NIS2 in 2026: The Regulatory Pressure Is Here. Is Your Team Ready?

NIS2 enforcement is live across the EU and the UK Cyber Security and Resilience Bill is closing in on Royal Assent. The talent implications for CNI organisations are hitting harder than most anticipated.

Governance & Leadership
Hiring Strategy
Regulations & Compliance
Skills & Talent Gaps
May 14, 2026

The grace period is over. NIS2 is now in active enforcement across the EU. The UK's Cyber Security and Resilience Bill is working its way through Parliament. And the talent implications are hitting CNI organisations harder than most anticipated.

This is no longer a compliance planning exercise. It is a workforce problem.

Where NIS2 Stands Today

Nineteen of the twenty-seven EU Member States have fully transposed NIS2 into national law. Germany, France, and Spain are still finalising their implementations, but enforcement has already begun. As of March 2026, an estimated 19,000 entities remain non-compliant. Administrative fines of at least €10 million or 2% of global annual turnover, whichever is higher, are now in play for essential entities, with important entities facing a lower ceiling of €7 million or 1.4%.

The European Commission has also proposed targeted amendments to NIS2 in early 2026, adding ransomware-specific incident reporting requirements and bringing operators of submarine data transmission infrastructure into scope. The directive continues to evolve even as organisations scramble to meet the baseline.

For UK organisations, the picture is different but no less pressing. The Cyber Security and Resilience Bill completed its Commons Committee Stage in February 2026 and will carry over into the new parliamentary session beginning 13 May. Royal Assent is expected later this year, with phased implementation through 2026 and 2027.

The Bill shares NIS2's ambitions but diverges in important ways. It directly regulates critical suppliers, something NIS2 does not, and introduces potentially higher penalties. UK businesses with EU operations or clients remain subject to NIS2 regardless, creating a dual compliance burden that demands both regulatory literacy and operational capacity.

The Talent Pressure Is Unprecedented

The hiring implications are now impossible to ignore. In 2025, 40% of organisations reported that regulatory directives were influencing their hiring decisions. In 2026, that figure surged to 95%. That is a 55-point increase in a single year, and the fastest acceleration of any workforce metric in recent reporting history. NIS2 alone accounts for 30% of all regulatory hiring impact, making it the single largest driver of cybersecurity recruitment decisions globally.

For CNI organisations, this translates into acute demand across several disciplines. Governance, risk, and compliance professionals who can operationalise NIS2 and the UK Bill's requirements are in critically short supply. Security engineers who can close the control gaps identified during compliance assessments are being competed for across every regulated sector. Senior leaders who can translate regulatory obligation into board-level risk language are scarcer than ever.

The challenge is compounded by a skills readiness gap. Research indicates that 76% of existing cybersecurity staff lack the certified training needed to support NIS2 compliance effectively. Organisations are not just short of people. They are short of the right capability.

What CNI Organisations Should Be Doing Now

The organisations that navigate this well share a common approach. They treat regulation as a workforce planning trigger, not just a legal requirement.

That means mapping NIS2 and the UK Bill's obligations against current team capability and identifying gaps in GRC, incident response, OT security, and board-level leadership. It means building roles around resilience outcomes rather than generic job titles. And it means engaging the market early, before every other regulated organisation is competing for the same small pool of qualified candidates.

Waiting for Royal Assent to begin hiring is a strategic error. The talent market is already moving. Candidates with NIS2 implementation experience, CAF assessment capability, or dual IT/OT fluency are fielding multiple approaches. By the time the legislation is enacted, the strongest candidates will already be placed.

The Dual Compliance Reality

For UK-headquartered CNI organisations with European operations or supply chains, the dual regulatory landscape creates a specific hiring challenge. They need professionals who understand both frameworks. Not just the letter of each regulation, but the practical differences in reporting timelines, scope definitions, and enforcement mechanisms.

This is not a skillset that can be recruited through generic channels. It requires targeted identification of candidates who have worked across jurisdictions, who understand the operational reality of regulated environments, and who can build compliance programmes that satisfy both regimes without duplicating effort.

What This Means

NIS2 and the UK Cyber Security and Resilience Bill are the most significant regulatory shifts in cybersecurity since the original NIS Regulations came into force in 2018. The compliance deadlines are live. The enforcement mechanisms are active. And the talent needed to meet these obligations is structurally scarce.

The cost of delay is not just regulatory risk. It is operational exposure. Critical roles left unfilled during a period of heightened regulatory scrutiny leave organisations without the capability to respond, report, and recover when it matters most.

Organisations that move now, with clarity on what they need and a process designed to reach the right people, will secure the capability they require. Those that wait will find the market has moved on without them.

Laurence Connor
Operations Director, Foundations Search