5 Myths About NIS2 and Cybersecurity Hiring, Debunked

There's a comforting story we tell ourselves about cybersecurity compliance. It goes roughly like this: buy the right tools, tick the right boxes, frame the certificate, sleep soundly.

On October 17, 2024, NIS2 walked into that story, sat down, and ordered something a lot stronger.

The directive — officially Directive (EU) 2022/2555, though nobody outside Brussels says that out loud — now reaches around 160,000 organizations across the EU, up from roughly 11,000 under the old rules. Energy, banking, health, transport, water, digital infrastructure, public administration, even food production. If you do business in Europe, the question stopped being "does this apply to us?" and quietly became "are we an 'essential' entity, or merely an 'important' one?"

(Spoiler: neither category comes with a gift basket.)

And here's where most of those 160,000 organizations took a wrong turn. They read the words "cybersecurity directive" and reached, instinctively, for the firewall budget. But NIS2 isn't really about your firewall. It's about the people sitting behind it — the ones you hired, the ones you're about to hire, and the ones you'll have to prove are good at their jobs.

That changes recruitment more than anyone warned you. So let's take five myths out behind the building.

Myth 1: "NIS2 is the IT department's problem."

It would be lovely if it were. It is not.

Article 20 of NIS2 does something the old directive politely avoided: it makes the management body personally responsible for approving and supervising cybersecurity risk measures. Fines can reach €10M or 2% of global annual turnover, and in serious cases, members of management can be temporarily banned from holding managerial functions. Germany, France, the Netherlands and Poland all kept that language when they transposed the directive. So no, this isn't a clause that lives quietly in the IT basement.

I once watched a CTO sign off on a brand-new security team in about the time it takes to order lunch. "Strong CVs," he said. Eighteen months later, sitting across from an auditor, "strong CVs" was not the bulletproof answer he'd hoped for. The question on the table was simpler and far less comfortable: what evidence do you have that this team can actually do the job?

Bottom line: Verifying competence before you sign the offer letter costs a fraction of one disputed audit finding — and it keeps your board's name off the part of the report nobody wants to read aloud.

Myth 2: "A one-hour security awareness video ticks the box."

You know the video. Everyone clicks through it during lunch, muting the narrator, hunting for the "next" button like it owes them money.

Read Article 21 together with the European Commission's Implementing Regulation 2024/2690 (October 2024), and a quieter requirement emerges — the one nobody summarizes correctly. You have to be able to show an auditor, on demand, that the people working on in-scope systems have verified, documented competence appropriate to their role; that the verification is ongoing, not a one-time handshake at onboarding; and that the evidence is reproducible — run the same check again, get the same answer. The regulation even points to ENISA's European Cybersecurity Skills Framework as the reference for what "competent for this role" actually means.

In other words: the lunchtime video is a lovely gesture. It is not a competence record. Not in 2026, not in 2027.

Bottom line: A platform that runs role-specific tests and stores timestamped, re-runnable reports does roughly 80% of your audit prep for you — turning a multi-week scramble into an afternoon of clicking "export."

Myth 3: "The CV is proof. Look, there are certificates."

Ah, the certificate. Beautiful font. Impressive logo. Tells you a person sat an exam on a Tuesday in 2019 and has, technically, owned the certificate ever since.

Which brings me back to my friend's "Senior SOC Analyst." Wonderful interview. Right vocabulary, right acronyms, the confident nod. He just couldn't actually do the work — and in cybersecurity, that's not an awkward HR conversation. That's system access, privileged credentials, and a person you now have to carefully un-hire. An auditor doesn't care how the CV reads. An auditor wants to see the candidate solve the problem, today, in a way you can show again next quarter.

Bottom line: An objective check at the hiring stage costs less than a single bad security hire — and a bad security hire is one of the most expensive mistakes a regulated company can make.

Myth 4: "We'll just hire more people. How hard can it be?"

Reader, it is hard.

The (ISC)² Workforce Study put the global cybersecurity talent gap at 4.8 million people in 2024. In the EU alone, ENISA estimates a shortfall of around 700,000 specialists, and NIS2 is widely expected to add to that demand as 160,000 newly covered organizations all reach for the same talent at once. Salaries are climbing. Your competition now includes companies that, until last year, didn't employ a single security professional and suddenly need five.

In a market this tight, the bottleneck isn't usually the budget. It's your existing security team, the very people you keep pulling out of real work to sit on yet another technical interview. Every hour your best analyst spends grading a stranger's take-home test is an hour they're not defending you.

Bottom line: The companies that win this race are the ones that verify competence fast and objectively — at hire and continuously — without setting fire to their senior team's calendar. Speed and a free senior team: that's the saving.

An image of a stressed candidate trying to demonstrate his competence through a stack of paper certificates.

Myth 5: "We'll prep for the audit the week before."

I love the optimism. I do.

Here's what the audit actually looks for, based on the playbooks emerging in Germany (BSI) and Poland (CSIRT-MON): the list of in-scope roles; the documented competence requirements for each; the documented evidence for each individual, as of the audit date; how often you re-verify; and proof that competence gaps get tracked and closed.

Now picture producing all of that from a folder of PDF certificates dated 2019. Congratulations — that's an excellent cardio workout, sprinting to your lawyer's office. Picture producing it instead from a system that runs the tests, generates the reports, and stamps each one with a date. One of those mornings ends in coffee. The other ends in a meeting nobody enjoys.

Bottom line: Continuous, timestamped evidence means the audit prep is already done before the auditor emails — saving you weeks of panic and dramatically lowering the odds of that 2%-of-turnover conversation.

So where does this leave you?

If you're a recruiter, NIS2 just quietly rewrote your job: you're no longer screening CVs, you're producing audit-grade evidence. If you're a CEO or on a management board, the directive put your name on the line in a way it never was before. And if you're an engineer who's tired of being yanked into interviews — there's good news buried in here for you too.

I'm a co-founder of cp.center, so I'll be honest about my bias: we built our platform precisely for this moment. Deep cybersecurity coverage — SOC, incident response, threat hunting, malware analysis, forensics, red team, blue team, cloud — with hands-on labs on real Azure machines, reproducible timestamped reports, and private instances so candidate data never leaves your environment. We're not the only possible answer to "how do you verify competence." But we'd rather hear from you now than six weeks before an audit, at panic o'clock.

You can run three tests for free, no credit card, and see for yourself what audit-grade competence verification actually looks like: cp.center.

And if you take nothing else from this: the next time someone waves a CV and says "trust me, they're senior" — ask them the auditor's question. It's a good habit. It might even save you a folder of certificates dated 2019.
