If you learned the CISO market in the US, the UK and EU version will feel familiar for about two interviews and then quietly different in ways that cost you offers. The titles mean different things. The regulators sit in the room in a way the SEC still does not. The panels score you differently. And the money is structured differently enough that a naive comparison will either price you out or leave a third of the package on the table.
I run interview loops for senior security hires at a large technology company and compare notes regularly with peers hiring in London, Amsterdam, Frankfurt, and Stockholm. This guide covers the European deltas: market structure, the regulatory layer, interview style, and honest compensation comparisons. For the general process baseline, start with how CISOs get hired.
Titles mean different things here
The single most common mistake US candidates make when searching the UK market is filtering for “CISO” and concluding the market is thin. It is not thin. It is labeled differently.
In the UK, “Head of Information Security” and “Director of Information Security” carry CISO-equivalent scope far more often than they do in the US. A Head of Information Security at a FTSE 250 company frequently owns the full remit: strategy, budget, board reporting, incident command, regulatory relationships. The same title at a US company of similar size usually denotes a lieutenant two levels below the accountable executive. UK title inflation exists, but it runs years behind the US, and plenty of UK boards still consider “Chief” anything below the C-suite proper to be presumptuous.
Three practical consequences:
- Search strategy. Run your searches on “Head of Information Security”, “Director of Information Security”, and “Head of Cyber Security” alongside CISO; in the UK that roughly doubles your real pipeline. The reverse trap also exists: some UK “CISO” postings at smaller firms are security-manager roles wearing the title, so read the spec for board reporting and budget ownership. The VP of Security vs CISO framework for evaluating scope-versus-title applies directly, with the polarity flipped.
- Title negotiation. If a UK company offers Head of Information Security with genuine CISO scope, negotiating hard for the CISO title can read as status-seeking to a British panel and is often not worth the capital. Negotiate instead for a written commitment that you present to the board or a board committee directly, and for external representation rights with regulators and customers. Those preserve your market value better than three letters.
- CV translation. If you held CISO-scope work under a Head title and later target US roles, spell the scope out explicitly: team size, budget, board cadence, regulator interaction. US recruiters screening by title will otherwise underweight you.
The other structural difference is the interim market. Interim and fractional CISO work is a much larger, more institutionalized market in the UK than in the US, with established networks and specialist agencies that do nothing else, and it is a normal career mode for experienced UK CISOs rather than a euphemism for unemployment. Many permanent searches quietly run an interim in parallel, and interims convert to permanent often enough that a well-placed interim seat is a legitimate route to a permanent one.
The regulatory layer is interview material now
In US loops, regulatory questions are usually one interview among many. In UK and EU loops, especially in financial services, the regulatory layer runs through the entire process. You do not need legal-memo depth. You need interview fluency: the ability to explain what each regime demands, what it changes about the CISO job specifically, and what you would do in the first quarter. Here is that depth.
NIS2 is the one that changes the shape of the role. The directive applies to a wide set of “essential” and “important” entities across the EU, and its most consequential feature is management-body accountability: boards must approve cybersecurity risk-management measures, oversee their implementation, and undergo training, and member state implementations allow directors to be held personally liable for failures, up to temporary bans from exercising management functions. This is the European version of the D&O conversation US CISOs started having after the SEC actions, with one difference: NIS2 formally aims the liability at the management body, which makes the CISO the person who determines whether the board can demonstrate it discharged its duty. The winning interview framing is exactly that: “my job under NIS2 is to make the board’s oversight real and evidenceable.” Panels hear plenty of candidates recite the 24-hour early warning and 72-hour incident notification timelines; far fewer can talk about building the evidence chain that protects the directors.
DORA applies to EU financial entities (banks, insurers, investment firms, payment institutions, and their ICT third-party providers by extension). Interview fluency means being conversational on the ICT risk-management framework and who owns it, threat-led penetration testing (TLPT, built on the TIBER-EU framework, intelligence-led red teaming against production), the register of information for ICT third-party arrangements, and incident classification and reporting. A detail that separates candidates in real loops: the register of information is where most firms are quietly struggling, because it demands contract-level data about the entire ICT supply chain that procurement systems were never built to hold. If you can speak to operationalizing the register, versus buying a GRC module and hoping, you will stand out.
