Mandatory Employee Training Programs: What HR Must Cover in 2026

Mandatory employee training programs are the courses HR has to deliver to keep the company legal under federal, state, and industry rules in 2026. The baseline for almost any U.S. employer boils down to four things: anti-harassment training, OSHA safety fundamentals, cybersecurity basics, and HIPAA training for anyone touching protected health information — plus a much longer list of state and industry add-ons depending on where you operate and who you hire.

The annoying part about 2026: several states expanded their requirements over the last 18 months, and the old "we do sexual harassment training every two years" checklist isn't enough anymore if you've got employees in California, New York, Illinois, or Washington.

What Training Is Federally Required for All U.S. Employers?

Federal rules set the floor, not the ceiling. Four buckets hit nearly everybody regardless of size or industry.

OSHA training is the big one. Under the General Duty Clause, every employer has to train workers on the hazards specific to their job, the emergency action plan, and how to report problems — even in industries without their own OSHA standard. Anybody working with regulated substances or equipment picks up extra requirements on top. Forklift operators. Employees with potential bloodborne pathogen exposure. People handling hazardous chemicals. Confined space workers. The OSHA 10-Hour General Industry course is the most common baseline for employers who want to go past the bare minimum in a non-construction setting.

HIPAA is mandatory for healthcare employers and their business associates, which is a bigger pool than most HR people realize. Billing vendors. IT providers. Cloud storage companies working with PHI. Anyone doing data processing for a covered entity. HHS doesn't dictate specific course content, but annual is the accepted cadence, and HIPAA Essentials hits what auditors typically ask for.

Anti-discrimination training technically isn't federally mandated by name. The EEOC treats documented training as evidence of good-faith compliance anyway, and larger federal contractors get pulled in through OFCCP rules around diversity and inclusion training tied to affirmative action obligations.

Cybersecurity is federal only for specific industries — financial services under GLBA, healthcare under HIPAA, defense contractors under CMMC — but most employers end up treating it as mandatory because ransomware has gotten worse every year. Password security training is the bare floor. Phishing simulations and social engineering training sit on top.

What States Have Their Own Mandatory Training Requirements?

This is where multi-state employers keep tripping. Ten states now run their own harassment training laws, each with its own quirks.

California hits the hardest. AB 1825 and SB 1343 together demand 2 hours for supervisors and 1 hour for non-supervisory employees every two years, at any employer with five or more people. New hires and newly promoted supervisors have to be trained within six months, not whenever the next company-wide cycle rolls around.

New York is close behind. The Combating Sexual Harassment in the Workplace Act wants annual training for every employee, and New York City layers its own rule on top for employers with 15-plus employees — including independent contractors who worked more than 80 hours.

Illinois runs annual training for every employee regardless of employer size under the Workplace Transparency Act. An additional bar-and-restaurant-industry module is required for hospitality, which catches a lot of restaurant groups off guard during their first audit.

Connecticut, Delaware, and Maine each require initial and ongoing training with slightly different triggers and hour counts. They feel similar on paper but aren't interchangeable in practice.

Washington state expanded its requirements in January 2025. Employees in isolated work settings — hotels, security, janitorial — now get mandatory training, and managers have a new mandate around retaliation and investigation procedures.

The Sexual Harassment Prevention for Managers course handles the patchwork of state rules in one place, which saves HR from running four different training tracks for the same four supervisors.

What Industry-Specific Training Is Mandatory?

Industry regulators stack their own requirements on top of the federal and state baseline. A quick tour of where that gets heaviest in 2026:

Construction employers are on the hook for the full OSHA construction standard (29 CFR 1926). Fall protection, scaffolding, electrical hazards, trenching, confined spaces — and that's before you get to OSHA 10-Hour or 30-Hour Construction, which most competent persons and supervisors need.

Healthcare adds HIPAA, bloodborne pathogens under 1910.1030, patient safety training, and whatever state-level nursing continuing education applies.

Food service runs on food handler and food manager certifications that vary by state and locality. California's ANAB-ANSI rule. New York City's Food Protection Certificate. Texas Food Manager. Illinois ServSafe. Add alcohol server certification in most states if the business pours beer or wine.

Financial services employers need anti-money-laundering training under the Bank Secrecy Act, SEC-regulated compliance training for broker-dealers and investment advisors, and SAFE Act training for anyone originating a mortgage.

DoD contractors need CMMC compliance training, insider threat awareness, and counterintelligence reporting — all of which tightened in 2024 and again in late 2025.

Transportation picks up DOT compliance training, hours-of-service training, hazmat awareness where applicable, and supervisor-level drug-and-alcohol training under 49 CFR Part 382.

Retail is the newer entrant. California's SB 553 is the aggressive one — it hits most employers and demands annual workplace violence prevention training plus a company-specific written plan. New York and Washington added their own versions in 2024 and 2025.

How Often Does Mandatory Training Need to Be Refreshed?

The refresh cycle changes by course, and the piece most HR teams miss is that they're running half a dozen cycles simultaneously.

Annually: HIPAA, cybersecurity awareness for financial services and DoD, most state harassment laws (NY, IL, WA, CA supervisors), SAFE Act re-certification, CMMC, workplace violence prevention in the states that require it.

