The Regulation Is Here. Is Your Team Ready?
- Interval Group

- Jun 8

What NIS2 and the EU AI Act mean for hiring managers and business leaders
Two of the most significant pieces of European regulation in a generation are now in force. The NIS2 Directive (Directive (EU) 2022/2555) and the EU AI Act (Regulation (EU) 2024/1689) between them cover tens of thousands of organisations across the EU, touching everything from cybersecurity governance to how AI tools are used in the workplace. For many businesses, the compliance burden has arrived faster than the talent to address it.
At Interval, we work at the intersection of regulatory change and workforce planning. What we're seeing on the ground is consistent: organisations understand the obligations in theory but are struggling to translate them into the right hires and the right team structures. This article sets out what both frameworks require, why they have direct implications for how you build and resource your teams, and what a credible response looks like.
NIS2: Cybersecurity as a Governance Obligation
The NIS2 Directive, formally Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022, entered into force across the EU in January 2023 with a transposition deadline of October 2024. Germany's national implementation — the Gesetz zur Umsetzung der NIS-2-Richtlinie — was published in the Federal Gazette in December 2025 and is now in force.
The directive establishes, in the European Commission's own description, "a unified legal framework to uphold cybersecurity in 18 critical sectors across the EU" and "calls on Member States to define national cybersecurity strategies and collaborate with the EU for cross-border reaction and enforcement." (European Commission — NIS2 Directive: securing network and information systems)
Who is in scope
NIS2 significantly expands the scope of its predecessor. It covers two categories of entity: essential entities and important entities, determined by sector and size. The sectors covered span energy, transport, health, financial market infrastructure, water, digital infrastructure, public administration, space, post and courier services, waste management, chemicals, food production, manufacturing, digital services and research.
For many organisations that previously sat outside the regulatory perimeter, NIS2 changes that position entirely.
What is required
The obligations under NIS2 are substantive. Under Article 21 of the Directive, covered entities are required to implement risk management measures including:
- Risk analysis and information system security policies
- Incident handling and response
- Business continuity, backup management and disaster recovery
- Supply chain security
- Security in network and information systems acquisition, development and maintenance
- Policies and procedures to assess the effectiveness of cybersecurity risk-management measures
- Cybersecurity training and basic cyber hygiene practices
- Human resources security, access control policies and asset management
- Use of multi-factor authentication and continuous authentication solutions
- Secured emergency communications
The full text of Article 21 is available at: EUR-Lex — Directive (EU) 2022/2555
What this means for your team
This is not a compliance checkbox exercise that can be owned by a single person in the legal or IT department. NIS2 requires a governance approach that runs across the business, with accountability sitting at board and management level. In Germany specifically, management bears personal liability for failures to implement the required measures, with fines reaching up to €10 million or 2% of global turnover for essential entities.
The practical consequence is that organisations need people who understand both the technical and governance dimensions of cybersecurity. Security Operations Engineers, Information Security Risk and Compliance Specialists, GRC (Governance, Risk and Compliance) leads, and CISO-level professionals are in high demand. The pipeline is thin. Organisations that treat these as roles to fill reactively, after a regulatory trigger, will find themselves at the back of a very long queue.
The EU AI Act: A New Category of Compliance Risk
The EU AI Act — Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 — is the world's first comprehensive regulatory framework for artificial intelligence. It entered into force on 1 August 2024 and operates on a phased implementation schedule. The European Commission describes it as establishing "a risk-based set of rules for AI developers and deployers regarding specific uses of AI." (European Commission — AI Act)
The official text is available at: EUR-Lex — Regulation (EU) 2024/1689
A risk-based framework
The Act classifies AI systems into four categories. Prohibited practices have been enforceable since February 2025, including certain uses of biometric categorisation and emotion recognition in workplace settings. The critical deadline for most organisations is 2 August 2026, when the full obligations for high-risk AI systems under Annex III become enforceable.
