> ⚖️ This article is general information - for specific decisions about your organisation, consult a qualified lawyer in your jurisdiction.

---

## TL;DR
You can run impactful phishing simulations in the EU without alienating staff or risking non-compliance by: 
1. using **legitimate interests** (not consent) as your primary legal basis and documenting a balancing test; 
2. engaging **works councils** early and codifying guardrails in a works agreement where required; 
3. prioritising **anonymization/pseudonymization**, **short retention**, and **transparent notices**; and 
4. running a DPIA if your context points to **high risk** (e.g., systematic monitoring).

---

## 1) Lawful basis: why **legitimate interests** usually beats consent
In the employment context, consent is **rarely freely given** because of the employer–employee power imbalance. The European Data Protection Board’s *Guidelines 05/2020 on Consent* underline that employee consent is valid only in **exceptional** circumstances without adverse consequences for refusal. For phishing simulations, a better fit is **Article 6(1)(f) legitimate interests**, documented with a **Legitimate Interests Assessment (LIA)** that weighs your security needs against employees’ rights and expectations.

**Good practice for the LIA**  
- Define the interest (security awareness; fraud prevention).  
- Map reasonable employee expectations (training is normal; covert profiling is not).  
- List mitigations (see Sections 3–5).  
- Record why consent would be inappropriate in your context.

References: EDPB *Guidelines 05/2020 on Consent*; GDPR Recital 47 (reasonable expectations).

---

## 2) Works councils: Germany & Austria in focus
If you operate in countries with strong co-determination, involve the works council before rollout.

- **Germany (BetrVG §87(1) No. 6):** the works council co-determines the *“introduction and use of technical devices designed to monitor employee behaviour or performance.”* Even simple dashboards can trigger this, so a **Betriebsvereinbarung** (works agreement) that sets scope, data handling, and safeguards is common practice.  
- **Austria (ArbVG §96(1) No. 3):** monitoring measures and technical systems that may affect human dignity require **works council consent** (or **individual consent** if no works council).

**What to include in the agreement/works policy**  
Purpose & scope, lawful basis, minimal data collected, **no disciplinary use** of metrics alone, who sees what, retention & anonymization schedule, vendor list (processors/sub-processors), employee rights, and an annual review clause.

Sources: Germany—BetrVG §87(1) no. 6 (official English text); analysis by Luther Law. Austria—Eurofound summary of ArbVG §96(1) no. 3; Schoenherr explainer.

---

## 3) Anonymization vs. Pseudonymization (and what it means for reports)
- **Anonymization** (GDPR Recital 26): once data is truly anonymous, GDPR no longer applies.  
- **Pseudonymization** (GDPR Art. 4(5)): data is still personal if it can be re-linked via separate keys; treat it accordingly.

**Privacy-centric reporting model**  
- Default to **aggregates by team/location**.  
- Use **stable random IDs** for trend analysis instead of names; keep the key separate with strict access control.  
- Show **individual results only to a small, need-to-know group** (e.g., security awareness lead + HR) and only when necessary for targeted coaching.  
- Never collect real passwords; if a user attempts to submit credentials, show a training page and **discard any entry**.

For a practical example of how a platform implements these concepts, see **AutoPhish’s anonymization** overview: https://autophish.io/anonymization

---

## 4) Retention: shorter is safer (and required by principle)
GDPR’s **storage limitation** principle requires keeping personal data in identifiable form **no longer than necessary** for the stated purpose. For phishing programs, many SMEs adopt a two-tier window:  
- **Operational window (e.g., 30–90 days):** identifiable data available for coaching and remediation.  
- **Post-campaign analytics:** thereafter **aggregate/anonymize**, keeping only non-identifiable trends for long-term KPI tracking.

Document this in your **Article 30 records of processing** and in your employee privacy notice.

---

## 5) Notices: be transparent and plain-language (Art. 13)
Before your first campaign, provide a short internal notice (or update your employee privacy policy) that explains: the **purpose** (security awareness), **lawful basis** (legitimate interests), what data you collect (e.g., email, department, click/report events), **retention**, who can access individual-level data (limited roles), **no disciplinary use** of single events, **employee rights** (access/objection), and a **contact** (DPO or privacy lead).

**Copy-paste starter (adapt to your context)**  
> We run periodic phishing simulations to build security awareness and reduce fraud risk. We process your name, work email, department, and simulation interactions (e.g., opened/reported/submitted). Our lawful basis is legitimate interests (GDPR Art. 6(1)(f)). Individual-level data is visible only to the security awareness team (and HR where necessary for targeted coaching). We keep identifiable data for **[X days]** and then aggregate/anonymize. We never store real passwords. You can exercise your data rights (access/objection, etc.) via **[contact]**. See **[link to your full employee privacy notice]**.

---

## 6) Do you need a DPIA?
A **Data Protection Impact Assessment (DPIA)** is required when processing is **likely to result in high risk** to individuals (Art. 35). Regulators and the EDPB note that **employee monitoring** may trigger a DPIA—especially where processing is systematic or involves vulnerable data subjects. If your programme introduces new tooling, large-scale metrics, or cross-border transfers, err on the side of conducting a DPIA.

**What to cover**: purpose/necessity, alternatives (less intrusive options), data flows, risks, mitigations (anonymization, minimization, role-based access, short retention, no-blame coaching), and a plan for periodic review.

---

## 7) Vendors & international transfers
If you use a platform provider, you’re the **controller** and they’re a **processor**; sign a **Data Processing Agreement** that meets **Article 28** requirements (security, sub-processor controls, assistance with data rights, deletion at end of service). If the provider or its sub-processors are outside the EEA, implement the **Standard Contractual Clauses** and perform a transfer risk assessment.

