Last updated: April 2026

Compliance and mandatory training has become a top-five L&D priority for SMBs in 2026, according to Thirst’s State of L&D Report, which surveyed L&D pros at small to medium-sized businesses.

Yet most organisations still manage it through spreadsheets, email reminders, and manual follow-up.

The gap between those two approaches matters more than it used to. With 64% of business leaders now expecting proof that training is working — not just completed — the question is no longer whether to run mandatory training programmes. It’s whether you can show they’re effective.

This article is written for L&D managers, HR teams, and anyone responsible for running a mandatory training programme across an organisation. It covers what mandatory and statutory training are, the specific types most organisations must provide, how to build a programme that holds up under scrutiny, and how to prove to leadership that compliance is working.

What is mandatory training?

Mandatory training is any training an employer requires employees to complete as a condition of employment or continued role performance. It is not necessarily a legal requirement, but it is compulsory under the organisation’s own internal policies.

It covers areas that carry significant operational or reputational risk if employees lack awareness: data protection, cybersecurity, conflict resolution, diversity and inclusion, role-specific processes, and the use of key business systems. The defining feature is that it is set and enforced by the employer, not by legislation, which is what distinguishes it from statutory training.

From an L&D management perspective, mandatory training typically falls into three categories: training required at induction (before or immediately after an employee starts), training required at regular intervals (annual refreshers), and training triggered by a change in role, process, or risk exposure.

What is statutory training?

Statutory training is legally required. It is set by government legislation and regulatory bodies, and failing to provide it exposes an organisation to fines, legal penalties, and in serious cases, enforced operational shutdown.

The primary legislative framework in the UK is the Health and Safety at Work Act 1974, which places a legal duty on employers to provide employees with adequate information, instruction, and training to carry out their work safely. Additional regulations — including the Management of Health and Safety at Work Regulations 1999 and COSHH Regulations 2002 — extend these requirements to specific hazards and risk categories.

Statutory requirements vary significantly by sector.

A care home must provide training on safeguarding, infection control, and manual handling. A construction firm must cover working at height and asbestos awareness. A food business must ensure food hygiene certification for relevant staff. The responsibility for identifying and delivering these requirements sits with the employer, not the employee.

Mandatory vs statutory training: key differences

Both are compulsory, both carry consequences for non-compliance, and both require tracking and renewal. The difference lies in who sets the requirement and what the consequence of failure looks like.

| | Statutory training | Mandatory training |
| --- | --- | --- |
| Legally required | Yes | No (but required by employer) |
| Set by | Government and regulators | Employer or industry standards |
| Purpose | Legal compliance and workplace safety | Risk reduction and operational performance |
| Consequences of non-compliance | Fines, prosecution, operational shutdown | Business risk, reputational damage, disciplinary action |
| Examples | Fire safety, health and safety, first aid | GDPR, cybersecurity, DEI, role induction |

One important nuance worth noting: in some sectors, particularly health and social care, the terms are used interchangeably. In those environments, “mandatory training” is often used as a catch-all that covers both employer-set requirements and statutory obligations. Be clear in your own training documentation which category each programme falls into, because the consequences of non-compliance differ significantly.

Common types of mandatory training — and which are legally required

The most common question L&D teams face when building a mandatory training framework is which programmes are legally required and which are employer-determined. Here is a straightforward breakdown of the types most organisations need to manage.

Is health and safety training mandatory?

Yes. Under the Health and Safety at Work Act 1974, employers must provide sufficient information, instruction, and training to enable employees to carry out their work safely. This is a statutory obligation. The specific training required varies by role and sector — a construction worker needs significantly more than an office-based employee — but every organisation must assess and address health and safety training needs across all roles.

Is fire safety training mandatory?

Yes. Under the Regulatory Reform (Fire Safety) Order 2005, employers must provide fire safety training when an employee starts their role and whenever their responsibilities or fire risk exposure changes.

All employees who work onsite should receive basic fire safety training. Designated fire wardens require more comprehensive training covering drills, risk assessments, and evacuation procedures.

Is GDPR training mandatory?

Not explicitly in law, but UK GDPR requires organisations to ensure that anyone processing personal data does so lawfully and securely.

Providing staff with GDPR training is the most reliable way to meet this obligation, and the ICO expects organisations to be able to demonstrate that staff have been appropriately trained. Annual refresher training for all staff who handle personal data is the standard most organisations apply.

Is first aid training mandatory?

Employers must ensure that adequate first aid cover is always available on site, under the Health and Safety (First Aid) Regulations 1981.

This does not mean every employee must be trained, but enough staff must hold current first aid certification to cover all working hours. The number required depends on the size of the workforce, the nature of the work, and the level of risk involved.

Is safeguarding training mandatory?

