The April 18, 2026 NIS2 deadline has passed. The first EU administrative penalties were issued in Q1 2026. DORA has been in force for financial entities since January 2025. And there are two more major frameworks — the Cyber Resilience Act and the Critical Entities Resilience Directive — moving through enforcement phases simultaneously.

Europe is running the largest coordinated cybersecurity regulatory rollout in history, and most organizations are not ready.

That gap between regulatory obligation and organizational capability is what’s driving one of the most sustained surges in European cybersecurity hiring in years. If you understand compliance-focused security work, or you’re willing to build that understanding, the opportunity is significant — whether you’re already in Europe or considering it.

What NIS2 and DORA Actually Require

Understanding why these regulations create demand starts with understanding what they actually demand from organizations.

NIS2: Security for Critical Infrastructure at Scale

The Network and Information Security Directive 2 (NIS2) applies to organizations operating in sectors classified as “essential” or “important” — energy, transport, banking, health, drinking water, digital infrastructure, managed services, manufacturing, and more. The scope is substantially broader than the original NIS directive, pulling in an estimated 160,000 organizations across the EU.

What NIS2 requires organizations to do:

  • Implement risk management measures — risk assessments, security policies, incident handling procedures, business continuity plans
  • Report significant incidents to national authorities within 24 hours (initial notification) and 72 hours (full report)
  • Address supply chain security — assessing and managing the security posture of vendors and technology providers
  • Establish governance accountability — senior management is personally responsible for cybersecurity compliance
  • Conduct regular security training and awareness programs

The personal liability clause for senior management is the provision getting the most attention from boards. Directors who fail to implement adequate cybersecurity measures face fines and, in some EU member states, temporary bans from management positions.

Penalties: Up to €10 million or 2% of global annual turnover for essential entities. Up to €7 million or 1.4% of global annual turnover for important entities.

DORA: Digital Resilience for Financial Services

The Digital Operational Resilience Act (DORA) applies specifically to the EU financial sector — banks, insurance companies, investment firms, payment service providers, crypto asset providers, and critically, their ICT third-party service providers (including cloud vendors and managed service providers serving financial clients).

What DORA requires:

  • ICT risk management frameworks — documented, tested, and continuously updated
  • Incident classification and mandatory reporting — with specific timelines and reporting templates
  • Digital operational resilience testing — including threat-led penetration testing (TLPT) for significant financial entities
  • ICT third-party risk management — contracts must include specific provisions, and regulators can directly supervise critical third-party providers
  • Information sharing — financial entities are expected to participate in threat intelligence sharing arrangements

TLPT under DORA is particularly interesting from a career standpoint: it requires advanced red team exercises conducted against live production systems, performed by qualified external testers. This is not standard penetration testing. The demand for practitioners qualified to conduct DORA-compliant TLPT is already outpacing supply.

Why This Creates a Sustained Hiring Surge

Every regulation on this list requires organizations to do things they currently aren’t doing, with people they currently don’t have.

The compliance machinery that NIS2 and DORA require — risk assessments, incident reporting processes, third-party risk programs, governance frameworks, resilience testing — doesn’t run itself. It requires people who understand both the regulatory requirements and how to translate them into operational security programs.

There’s also a multiplier effect: organizations that were already struggling to find security talent are now subject to regulatory deadlines that turn “nice to have” security resources into legally required ones. The Netherlands, for example, requires all essential and important entities to complete formal self-assessments by June 2026. That timeline is creating immediate, non-discretionary demand.

Roles in Demand Right Now

NIS2 Compliance Manager

The most direct role created by NIS2 — responsible for gap assessments against NIS2 requirements, implementation roadmaps, evidence collection for regulatory audits, and ongoing compliance monitoring. In practice, this role requires a blend of technical understanding and policy/governance experience.

Salary range (Europe): €80,000–€130,000 depending on country and organization size. Germany, the Netherlands, and Ireland are the highest-paying markets.