---

## 8) NIS2: if you’re in scope, training is no longer optional
For entities covered by the **NIS2 Directive**, management must oversee cybersecurity risk-management measures (Art. 20) and ensure appropriate training and incident processes (Art. 21). Even if you’re not in scope, the bar NIS2 sets is a useful benchmark for SMEs.

---

## 9) A practical, privacy-first architecture (that still works)
- **Data in:** name, email, team, and manager (optional). No personal emails; no special categories.  
- **During campaign:** collect only **event data** (delivered, clicked, reported, submitted). If a user tries to enter credentials, show training and capture **no secrets**.  
- **Access control:** the awareness team can see cohorts and anonymized IDs
- **Retention:** 30–90 days for identified data → auto-anonymize; keep aggregates for year-over-year trends.  
- **Outputs:** exec report shows **rates and trends**, not names.  
- **Governance:** LIA + (if needed) DPIA on file; Article 30 register updated; works agreement approved.

---

## Final thoughts
Privacy-friendly phishing training is not a contradiction. With the right lawful basis, genuine worker representation, and technical guardrails like anonymization and short retention, your programme can **protect people and their data** while measurably reducing risk. When in doubt, get legal advice tailored to your facts.

## Legal references (Germany & Austria)

*   **Germany — Works Constitution Act (BetrVG) §87(1) no. 6 (official English text)**  
    [Gesetze im Internet – Works Constitution Act (Betriebsverfassungsgesetz – BetrVG), English translation](https://www.gesetze-im-internet.de/englisch_betrvg/englisch_betrvg.html)
    
*   **Analysis by Luther Law**  
    [“Perennial issue: software vs. co-determination (Section 87 (1) No. 6 BetrVG)” — Luther Law](https://www.luther-lawfirm.com/en/newsroom/blog/detail/dauerbrenner-software-vs-mitbestimmung-87-abs-1-nr-6-betrvg)
    
*   **Austria — Eurofound summary of ArbVG §96(1) no. 3**  
    [Eurofound: Employee monitoring and surveillance — Austria](https://apps.eurofound.europa.eu/legislationdb/employee-monitoring-and-surveillance/austria)
    
*   **Schoenherr explainer (ArbVG §96(1) no. 3)**  
    [“Whistleblowing Hotline – Implementation Only with Employee Consent?” — Schoenherr](https://www.schoenherr.eu/content/whistleblowing-hotline-implementation-only-with-employee-consent)
    

---

## Further reading

*   **EDPB _Guidelines 05/2020 on Consent_**  
    [https://www.edpb.europa.eu/sites/default/files/files/file1/edpb\_guidelines\_202005\_consent\_en.pdf](https://www.edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_202005_consent_en.pdf)
    
*   **GDPR Recital 26 (anonymous data)**  
    [https://gdpr-info.eu/recitals/no-26/](https://gdpr-info.eu/recitals/no-26/)
    
*   **GDPR Article 4(5) (pseudonymization)**  
    [https://gdpr-info.eu/art-4-gdpr/](https://gdpr-info.eu/art-4-gdpr/)
    
*   **GDPR Article 5 (principles)**  
    https://gdpr-info.eu/art-5-gdpr/
    
*   **GDPR Article 13 (information to be provided)**  
    https://gdpr-info.eu/art-13-gdpr/
    
*   **GDPR Article 28 (processors)**  
    https://gdpr-info.eu/art-28-gdpr/
    
*   **GDPR Article 30 (records of processing activities)**  
    https://gdpr-info.eu/art-30-gdpr/
    
*   **GDPR Article 35 (Data Protection Impact Assessment)**  
    https://gdpr-info.eu/art-35-gdpr/
    
*   **NIS2 Directive (Articles 20–21)**  
    EUR-Lex — Directive (EU) 2022/2555 (NIS2)
    
*   **AutoPhish — Anonymization overview (product-side controls)**  
    [https://autophish.io/anonymization](https://autophish.io/anonymization)

Phishing emails might not be glamorous, but they’re the sneaky tricksters of the cyber world. They show up in inboxes pretending to be important messages — an invoice, a password reset, maybe even a fake LinkedIn invite. And unfortunately, they still work all too often. In fact, **74% of security breaches involve the human element**, with phishing being one of the top ways attackers break in [[1]](https://www.phishingbox.com/resources/phishing-facts)[[2]](https://www.phishingbox.com/resources/phishing-facts).

That’s why businesses of all sizes are turning to **phishing simulations** — basically “practice phishing attacks” that train employees to spot suspicious messages in a safe environment. Think of it like a fire drill, but for your inbox. The goal is to help employees build instincts and transform them into a “human firewall.”

But here’s the question: when it comes to running phishing simulations, should you **do them manually** (crafting fake phishing emails yourself or with the help of consultants) or rely on an **automated platform** (a service that does the heavy lifting for you)? Each approach has its perks and pitfalls. Let’s explore both in a way that’s insightful, practical, and just a bit more fun.

---

## Why Phishing Simulations Matter (Beyond Scaring Your Staff)

The idea is simple. Your company sends out a fake phishing email. If an employee clicks or submits their login details, it’s not a disaster — it’s a teaching moment. And unlike boring PowerPoint slides about security, these simulations stick. People remember what fooled them, and they get better at spotting the real thing next time [[3]](https://autophish.io/blog/phishing-simulations-as-a-service-explained-smarter-employee-training-with-autophish)[[4]](https://www.cynet.com/cybersecurity/phishing-simulation-how-it-works-and-5-tools-to-get-you-started/).

On top of that, regulators are watching. Standards like the EU’s **NIS2 Directive** don’t just want firewalls and antivirus software — they expect proof that your staff are trained and tested regularly [[6]](https://autophish.io/blog/phishing-simulations-as-a-service-explained-smarter-employee-training-with-autophish). A solid phishing simulation program means you can check both boxes: better security and compliance.

