NIS2 Is a People Problem
The NIS2 directive sets new requirements for cybersecurity governance, incident response and supply chain security. But the biggest challenge isn't technology — it's finding the right people. In this article we break down which roles organisations actually need.
The Essential Roles
1. CISO / Security Officer
NIS2 requires security governance at board level. A CISO is no longer optional for organisations that fall under the directive. Scarcity: very high. Advice: consider an interim hire for the first 6-12 months while searching for a permanent one.
2. GRC Manager / Compliance Officer
Responsible for the compliance framework, gap analysis and audit preparation. Scarcity: high. Advice: permanent if you need structural compliance capacity.
3. Incident Response Specialist
NIS2 requires notification within 24/72 hours. You need people who have mastered this process. Scarcity: medium to high. Advice: a combination of a permanent team and a retainer with a CSIRT partner.
4. Security Awareness Trainer
The human factor remains the biggest vulnerability. Scarcity: medium. Advice: can be permanent or via an external partner.
5. Third-Party Risk Manager
Supply chain security is a core component of NIS2. Scarcity: very high — this role is relatively new. Advice: interim to set up the framework, then permanent.
The Market Reality
The shortage of NIS2-qualified professionals is significant. Organisations that start recruiting now have a head start. Wait until the deadline and you'll be competing with thousands of other organisations for the same limited talent pool.