DORA (Digital Operational Resilience Act)

DORA went live in January 2025. Every regulated EU financial entity is now in scope for ICT risk management, incident reporting, threat-led penetration testing and third-party register. The hire that lasts is the one who has shipped a DORA programme, not the one who has read the regulation.

Hire DORA talent Join the talent pool

The Digital Operational Resilience Act (Regulation EU 2022/2554) is the operational-resilience anchor for EU financial services. It came into force in January 2025 and made ICT risk a board-level, supervised obligation rather than an internal IT concern.

For hiring, DORA changed the CISO job description in three ways: third-party risk became a programme rather than a checkbox, incident reporting became a clock-managed obligation across at least one EU regulator, and threat-led penetration testing became a peer-reviewed exercise rather than an internal audit.

KICKFIND screens for actual ownership of DORA scope - the candidate has authored an Article 6 governance framework, classified a real incident under Article 18, or owned the Article 28 third-party register. The hire that fails is the one who has read the regulation and never run the workshop.

Regulators in scope

ECB / SSMEBAESMAEIOPAFCABaFinBanca d'ItaliaCentral Bank of Ireland

Industries most affected

FintechPaymentsBankingInsuranceAsset managementFX brokersProp tradingCASPs (under MiCA)

What it actually requires

DORA in practice.

Operational scope - the work a GRC hire actually owns under this framework day to day.

ICT risk management framework owned by the management body with documented policies.
ICT third-party risk register and concentration risk analysis under Article 28+ requirements.
Incident classification + reporting against the EU 24h / 72h / 1-month windows.
Threat-led penetration testing (TLPT) for designated entities every three years.
Operational resilience testing programme - tabletop, scenarios, recovery time objectives.
Information sharing with peers under the cyber threat intelligence community provisions.

GRC role families that own it

Who you hire for DORA.

DORA touches more than one seat. KICKFIND can run the full hiring loop for any of these.

Hire signals

What KICKFIND screens for.

Concrete proof points we look for in DORAhires. CV name-drops without specifics don't pass our screen.

Has personally authored a DORA gap assessment + remediation roadmap.
Has classified a real ICT incident under the DORA taxonomy and submitted the report.
Has run a tabletop with C-level and the board, not just an IT exercise.
Has negotiated a DORA-compliant clause set with a major ICT vendor.
Has been part of a TLPT engagement on either side (entity or testing firm).

Red flags we filter out

What disqualifies a DORA hire.

Patterns that look right on paper but fail under regulator scrutiny. Caught at intake before any client sees them.

Treats DORA as ISO 27001 with a new badge.
Cannot name a single Article they have shipped a control around.
Outsources every TPRM decision to consultants with no internal capability transfer.
Slide-deck CISO with no engineering credibility.

Screening questions

How we screen, in practice.

“Walk me through the last DORA incident-classification call you owned end-to-end. What was the finding and what changed?”
“Pick one of your top-five ICT third parties. What clauses were the hardest to land and what was the supervisor's view?”
“What does your TLPT plan look like for the next 36 months? What scope are you protecting, and what scope are you accepting risk on?”
“Describe a moment you killed a vendor decision on DORA grounds. What was the commercial side's reaction?”

Why specialist hiring

Why a generalist agency under-delivers on DORA hires

Most cyber recruiters can shortlist CISSP holders. Very few can tell a real DORA programme owner from a candidate who has run a SOC. The screen sits in the gap between the cert and the regulation.

KICKFIND screens DORA candidates against Article scope, regulator interactions, and the named ICT third-party register they actually maintained. That is the difference between a hire that survives the first ECB / national-supervisor review and one that ends up rescoped within six months.

We have a verified bench of EU-licensed-entity CISOs who have owned a DORA gap assessment + remediation cycle, not just attended a DORA workshop.
Screening questions are tied to Articles 6, 17, 18, 26 and 28 - we ask for specifics on the file the candidate defended.
Confidential roles for significant institutions and CTPP-designated entities are handled under tight NDAs - client name disclosed only after first screening match.

Hire DORA talent How KICKFIND works

From the DORA hiring blog.

Engineering Hiring
DPO vs CISO under DORA: who owns the breach? Hiring implications
DORA, NIS2 and GDPR all live in the same incident. The CISO hire and the DPO hire have to lock together or breach response fails twice.

Ready when you are

Hire GRC people who actually understand your regulator.

Submit a structured GRC hiring brief in under 5 minutes. We come back with a calibration call and a real plan, not a sales pitch.

Submit a hiring brief Or talk to KICKFIND