CISO and Deputy CISO

NIS2 places personal liability on management for cybersecurity failures. Organizations that previously functioned without a formal CISO are now actively hiring for the role — not to build security programs from scratch, but to own the liability that NIS2 imposes on senior leadership. This has meaningfully expanded the market for CISO roles in mid-market European companies.

Salary range: €150,000–€280,000 in established markets (Germany, the Netherlands, and the UK, where post-Brexit equivalents such as UK GDPR apply). Significant variation by sector.

Data Protection Officer (DPO) with Security Depth

DPO requirements under GDPR overlap significantly with NIS2 data handling obligations. Organizations are now looking for DPOs who can speak credibly to both data protection and broader cybersecurity risk — not just legal compliance specialists.

Salary range: €90,000–€150,000.

ICT Third-Party Risk Manager

DORA’s third-party risk requirements are detailed and operationally intensive. Organizations need people who can review vendor contracts against DORA requirements, conduct third-party risk assessments, and manage the ongoing monitoring obligations DORA imposes. Cloud providers serving financial clients are also hiring heavily for roles that help their financial services customers achieve DORA compliance.

Salary range: €85,000–€140,000.

Resilience Officer / Operational Resilience Lead

A newer title emerging specifically from DORA’s digital operational resilience requirements. Responsible for designing and managing resilience testing programs, mapping critical business services to their underlying ICT dependencies, and ensuring that recovery time and recovery point objectives are tested against regulatory standards.

Salary range: €100,000–€160,000.

TLPT Practitioner (Threat-Led Penetration Tester)

DORA requires threat-led penetration testing for significant financial entities, conducted by qualified external providers following frameworks like TIBER-EU. The demand for practitioners with both offensive security skills and the documentation/methodology discipline that TIBER-EU requires is acute. This is a premium specialization.

Salary range: €120,000–€200,000+ for senior practitioners. High freelance/consultancy rates for TIBER-qualified testers.

How US-Based Security Professionals Can Position for These Opportunities

The European compliance market is not closed to US-trained professionals — but it rewards specific preparation.

Build regulatory fluency first. Deep familiarity with NIS2 and DORA is more important than specific European work experience. Read the actual directive text and implementing legislation. ENISA (the EU Agency for Cybersecurity) publishes extensive guidance documents for free — this is your curriculum.

Certifications that translate:

  • CISM (CISSP is well recognized, but CISM maps more directly to NIS2 governance requirements)
  • ISO 27001 Lead Implementer or Lead Auditor — ISO 27001 aligns closely with NIS2 technical requirements, and many European organizations are using ISO 27001 as their compliance framework
  • CRISC — risk-focused, directly relevant to NIS2 and DORA risk management obligations
  • TIBER-EU knowledge — not a certification but a framework. Demonstrating familiarity with TIBER-EU positions you for DORA testing work

Target the right sectors. NIS2 hits energy, utilities, transport, healthcare, and managed services hardest. DORA owns financial services. Both sectors in Europe are actively hiring with regulatory deadlines adding urgency.

Consider the UK market. Post-Brexit, the UK has its own equivalent regulations (UK GDPR and the Network and Information Systems Regulations). While technically separate from EU NIS2/DORA, the skill set transfers almost entirely — and UK salaries for compliance-fluent security professionals are competitive with Western European markets.

Remote and hybrid work has expanded the geography. Not every NIS2/DORA role requires relocation. European organizations — particularly in professional services, managed services, and technology sectors — are hiring compliance and GRC specialists remotely. US professionals with European regulatory fluency who are willing to work EU business hours have real options without relocating.

The regulatory enforcement is not theoretical anymore. Penalties are being issued, self-assessment deadlines are live, and organizations that delayed building internal compliance capability are now scrambling. The professionals who built NIS2 and DORA expertise before it became universally required are the ones fielding the calls.

That window hasn’t fully closed yet — but it’s narrowing fast.