Legal Framework for Phishing Simulations: A Compliance Guide for CISOs (GDPR, NIS2, DORA)
Discover the legal framework for running phishing simulations in compliance with GDPR, NIS2, and DORA. Essential guide for CISOs on legitimate interest, LIA, and how to avoid sanctions.

Launching a phishing simulation that is both legal and effective is one of the main challenges for any CISO. The key is not to avoid these crucial tests but to execute them under a robust framework that balances the need for business resilience with strict GDPR compliance.
Cybersecurity is already a strategic priority at the Board level. However, when it comes to measuring the human factor, the most effective tools—such as attack simulations—generate deep regulatory uncertainty. How can we test our human defenses realistically without violating employees’ fundamental rights under the GDPR?
This article clarifies that tension. We provide a clear and practical reference framework for implementing phishing simulation programs legally, effectively, and defensibly before regulators and employees. Consider this your complete guide to attack simulations to turn uncertainty into a solid, proactive cybersecurity compliance strategy.
The Key Legal Foundation: Legitimate Interest Under GDPR
To run a phishing simulation legally under the GDPR, the correct legal basis is the company’s “legitimate interest,” not employee consent. Requesting prior consent would invalidate the test’s effectiveness, while legitimate interest provides a firm and defensible foundation for protecting the organization’s critical assets—provided it is adequately documented through a Legitimate Interest Assessment (LIA).
Why Legitimate Interest and Not Consent?
Many security and HR leaders wonder: “Shouldn’t I ask my employees for permission before a phishing simulation?” The answer is a resounding no. Consent under the GDPR must be freely given and informed. If you warn employees that they will receive a phishing simulation on a specific date, the test loses all value. It would cease to be a realistic measure of vulnerability and would become a mere theoretical exercise.
The reality is that the company has a superior and legitimate interest in protecting itself. With more than 85% of data breaches involving a human component (according to Verizon’s 2023 DBIR), verifying human resilience is not optional—it is an obligation. This interest in protecting infrastructure and data is the appropriate legal basis under Article 6 of the GDPR.
The Three-Step Balancing Test (LIA – Legitimate Interest Assessment)
To validate the legitimate interest, it is not enough to declare it; you must demonstrate it. This is done through a documented analysis known as a Balancing Test (LIA), consisting of three logical steps:
Purpose (The “Why”)
Define the purpose of the processing clearly. It is not about “monitoring” employees but about specific objectives such as:
- Assessing and improving the organization’s resilience to social engineering attacks.
- Complying with NIS2 or DORA regulatory obligations.
- Training employees to recognize real threats and protect company assets.
- Continuously measuring the effectiveness of security controls.
Necessity (The “How”)
Justify why the phishing simulation is necessary to achieve that purpose. You must argue that no less intrusive alternative provides the same level of effectiveness. For example, theoretical courses or videos cannot measure real behavior during a threat—something simulations are explicitly designed to evaluate.
Balancing (The “Equilibrium”)
This is the most critical step. You must balance your organization’s legitimate interest against employees’ rights and freedoms. The key is showing that the impact on employee privacy is minimal, justified, and proportionate. For example, avoid deceptive lures on sensitive topics and ensure that collected data is strictly limited to what is necessary.
Documentation: The Key to Demonstrating Legitimate Interest
The Weighting Test (LIA) is not a mental exercise; it is your main evidence of compliance with the GDPR. It must be a formal, dated document, reviewed by the Data Protection Officer (DPO) and carefully filed. In an inspection by the AEPD or any other supervisory authority, this document will be the first proof requested from you to justify the legality of your phishing simulation campaigns. Without it, your program has no legal basis and is indefensible under the GDPR.
NIS2 and DORA: From Best Practice to Regulatory Obligation
New European regulations such as NIS2 and DORA elevate cyberattack simulations from best practice to demonstrable regulatory obligation. Training employees is no longer enough; regulators now require evaluating the effectiveness of that training and underlying security measures. Phishing simulations are the most direct tool for generating such evidence.
If your organization wonders “how does NIS2 affect employee management?”, the answer is validation. Audits will no longer accept a mere “training completed” checkbox.
NIS2: Training and Effectiveness Evaluation
The NIS2 Directive—required to be transposed by EU Member States by October 2024—significantly raises the bar for essential and important entities. Article 21 mandates that organizations adopt cybersecurity risk-management measures, including “policies and procedures regarding the use of cryptography” and, critically, “human resources security, access control policies, and asset management.”
The Directive goes further by explicitly requiring evaluation of the effectiveness of such measures. There is no more direct and objective way to measure the human factor’s effectiveness than through controlled simulations. These tests prove to regulators that you not only teach the theory but validate its real-world application.
DORA: Digital Operational Resilience Testing for the Financial Sector
For the financial sector and its critical ICT providers, the DORA Regulation is even more prescriptive. It requires an advanced operational resilience testing program, including Threat-Led Penetration Testing (TLPT).
Given that phishing is the main attack vector in 90% of incidents in the financial sector, phishing simulations become an essential component of these resilience tests. Ignoring them is not an option—it is a direct regulatory violation.
ISO 27001 and Other Frameworks: The Requirement for Continuous Awareness
Even beyond these regulations, established frameworks have long pointed in the same direction. ISO 27001, in Annex A (Control A.6.3), requires a program for awareness, training, and education in information security.
Simulations are the perfect tool to validate whether awareness translates into secure behavior and to identify training gaps. They are an essential element of continuous improvement required by these standards and a way to demonstrate compliance under NIS2, DORA, and ISO 27001.
Practical Guide: Legally Sound Implementation of a Phishing Simulation Campaign
To implement a legally robust phishing simulation campaign, it is essential to combine transparent communication with employees, strict data minimization, and strong evidentiary documentation. Success lies not only in technology but in a process that respects employee rights while meeting security and GDPR obligations.
Here is a four-step practical guide to ensuring your program is robust, defensible, and effective.
1. Communication and Transparency (Before and After)
Trust is the foundation of a positive security culture. Opaque or missing communication can lead to rejection and unnecessary labor conflicts.
Before the campaign: It is crucial to inform both employee representatives (works council) and employees in general. This does not mean revealing specific dates or lures (which would invalidate the test) but communicating the existence of a continuous cybersecurity training and evaluation program that includes practical simulations. This must be included in the company’s security policy.
After the campaign: Reporting results is equally important. These must always be presented in an aggregated and anonymous manner. The goal is to highlight collective improvement areas and celebrate successes—never shame individuals. The approach must be educational, not punitive.
2. Data Minimization: What to Collect and What Not to Collect
The GDPR’s data minimization principle is your best guide. You should collect only the information strictly necessary to fulfill the declared purpose in your LIA.
What to collect: Basic binary interaction data—Did the user open the email? Did they click the link? Did they enter credentials? Did they report the email?
What NOT to collect: Avoid collecting sensitive personal data or irrelevant information. The objective, in line with the GDPR, is to obtain aggregated risk metrics to plan your campaign calendar and improve training, not to create individual behavioral profiles. Data must be retained only for the minimum time necessary for analysis and reporting.
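The following is an added example, not code from the article, of what "collect only the binary interactions, report only aggregates, retain only briefly" looks like when enforced in the result store itself rather than in a policy document. The event vocabulary, the HMAC-SHA256 pseudonym keyed per campaign, the minimum group size of 5 before a departmental breakdown is reported, and the 90-day retention window are assumed, illustrative choices; the sample campaign is constructed.

```python
"""Privacy-preserving result store for a phishing simulation campaign.

Added example (not code from the article). Assumed choices: the event
vocabulary, HMAC-SHA256 pseudonyms keyed per campaign, a minimum group size
of 5 before any breakdown is reported, and a 90-day retention window.
"""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import date, timedelta

# The only facts worth recording: the binary interactions the article names.
EVENTS = ("delivered", "opened", "clicked", "submitted", "reported")
MIN_GROUP = 5         # assumed: breakdowns smaller than this are suppressed
RETENTION_DAYS = 90   # assumed: raw events are purged after this window


def pseudonym(employee_id: str, campaign_key: bytes) -> str:
    """Keyed one-way token so raw events never carry the employee id.
    A fresh key per campaign means tokens cannot be joined across campaigns
    into a longitudinal profile of one person."""
    digest = hmac.new(campaign_key, employee_id.encode(), hashlib.sha256)
    return digest.hexdigest()[:16]


@dataclass(frozen=True)
class Event:
    subject: str      # pseudonym, never the employee id or e-mail address
    department: str   # the only grouping attribute kept
    kind: str
    day: date


@dataclass
class CampaignStore:
    campaign_key: bytes
    launched: date
    events: list[Event] = field(default_factory=list)

    def record(self, employee_id: str, department: str, kind: str, day: date) -> None:
        """Minimisation enforced at the boundary: anything outside EVENTS
        (browser fingerprint, IP address, typed credentials) is rejected."""
        if kind not in EVENTS:
            raise ValueError(f"refusing to store non-minimal event type: {kind!r}")
        self.events.append(Event(pseudonym(employee_id, self.campaign_key), department, kind, day))

    def aggregate(self, by_department: bool = False) -> dict:
        """Campaign-level rates only. Each employee counts once per event type,
        and any group below MIN_GROUP is suppressed rather than reported."""
        groups: dict[str, list[Event]] = {}
        for ev in self.events:
            groups.setdefault(ev.department if by_department else "all", []).append(ev)
        report: dict = {}
        for name, evs in groups.items():
            distinct = {k: {e.subject for e in evs if e.kind == k} for k in EVENTS}
            delivered = len(distinct["delivered"])
            if delivered < MIN_GROUP:
                report[name] = "suppressed"
                continue
            rates = {f"{k}_rate": round(len(distinct[k]) / delivered, 3)
                     for k in EVENTS if k != "delivered"}
            report[name] = {"delivered": delivered, **rates}
        return report

    def purge_expired(self, today: date) -> int:
        """Delete raw events once the retention window has passed and discard
        the key, so surviving tokens can no longer be linked back to anyone."""
        if today < self.launched + timedelta(days=RETENTION_DAYS):
            return 0
        purged = len(self.events)
        self.events.clear()
        self.campaign_key = b""
        return purged


def demo_store() -> CampaignStore:
    """Constructed sample campaign: 14 recipients in three departments."""
    store = CampaignStore(campaign_key=b"constructed-demo-key", launched=date(2025, 3, 3))
    d0 = date(2025, 3, 3)
    people = {"finance": ["f1", "f2", "f3", "f4", "f5", "f6"],
              "hr": ["h1", "h2", "h3", "h4", "h5", "h6"],
              "legal": ["l1", "l2"]}
    for dept, ids in people.items():
        for emp in ids:
            store.record(emp, dept, "delivered", d0)
    opened = {"finance": ["f1", "f2", "f3", "f4"], "hr": ["h1", "h2", "h3"], "legal": ["l1"]}
    clicked = {"finance": ["f1", "f1", "f2"], "hr": ["h1"], "legal": ["l1"]}  # f1 clicked twice
    submitted = {"finance": ["f1"]}
    reported = {"finance": ["f5", "f6"], "hr": ["h4", "h5", "h6"]}
    for kind, table in (("opened", opened), ("clicked", clicked),
                        ("submitted", submitted), ("reported", reported)):
        for dept, ids in table.items():
            for emp in ids:
                store.record(emp, dept, kind, d0 + timedelta(days=1))
    return store


if __name__ == "__main__":
    s = demo_store()
    print(s.aggregate())
    print(s.aggregate(by_department=True))
    print("purged:", s.purge_expired(date(2025, 6, 1)))
```

Two design points carry the legal argument: the store refuses any event type outside the declared purpose, so "we only collect binary interactions" is a property of the system rather than a promise, and the two-person legal department is reported as "suppressed" in the departmental breakdown, because a group that small would let a reader re-identify who clicked. Discarding the campaign key at purge time is what turns the surviving pseudonyms into genuinely anonymous tokens.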
3. Red Lines: Simulations You Must Avoid
Not every lure is legally valid. Using topics that may cause disproportionate distress or affect employee dignity is the fastest path to invalidating your legitimate interest and facing legal issues.
Avoid lures related to:
- Sensitive employment topics (layoffs, payroll changes, bonuses)
- Personal or family health
- Tragedies or emotionally charged events
These themes are not only ethically questionable but also generate a level of stress that is not representative of a standard phishing attack and may be considered a violation of workers’ rights. If you need help designing an advanced and effective simulation plan, rely on experts.
4. Evidence Creation for Audits and Regulators
You must be able to demonstrate due diligence. Your phishing simulation program must be backed by a solid compliance dossier, your main asset in an internal audit or AEPD inspection.
Your dossier must include at minimum:
- Full, signed, dated LIA
- Internal security policy supporting the simulations
- Official communications to employee representatives
- Aggregated and anonymised results reports demonstrating the analysis and the improvement actions derived from the campaigns
Risks and Sanctions: The Consequences of Poor Execution
A poorly executed phishing simulation can lead to serious consequences, from GDPR fines to labor conflicts. The biggest risk is not the simulation itself but ignoring the legal framework.
GDPR Sanctions: Beyond Fines
Authorities like the AEPD can impose:
- Warnings and corrective orders
- Processing prohibitions
- Reputational damage
All of which directly impact operations and trust.
Labor Implications: Conflicts and Worker Rights
The employment law front is equally critical, as a poorly executed phishing simulation can have direct legal consequences, both for non-compliance with the GDPR and with labor regulations. A simulation that uses disproportionate lures, or that has not been properly communicated to the employee representatives (RLT), can be considered a violation of the worker's right to privacy and dignity set out in the Workers' Statute.
This can lead to a complex scenario with several possible consequences:
- Complaints to the Labour and Social Security Inspectorate, which can initiate its own sanctioning procedure against the company.
- Individual lawsuits by the affected workers, claiming compensation for damages.
- Deterioration of the work environment, generating distrust and hostility towards the security department and management itself.
Frequently Asked Questions about the Legal Framework of Phishing Simulations
Legal Bases (GDPR)
Is it legal to carry out phishing simulations on employees in Spain?
Yes, it is legal if it is based on the company's "legitimate interest" in protecting its security, is documented by a Weighting Test (LIA), and the principles of data minimisation and transparency are respected.
Do I need my employees' consent for a phishing simulation?
No, consent is not the proper legal basis, as it would invalidate the effectiveness of the test. The correct basis is legitimate interest, which must be duly justified and documented by the company.
What exactly is a Weighting Test or LIA?
It is a documented risk analysis, required by the GDPR, in which an organization demonstrates that its legitimate interest in running a phishing simulation overrides the rights of the individuals concerned.
What evidence should I submit to a regulator about my simulations?
You must submit the Weighting Test (LIA) document, the internal policy that covers the simulations, the communications to the workers' representatives, and the aggregated and anonymised results reports.
Specific Regulations (NIS2 and DORA)
Does NIS2 explicitly force me to do phishing simulations?
It does not mention the word "phishing," but it does require "evaluating the effectiveness" of cybersecurity risk management measures. Simulations are the most recognized and accepted way, by industry and regulators, to meet this assessment requirement.
What is the difference between DORA's and NIS2's approach to testing?
DORA is specific to the financial sector and requires a very detailed resilience testing program, including TLPTs. NIS2 is broader and establishes a general principle of "effectiveness evaluation", leaving more flexibility in the "how".
Practical Implementation and Mistakes to Avoid
What is the biggest legal mistake when launching a phishing campaign?
Using decoys with very sensitive topics (health, payroll, dismissals) or collecting more personal data than strictly necessary. This can override legitimate interest and lead to legal and labor disputes.
Do I have to inform the Works Council before each phishing simulation?
Not of each specific campaign, as it would lose the surprise factor. However, you should inform them of the existence of the simulation program in general, its objectives, and the legal framework under which it operates.
Labor Implications and Penalties
Can I use the results of a simulation to sanction an employee?
No. The goal of a phishing simulation is education and risk assessment, not discipline. Using the results to sanction an employee would be disproportionate and would open the door to serious labor disputes.
Can an employee refuse to participate in a phishing simulation?
No, if the simulation is supported by a valid legitimate interest and is part of the company's security measures. It is not a voluntary activity but an organizational security measure.
What is the most likely penalty for a poorly designed phishing campaign?
Although fines running into the millions are possible, the most common sanction for a first offense is usually a formal warning from the supervisory authority (such as the AEPD), ordering the company to correct its methodology.
Does the LIA protect me from any GDPR sanctions?
A well-executed LIA is your best defense and demonstrates due diligence. However, it does not exempt you from complying with the rest of the GDPR's principles. It is a necessary, but not the only, component of your compliance strategy.