DORA, NIS2 and Cyber Resilience Act Jobs UK 2026: The Compliance Hiring Wave


A 2026 guide to DORA jobs UK, NIS2 cyber jobs UK and Cyber Resilience Act jobs UK. Salary bands, top employers, certifications and FAQs for UK cyber compliance hiring.

The Short Answer

If you are scanning the UK market for DORA jobs UK, NIS2 cyber jobs UK or cyber resilience act jobs UK roles in 2026, the picture is unusually busy. Three overlapping pieces of EU regulation — the Digital Operational Resilience Act (DORA), the NIS2 Directive and the Cyber Resilience Act (CRA) — combined with the UK's own Cyber Security and Resilience Bill, have created what most recruiters describe as a sustained compliance hiring wave rather than a short-term spike.

DORA has been enforced since 17 January 2025 for financial services firms with EU operations, and most UK banks, insurers and asset managers with EU subsidiaries have spent the past 18 months building out dedicated teams. NIS2 transposition continues to vary across EU member states, but UK suppliers are increasingly being pulled into scope contractually. The Cyber Resilience Act applies in full from late 2027 and is already shaping product-security hiring. Domestically, the UK Cyber Security and Resilience Bill was introduced to Parliament on 12 November 2025, with Royal Assent broadly expected in late 2026.

Who is hiring? Tier-one banks (HSBC, Barclays, Lloyds, NatWest, Standard Chartered), London-based US institutions (JPMorgan, Goldman Sachs), the Big Four and challenger consultancies (PwC, Deloitte, KPMG, EY, BDO, Crowe), and UK regulators including the FCA, PRA and ICO. Typical 2026 salary bands sit at roughly £55,000–£80,000 for mid-level analysts, £85,000–£130,000 for senior managers and £140,000–£200,000+ for heads of resilience, with London commanding a clear premium over Edinburgh and Manchester.

What Are DORA, NIS2 and the Cyber Resilience Act?

These three regulations sit alongside each other but address different problems, and it is worth being precise because UK job descriptions sometimes conflate them.

The Digital Operational Resilience Act (DORA) is an EU regulation targeting financial entities — banks, insurers, investment firms, crypto-asset service providers, trading venues and their critical ICT third-party providers. It has been directly applicable across the EU since 17 January 2025. DORA harmonises rules on ICT risk management, incident reporting, resilience testing (including threat-led penetration testing) and third-party risk. It brings critical ICT third-party providers under direct EU oversight regardless of where they are headquartered, which is why UK cloud, SaaS and managed-services firms are now being audited by their EU financial-sector customers.

The NIS2 Directive is broader. It updates the 2016 NIS Directive and expands sectors in scope — energy, transport, banking, health, digital infrastructure, public administration, space, postal services, food production, manufacturing of critical products, digital service providers and more. The transposition deadline was 17 October 2024, although several member states are still finalising national laws into 2026. The UK is not directly in scope, but UK suppliers to EU entities are routinely pulled in via contractual flow-down.

The Cyber Resilience Act (CRA) is the EU's product-security regulation, imposing mandatory cybersecurity requirements on hardware and software products with digital elements placed on the EU market. Reporting obligations for actively exploited vulnerabilities apply from September 2026, with the main obligations applying in full from late 2027. The CRA is genuinely extraterritorial — any UK firm shipping connected devices, embedded software or commercial software into the EU has to comply.

The UK Cyber Security and Resilience Bill was introduced to Parliament on 12 November 2025. It does not implement NIS2 or DORA, but broadly modernises the UK NIS Regulations along similar lines: expanded scope (notably to managed service providers and data centres), tougher incident reporting, stronger supply-chain oversight, and direct regulation of certain critical suppliers. Royal Assent is widely expected in late 2026, with phased implementation likely running into 2028.

Why UK Firms Are Hiring for This Right Now

A common question we hear is some variant of: "Brexit happened — why does any of this affect UK hiring?" The short answer is that the regulations are extraterritorial in effect, even where they are not extraterritorial by design.

First, DORA's third-country provider regime means UK ICT firms designated as "critical" by the European Supervisory Authorities can be directly overseen from Frankfurt or Paris. Even where firms are not formally designated, their EU financial-sector customers must perform DORA-aligned due diligence, which translates into UK suppliers staffing up compliance and assurance functions.

Second, UK financial groups almost universally have EU subsidiaries. HSBC Continental Europe, Barclays Bank Ireland, Lloyds Bank Luxembourg, NatWest Markets in Frankfurt and Amsterdam — all are in DORA scope, and the easiest way to keep group-wide policies coherent is to apply DORA-equivalent controls in the UK head office too.

