Article
Jun 1, 2026
NIS2 and your flexible workforce: who is responsible for training temporary workers?
The obligation sits with the in-scope organisation, even when the workers come from an agency. What that means in practice for your floor.

Under NIS2, the in-scope organisation is responsible for its own risk-management measures, and training of staff is part of those required measures (Article 21). That responsibility does not disappear when the people doing the work are supplied by a staffing agency. If temporary workers have access to your systems, sites or information, the practical question an auditor or client will ask is simple: can you show they were trained?
What does NIS2 actually require on training?
Two distinct things. First, the management body must follow training and oversee the organisation's cybersecurity risk-management measures; that duty is explicit and personal (Article 20). Second, the organisation's risk-management measures must include cyber hygiene practices and cybersecurity training for staff (Article 21). The first is about the boardroom. The second is about everyone whose behaviour can cause or prevent an incident, and on a production or logistics floor that includes the flexible shell.
Does "staff" include agency workers?
NIS2 does not carve temporary workers out of risk management. The measures are risk-based: if a person can plug in a USB stick, click a phishing link, hold a door open or photograph a screen, they are part of your risk surface regardless of whose payroll they sit on. Most organisations already accept this logic for safety training; cyber hygiene now follows the same path.
Who pays and who organises it?
The law assigns the obligation to the in-scope entity; the market decides the logistics. In practice three models are emerging: the client trains everyone who enters, the staffing agency delivers workers pre-trained as a service differentiator, or a shared credential is used that the worker carries between assignments. The third model avoids retraining the same person at every new gate, which is why verifiable credentials are gaining ground for contingent workforces. See how that works on our EdXactly Pass page.
What evidence will be asked for?
Names and dates are the minimum. Increasingly, supply-chain questionnaires ask for current evidence: who is trained, to what, and until when. A spreadsheet of last year's attendance answers yesterday's question. A live register with expiry dates answers this year's.
Last reviewed: June 2026. This article is general information and is not legal advice.