In education, health, and social care settings, safeguarding training is effectively mandatory regardless of whether a specific law names it. Schools, care homes, and youth organisations must meet their safeguarding obligations, and training all relevant staff is the standard route to demonstrating this. It is typically required at induction and renewed on a two to three-year cycle, with updates when legislation or guidance changes.

Other commonly required types of mandatory training

Depending on sector and role, organisations frequently require mandatory training across: manual handling, equality and diversity, cybersecurity awareness, conflict resolution, complaints handling, food hygiene, COSHH awareness, and role-specific system or process induction.

The list will vary significantly between a manufacturing business and a professional services firm — which is why a role-differentiated training audit is the starting point for any effective compliance programme.


Why mandatory training matters in 2026

The pressure on L&D teams has shifted in a specific direction. According to Thirst’s 2026 State of L&D Report, proving ROI and measuring impact has overtaken learner engagement as the number one L&D challenge for the first time. That shift has direct implications for how mandatory training is designed, tracked, and reported upward.

At the same time, 76% of SMBs are entering 2026 with flat L&D budgets. The combination of rising expectations and constrained resources means every training programme needs to demonstrate measurable value, not just completion certificates.

There are four ways mandatory training delivers direct commercial value beyond box-ticking.

Reduced legal and regulatory exposure

Statutory training is non-negotiable — and the organisational risk attached to mandatory training covering areas like GDPR and cybersecurity increasingly sits in the same category. Employers who cannot demonstrate they provided necessary training before an incident are significantly more exposed to liability claims and regulatory action.

Improved workforce performance

Employees who understand their responsibilities, systems, and working environment perform better.

A 130-person software company tracked training completion against ticket resolution speed and found a 19% productivity increase over six months — evidence cited in Thirst’s 2026 report that connecting learning activity to business metrics produces results leadership responds to. Mandatory training, when tied to role performance rather than just policy compliance, becomes part of that evidence chain.

Higher retention

Employees who receive structured development from day one are more likely to stay.

Retention and attrition ranked among the top success metrics that business leaders use to evaluate L&D investment, according to the same report. An onboarding programme that includes well-designed mandatory training signals that the organisation takes development seriously before the first performance review.

Audit readiness

In regulated industries, training records are audited. An organisation that cannot produce current completion data across all required training faces not just reputational risk, but the prospect of failed audits and enforced remediation. The ability to generate a compliance report on demand is now a core operational requirement for any regulated employer.

How to build an effective mandatory training programme

Most organisations have some form of mandatory training in place. The gap between a functional programme and an effective one usually comes down to three things: relevance, structure, and renewal.

Audit what you have

Start with a clear picture of which training currently exists, who it applies to, when it was last updated, and what the actual completion rates are. Most organisations discover significant gaps at this stage — particularly around refresher cycles, where training has technically been delivered but has since expired without triggering any renewal process.

Differentiate by role

Not every employee needs every module. Fire warden training is required for designated individuals, not the entire organisation.

COSHH awareness is essential for employees who work with hazardous substances, not for those who do not. Role-differentiated training reduces the burden on employees, increases the relevance of what they receive, and makes completion rates more meaningful as a compliance metric.

Set clear renewal cycles

Mandatory training is not a one-time event. GDPR awareness, cybersecurity training, and fire safety typically require annual renewal.

Role-specific training should be refreshed whenever processes or systems change. Building renewal cycles into the programme with automated reminders prevents the compliance gaps that routinely appear in the months following an initial rollout.

Connect training to induction

The most efficient point to deliver mandatory training is during onboarding. New employees are in learning mode, expectations are being set, and the organisation has a natural window to cover all statutory and mandatory requirements before someone becomes fully operational. Employee onboarding consistently ranks among the top L&D priorities for SMBs, according to Thirst’s 2026 research — and mandatory training should sit at the core of every induction programme, not be treated as an afterthought.

Proving compliance is working

Completing training is not the same as demonstrating its impact. According to Thirst’s 2026 State of L&D Report, 64% of business leaders now expect proof that learning delivers results — yet most mandatory training programmes are still measured by completion rates alone.

Completion tells you whether someone sat through a module. It does not tell you whether the organisation is safer, more compliant, or performing better as a result. Leadership’s scorecard has shifted to productivity, cost savings, retention, and compliance rates — not attendee numbers.

Connect training to observable outcomes

Where possible, link training completion to a business metric you already track. If cybersecurity awareness training is delivered, does the rate of phishing click-throughs fall in the months that follow? If GDPR training is refreshed, do data handling incidents decrease? Correlating training activity with operational data is more compelling to leadership than percentage completion figures alone.

Report by role and deadline, not just in aggregate

A 90% overall completion rate looks strong in a headline. It becomes significantly less reassuring when the 10% who have not completed mandatory training are concentrated in the department with the highest regulatory exposure. Role-level and deadline-level reporting surfaces the gaps that aggregate numbers obscure.

