CISO Hiring: Regulatory Drivers 2026 (DORA, NIS2, FCA)
The Chief Information Security Officer role has been redefined more substantially in the past three years than in the preceding decade. The change is not primarily technological — although the threat landscape has evolved significantly. It is regulatory. The Digital Operational Resilience Act came into force across EU financial services in January 2025. The NIS2 Directive extended cyber obligations to a much wider range of sectors and organisations across EU member states from October 2024. The FCA and PRA’s operational resilience requirements took full effect in March 2025. Taken together, these frameworks have elevated the CISO from a technology function head to a board-facing accountability holder with direct regulatory exposure in a growing number of businesses.
This guide is written for boards, CEOs, and HR leaders at organisations that are hiring or replacing a CISO under the 2026 regulatory environment. It covers what DORA, NIS2, and the FCA’s operational resilience framework specifically require of the CISO function, how those requirements change the candidate profile, what the market rate looks like now that the role carries regulatory accountability, and the most common mistakes in CISO appointments. For the Exec Capital CISO search service, see our CISO Recruitment page.
Adrian Lawrence FCA — Founder, Exec Capital
Fellow of the Institute of Chartered Accountants in England and Wales (ICAEW FCA) | ICAEW-Registered Practice | Technology and security executive search since 2018
The conversation that reveals most about a CISO candidate is about the last significant security incident they managed. Not their frameworks and protocols — the incident. What happened, how they found out, what the board meeting looked like, what they said to the CEO, and what changed afterwards. The regulatory environment in 2026 means the CISO will face an incident that requires them to notify a regulator, communicate to a board under pressure, and make decisions in real time that have legal consequences. A candidate who has been through that and come out well is worth more than any certification. A candidate who has not been through anything difficult is an unknown quantity at the moment it matters most.
Adrian Lawrence FCA | Founder, Exec Capital | ICAEW Verified Fellow | ICAEW-Registered Practice | Companies House no. 13329383 | Technology executive search since 2018
What DORA requires — and what it means for the CISO
The Digital Operational Resilience Act applies to financial entities operating in the EU — banks, insurance companies, investment firms, payment institutions, crypto-asset service providers, and their critical ICT third-party service providers — with effect from 17 January 2025. For UK-headquartered firms with EU operations or EU-regulated subsidiaries, DORA creates direct compliance obligations regardless of UK regulatory status post-Brexit.
DORA’s five pillars — ICT risk management, ICT-related incident reporting, digital operational resilience testing, third-party ICT risk management, and information sharing — each create specific requirements that land in the CISO’s domain. The ICT risk management framework must be documented, board-approved, and reviewed at least annually. Material ICT incidents must be classified and reported to the relevant competent authority within defined timeframes — initial notifications within four hours of classification, intermediate reports within 72 hours, and final reports within one month. Advanced resilience testing, including threat-led penetration testing, must be conducted by qualifying entities at least every three years using approved testers.
The CISO implications are direct. DORA requires the management body — the board — to define, approve, and oversee the ICT risk management framework and to bear ultimate responsibility for ICT risk. The practical consequence is that the CISO must be able to brief the board on ICT risk in terms that allow the board to exercise that responsibility meaningfully. A CISO who produces technical security reports that board members cannot parse is failing a DORA requirement, not merely an internal communication standard. The board accountability dimension of DORA makes CISO appointments at DORA-subject firms materially different from those where cyber is a function-level concern.
What NIS2 changes — and how it extends the CISO’s reach
The NIS2 Directive came into force for EU member states in October 2024, significantly extending the scope of the original NIS Directive. Where NIS1 applied primarily to operators of essential services (energy, transport, water, health, digital infrastructure), NIS2 extends to a much broader set of sectors including postal services, food production, waste management, and a wider range of digital services. It also applies to medium and large organisations in those sectors, not just those designated as critical infrastructure.
UK organisations with EU operations must assess NIS2 applicability to their EU entities. The UK has its own NIS regime — the Network and Information Systems Regulations 2018 — and the Government has signalled its intention to update this through the Cyber Security and Resilience Bill, which will expand NIS scope and tighten incident reporting requirements in alignment with the direction of EU NIS2. UK organisations that are scoping CISO appointments now need to factor in the UK’s evolving NIS framework as well as NIS2 for EU operations.
The most significant change NIS2 introduces for CISO hiring is the personal accountability provision: NIS2 requires member states to ensure that management bodies of essential and important entities can be held personally liable for non-compliance with cybersecurity risk management measures. This extends the regulatory accountability chain to the C-suite and board level in a way that was not present under NIS1. The CISO who is the functional owner of the cybersecurity risk management programme needs to understand this accountability structure and to be capable of ensuring the management body can demonstrate the governance required to meet it.