Third, NIS2 supply-chain obligations push compliance down the chain. A German KRITIS-listed manufacturer cannot tick its NIS2 supplier-risk box without evidence from its UK-based MSP, cloud reseller or cybersecurity consultancy.

Fourth, the penalties focus minds. NIS2 caps fines at the higher of €10 million or 2% of global annual turnover for essential entities, and CRA fines reach up to €15 million or 2.5% of global turnover for the most serious breaches. UK boards have generally concluded that a permanent compliance hire is cheaper than a regulatory finding.

Finally, the UK Cyber Security and Resilience Bill is creating its own demand. MSPs, data centre operators and digital infrastructure firms are anticipating direct UK regulation for the first time, and they are hiring ahead of Royal Assent rather than after.

Which UK Roles Exist?

The job titles in this space are still settling, and we'd encourage candidates to read job specifications closely rather than relying on titles. That said, six recognisable patterns have emerged in the 2026 UK market.

  • DORA Compliance Lead / Programme Manager. Owns end-to-end DORA implementation for a financial entity or critical third-party provider. Reports into a CRO, CISO or Head of Operational Resilience. Heavy on policy mapping and regulator engagement.

  • ICT Risk Manager. A more technical seat focused on DORA Articles 6–15: ICT risk frameworks, asset inventories, vulnerability management and resilience testing. Sits inside a second-line risk function.

  • Third-Party / Supply-Chain Risk Analyst. Runs the DORA Articles 28–30 register-of-information work, NIS2 supplier assurance, and contractual remediation. High-volume: hundreds of suppliers to assess.

  • Cyber Resilience Architect. Designs the technical controls underpinning operational resilience — recovery patterns, segmentation, immutable backups, threat-led penetration testing scopes.

  • NIS2 Transposition Specialist. Mostly at consultancies and UK firms with multi-jurisdictional EU footprints. Tracks national transposition laws (Germany's NIS2UmsuCG, France's transposition law, Ireland's National Cyber Security Bill).

  • CRA Product Security Engineer. Embedded in product teams. Owns secure-by-default configurations, SBOMs, vulnerability disclosure and CRA technical documentation for CE marking.

What Do These Roles Pay?

Compliance-focused cyber roles tend to pay below pure-tech cyber (think red teamers or detection engineers) at equivalent seniority, but they typically come with strong stability, predictable hours and clearer career ladders. Based on UK recruiter conversations and advertised salaries in 2026, indicative London bands look broadly like this:

  • Third-Party Risk Analyst (1–4 years' experience): £50,000–£70,000 in London; roughly 10–15% lower in Edinburgh, Manchester or Leeds.

  • ICT Risk Manager / DORA Analyst (mid-level): £70,000–£95,000 in London; £60,000–£80,000 regionally.

  • DORA Compliance Lead / Cyber Resilience Architect (senior): £100,000–£140,000 base, with bonuses of 15–30% typical at tier-one banks.

  • Head of Operational Resilience / Head of ICT Risk: £140,000–£200,000+ base in London, with total compensation frequently above £250,000 at the largest financial groups.

  • CRA Product Security Engineer: £80,000–£130,000 depending on whether the role is closer to product engineering (higher) or to compliance (lower).

Consultancy day rates for interim DORA and NIS2 specialists have generally tracked between £700 and £1,400 per day through the first half of 2026, with the upper end reserved for candidates who can combine regulatory fluency with hands-on resilience-testing experience.

Top UK Employers Hiring

The hiring base is wide, but a few clusters dominate the volume.

UK and international banks with EU operations: HSBC, Barclays, Lloyds Banking Group, NatWest Group and Standard Chartered have all been building out resilience and ICT-risk functions across London, Edinburgh and Manchester. Among US banks with London hubs, JPMorgan and Goldman Sachs have been particularly active on DORA and operational resilience hiring.

Consultancies and audit firms: PwC Risk Assurance, Deloitte Cyber, KPMG, EY, BDO and Crowe all run dedicated DORA, NIS2 and operational resilience practices. These firms are the easiest entry point for candidates without prior compliance experience.

UK regulators and public-sector bodies: the Financial Conduct Authority (FCA) and Prudential Regulation Authority (PRA) continue to expand cyber and operational-resilience supervision teams, and the Information Commissioner's Office (ICO) has been recruiting around the intersection of cyber incidents and data-protection enforcement.