Track currency, not just completion history

Training completed 18 months ago and since expired is not a compliance record — it is a liability. The most meaningful compliance metric is the percentage of employees who are currently certified, not the percentage who completed training at some point in the past. An LMS that tracks certification expiry dates and renewal cycles makes this visible in real time rather than surfacing it during an audit.

How technology makes mandatory training manageable

Managing mandatory training manually — through spreadsheets, calendar reminders, and email follow-ups — works on a very small scale. As organisations grow, the administrative overhead becomes unsustainable, and the compliance risk grows with it.

A learning management system built for SMBs addresses this at three levels. Automated scheduling and reminders mean renewal deadlines are flagged before they lapse, not after. Role-based assignment means the right training reaches the right people automatically when a new employee joins. Real-time compliance reporting means the data is always current — when an audit arrives, or leadership asks for evidence, it is available immediately.

Teams using AI-assisted L&D workflows reclaim an average of four to six hours per week, according to Thirst’s 2026 State of L&D Report — time redirected from administration to the strategic work that actually improves training quality and outcome. For L&D teams managing compliance across a growing workforce, that difference is significant.

Thirst: built for compliance-ready teams

Thirst is an AI-powered learning platform for growing SMBs. It handles the full mandatory training lifecycle — from role-based assignment and automated renewal reminders to real-time compliance dashboards that give leadership the evidence they need.

Rated 4.8 on Capterra and 4.8 on G2. Trusted by ClarusWMS, Ombar, Yellow Card and more.


Frequently asked questions

What is mandatory training in the workplace?

Mandatory training is any training an employer requires employees to complete, regardless of whether it is legally enforced.

It typically covers areas such as GDPR, cybersecurity, DEI, and role-specific procedures. While not legally mandated in the way statutory training is, it is compulsory under the organisation’s internal policy and is designed to reduce operational and reputational risk.

What is the difference between mandatory and statutory training?

Statutory training is required by UK law, such as health and safety training under the Health and Safety at Work Act 1974.

Mandatory training is required by the employer, not by legislation, covering business-specific needs like data protection or onboarding processes. Both are compulsory for employees, but statutory training is set by the government and regulators, while mandatory training is set by the organisation itself.

Is health and safety training mandatory?

Yes. Under the Health and Safety at Work Act 1974, employers must provide adequate training to enable employees to carry out their work safely. This is a statutory requirement. The specific training required varies by role and sector, but every employer must assess and address health and safety training needs across their workforce.

Is fire safety training mandatory?

Yes. Under the Regulatory Reform (Fire Safety) Order 2005, employers must provide fire safety training when an employee starts their role and whenever their responsibilities or fire risk exposure changes.

All employees who work onsite should receive basic fire safety training. Designated fire wardens require more comprehensive training.

Is GDPR training mandatory?

GDPR training is not explicitly required by law, but UK GDPR requires organisations to ensure that staff processing personal data do so lawfully and securely.

Providing regular GDPR training is the most reliable way to meet this obligation. The ICO expects organisations to demonstrate that staff have been appropriately trained, and annual refresher training is the standard most organisations apply.

How often should mandatory training be refreshed?

Most mandatory training should be reviewed at least annually. GDPR, cybersecurity, and fire safety awareness are typically refreshed every 12 months. Role-specific training should be updated whenever processes, systems, or responsibilities change. According to Thirst’s 2026 State of L&D Report, only 10% of SMBs review their learning strategy monthly — a gap that creates untracked compliance risk in the periods between formal reviews.

Do employers have to pay for mandatory training?

Yes. Where training is required for an employee to carry out their role safely and effectively, employers are expected to cover the cost and provide the training during working hours.

For statutory training — legally required under UK law — employer funding is not optional. If an employer requires training to be completed in an employee’s own time, this is legally complex and, in most cases, requires compensation.

How do you track mandatory training completion?

A learning management system is the most reliable method. It records completions automatically, flags overdue renewals, and generates real-time compliance reports for leadership and auditors. With 64% of business leaders now expecting proof of learning impact, according to Thirst’s 2026 State of L&D Report, automated compliance tracking has moved from a convenience to a strategic requirement.

Does mandatory training count as CPD?

Mandatory training can count as CPD if it is recorded and reflected on in the same way as other professional development activities.

The key distinction is that CPD is typically chosen to enhance skills, while mandatory training is required for baseline role performance. Many professional bodies accept mandatory training as part of a CPD record when appropriate documentation is kept.

Got 2 minutes?

If your organisation is managing mandatory training through spreadsheets and email reminders, there’s a better way.

Thirst is an AI-powered learning platform built for growing SMBs — with role-based training assignment, automated renewal reminders, and real-time compliance dashboards that give leadership the proof they’re looking for.

Take a guided tour today and see how Thirst handles mandatory training from induction to audit.

 
