sciences are NIS2-obligated in most cases. For vocational, secondary, and primary education, it depends on national designation, organisational structure, and the partners they work with.
Start with a clear scope determination, conduct a risk analysis, and ensure staff are demonstrably trained. Those are the steps that directly address most NIS2 obligations, and that show, as an institution, that cybersecurity is taken seriously.
Security awareness training: useful even without NIS2
NIS2 may not apply to every educational institution, but the threats it responds to do. Security awareness training helps your staff recognise and respond to cyber attacks regardless of whether compliance is required.
Guardey for education
Guardey has developed specific training modules for education staff. Download the brochure or explore what a tailored programme looks like for your institution.
Guardey for education