Tech and infrastructure firms: UK-headquartered managed service providers, data centre operators and SaaS firms with EU customers are hiring, often for their first dedicated compliance hires in anticipation of the Cyber Security and Resilience Bill.

Skills and Certifications UK Employers Want

Hiring managers in this space typically look for a mix of regulatory literacy, audit fluency and at least some technical credibility. The certifications that appear most often in 2026 UK job specifications include:

  • CISA (Certified Information Systems Auditor) — the default credential for ICT audit and risk roles, and frequently a hard requirement at the Big Four.

  • CRISC (Certified in Risk and Information Systems Control) — popular for ICT risk and third-party risk roles.

  • ISO 22301 lead implementer or lead auditor — useful for business continuity and operational resilience work.

  • ISO 27001 lead implementer or lead auditor — still the most widely cited information-security management credential.

  • ITIL Foundation or Practitioner — appears in roles that touch service management, change management and incident response handovers.

  • CISM, CISSP — appear at senior levels, particularly where the role bridges into security strategy.

Beyond certifications, employers flag four skill clusters: detailed knowledge of EU regulations (DORA RTS, NIS2 implementing acts, CRA technical documentation), third-party risk management at scale, incident-reporting workflows aligned to EU tiered timelines, and the ability to translate between auditors, regulators and engineers. Bilingual candidates (English plus French, German or Dutch) tend to command a small premium in roles serving EU subsidiaries.

Frequently Asked Questions: DORA NIS2 Jobs UK

Do I need a financial-services background to work on DORA in the UK?

Not necessarily, but it helps. Pure compliance hires from outside financial services do get made, particularly at consultancies, but most UK banks prefer candidates who already understand the regulatory architecture (FCA, PRA, SS2/21 operational resilience rules) into which DORA slots. Candidates from telecoms, utilities or critical national infrastructure can often translate effectively.

Are NIS2 jobs in the UK real, given the UK is outside the EU?

Yes, in two ways. First, UK suppliers to EU entities are pulled in via contractual flow-down. Second, the UK Cyber Security and Resilience Bill creates a domestic regime that is broadly NIS2-adjacent, so familiarity with NIS2 transfers well. We'd avoid roles advertised as "NIS2 specialist" without any UK context, because they may actually be EU-based positions misrouted to UK boards.

How does the Cyber Resilience Act differ from DORA in hiring terms?

CRA roles sit much closer to product and engineering teams than DORA roles. If you enjoy SBOM tooling, secure development lifecycles and vulnerability disclosure, CRA work is likely to feel more natural than DORA's policy-heavy environment. The two communities currently overlap less than you might expect.

Where in the UK are these roles concentrated?

London dominates, particularly for financial-services roles, but Edinburgh has a strong cluster around Lloyds, NatWest, RBS Group and Standard Life, and Manchester has been growing around the back-office and risk hubs of several major banks. Belfast and Glasgow are also worth tracking for consultancy delivery roles.

Will the UK Cyber Security and Resilience Bill replace DORA or NIS2 considerations for UK firms?

Almost certainly not. The Bill is a domestic modernisation of the existing NIS Regulations rather than a full equivalent of NIS2, and it does not touch financial-services operational resilience in the way DORA does. UK firms with EU exposure will likely need to track all four regimes in parallel through at least 2027.

Can I move from a generalist GRC role into DORA or NIS2 work?

Yes, and this is currently one of the more reliable transitions in UK cyber. Candidates with ISO 27001 audit experience, supplier-assurance backgrounds or operational-risk experience generally upskill into DORA or NIS2 within 6–12 months, often via a consultancy stint. CISA or CRISC qualifications materially accelerate that move.

Summary

The 2026 UK market for DORA jobs UK, NIS2 cyber jobs UK and cyber resilience act jobs UK roles is shaped by overlapping EU regulation, the impending UK Cyber Security and Resilience Bill, and persistent demand from financial services, consultancies and regulators. Salaries sit broadly between £50,000 for junior analysts and £200,000+ for heads of resilience, with London commanding a premium over Edinburgh and Manchester. Employers consistently ask for CISA, CRISC, ISO 22301 and ISO 27001 alongside genuine fluency in the underlying EU regulations. For candidates moving from generalist GRC, audit or operational risk, the route in is unusually clear — and the work is unlikely to dry up before the next wave of UK and EU rules lands in 2027–2028.

Looking for live UK cyber compliance vacancies? Browse the latest DORA, NIS2 and Cyber Resilience Act roles on cybersecurityjobs.tech — the UK's specialist cyber job board.