---

## Manual Phishing Campaigns: Handcrafted, With Love (and Effort)

So what happens if you go the manual route?

- **What it is:** Your IT/security team (or hired consultants) brainstorm phishing scenarios, design emails, send them out, and later track who clicked. Maybe it’s a fake invoice. Maybe it’s a spoofed “CEO request.” Creativity is the name of the game.
- **The good:** Manual campaigns can be incredibly realistic. A consultant who knows your business can craft spear-phishing emails that reference actual projects or internal lingo. These hyper-tailored simulations feel *uncomfortably real* — which is exactly the point.
- **The bad:** They’re expensive and time-consuming. Niche providers often charge **$3–$6 per employee per month** [[8]](https://caniphish.com/phishing-simulation), which adds up fast. Doing it in-house? It may seem “free,” but your team still spends hours designing lures, setting up domains, and crunching results. Open-source tools like GoPhish are powerful, but they require ongoing maintenance [[10]](https://autophish.io/blog/open-source-phishing-simulation-tools-vs-managed-solutions-a-technical-and-business-comparison).

Scalability is another headache. Most companies that go manual manage only a couple of campaigns a year — often tied to Cybersecurity Awareness Month. That’s better than nothing, but far from the continuous reinforcement employees really need.

And let’s be honest: creativity runs dry. After a few tries, the “fake Amazon receipt” or “password reset” gets old. Without fresh ideas, employees start recognizing the pattern, which defeats the purpose.

**Bottom line:** Manual campaigns are great for highly targeted, one-off exercises. But for regular training across the whole company, they can drain resources and don’t scale well.

---

## Automated Phishing Platforms: Set It, Forget It, Train Continuously

Now let’s talk about automation.

**Automated phishing platforms** (think KnowBe4, Hoxhunt, Cofense, or newer players like **AutoPhish**) are SaaS tools built to make phishing simulations easy, scalable, and consistent. Instead of your team manually drafting emails and logging clicks, the platform handles:

- Crafting realistic phishing emails (often from a large template library, updated with the latest scam trends [[16]](https://caniphish.com/phishing-simulation)).
- Sending them out at scale, on a schedule you set.
- Tracking exactly who clicked, reported, or ignored.
- Delivering instant feedback or training to employees who fall for it.

Some platforms even use **AI** to generate unique phishing lures that evolve over time, so employees can’t just memorize a fixed set of templates [[18]](https://autophish.io/blog/phishing-simulations-as-a-service-explained-smarter-employee-training-with-autophish).

### The Big Advantages
- **Efficiency & scale:** Send thousands of emails with a few clicks. Whether you’ve got 50 or 5,000 employees, the platform can handle it without extra work.
- **Affordability:** Pricing is usually **$0.45–$1.25 per employee per month** [[22]](https://caniphish.com/phishing-simulation). Compare that to the millions a real breach might cost (average global cost: $4.45M in 2024 [[23]](https://autophish.io/blog/phishing-simulations-as-a-service-explained-smarter-employee-training-with-autophish)) — it’s a bargain.
- **Consistency:** You can schedule monthly or even weekly tests. Some platforms randomize delivery so employees don’t learn to expect them at a certain time.
- **Data & insights:** Automated platforms provide dashboards, trend analysis, and compliance-ready reports. Want to know if your finance department is click-prone or if your awareness is improving quarter over quarter? Easy [[26]](https://autophish.io/blog/phishing-simulations-as-a-service-explained-smarter-employee-training-with-autophish).
- **Low burden:** Instead of your team writing fake emails, they just review results. It’s a massive time-saver.

### A Nice Bonus: Just-in-Time Training
If an employee clicks, the platform can instantly show them a quick educational page: “Oops! Here’s what you missed.” That immediate feedback turns mistakes into teachable moments. Manual follow-ups can’t always deliver that consistency.

---

## Side-by-Side: Manual vs. Automated

| Factor              | Manual Campaigns (In-House/Consultants) | Automated Platforms |
|---------------------|------------------------------------------|----------------------|
| **Cost**            | High ($3–$6/user/month or staff time)   | Lower ($0.45–$1.25/user/month) |
| **Scalability**     | Hard to scale beyond occasional tests   | Scales easily to thousands |
| **Frequency**       | Infrequent (annual or quarterly)        | Continuous (monthly, weekly, randomized) |
| **Realism**         | Can be highly tailored, spear-phishy    | Broad range of realistic, evolving templates |
| **Customization**   | Unlimited but resource-heavy            | Flexible, with plenty of built-in options |
| **Team Burden**     | Heavy (time, creativity, reporting)     | Light (review dashboards, tweak settings) |
| **Reporting**       | Basic, often static                     | Detailed dashboards, compliance-ready data |

---

## Which Should You Choose?

It depends on your goals and resources:

- **Manual** makes sense if:
  - You want one-off, highly targeted tests (like spear-phishing execs).
  - You already have a skilled red team that enjoys this work.
- **Automated** makes sense if:
  - You want continuous, scalable training for your whole staff.
  - You’re an SME without endless budget or staff hours.
  - You need compliance-friendly reports at the click of a button.

Most companies use automation for their **day-to-day training**, and occasionally sprinkle in manual campaigns for special cases. That’s often the sweet spot.

---

## Why SMEs in Particular Should Care

Small and mid-sized businesses are juicy targets for attackers but often lack security staff. Hiring consultants is pricey. Running manual campaigns internally eats up scarce time. That’s why automated phishing testing — especially from platforms designed with SMEs in mind, like **AutoPhish** — is so appealing [[24]](https://autophish.io/blog/phishing-simulations-as-a-service-explained-smarter-employee-training-with-autophish).

