NIS2 Directive

NIS2 widened the EU cyber-resilience perimeter, raised the management body's accountability and changed how incidents get reported. Critical for any entity in scope - and DORA does not replace it for financial entities.

Hire NIS2 talent Join the talent pool

The Network and Information Security Directive 2 (Directive EU 2022/2555) replaces NIS1 and widens the EU cyber-resilience perimeter to essential and important entities across most regulated industries. Member states were required to transpose it by October 2024.

For hiring, NIS2 changed two things: the management body now carries personal accountability for risk decisions, and incident reporting runs on a 24h / 72h / 1-month clock that overlaps with DORA and GDPR. The InfoSec hire that holds is the one who can run those clocks together.

Regulators in scope

ENISAnational CSIRTsnational competent authorities per member state

Industries most affected

EnergyHealthcareBankingFinancial market infrastructureDigital service providersPublic administrationManufacturing

What it actually requires

NIS2 in practice.

Operational scope - the work a GRC hire actually owns under this framework day to day.

Cyber risk management measures proportionate to the size and risk profile of the entity.
Incident-reporting obligations: early warning within 24h, incident notification within 72h, final report within 1 month.
Supply chain security including supplier-side cyber posture.
Management body accountable for risk decisions - personal liability is real.
Cybersecurity training and hygiene programme.

GRC role families that own it

Who you hire for NIS2.

NIS2 touches more than one seat. KICKFIND can run the full hiring loop for any of these.

Hire signals

What KICKFIND screens for.

Concrete proof points we look for in NIS2hires. CV name-drops without specifics don't pass our screen.

Has stood up a NIS2-compliant incident classification + reporting playbook.
Knows how to run the NIS2 clock alongside DORA / GDPR clocks without losing one.
Has trained a management body on their NIS2 personal-liability exposure.
Has a working relationship with a national CSIRT, not just a contact.

Red flags we filter out

What disqualifies a NIS2 hire.

Patterns that look right on paper but fail under regulator scrutiny. Caught at intake before any client sees them.

Confuses NIS2 scope with DORA scope - they overlap but do not replace each other.
Cannot draft an early-warning notification from cold.
Treats supplier cyber posture as a procurement question.

Screening questions

How we screen, in practice.

“Walk me through the last incident you reported under NIS2. What clocks were running at the same time, and how did you avoid double-reporting?”
“How do you classify an incident that touches both NIS2 and DORA scope? Which regulator does the first call go to?”
“Describe the management body training you ran. What did the C-level pushback look like?”

Why specialist hiring

Why NIS2 is a clock-management hire, not a CISO hire

Most CISO recruiters miss the cross-clock problem. An incident in scope for NIS2 will usually also be in scope for DORA, GDPR or both. Three regulators, three clocks, one team. Hire the wrong profile and the third clock is the one that misses.

KICKFIND screens NIS2 hires for working CSIRT relationships and for a documented playbook that handles the clock overlap. Specialist over generalist matters here because cross-clock failures end up on the supervisor's permanent file.

We ask for the last cross-clock incident the candidate ran and what each regulator received.
Management-body training experience screened explicitly - the personal-liability conversation is harder than it looks.
Sector-flexible: NIS2 covers energy, healthcare and public administration as well as financial market infrastructure - our bench reflects that.

Hire NIS2 talent How KICKFIND works

From the NIS2 hiring blog.

Engineering Hiring
DPO vs CISO under DORA: who owns the breach? Hiring implications
DORA, NIS2 and GDPR all live in the same incident. The CISO hire and the DPO hire have to lock together or breach response fails twice.

Ready when you are

Hire GRC people who actually understand your regulator.

Submit a structured GRC hiring brief in under 5 minutes. We come back with a calibration call and a real plan, not a sales pitch.

Submit a hiring brief Or talk to KICKFIND