# DPO vs CISO under DORA: who owns the breach? Hiring implications

DORA, NIS2 and GDPR all live in the same incident. The CISO hire and the DPO hire have to lock together or breach response fails twice.
A real ICT incident in an EU regulated entity now touches at least three regulators and at least two named officers - the CISO and the DPO. DORA adds the home-state financial-supervisor reporting clock. NIS2 adds the national CSIRT reporting clock. GDPR adds the supervisory-authority notification clock. They run at the same time, with overlapping but not identical scope.
The hiring implication is that the CISO and the DPO have to be wired to lock together under pressure. Two excellent solo hires who do not know each other's playbook produce a breach response that fails twice: once on the technical containment and once on the regulatory notification.
## What this means for the CISO hire
- They need a **DORA incident classification model** they can defend - not a generic CVSS triage.
- They need pre-agreed **decision rules** for who notifies which regulator, in what order, with what data.
- They need to be **comfortable in the room** with a DPO and a lawyer simultaneously.
- They need **engineering credibility** so the technical post-mortem is real.
## What this means for the DPO hire
- They need **GDPR 72h notification muscle memory** with a real breach in their history.
- They need to **distinguish**, in practice, an Article 33 notification from the controller to the supervisory authority from an Article 34 communication to the affected data subjects.
- They need to **understand DORA enough** to know where their clock starts and ends.
- They need a **working relationship template** with the CISO function - not just an org chart line.
## Two hires, one playbook
If you are hiring both seats sequentially, screen the second hire against the first hire's incident playbook. Cultural and process compatibility here is not a soft factor.
## Screening questions for the joint hire
- *"Walk me through the last incident where you had to notify a supervisory authority. What was the timeline, what was the finding, what changed?"*
- *"How do you handle a finding from one regulator that contradicts the position you have taken with another?"*
[Submit a brief](/submit-hiring-brief) and KICKFIND will calibrate the dual CISO / DPO screen.