One of the most common questions we hear from small business owners is straightforward: "Am I actually required to train my employees on cybersecurity, or is it just a nice-to-have?" The answer, for a growing number of businesses, is that it is a legal or contractual requirement. And even when it is not explicitly mandated, failing to provide training can expose you to liability, insurance complications, and regulatory scrutiny.

TL;DR — Key Takeaways

  • Discover which regulations and standards require security awareness training
  • Understand how HIPAA applies to healthcare organizations and protected health information
  • Understand how PCI DSS applies to businesses that handle payment card data

Visual Overview

Compliance Framework → Identify Requirements → Design Training Program → Deliver to All Staff → Track Completion → Generate Evidence → Submit for Audit

This article breaks down the major regulations, standards, and frameworks that require or strongly recommend security awareness training. If your business falls under any of these, training is not optional — it is a compliance obligation.

HIPAA: Healthcare and Protected Health Information

If your business handles protected health information (PHI) — whether you are a healthcare provider, health plan, clearinghouse, or a business associate of any of these — HIPAA requires security awareness training.

The HIPAA Security Rule (45 CFR 164.308) specifically mandates:

  • Security awareness and training program: You must implement a security awareness and training program for all members of your workforce, including management.
  • Periodic security reminders: Regular updates and reminders about security policies and procedures.
  • Protection from malicious software: Training on procedures for guarding against, detecting, and reporting malicious software.
  • Login monitoring: Training on procedures for monitoring login attempts and reporting discrepancies.
  • Password management: Training on procedures for creating, changing, and safeguarding passwords.

HIPAA does not specify exact training frequency, but the Office for Civil Rights (OCR) expects training at hire and periodically thereafter. Most compliance experts recommend at least annual training with quarterly reminders.

In 2025, OCR settled with a dental practice for $350,000 after a phishing attack exposed patient records. The investigation revealed the practice had never conducted security awareness training — a clear HIPAA violation that contributed to the breach.

PCI DSS: Payment Card Data

If your business accepts credit card payments, PCI DSS Requirement 12.6 explicitly requires security awareness training. The standard mandates:

  • A formal security awareness program for all personnel upon hire and at least annually thereafter.
  • Training must cover the threats and vulnerabilities that could impact the security of cardholder data.
  • Personnel must acknowledge at least annually that they have read and understood the security policy and procedures.
  • PCI DSS v4.0 added a requirement for training to specifically address phishing and social engineering threats.

For more on PCI DSS compliance broadly, see our PCI DSS compliance guide for small businesses.

GDPR: European Data Protection

The General Data Protection Regulation does not contain an explicit "you must train employees" provision. However, Article 39 requires that Data Protection Officers (where appointed) oversee "awareness-raising and training of staff involved in processing operations." And Article 32 requires organizations to implement "appropriate technical and organisational measures" to ensure data security — which regulators consistently interpret to include staff training.

In practice, GDPR enforcement actions frequently cite lack of employee training as a contributing factor in data breaches. Supervisory authorities across Europe have made clear that:

  • Training is considered a fundamental organizational measure under Article 32.
  • Employees who handle personal data must understand data protection principles.
  • Regular refresher training is expected, not just onboarding sessions.
  • Failure to train can increase fines when breaches occur.

SOC 2: Service Organizations

If your business provides services to other companies — particularly SaaS providers, managed service providers, or cloud-based service companies — your customers may require you to be SOC 2 compliant. SOC 2 is based on the AICPA Trust Services Criteria, and the Common Criteria include a clear training requirement.

Specifically, CC1.4 requires that the organization "demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives." This includes:

  • Security awareness training for all employees.
  • Training on specific security policies and procedures relevant to each role.
  • Documented training records showing completion dates and topics covered.
  • Annual or more frequent training cycles.

SOC 2 auditors will specifically ask for evidence of your training program, including completion records and training content.