AutoPhish, for instance, offers:
- **AI-powered, ever-fresh phishing emails** [[19]](https://autophish.io/blog/phishing-simulations-as-a-service-explained-smarter-employee-training-with-autophish).
- **Automated scheduling** (monthly, quarterly, or custom) [[25]](https://autophish.io/blog/phishing-simulations-as-a-service-explained-smarter-employee-training-with-autophish).
- **Quick setup** (under 30 minutes) [[28]](https://autophish.io/blog/phishing-simulations-as-a-service-explained-smarter-employee-training-with-autophish).
- **GDPR-friendly design** with no sensitive data stored [[35]](https://autophish.io/blog/phishing-simulations-as-a-service-explained-smarter-employee-training-with-autophish).

It’s basically enterprise-grade security awareness made accessible for businesses without enterprise budgets.

---

## Wrapping It Up

Phishing is going to keep evolving — attackers aren’t taking a holiday. The best way to stay ahead is to keep your people trained, sharp, and a little skeptical of unexpected emails.

- Manual campaigns are like gourmet, handcrafted training. Impressive, but pricey and limited.
- Automated platforms are like meal kits: reliable, affordable, and scalable. You get variety and consistency without slaving away in the kitchen.

For most businesses, especially SMEs, **automation wins hands down**. It keeps the program running, delivers continuous learning, and doesn’t overload your team. And if you ever want to spice things up with a bespoke spear-phishing test, you can always add a manual one on top.

In the end, what matters most is that you’re testing, training, and turning your employees into your first line of defense. After all, in cybersecurity, a well-trained workforce might just be the cheapest (and smartest) insurance you’ll ever buy.



## Introduction

Cybersecurity budgets are often tight—especially for small and mid-sized enterprises (SMEs). Executives want to know: *Is our investment in security awareness training actually paying off?*  
While phishing simulations and staff education seem like obvious choices, proving their **return on investment (ROI)** can be tricky.

In this article, we break down **how to measure ROI** for security awareness programs, the metrics that matter, and why **AI-driven phishing simulations** can deliver better long-term value.

> 💡 *This article is for informational purposes and does not constitute financial or legal advice.*

---

## Why Measuring ROI in Cybersecurity Is Difficult

Unlike marketing campaigns or sales initiatives, cybersecurity investments aim to prevent bad things from happening. That means ROI is often measured by **losses avoided**—which can be hard to quantify until a breach occurs.

According to the [2024 IBM Cost of a Data Breach Report](https://www.ibm.com/reports/data-breach), the global average cost of a data breach is **$4.45 million**, with phishing as the second-most common cause. For SMEs, even a fraction of that cost can be devastating.

The challenge is to **translate risk reduction into measurable savings**.

---

## The ROI Formula for Security Awareness Training

A common approach to calculating ROI in cybersecurity awareness programs is:

```
ROI (%) = [(Estimated Losses Avoided – Program Costs) / Program Costs] × 100
```

### Step 1: Estimate Potential Losses
- **Data breach costs**: Legal fees, regulatory fines (e.g., GDPR penalties), recovery costs, lost business
- **Operational disruption**: Downtime, lost productivity
- **Reputational damage**: Lost customers, decreased trust

Example: If your estimated potential loss from a phishing attack is €200,000 and effective training can reduce that risk by 70%, your *losses avoided* figure is €140,000.

### Step 2: Calculate Program Costs
- Vendor/platform subscription (e.g., AutoPhish license)
- Internal training time
- Administrative overhead

### Step 3: Run the Formula
If your annual training program costs €20,000 and avoids €140,000 in losses, the ROI is:

```
ROI = [(140,000 – 20,000) / 20,000] × 100 = 600%
```

---

## Metrics That Matter

To make ROI reporting credible, track **both leading and lagging indicators**:

### Leading Indicators (Preventive)
- Phishing simulation click rates
- Reported suspicious email rates
- Training completion rates

### Lagging Indicators (After Incidents)
- Number of phishing incidents per quarter
- Mean time to detect (MTTD) and respond (MTTR)
- Regulatory fines or customer churn after incidents

**Why it matters:** Regulators like the [UK ICO](https://ico.org.uk/) and [ENISA](https://www.enisa.europa.eu/) increasingly expect organizations to show evidence of employee training and proactive risk management.

---

## Case Studies and Industry Evidence

- [**KnowBe4’s 2024 Benchmarking Report**](https://www.knowbe4.com/resource-center/phishing): found that after initial training and simulated phishing, users’ “phish‑prone percentage” dropped from a higher baseline to just 18.9% within 90 days, and further to 4.6% after 12 months.
- [**UK ICO vs. Interserve (2022)**](https://www.theguardian.com/business/2022/oct/24/outsourcer-interserve-fined-4-point-4m-cyber-attack-failings-data-breach-personal-information): A £4.4M fine was issued after a phishing attack. Lack of training and poor patching were cited as key failings. Demonstrating a history of phishing simulations could have reduced liability.
- **US FTC Guidance**: The [FTC](https://www.ftc.gov/business-guidance/small-businesses/cybersecurity) emphasizes training as a baseline security measure—failure to do so can result in enforcement action.


---

## Manual Training vs. AI-Driven Simulations

| Feature                          | Manual/Consultant-Led | AI-Driven (e.g., AutoPhish) |
|----------------------------------|-----------------------|-----------------------------|
| Cost per Campaign                | High                  | Low (subscription)          |
| Frequency                        | Usually Yearly        | Monthly or Continuous       |
| Customization                    | Limited               | High (industry & role-based)|
| Realism                          | Moderate              | High (AI-generated emails)  |
| Reporting & Analytics            | Manual                | Automated                   |
| Scalability                      | Low                   | High                        |

**Why it matters:** With AI-driven phishing simulations, you can run **more frequent, more realistic** campaigns at a fraction of the consultant cost—while collecting data that directly supports your ROI calculation.