The UK is not NIS2. Post-Brexit, the UK runs its own track. For financial services, the FCA/PRA operational resilience regime is the center of gravity: firms must identify important business services, set impact tolerances (the maximum tolerable disruption, expressed in time and often in customer or market harm), and demonstrate through scenario testing that they can stay within them. UK FS panels probe whether you understand that this regime is about services, not systems: “we restored the server” is not “we stayed within impact tolerance for payments.” Outside FS, the UK’s Cyber Security and Resilience direction of travel broadly tracks NIS2 themes (wider scope, stronger incident reporting, supply chain focus) for UK critical services. You do not need to predict the final text; you need to show you are tracking it.
GDPR breach mechanics still differ meaningfully from the US model, and panels test it. One regulation, 72 hours to the supervisory authority, a risk-based threshold for notifying individuals, and fines calibrated to global turnover: a different operational problem from the US patchwork of state laws. For a US candidate, the tell that you have done your homework is knowing the European decision is less about “which states” and more about the harm-based judgment call on individual notification, made under a 72-hour clock, ideally with a lead supervisory authority relationship already warm before the incident.
How the loops actually differ
The structural process is recognizable: recruiter screen, hiring-executive conversation, panel rounds, a presentation, references. See the full interview guide for the general playbook. The differences are in texture, and they are the ones that quietly kill US-calibrated candidates.
Structured competency interviews are real and scored. Especially in financial services, government-adjacent organizations, and larger UK corporates, expect interviews built around defined competencies with standardized questions and written scoring. “Tell me about a time you influenced a decision at board level against resistance” is not an icebreaker; it is scored against a rubric. Prepare six to eight tight, evidenced stories and let the interviewer’s structure lead. Freelancing charismatically through a structured interview scores poorly even when it feels great in the room.
Calibrate the confidence register. UK and Northern European panels are less impressed by US-style self-promotion. The candidate who narrates every achievement as a personal triumph gets marked down as lacking self-awareness; the same delivery in a US loop reads as executive presence. The adjustment is not false modesty, which panels also detect. It is precision: claim exactly what you did, credit the team where the team did it, and let specifics carry the weight. Dutch and Nordic panels additionally test whether you can take direct challenge without getting defensive, because directness is the local norm.
The presentation round is just as common. A 30-60 minute presentation to a panel, usually “your assessment of our security posture and your first 90 days,” is a fixture in UK and EU searches at this level. The 90-day plan framework applies directly; the European adjustment is to weave the applicable regulatory regime into the plan rather than bolting it on as a compliance slide, because at least one panel member is there specifically to check that.
References are taken more formally. UK referencing at executive level is often a documented process, sometimes with written references and, in regulated FS, regulatory references: for roles under the Senior Managers and Certification Regime (SM&CR), previous regulated employers must disclose conduct issues in a mandated format. Two implications: never shade the truth about how a previous role ended, and know early whether the role is an SMF-designated function (some UK CISO seats are, most are not), because that adds a regulator-facing fitness-and-propriety layer to the hire.
Notice periods reshape the entire timeline. UK and EU executives commonly carry three to six month contractual notice periods, enforced, sometimes via garden leave. Everyone in the market knows this, so a six-month lead time does not scare off employers the way it would in the US. But it changes your strategy: start conversations earlier than feels natural, expect searches to run six to nine months end to end, and understand that the interim market exists partly to bridge these gaps. If you are used to two-weeks-notice velocity, do not read a slow-moving process as low interest.
The search-firm landscape. The same global executive search firms run the top of the market in London, Amsterdam, and Frankfurt as in New York. Below them sits a proportionally bigger layer of strong UK and EU cyber-specialist boutiques and interim networks that carry a large share of the real flow, particularly for Head-of-InfoSec-titled roles and interim work, so relationships with two or three of these specialists matter more here. Add the interim networks to your map even if you only want permanent roles, because they hear about permanent searches early.
The money, honestly compared
Framing first: these are typical ranges I and peers observe in live searches, not survey data, and individual outcomes vary widely with sector, scope, and scarcity.
