
CISO (Chief Information Security Officer): Salary and Responsibilities in 2026

CISO / CISO job profile: missions, skills, salary, career paths. Custom tech recruitment by Bluecoders.

The CISO (Chief Information Security Officer) is the executive responsible for cybersecurity at a company. They define the security strategy, lead the defence team (SOC, AppSec, GRC), manage critical incidents, and own the security topic at the C-suite and board level.

The CISO is not just a technician: they are a leader who speaks to the CEO, negotiates the security budget, and bears legal responsibility in the event of a major breach.

Job profile last updated on 18/06/2026.

Why hire a CISO?

Any scale-up that exceeds 100–200 people or handles sensitive data (health, finance, defence, B2B data) needs a dedicated CISO. Client requirements (SOC2, ISO 27001), regulatory pressure (GDPR, NIS2, DORA, AI Act), and the cyber threat landscape (ransomware, targeted phishing, supply chain attacks) can no longer be managed on a "best-effort" basis by the CTO.

Without a CISO, certifications stall, security budgets are under-invested, and cyber risk is carried by the CEO alone by default.

The CISO in the NIS2 era: a role under regulatory pressure

Since the NIS2 directive came into force in October 2024, the nature of the CISO role has changed fundamentally. It is no longer just a technical or organisational challenge — it is now a legal obligation for which company leaders are personally accountable. NIS2 significantly expands the scope of entities subject to cybersecurity requirements (from ~500 entities under NIS1 to more than 15,000 under NIS2 across the EU), covering essential sectors (energy, transport, health, finance, water, digital infrastructure) and so-called "important entities" (postal services, waste management, chemicals, food, critical manufacturing).

Concretely, NIS2 imposes three major changes that the CISO must drive: the obligation to report incidents within 24 hours to the competent national authority (followed by a full report within 72h), the personal liability of senior management in the event of non-compliance with security requirements (potentially including a temporary ban on holding office), and the implementation of documented, auditable cyber risk management measures. This regulatory pressure makes the CISO an essential interlocutor at the C-suite level, often positioned with a direct reporting line to the CEO.

On the recruitment front, NIS2's entry into force triggered a sharp rise in demand for CISOs and GRC (Governance, Risk, Compliance) professionals across Europe. Companies newly subject to the directive found themselves urgently needing to structure their security governance. The shortage of qualified profiles — capable of combining technical expertise, regulatory mastery, and executive communication — has intensified further. Recruitment timelines for this profile regularly exceed 4 to 6 months.

For financial sector players, DORA (Digital Operational Resilience Act) adds a further layer of requirements since January 2025: mandatory digital operational resilience testing (notably TLPT — Threat-Led Penetration Tests), mapping of dependencies on critical third-party providers, and formalised business continuity plans. Finally, the AI Act introduces new compliance workstreams for CISOs regarding high-risk AI systems. In 2026, the CISO must therefore simultaneously steer three major regulatory frameworks — NIS2, DORA, and the AI Act — which demands a dedicated internal organisation (compliance committee, regulatory dashboards, legal interlocutors) and often an expansion of the GRC team.

What role does the CISO play?

The CISO typically reports to the CEO, COO, or General Manager. They manage a security team (variable by company size: SOC, AppSec engineers, GRC analysts) and coordinate with IT, Tech, and Legal teams. They define the security plan, sponsor certifications, and coordinate incident response.

They are also the external point of contact on security: auditors, clients in security questionnaires, authorities (data protection authorities, national cyber agencies), and cyber insurers.

What are the CISO's missions?

  • Define the security strategy: 3–5 year roadmap, maturity model (NIST CSF, ISO 27001).
  • Manage certifications: SOC2, ISO 27001, HDS, PCI DSS, depending on sector.
  • Run the SOC and incident response: detection, investigation, remediation, crisis communication.
  • Drive risk governance: risk assessment, treatment plan, security committee.
  • Manage the security team: hiring, organisation, skills development.
  • Ensure compliance: GDPR, NIS2, DORA, AI Act, sectoral compliance.
  • Build security culture: training, phishing simulations, company-wide security awareness.

What are the key skills?

