The NIS2 Directive is reshaping governance requirements across essential and important entities. We assess the surge in demand for GRC professionals and what it means for hiring strategies.
The Network and Information Security Directive 2 (NIS2) has landed. For UK organisations operating in or trading with the EU, this is not aspirational. It is mandatory, and the scope is broader than almost anyone expected.
NIS2 doesn't just apply to critical national infrastructure—it extends to essential services and "important entities" across key sectors. It introduces personal liability for senior management. It mandates supply chain security assessments. And it has triggered a talent scramble that is reshaping recruitment across CNI.
NIS2 represents the most significant expansion of cyber security regulation in Europe since the original NIS Directive. The scope now encompasses more sectors: energy, transport, water, digital infrastructure, health, finance, and others. Essential service operators and important entities must meet new governance standards.
The requirements are substantive. Board-level oversight of cyber risk. Supply chain due diligence. Incident reporting within 24 hours of discovery. Security measures across people, process, and technology. And here's the hard part: personal liability for senior management if the organisation fails to meet requirements.
That last point has boards paying attention. When the CISO's security failure becomes the CEO's personal liability, cyber risk suddenly moves from IT to the boardroom.
This regulatory expansion has triggered intense demand for governance, risk, and compliance professionals. Organisations need individuals who can translate regulatory requirements into operational security programmes, manage audit relationships, and communicate risk to boards in business terms.
The challenge is acute: experienced GRC professionals with CNI sector knowledge are already scarce. NIS2 has amplified the competition. Every regulated entity in Europe is now competing for the same small pool of talent. Senior GRC professionals who understand both regulatory frameworks and critical infrastructure environments can write their own ticket.
The salary pressure is significant. A GRC lead with CNI experience can command £80,000 to £150,000 depending on seniority and sector experience. A GRC director or Chief Risk Officer can demand significantly more. And they're being courted by competitors across your sector.
If you're responsible for meeting NIS2 compliance, you need to start recruiting now. Here's what works.
Hire experienced GRC leads who can set strategic direction. This person will define your compliance programme, manage your audit relationships, and translate regulatory requirements for your board. You need someone who's done this before—in your sector ideally, but certainly in similar operational environments.
Develop existing security professionals into compliance roles. You may have talented security engineers or analysts who can grow into GRC work with targeted training. This is slower than an external hire, but it builds capability and retention within your team.
Use interim consultants to bridge immediate gaps. A GRC consultant working with you for 3-6 months can help define your compliance programme, identify gaps, and guide the transition to permanent staff. This buys you time to recruit the right permanent hire.
Starting early is not optional. By the time you realise you're under-resourced, the talent you need has already been hired by your competitors. The candidates you need are being courted now, by every regulated entity in your sector.
NIS2 is not a one-time compliance project. It is an ongoing regulatory obligation with escalating requirements and increasing enforcement. Organisations that treat it as a checkbox—hire someone to build a compliance framework, declare compliance, move on—will find themselves exposed when regulators come calling or when the framework doesn't adapt to evolving threats.
The organisations that will succeed are those that embed compliance into their security culture from the start. That means hiring the right talent, investing in their development, and treating GRC as a core security function, not a peripheral compliance operation.
For CNI organisations, NIS2 also represents an opportunity. Candidates who see that you're taking regulatory compliance seriously, that you've invested in GRC capability, and that you're building a mature, governance-driven security function are more likely to take you seriously as an employer. In a tight talent market, demonstrating genuine commitment to compliance and risk management is a competitive advantage in recruitment.