State Privacy Laws and Industry-Specific Regulations

Beyond the major frameworks, a growing number of state laws and industry-specific regulations require or strongly recommend security training:

State Laws

  • New York SHIELD Act: Requires businesses handling New York residents' private information to implement a data security program that includes employee training.
  • Massachusetts 201 CMR 17.00: One of the strictest state data protection laws, explicitly requiring "ongoing employee training" as part of a written information security program.
  • California CCPA/CPRA: Requires businesses to "implement and maintain reasonable security procedures," which regulators interpret to include training.
  • Texas Identity Theft Enforcement and Protection Act: Requires businesses to implement and maintain reasonable procedures, including training, to protect sensitive personal information.

Industry-Specific

  • GLBA (Gramm-Leach-Bliley Act): Financial institutions must train employees on information security policies and procedures.
  • FERPA: Educational institutions must train staff on protecting student records.
  • CMMC (Cybersecurity Maturity Model Certification): Defense contractors must provide security awareness training to all users of organizational systems.
  • FTC Safeguards Rule: Updated in 2023, it requires financial institutions to provide security awareness training and to use qualified individuals to oversee the security program.

Cyber Insurance Requirements

Even if no regulation directly applies to your business, your cyber insurance policy almost certainly has security training expectations. Insurance applications increasingly ask:

  • Do you provide security awareness training to all employees?
  • How frequently is training conducted?
  • Do you conduct phishing simulations?
  • Can you provide documentation of training completion?

Answering "no" to these questions can result in higher premiums, coverage exclusions, or outright denial. And if a breach occurs and you cannot demonstrate that training was in place, your insurer may deny or limit your claim.

A 2025 survey by the Insurance Information Institute found that 78% of cyber insurance underwriters consider security awareness training a "significant factor" in policy pricing, and 43% now require it as a condition of coverage.

What Good Compliance Training Looks Like

Meeting the training requirements across these various regulations does not mean running separate programs for each one. A well-designed security awareness training program can satisfy multiple requirements simultaneously. Here is what auditors and regulators expect to see:

  1. Regular cadence: Training at hire and at least annually thereafter. Monthly or quarterly micro-training modules are even better.
  2. Relevant content: Training should cover the specific threats relevant to your industry — phishing, social engineering, password security, data handling, physical security, and incident reporting.
  3. Phishing simulations: Simulated phishing exercises test whether training is actually changing behavior. Many regulations and insurance policies now expect these.
  4. Documented completion: You need records showing who completed training, when, and what topics were covered. This is your evidence during an audit or breach investigation.
  5. Role-based training: Employees who handle sensitive data, manage systems, or have elevated access should receive additional targeted training.
  6. Updated content: Training materials should be reviewed and updated at least annually to reflect current threats and regulatory changes.

For a deeper analysis of the business case for training, see our article on the ROI of cybersecurity awareness training.

Your Compliance Training Action Plan

Here is how to get started or improve your existing program:

  1. Identify which regulations apply to your business. Consider the data you handle (health, financial, payment card, personal), the industries you serve, and the states where your customers reside.
  2. Review your cyber insurance policy. Check for training requirements or recommendations in your policy terms, application, and any supplementary questionnaires.
  3. Choose a training platform that covers the topics required by your applicable regulations and provides documented completion tracking. Cyber Learning Hub is designed specifically for this purpose.
  4. Set a training schedule. At minimum, conduct training at hire and annually. Ideally, add quarterly phishing simulations and monthly micro-training modules.
  5. Document everything. Keep records of training dates, attendees, topics covered, quiz scores, and phishing simulation results. Store these records for at least three years.
  6. Review and update annually. Each year, review your training program against current regulatory requirements and update content to address emerging threats.

Security awareness training is no longer a best practice reserved for large enterprises. It is a regulatory requirement for most businesses and a practical necessity for all of them. The good news is that meeting these requirements does not have to be complicated or expensive. With the right platform and a consistent approach, you can satisfy multiple compliance obligations while genuinely reducing your risk of a breach.