Every two years: California harassment training for non-supervisors, most general OSHA refreshes, ethics for federal contractors, DEI training if it's written into the affirmative action plan.

Every three years: forklift operator re-cert under 1910.178, some bloodborne pathogens refreshers depending on exposure class, food manager certification in most states.

One-time or on-change: new hire onboarding, training triggered by a role change (non-supervisor to supervisor, for example, which fires off supervisor-specific harassment training in most mandatory states), training on new policies or updated regulations.

A mid-sized employer almost always has six to eight different refresh cycles running at once. That's why the "we track it in a spreadsheet" approach falls apart — not because spreadsheets are bad, but because nobody remembers to open them.

What Mandatory Training Do New Hires Need in Their First 30 Days?

New hire compliance is where HR teams lose the most ground in 2026. High turnover closes the window before anybody notices.

First day or two: safety orientation, emergency action plan, site-specific hazards, harassment and discrimination policy acknowledgement, basic cybersecurity and data handling, and code of conduct training. These are the ones auditors look for first. A new hire gets hurt in week two and there's no documented safety orientation? Automatic finding.

Within 30 days: full sexual harassment prevention training if the state requires it (California technically allows six months, but most employers do it earlier so it doesn't fall off the radar), diversity and inclusion awareness, and role-specific compliance training — HIPAA for healthcare roles, PCI-DSS for anyone touching card data, GLBA for financial services.

Within 90 days: any certifications specific to the role (forklift, food handler, CDL endorsements), deeper cybersecurity training beyond onboarding basics, and manager-level training if the new hire walks in at a supervisory level.

What Happens If You Skip Mandatory Training?

The consequences depend on what got skipped and who notices.

Direct fines are tier one. A missing OSHA training record runs $16,550 per serious violation or $165,514 per willful or repeat. A HIPAA training gap can trigger up to $2.1 million per category per year in willful neglect settlements. California harassment violations: $1,000 per employee per year in civil penalties plus FEHA enforcement.

Indirect costs hurt more. A workplace injury without documented safety training becomes both an OSHA case and a workers' comp case. A discrimination lawsuit without documented harassment training loses the Faragher/Ellerth defense. A data breach without documented cybersecurity training gets much harder to defend under reasonable security standards.

The quiet fourth cost is insurance. Commercial general liability and employment practices liability policies increasingly condition coverage on documented training. A missed cycle can affect renewal pricing and claim coverage — and nobody gets a heads-up about that until renewal time rolls around.

Get Your Team Trained — Without the Paperwork Headache

Mandatory training in 2026 isn't going to get simpler. A compliance platform with the required courses already built in saves HR from running six different vendors and stitching the records together by hand.

Three courses that hit the baseline almost every U.S. employer needs:

Sexual Harassment Prevention for Managers — meets CA, NY, IL, CT, Maine, and Delaware mandates.

OSHA 10-Hour General Industry Outreach — DOL-card-generating baseline for most non-construction workplaces.

Cybersecurity Password Security — covers the data hygiene required under most cyber-insurance policies and a growing list of state-level data protection laws.

Frequently Asked Questions About Mandatory Employee Training in 2026

What training is legally required for every U.S. employer?

No single federal list exists. The rules come from OSHA, HHS (HIPAA), EEOC, and state agencies. Most private employers end up needing some mix of safety training, harassment prevention training (required by law in ten states), and HIPAA or cybersecurity training if they handle regulated data.

How do I know which trainings apply to my company?

Map your workforce across three axes — industry (OSHA standards, DOT, FINRA), states where employees actually work (harassment, workplace violence, paid leave), and role-specific requirements (forklift, food handler, manager). Most employers with multi-state operations land on eight to fifteen simultaneous mandatory trainings.

Do part-time and seasonal employees need mandatory training?

Yes, in most cases. New York harassment training kicks in at 80+ hours per year. California pulls temporary workers in after 30 days. OSHA doesn't care whether the employee is full-time or part-time for safety training. Seasonal retail workers in California need workplace violence prevention training if the role meets the SB 553 threshold.

What's the deadline for delivering mandatory training?

Safety and core compliance training should happen before work starts when possible. Harassment training needs to land inside the state-specific window — six months in California, 60 to 90 days in most other mandatory states. Role-specific training has to be done before the employee performs the regulated task.

Can mandatory training be delivered online?

Yes. Every major regulator accepts online training as long as the content meets the standard and completion is documented. OSHA, HHS, EEOC, and state agencies all accept LMS-delivered training. A handful of certifications — CPR, forklift hands-on, respirator fit testing — need in-person components on top of the online coursework.

What records do I need to keep for mandatory training?

Employee name, training topic and regulation, completion date, delivery method, score if applicable, and an employee attestation. Retain per the underlying regulation — three to five years for most OSHA training, six for HIPAA, three for state harassment training in most states.

Colton Hibbert is an SEO content writer and lead SEO manager at Coggno, where he helps shape content that supports discoverability and clarity for online training. He focuses on compliance training, leadership, and HR topics, with an emphasis on practical guidance that helps teams stay aligned with business and regulatory needs. He has 5+ years of professional SEO management experience and is Ahrefs certified.