---

## Making the Business Case

When presenting ROI to leadership, emphasize:

1. **Risk Reduction**: Quantify the drop in phishing success rates after training.
2. **Regulatory Compliance**: Demonstrate how training supports GDPR/NIS2/FTC expectations.
3. **Cost Efficiency**: Compare the program cost to potential breach costs.
4. **Operational Continuity**: Highlight reduced downtime from security incidents.


---

## Final Thoughts

Measuring ROI for security awareness training isn’t just an accounting exercise—it’s a way to prove that your investment is **reducing real-world risk** and **protecting your bottom line**.

**Key Takeaways**:
- Use a clear ROI formula that includes avoided losses
- Track both leading and lagging security metrics
- Run frequent, realistic phishing simulations for maximum impact
- Document results for compliance and executive reporting

With platforms like **AutoPhish**, SMEs can **maximize training impact**, **minimize costs**, and **generate clear ROI evidence**—turning security awareness from a “nice to have” into a proven business asset.


For small and mid-sized businesses (SMEs), a single phishing email can trigger a cascade of serious consequences: stolen credentials, data loss, reputational damage—and legal action. But is your company legally responsible if an employee falls for a phishing scam?

The answer depends on where you operate and what kind of data is at stake. Across the **European Union (EU)**, the **United Kingdom (UK)**, and the **United States (US)**, laws and expectations vary—but one theme is consistent: **preventative measures matter**.

In this article, we’ll explore:

- What the law says in different jurisdictions
- When companies are held accountable for employee mistakes
- How training and phishing simulations reduce risk

> ⚖️ **This is not legal advice. Always consult a qualified lawyer in your jurisdiction for specific guidance.**

---

## EU: GDPR and NIS2—Training as a Legal Obligation

In the European Union, data protection is governed primarily by the **General Data Protection Regulation (GDPR)** and, more recently, by the **NIS2 Directive**.

### GDPR: The 72-Hour Rule and Beyond

Under Article 33 of the GDPR, organizations must notify their national Data Protection Authority of a personal data breach within **72 hours** of becoming aware of it, unless the breach is unlikely to result in a risk to individuals.

If an employee falls for a phishing email that exposes personal data (e.g., customer emails, HR records, financial details), the organization **must**:

- Notify the regulator
- Potentially notify affected individuals (if the risk is “high”)
- Document the incident and mitigation steps taken

What matters is not whether the phishing attack was sophisticated—it’s whether the company had **adequate safeguards** in place.

### NIS2: Security for Essential and Important Entities

The **NIS2 Directive**, in force since 2023, raises the bar further for businesses in sectors like logistics, transport, finance, health, and digital services. It mandates:

- Cybersecurity risk management
- Regular employee training
- Incident reporting obligations
- Fines for non-compliance

The takeaway? Even if your employee made a mistake, **your liability may hinge on how well you prepared them**.

**Source**: [ENISA Threat Landscape 2024](https://www.enisa.europa.eu/publications/enisa-threat-landscape-2024)

---

## UK: GDPR Clone and Real-World Penalties

Post-Brexit, the UK retained the GDPR framework in the form of the **UK GDPR** and the **Data Protection Act 2018**. Most of the obligations are identical to those in the EU:

- Report data breaches within **72 hours**
- Inform affected individuals if there’s a “high risk” to them
- Maintain an internal record of all breaches and decisions

### Case Study: Interserve Fine (£4.4M)

In 2022, the **ICO** fined **Interserve** £4.4 million after a phishing attack exposed over 100,000 employee records. The ICO cited poor training, outdated software, and insufficient monitoring as key failings—not the employee’s mistake.

In the UK, **employers are expected to create a culture of security awareness**. That means:

- Regular training
- Incident simulations
- Logging and documenting risks and responses

**Source**: [ICO Enforcement Action](https://ico.org.uk/action-weve-taken/enforcement/interserve-group-ltd-en/)\
**Best practice**: [NCSC Small Business Guide](https://www.ncsc.gov.uk/collection/small-business-guide)

---

## US: A Patchwork of Laws with One Message—Act Fast

The United States lacks a single national breach notification law, but all **50 states** have their own statutes. These generally require:

- Notification to affected individuals
- Often within **30 to 60 days** of discovery
- Some states require notification to regulators

States like California, New York, and Colorado have **more stringent requirements**, particularly when sensitive data is compromised.

### Federal Action via the FTC

The **Federal Trade Commission (FTC)** can penalize companies for “unfair or deceptive practices”—including poor cybersecurity. In recent years, the FTC has made it clear that **employee training and phishing prevention** are part of reasonable cybersecurity.

- In 2021, the FTC launched a warning campaign targeting businesses that don’t train employees on social engineering.
- In several enforcement cases, failure to act on known phishing risks was cited as negligence.

**Source**: [FTC Data Breach Response Guide](https://www.ftc.gov/business-guidance/resources/data-breach-response-guide-business)

---

## Are You Liable? It Depends on Preparation

While laws vary, the general legal consensus across jurisdictions is:

- You **may not be directly liable** for an employee clicking a phishing link
- But you **can be held liable** if you didn’t take reasonable steps to prevent or mitigate the impact

**What counts as reasonable steps?**

- Documented security training
- Regular phishing simulations
- Strong access control and monitoring
- Clear response plans

Courts and regulators assess whether the breach was **foreseeable** and whether you were **negligent** in preventing it.

> A trained, well-informed team is your best legal defense.

---

## How Phishing Simulations Help

Phishing simulations aren’t just an IT tool—they’re a **compliance and legal risk management tool**.

**Benefits include:**

- Demonstrating due diligence during audits
- Reducing the chance of real-world breaches
- Educating employees with real-life examples
- Logging metrics and improvements over time

Platforms like **AutoPhish** make this easy for SMEs:

- AI-generated phishing tests
- Fully GDPR-compliant
- No real data capture
- Ongoing metrics for accountability

> “We train our people” is a good story. “We simulate, report, and improve” is a better one.

