Cognitive Load and Compliance: A Human-Centric Framework for NIS2 in Latvian SMEs
Abstract
The transposition of the EU NIS2 Directive into Latvia’s National Cybersecurity Law (NKDL) significantly expands the scope of regulation: from ~1,000 to ~8,000 organizations, many of them SMEs without dedicated security teams. The aim of this paper is to develop a human-centric compliance framework for Latvian SMEs that operationalizes selected NIS2/NKDL cybersecurity requirements through a cognitive-load perspective. This paper frames NIS2 compliance as a cognitive ergonomics problem and develops a low-friction “NIS2 Compliance Starter Pack” that reduces response cost while preserving auditable evidence. Using a socio-technical synthesis, NKDL obligations are mapped to pragmatic controls and to workload indicators derived from the NASA Task Load Index (NASA-TLX). The developed framework prioritizes secure by default interventions - such as default multi-factor authentication, automated security nudges, and micro learning - over high-intensity training that often produces fatigue and workarounds. Sustainable cyber resilience is treated as an engineered property of the work system rather than a checklist outcome.
Keywords: NIS2 Directive, Human Factors, Cognitive Load, SMEs, Cybersecurity, NASA-TLX
DOI: 10.54941/ahfe1007408
Cite this paper
More from this volume
- A Human Factors-Cyber-Safety Framework for Risk and Requirements in Critical Infrastructure
- Eye tracking study to analyze context encoding during phishing decision making
- Enhancing Cybersecurity Learning Through Online Platforms and Gamified Approaches
- Privileged Learning for Instance Representation in Cognitive Models of Phishing Decisions
- Calibrating Trust in AI-Driven Cyber Defenses: Human Reliance, Resistance, and Decision Dynamics
- Governing the human factor in cybersecurity: A regulatory perspective
- Assessing Trust in Digital Service Engineering: An Empirical Case Study of Public CCTV Analytics in Germany
- Simulating the Threat: A Phishing Campaign to Enhance Cyber Resilience in a Large Organization
- Micro-Decisions Under Time Pressure and Dark Patterns in Digital Interfaces
- Designing an AI-Driven Framework for Human-Centered Cybersecurity Practices
- Beyond Security Awareness: A Scoping Review of Human Factors in SME Cyber Resilience Frameworks (2018-2026)
- The Human Factor in Cyber Resilience: Behavioural, Organisational and Sociotechnical Perspectives


AHFE Open Access