High-risk systems under Annex III include AI used in employment and HR decisions: recruitment, candidate screening and ranking, performance monitoring, and certain decisions about promotion or termination. If your organisation uses any AI-assisted tooling in these areas, those tools are likely classified as high-risk under the Act and subject to its full compliance requirements.
What is required for high-risk systems
Organisations deploying high-risk AI systems must comply with requirements including:
- Risk management systems for the lifecycle of the AI system
- Data governance and management practices
- Technical documentation and record-keeping
- Transparency and provision of information to users
- Human oversight measures
- Accuracy, robustness and cybersecurity standards
- Registration in the EU database of high-risk AI systems
For hiring managers and HR leaders, this has direct and immediate implications. AI tools already embedded in applicant tracking systems, CV screening platforms or workforce analytics tools may fall within scope. The obligation to ensure human oversight, maintain documentation and demonstrate that the AI system does not produce discriminatory outputs requires dedicated expertise that most HR functions do not currently have.
The extraterritorial dimension
It is worth noting that the AI Act has extraterritorial reach. Organisations outside the EU are covered if their AI systems are used in relation to EU-based individuals — including when recruiting EU candidates or evaluating EU-based employees. This makes the Act relevant well beyond European-headquartered businesses.
The Talent Implication: A New Type of Professional
Taken together, NIS2 and the EU AI Act are creating a new category of professional demand that sits at the intersection of technology, governance and regulatory compliance. It is not a pure IT role. It is not a pure legal or compliance role. It requires people who can move fluently between technical implementation and regulatory frameworks, and who understand what good looks like in a rapidly evolving environment.
The profiles most in demand right now as a direct consequence of these frameworks include:
- Cybersecurity and information security specialists — particularly those with NIS2-specific experience, an understanding of risk management frameworks such as ISO 27001, and practical exposure to incident response and reporting obligations.
- GRC professionals — Governance, Risk and Compliance leads who can translate regulatory requirements into operational programmes, manage relationships with regulators, and build internal audit and assurance functions.
- AI governance and compliance specialists — a relatively new profile, but one growing quickly. Organisations need people who understand how AI systems are classified under the Act, can conduct conformity assessments, and can implement the human oversight and documentation requirements for high-risk systems.
- Data and platform engineers with security awareness — technical professionals who understand that regulatory frameworks now extend into the architecture of systems, not just the policies written around them.
- Programme and project managers with regulatory delivery experience — compliance programmes of this scale require experienced delivery leads who can manage cross-functional workstreams, engage with regulators, and report credibly to boards.
What a Credible Response Looks Like
For most organisations, the gap between regulatory obligation and current team capability is real. Closing it requires a deliberate approach to workforce planning, not just recruitment.
The organisations we work with that are handling this well tend to do a few things consistently. They map their obligations clearly before they hire, so they understand what skills they actually need rather than defaulting to a job title. They think across permanent hires, contract expertise and advisory support, recognising that different parts of the compliance programme require different engagement models. And they act early — the talent market for these profiles is competitive and moving quickly.
At Interval, we work across Technology, Strategy and Finance to help organisations build the teams that regulatory change demands. That means understanding the frameworks, knowing the talent landscape, and placing people who can actually deliver — not just tick a compliance box.
If you are working through your response to NIS2, the EU AI Act, or both, and want to understand what the right team structure looks like, we are happy to have that conversation.
References
Directive (EU) 2022/2555 — NIS2 Directive, EUR-Lex: https://eur-lex.europa.eu/eli/dir/2022/2555/oj/eng
European Commission — NIS2 Directive overview: https://digital-strategy.ec.europa.eu/en/policies/nis2-directive
Regulation (EU) 2024/1689 — EU AI Act, EUR-Lex: https://eur-lex.europa.eu/eli/reg/2024/1689/oj/eng
European Commission — EU AI Act overview: https://digital-strategy.ec.europa.eu/en/policies/regulatory-framework-ai