Demystifying Global Directives: How NIS2, DORA and More Will Reshape the Workforce
For HR leaders and CISOs across EMEA, 2026 is not just another year of “more regulation.” It’s a turning point where cyber, risk and resilience requirements will directly dictate how you structure roles, hire talent, and develop your people.
Across the region, several key regulations and frameworks are converging:
- Network and Information Systems Directive 2 (NIS2)
- Digital Operational Resilience Act (DORA)
- Cyber Resilience Act (CRA)
- European Cybersecurity Skills Framework (ECSF)
- Skills Framework for the Information Age (SFIA)
Individually, they touch different areas of your organisation. Together, they push you towards a structured, evidence-based cyber skills strategy that HR and CISOs must jointly own.
NIS2: From “training” to regulated capability
NIS2 increases security requirements for “essential” and “important” entities across sectors such as energy, transport, health, digital infrastructure, public administration, and ICT services.
More fundamentally, NIS2 signals a cultural shift in how regulators view cyber risk. Rather than focusing solely on whether an organisation has suffered an incident, the directive places accountability on preparedness – the presence of the right skills, controls, and decision-making structures before something goes wrong.
Readiness, not reaction, becomes the benchmark. This reframes cybersecurity from a technical afterthought into a core organisational capability, one that must be deliberately designed, resourced and governed across the business.
Workforce implications:
- Training as a compliance control
NIS2 lists cyber hygiene practices and cybersecurity training among the minimum risk-management measures (Article 21), alongside risk analysis, incident handling and business continuity. Training is no longer optional; it must be role-specific, documented, and auditable.
- Leadership accountability
Management bodies must approve the cybersecurity risk-management measures, oversee their implementation, and can be held liable for infringements; they are also required to undergo training themselves (Article 20). Boards and executives therefore need baseline cyber literacy, and HR will have to treat executive cyber education like any other mandatory compliance training.
- Cyber responsibility beyond the security team
IT, OT, operations, HR, legal and procurement all need a defined cyber role. Job descriptions and objectives must explicitly embed cyber responsibilities across functions.
Result: demand grows for security awareness specialists, GRC roles and OT/ICS security experts, plus more structured onboarding and annual training cycles.
DORA: Operational resilience as a shared mandate
DORA targets financial entities and their critical ICT providers, focusing on digital operational resilience: the ability to withstand, respond to and recover from ICT disruptions and cyber incidents.
Workforce implications:
- Hybrid skill profiles
DORA requires ICT risk management, ICT-related incident reporting, digital operational resilience testing, and ICT third-party risk management. Talent must blend technology, risk, business continuity, and regulatory knowledge. This affects recruitment profiles and internal mobility.
- Formalised roles and responsibilities
DORA places ultimate responsibility for ICT risk on the management body, and expects clearly defined responsibilities beneath it: CIO, CISO, CRO, risk, audit and frontline operations all have a role in resilience. HR should revisit job descriptions and RACI charts to ensure responsibilities are clear and defensible.
- Resilience as everyday culture
More staff will be involved in simulations, crisis exercises and cross-functional training. Soft skills (communication, decision-making under pressure) become as important as technical skills.
Result: expanded resilience and vendor risk teams, closer HR-risk-technology collaboration, and increased competition for professionals with both financial regulation and cyber/IT risk experience.
CRA: Cyber skills embedded in product and engineering
The Cyber Resilience Act (Regulation (EU) 2024/2847) entered into force in December 2024. Its obligations to report actively exploited vulnerabilities and severe incidents apply from September 2026, and the main obligations from December 2027. It covers manufacturers, software developers, importers and distributors of products with digital elements.
Workforce implications:
- Security-by-design capabilities (secure coding, architecture, threat modelling, vulnerability handling) must be built into product, engineering, and DevOps roles.
- Product managers, release managers, and support teams will need at least foundational cyber and regulatory awareness.
- Cyber capability must be distributed across functions, not centralised only in the security team.
Result: growing need for DevSecOps, secure software and firmware specialists, and product managers with security-by-design experience. Because secure engineering skills take years to build, forward-looking organisations will start multi-year upskilling now rather than waiting for the 2027 deadline.
ECSF & SFIA: Turning regulation into skills and roles
NIS2, DORA and CRA define what must be achieved; ECSF and SFIA help define who should do the work and with which competencies.
- ECSF describes 12 cyber roles with tasks, skills, and knowledge areas.
- SFIA provides a global framework for digital, IT and cyber skills at different levels.
Together, they enable HR and CISOs to:
- Map regulatory requirements to specific roles and skill levels.
- Redesign job descriptions and career paths.
- Conduct skills gap analyses.
- Build role-based learning and certification pathways.
- Present robust evidence of organisational competence to auditors and regulators.
What HR and CISOs Should Do Next
- Build a joint HR–CISO cyber workforce strategy aligned to NIS2, DORA and CRA.
- Update role profiles and job descriptions using ECSF/SFIA.
- Run a skills gap analysis in high-risk areas.
- Move from generic awareness to tiered, role-based training with recognised certifications.
- Use internal mobility and reskilling to fill cyber, GRC, DevSecOps and resilience roles.
Regulatory timelines are fixed; talent pipelines are not. The organisations that act now, through a coordinated HR and CISO agenda, will be the ones that stay both compliant and resilient.
Global Directives and CompTIA: Turning regulation into skills, roles, and certifications
To operationalise the regulations and frameworks above, many organisations are also looking for industry certifications, such as Security+, CySA+, PenTest+ and SecurityX, that can be clearly mapped to NIS2, DORA, CRA, ECSF and SFIA.
- CompTIA certifications are mapped against these frameworks and the key directives, giving HR and CISOs a practical way to connect regulatory requirements → roles → skills → certifications.
You can explore how CompTIA certifications align with NIS2, DORA, CRA, ECSF and SFIA, identify suitable pathways for different roles, or contact our team about your compliance needs on the Global Skills Directives and Frameworks page.