---

## Final Thoughts: Document Everything

When it comes to phishing-related incidents, **your documentation is your insurance policy**. If a regulator calls, you need to show:

- When training took place
- How simulations were conducted
- How quickly you responded to the breach
- Whether affected users were notified (and when)

✅ Keep records\
✅ Update your policies regularly\
✅ Work with legal and IT together

The law may forgive a mistake—but **not a lack of preparation**.

> 🧑‍⚖️ Always consult legal counsel to align your cybersecurity program with local laws and sector-specific requirements.



## Introduction

In 2025, phishing remains the #1 cause of data breaches worldwide. Yet for many European businesses—especially small and mid-sized ones—employee training remains reactive at best. With the rise of AI-generated phishing, tightening EU cybersecurity regulations, and increasing liability for companies, one thing is now crystal clear:

**Phishing simulations are no longer a “nice-to-have"—they are a business necessity.**

This article explores the trends, regulations, and risks that are making phishing simulations essential for all European businesses.

---

## Phishing in 2025: Smarter, Scarier, and More Common

Phishing attacks have evolved. They're no longer clumsy scams from suspicious Gmail accounts. Instead, attackers now use:

* **AI-generated emails** that mimic internal communication styles
* **Real-time data** from LinkedIn or leaked credentials
* **Targeted spear phishing** aimed at decision-makers

According to the [ENISA Threat Landscape 2024 report](https://www.enisa.europa.eu/publications/enisa-threat-landscape-2024), phishing was involved in **over 60% of initial access breaches** in the EU in 2023–24. And this number is rising.

---

## The Legal Perspective: NIS2, GDPR, and Cyber Insurance

### 🛡 NIS2 Directive: Cybersecurity Now a Legal Obligation

As of 2024, the [NIS2 Directive](https://digital-strategy.ec.europa.eu/en/policies/nis2-directive) is fully in effect across the EU. It expands the scope of cybersecurity regulations to **more than 160,000 organizations**, including:

* Medium-sized enterprises (50+ employees)
* Businesses in finance, energy, health, and digital infrastructure
* Public sector suppliers

Among the key requirements:

* **Security awareness training for staff**
* **Incident reporting within 24 hours**
* **Management-level responsibility**

Failing to provide such training—including phishing simulations—can result in **fines up to €10 million** or **2% of global turnover**.

### 🔒 GDPR: Consent, Breach Notification, and Accountability

Even outside NIS2-covered sectors, the GDPR requires businesses to:

* Prevent unauthorized access to personal data
* Report data breaches within 72 hours
* Prove they’ve taken appropriate safeguards

If a phishing email leads to a data breach involving personal data (e.g., HR files, customer info), companies may be found non-compliant if **no preventive measures**, such as employee testing, were in place.

### 🗞 Cyber Insurance Requirements

More insurers now require regular **employee security awareness testing** as a condition for cyber insurance coverage. Without this, claims may be rejected or premiums raised significantly.

---

## Why Traditional Training Fails

Many companies still rely on:

* Annual security webinars
* PDF handouts
* Static “test your knowledge” quizzes

But these approaches fall short because:

* **Real phishing emails aren’t multiple-choice**
* **Employees forget training within weeks**
* **Attackers adapt faster than training materials**

In contrast, **phishing simulations provide real-time behavioral insight**—how people react under pressure, not just what they *know*.

---

## Benefits of Regular Phishing Simulations

Here’s why automated, realistic phishing simulations (like those offered by [AutoPhish](https://autophish.io)) are changing the game:

### ✅ Behavior-Based Training

Simulations teach through **realistic practice**, reinforcing instincts rather than just information.

### 📊 Trackable KPIs

Monitor:

* Open rates
* Click-throughs
* Form submissions
* Reporting behavior

This data lets you **target weak points**—by department, role, or region.

### ↻ Continuous Improvement

Monthly or quarterly tests keep security **top of mind**, not just once a year.

### 💼 Management Reports

Show leadership and auditors measurable progress and risk reduction over time.

---

## Common Objections—and Why They Don’t Hold Up

---

**Objection:** “Our team is too small for this.”  
**Reality:** SMEs are **most vulnerable** and often targeted first.

---

**Objection:** “It might embarrass employees.”  
**Reality:** AutoPhish avoids shaming. It's about **learning, not blaming**.

---

**Objection:** “We outsource IT security.”  
**Reality:** Employee behavior can’t be outsourced. It’s part of your **internal responsibility**.

---

## Best Practices for Phishing Simulations

1. **Start simple**, then increase complexity gradually
2. Use **different vectors** (email, SMS, collaboration tools)
3. Send from **external-looking domains** to simulate real attackers
4. Include **educational feedback** after each test
5. Test **high-risk roles** more frequently (HR, Finance, Executives)

---

## How AutoPhish Can Help

AutoPhish offers **automated phishing campaigns** powered by AI. Our key features:

* 🧠 Realistic, natural-language phishing emails
* 🕵️ Spear phishing simulation for management roles
* 📈 Dashboards to track employee progress
* 🔐 GDPR-compliant, EU-based infrastructure
* 📨 No real email credentials ever collected

Try it at [autophish.io](https://autophish.io)

---

## Conclusion: It’s Time to Act

Phishing isn’t just an IT issue—**it’s a people issue**. And in 2025, the stakes are higher than ever.

✅ Your customers expect strong security
✅ Regulators demand proactive measures
✅ Insurance providers need proof of resilience
✅ Your reputation depends on prevention

**Start simulating. Start improving. Start protecting.**

---

### Further Reading

* [ENISA Threat Landscape 2024](https://www.enisa.europa.eu/publications/enisa-threat-landscape-2024)
* [European Commission – NIS2 Directive](https://digital-strategy.ec.europa.eu/en/policies/nis2-directive)


Cybersecurity training often fails where it matters most: behavior. While companies spend millions on firewalls and endpoint protection, a single click by an employee on a well-crafted phishing email can still bypass all defenses.