  • 10+ years of experience in cybersecurity, including 3+ in management
  • Mastery of standards and frameworks (ISO 27001, NIST CSF, SOC2, GDPR)
  • Real technical knowledge (offensive and defensive: pentest, IR, AppSec, IAM)
  • Crisis management experience (a breach, a ransomware attack, an external audit)
  • Management and budget skills
  • Legal and regulatory sensitivity

Soft skills

Executive communication (speaking to the board, to a journalist after an incident), composure under crisis, the ability to say no to the business (refusing a risky shortcut), pedagogy to grow internal security culture, and leadership under regulatory pressure.

What is the salary of a CISO?

A CISO in France typically earns €90K–€150K gross annual base salary plus a 15–25% variable component. In a sensitive sector (banking, defence, health, critical infrastructure) or a unicorn, the base salary exceeds €180K. Equity (warrants, RSUs) is commonly added in startup/scale-up contexts.

How does a CISO's career evolve?

Typical next steps are Group CISO in a large group, COO, or board security advisor. Some join a consulting firm (Wavestone, Big4) as a cyber Partner, or become a high-day-rate independent consultant. A few exit into security startups (as CEO of a cyber company).


FAQ about the CISO role (Chief Information Security Officer)

What is the difference between a CISO and a Head of Security?

The Head of Security is more of an operational and technical role: they manage the security team, run AppSec, SOC, and GRC projects, and report to a CISO or the CTO. The CISO is an executive: they sit on the C-suite, define the 3–5 year security strategy, manage the overall security budget, and engage the company's legal liability. In early-stage scale-ups, a single profile often combines both roles.

At what point should a company hire a CISO?

Trigger signals: exceeding 100–200 employees or handling sensitive data (health, finance, defence), receiving security questionnaires from clients that block deals, starting an ISO 27001 or SOC2 certification, facing NIS2 or DORA regulatory pressure, or suffering a cyber incident that reveals the absence of security governance. Below that threshold, a Head of Security or senior Security Engineer may suffice.

What is the salary of a CISO in France in 2026?

A CISO at a scale-up typically earns between €90,000 and €150,000 gross per year, with a variable of 15 to 25%. In a sensitive sector (banking, defence, health, critical infrastructure operator) or a unicorn, the base can exceed €180,000. Equity packages (warrants, RSUs) are frequently added in startup/scale-up contexts to align interests over time.

What certifications are essential for a CISO?

The most recognised certifications: CISSP (Certified Information Systems Security Professional), CISM (Certified Information Security Manager), ISO 27001 Lead Implementer or Lead Auditor. For regulated markets: CDPSE (privacy), PCI QSA (payments), HDS (health). Technical certifications (CEH, OSCP) are useful early in a career but secondary for a CISO who must first master governance and executive communication.

How does a CISO manage a major security incident?

Crisis management follows an incident response plan prepared in advance: detection (SOC/SIEM), containment (isolation of compromised systems), eradication (malware removal, patching), recovery (restoration from clean backups), and post-mortem. The CISO coordinates the technical teams but also the crisis communication: leadership, clients, authorities (data protection authorities, national cyber agencies), cyber insurers, and sometimes media. Preparation (simulation exercises, continuity plans) is as critical as the response itself.

What regulations must a CISO master in 2026?

The regulatory landscape has tightened considerably: GDPR (personal data protection, with fines up to 4% of global revenue), NIS2 (network and information system security for essential and important entities, since October 2024), DORA (digital operational resilience for the financial sector, since January 2025), AI Act (obligations on high-risk AI systems). In certain sectors: HDS (health), PCI DSS (payments), and national cyber agency requirements for critical infrastructure operators.

How is the CISO role evolving in the face of growing cyber threats?

The threat evolves rapidly: ransomware-as-a-service, supply chain attacks, AI-generated phishing, and vulnerabilities in cloud and IoT environments. The CISO must integrate new disciplines: AI security (prompt injection, data poisoning), cloud security (CSPM, CNAPP), and OT/IoT resilience for industrial companies. The role is becoming increasingly strategic and legally exposed — some jurisdictions already impose personal liability on the CISO in the event of a breach.

What is the difference between NIS2 and DORA?

NIS2 is a horizontal directive that applies to essential and important entities across many sectors, imposing baseline cybersecurity requirements (risk management, incident reporting, supply chain security). DORA is sector-specific to financial entities (banks, insurers, asset managers, payment institutions) and goes further on operational resilience: mandatory threat-led penetration tests (TLPT), third-party ICT risk management, and digital operational resilience testing programmes. For a CISO in the financial sector, both frameworks apply simultaneously.