FCA operational resilience — what changed in March 2025
The FCA and PRA’s operational resilience framework, introduced through PS21/3, required FCA-regulated firms to identify their important business services, set impact tolerances for disruption to those services, and demonstrate by 31 March 2025 that they could remain within those tolerances during severe but plausible operational disruption. From March 2025, regulated firms are expected to be able to evidence this capability — not merely to have completed the mapping exercise.
For the CISO, the FCA operational resilience framework creates three specific responsibilities that were not as clearly articulated before 2021. First, the CISO must ensure that the firm’s important business services are mapped to their underlying technology systems and third-party dependencies in a way that makes the impact tolerance analysis credible. Second, the CISO must own the cybersecurity dimension of the firm’s scenario testing for operational resilience — demonstrating that the firm can survive a severe cyber incident and recover within the relevant impact tolerance. Third, the CISO must ensure that the firm’s ICT risk posture is reported to the board in terms that support the board’s regulatory accountability for operational resilience.
The FCA’s enforcement approach to operational resilience failures is still developing, but the direction is clear: boards that cannot demonstrate active engagement with operational resilience — including cyber resilience — are exposed. The CISO who does not understand this governance requirement, or who treats it as a compliance documentation exercise rather than a genuine board accountability function, is not adequately equipped for the 2026 regulatory environment.
How the regulatory environment changes the candidate profile
The cumulative effect of DORA, NIS2, and FCA operational resilience requirements is to elevate the CISO from a technical security leader who provides assurance to the board into a regulatory accountability holder who is part of the governance chain that the regulator will scrutinise in the event of a material incident. This shifts the candidate specification in three concrete ways.
Board communication capability is now a genuine requirement, not a nice-to-have. The CISO who is technically outstanding but cannot brief a board of non-technical directors in a way that allows them to exercise their regulatory accountability is inadequate in the 2026 regulatory context. This capability needs to be assessed specifically in the interview process — not assumed from seniority or title.
Regulatory literacy — specifically knowledge of DORA obligations, NIS2 scope, and FCA operational resilience requirements — is now baseline competence for CISO appointments in financial services and regulated sectors. A CISO who needs to be briefed on what DORA requires when they join is behind before they start.
Incident response leadership at the regulatory interface — the capability to manage a material cyber incident including regulatory notification, board communication, and external stakeholder management — is now an experience criterion rather than a theoretical capability. The regulatory timelines under DORA for incident notification leave no room for a CISO who is learning this process in real time during an incident.
Market rate — CISO, UK 2026
| Context | Scope | Base Salary |
|---|---|---|
| Tier 1 bank or large regulated firm | DORA-subject, board-facing, large team | £200,000 – £350,000+ |
| Mid-market financial services | FCA-regulated, DORA applicable, 200–1,000 staff | £130,000 – £200,000 |
| NIS2-subject enterprise | Essential/important entity, EU operations | £120,000 – £190,000 |
| Scale-up / technology company | Growing security function, pre-regulated | £100,000 – £160,000 + equity |
The most common mistakes in CISO appointments
Hiring a technical security expert without testing board communication capability is the most frequent mistake in sectors where the regulatory environment has elevated the board accountability dimension of the role. Technical depth is necessary but insufficient. The interview process for a 2026 CISO appointment should include at minimum one exercise where the candidate is asked to brief a non-technical director on a significant cyber risk or incident scenario. The quality of that communication tells you more than any technical question.
Ignoring the regulatory literacy dimension produces CISOs who must learn the DORA, NIS2, or FCA operational resilience requirements on the job — which in an incident context means learning them under the worst possible conditions. Regulatory literacy should be assessed directly in the interview, not assumed from sector experience.
Structuring the CISO role too far below board level in DORA-subject or FCA-regulated firms creates a governance gap. If the CISO reports to the CTO who reports to the CEO, and the board’s cyber accountability is exercised through two layers of reporting, the firm is unlikely to satisfy a regulator’s expectation that the management body is actively engaged in ICT risk governance. In most regulated environments, the 2026 CISO should have direct board access, whether through a formal reporting line or through regular attendance at the board’s audit and risk committee.
CISO Recruitment
Exec Capital places CISOs and security leadership across financial services and regulated sectors. We assess board communication capability and regulatory literacy as part of every search. Shortlist within 5–7 working days.
Sources
- EBA — Digital Operational Resilience Act (DORA)
- ENISA — NIS2 Directive
- FCA — PS21/3: Building Operational Resilience
- UK Network and Information Systems (NIS) Regulations 2018
- National Cyber Security Centre (NCSC)
- Institute of Chartered Accountants in England and Wales (ICAEW)