Traditional training methods—annual seminars, slide decks, compliance checkboxes—are not enough. They lack context, repetition, and most importantly: realism.

This is where **Phishing Simulations-as-a-Service (PhaaS)** comes in. By automating realistic, behavior-driven phishing tests, platforms like **AutoPhish** provide organizations with a modern, cost-effective way to improve security awareness.

---

## What Is Phishing Simulations-as-a-Service (PhaaS)?

Phishing Simulations-as-a-Service refers to cloud-based platforms that simulate phishing attacks to test and train employees. Unlike one-time workshops or static quizzes, these platforms provide:

- Recurring email simulations
- Role-based targeting (e.g., HR, finance, executives)
- Analytics on user behavior (who clicked, reported, or ignored)
- Just-in-time learning after each simulation

These simulations mimic real phishing threats in tone, structure, and design—often using AI to adapt and diversify content.

The goal isn’t to “trick” employees—it’s to help them **build lasting instincts** through exposure to safe, yet realistic scenarios.

---

## Why PhaaS Is Superior to Traditional Training

### 1. Behavior-Based Assessment

Conventional training tests knowledge. PhaaS tests behavior. This distinction is critical: employees don’t fall for phishing because they lack information, but because they fail to apply it in real-time.

### 2. Continuous Improvement

Cybersecurity is not a one-time event. Regular testing ensures that awareness remains high and adapts to evolving threats. Monthly or quarterly phishing campaigns establish cybersecurity as an ongoing responsibility.

### 3. Measurable Risk Reduction

With each test, you gain actionable data:

- Click-through rates
- Reporting rates
- Repeat offenders
- Departmental risk profiles

This data enables targeted interventions and compliance reporting.

### 4. Cost Efficiency

According to IBM's "Cost of a Data Breach 2024" report, the average breach costs €4.45 million globally. Phishing simulations reduce breach likelihood at a fraction of that cost. Services like AutoPhish offer predictable pricing and automated delivery—ideal for small and mid-sized enterprises (SMEs).

### 5. Smarter Than Manual Campaigns by Consultants

While cybersecurity consultants can craft bespoke phishing campaigns, they are often expensive, limited in scope, and hard to scale. AutoPhish, by contrast:

- **Delivers fresh, relevant campaigns regularly** using AI-generated content
- **Frees up CISOs and security teams** to focus on critical threats and incident response
- **Avoids reliance on manual creativity**, which is difficult to sustain long-term
- **Costs significantly less**, while providing higher frequency and consistency

For companies without a dedicated security awareness team, AutoPhish provides enterprise-grade simulation capability out-of-the-box.

---

## How AutoPhish Delivers PhaaS

AutoPhish is a European phishing simulation platform designed to be:

- Automated and scalable
- GDPR-compliant
- Powered by AI for content generation

### Key Features:

- **AI-generated phishing emails** that evolve over time
- **Spear phishing simulations** for high-risk roles
- **Detailed reports** for CISOs, IT admins, or DPOs
- **Education modules** triggered after interaction with phishing attempts
- **No credential capture**—simulations are safe by design

The platform runs monthly or custom-timed campaigns and includes industry-specific templates (e.g., banking, logistics, health care).

---

## The Science Behind Effective Phishing Simulations

Behavioral science supports learning by doing. Research by the National Cyber Security Centre (UK) and MITRE suggests that repeated exposure to simulated threats:

- Builds cognitive familiarity
- Encourages pattern recognition
- Improves threat detection over time

Moreover, simulations allow for **safe failure**. Employees who fall for a test receive immediate, contextualized feedback, turning a mistake into a microlearning moment.

---

## Compliance and Legal Considerations

Under the **NIS2 Directive**, businesses in the EU must:

- Implement risk management and security training measures
- Ensure incident readiness and reporting

Phishing simulations qualify as part of these compliance strategies—especially when:

- Conducted regularly
- Accompanied by training feedback
- Documented for audits

AutoPhish is fully compliant with GDPR. It collects no personal data beyond internal login metadata (e.g., email address) and does not store passwords or real user inputs.

---

## Getting Started

Launching a PhaaS program with AutoPhish typically takes less than 30 minutes:

1. Define your target group(s)
2. Schedule campaigns (monthly, quarterly, ad hoc)
3. Monitor results via dashboard
4. Share learnings with employees

No installation is required, and the platform integrates with standard email environments like Microsoft 365 and Google Workspace.

---

## Conclusion

Phishing Simulations-as-a-Service is not just a trend—it’s a necessary shift in how businesses approach cybersecurity training.

By simulating realistic threats, reinforcing behavior, and enabling continuous improvement, PhaaS helps companies reduce risk without overloading their teams.

**AutoPhish** makes this process simple, safe, and scalable—helping your employees become the firewall.

---

## Further Reading & Sources

- IBM Security: [Cost of a Data Breach 2024](https://www.ibm.com/reports/data-breach)
- ENISA: [Threat Landscape 2024](https://www.enisa.europa.eu/publications/enisa-threat-landscape-2024)


## Introduction

It only takes one click.

One employee, one moment of distraction, and one well-crafted phishing email can lead to credential theft, ransomware deployment, or even full-blown data breaches.

In 2025, phishing emails are no longer filled with broken English or Nigerian prince tropes. They’re polished, personalized, and scarily realistic—often generated or enhanced by AI. And they’re getting through.

In this article, we’ll break down the anatomy of a modern phishing email, highlight the tactics used, and explain what your employees are likely to miss. We’ll also offer tips to detect them—and explain why phishing simulations remain the best defense.

---

## Common Types of Phishing Emails

### 1. **Credential Harvesters**
These mimic login pages for Microsoft 365, Google Workspace, Dropbox, etc. A fake login page captures the user's email and password.

> 🧠 **Example:** “We’ve detected unusual login activity. Please verify your account.”

### 2. **Business Email Compromise (BEC)**
An attacker spoofs or compromises a legitimate account and requests invoice payments, sensitive data, or wire transfers.

> 🧠 **Example:** “Can you process this urgent payment before 2 PM? I’m traveling.”

### 3. **Malware Delivery**
Emails contain malicious attachments (PDF, ZIP, or Excel) that install malware or ransomware when opened.

> 🧠 **Example:** “Invoice Q2 - Please see attached.”

### 4. **Fake HR/IT Notices**
Mimic internal announcements to prompt password resets or policy reviews.

> 🧠 **Example:** “Security policy update - All employees must review by Friday.”

---

## Dissecting the Phishing Email: Key Components

Let’s break down a typical phishing email and the deceptive elements used.

### 🔍 1. **The From Address**
- Looks like: `support@m1crosoft.com` or `alerts@dropbox-files.net`
- **Trick:** Domain spoofing or using lookalike characters (e.g., “rn” instead of “m”)

### 💬 2. **The Subject Line**
- Designed to trigger urgency or fear: 
    - “URGENT: Account Suspension Notice”
    - “Action Required: Tax Form Submission”

### 🧠 3. **The Body Content**
- Uses real company logos and signatures
- May include links to cloned websites
- Often uses common templates (like O365 messages)

### 🔗 4. **The Call to Action (CTA)**
- Example CTAs: “Verify Now,” “Reset Password,” “Download File”
- Usually masked behind a hyperlink or button

### 🧠 5. **Psychological Triggers**
Phishing relies on cognitive manipulation, such as:
- **Urgency**: “Act fast or lose access”
- **Authority**: “Sent from CEO or IT”
- **Fear**: “Security violation detected”
- **Greed**: “Bonus payout now available”

---

## Real-World Example: A Closer Look

**Subject:** `Re: Updated Contract – Action Needed`

> *Hi Max,
>
> Please find attached the final version of the NDA.
>
> Let me know once it’s signed so I can forward it to legal.*

**Attachment:** `NDA_v2.pdf.exe`

**From:** `janet@consultant-corp.eu`

**Analysis:**
- Impersonates a known contact
- Includes plausible business language
- The file is actually an executable

If the user downloads and opens it—ransomware installs silently in the background.

---

## What Employees Miss—And Why

Despite annual training, phishing emails still succeed. Here’s why:

- 📬 **Inbox fatigue**: Dozens of emails per day dull awareness
- 🧠 **Cognitive overload**: Multitasking lowers scrutiny
- 👤 **Trust in appearance**: Visual cues like logos are persuasive
- 💼 **Social engineering**: Exploits role-specific routines (e.g., HR, accounting)

According to [Verizon’s 2024 DBIR](https://www.verizon.com/business/resources/reports/dbir/), 74% of breaches involve the human element.

---

## Red Flags to Train For

- ❌ Unusual sender domain or misspellings
- ❌ Generic greeting: “Dear user” or “Hello customer”
- ❌ Unexpected urgency: “Account locked”
- ❌ Suspicious attachments or shortened URLs
- ❌ Requests for personal info or login re-entry

Encourage employees to follow the S.T.O.P. method:

**S**: Scrutinize the sender  
**T**: Think before clicking  
**O**: Observe unusual tone or urgency  
**P**: Preview links before clicking

---

## Why Simulations Work Better Than Training Alone

### ✅ Real-World Practice
Simulations mimic real attacks and test **actual behavior**, not theoretical knowledge.

### 📈 Measurable Results
Track who clicks, reports, or fails to notice—and provide targeted coaching.

### 🔁 Habit Building
Regular testing keeps awareness fresh and reinforces good habits.

---

## How AutoPhish Helps

At [AutoPhish](https://autophish.io), we craft **hyper-realistic phishing emails** tailored to your business context using AI and real-world templates. Features include:

- 🧠 Personalized email content per industry or role
- 📬 Monthly (or other interval) campaigns with dynamic templates
- 🔍 Click, open, and report tracking
- 📚 Instant learning feedback for employees

Fully GDPR-compliant and hosted in the EU.

---

## Final Thoughts

Modern phishing emails are no longer obvious scams—they are **quietly convincing**. And when it comes to cybersecurity, **your weakest link is still human behavior**.

By understanding what makes phishing emails work—and what your employees miss—you can proactively strengthen your defenses.

**Train minds, not just checkboxes. Simulate, analyze, repeat.**

---

### Further Reading
- [Verizon DBIR 2024](https://www.verizon.com/business/resources/reports/dbir/)
- [ENISA Threat Landscape 2024](https://www.enisa.europa.eu/publications/enisa-threat-landscape-2024)


Blog

Datenschutzgerechtes Phishing-Training: Betriebsräte, Einwilligungen und GDPR-Grundlagen

Automatisierte Phishing-Tests vs. manuelle Kampagnen: Was ist das Beste für dein Unternehmen?

Open-Source Phishing-Simulationstools vs. Managed Solutions: Ein technischer und geschäftlicher Vergleich

Messung des ROI von Sicherheitsschulungen

Bin ich haftbar, wenn mein Mitarbeiter auf einen Phishing-Angriff hereinfällt?

Warum Phishing-Simulationen für europäische Unternehmen im Jahr 2025 nicht mehr optional sind

Phishing-Simulationen-as-a-Service erklärt: Smarteres Mitarbeitertraining mit AutoPhish

Die Anatomie einer modernen Phishing-E-Mail: Was deine Mitarbeiter jeden Tag übersehen

Bereit, deine menschliche Firewall zu stärken?