UK permanent. At mid-to-large companies, UK CISO base commonly runs £160K-£280K, with a bonus of 20-50% of base. Equity is the sharp difference from the US: outside of tech companies and pre-IPO firms, UK equity grants at this level are modest, often a fraction of base in restricted shares vesting over three years, and many traditional UK corporates offer none at all. Pension contributions and car allowances show up as real line items in a way US candidates find quaint until they price them. London financial services pays a distinct premium: the same scope that pays £180K base in a Midlands manufacturer can pay £250K-£320K base with a materially bigger bonus in a London bank or trading firm, and the top of the London FS market goes well beyond these ranges.
EU permanent. Wider variance than the UK, with a clear geographic pattern: DACH (Germany, Austria, Switzerland, with Switzerland its own even higher tier) and the Nordics pay toward the top of the European range, the Netherlands and Ireland sit close behind (Ireland inflated by the concentration of US tech EMEA headquarters), France and Belgium mid-pack, and Southern Europe (Spain, Italy, Portugal) meaningfully lower for equivalent scope. Also price the tax and social-charge wedge: a headline number in Germany or France nets very differently from the same number in Switzerland or the UK.
Against the US. For equivalent scope, US total compensation commonly runs 1.5-2.5x the UK. The gap is not primarily base salary; London FS base salaries are competitive with much of the US market. The gap is equity culture. A US tech or late-stage CISO package is often half or more equity; the UK equivalent outside tech simply has no comparable component. This is why Europeans moving into US-paying roles experience it as a step change, and why US candidates moving to Europe need to renegotiate their own expectations honestly rather than anchoring on their last W-2. The mechanics of negotiating each component are in the compensation negotiation guide; everything there applies, just with more weight on base, bonus, pension, and notice-period terms, and less on equity.
Interim day rates. UK interim CISO rates commonly run £1,000-£1,800 per day, with the upper end for regulated FS, crisis engagements, and post-incident parachutes. Engagements typically run three to twelve months. Do the arithmetic before dismissing interim work: at £1,400 a day on 220 days you out-earn most permanent packages, offset by zero equity, no paid gaps, and (post-IR35) most engagements running inside IR35 or through umbrella arrangements, which takes a real bite out of the headline rate. Experienced interims price that in; new entrants forget to.
Personal liability: the European D&O conversation
NIS2 and DORA have given Europe its own version of the personal-liability conversation US CISOs started having after the high-profile enforcement actions. The exposure is structured differently: European regimes formally target the management body and the entity, not the CISO by name. But in practice you are the officer whose documentation, risk acceptances, and briefings determine whether the directors can defend themselves, and in some member state implementations and in SM&CR-designated UK roles, the accountability can reach you directly.
Before signing any UK or EU CISO offer, get answers in writing on:
- D&O coverage. Confirm you are covered as an officer under the company’s D&O policy, whether the role is board-level or not, and whether coverage survives your departure for conduct during your tenure (run-off cover).
- Indemnification. A contractual indemnity for actions taken in good faith within the role, to the extent local law permits. This is standard for directors; make it standard for you.
- Where risk acceptance formally lives. Under NIS2 the management body approves the risk-management measures. Get the governance document that says so, because a company whose paperwork quietly makes the CISO the sole risk acceptor has transferred the board’s liability to you.
- SM&CR status (UK FS). If the role is a designated senior management function, understand the statement of responsibilities you will sign before you sign it, not after.
- Regulatory reporting authority. Who decides whether an incident is notified to the regulator, and can that person overrule you? If a non-security executive can veto a legally required notification, that is your liability being manufactured.
A company that gets awkward when you raise these is telling you something. The broader pattern-matching for that conversation is in the offer red flags guide, and the questions above belong on the diligence checklist alongside the ones there. There are contract and diligence checklists in the templates library you can adapt for the European specifics.
Crossing the Atlantic in either direction
US candidates into EU seats. Two realities first. Work authorization: without an EU passport or UK right to work, you need sponsorship, and while the UK Skilled Worker route and various EU national schemes cover senior security roles, sponsorship adds friction that makes companies prefer a comparable local candidate. Your US experience needs to be clearly differentiating (scale, sector depth, regulatory battle scars) to overcome it. Second, the comp reset: expect total compensation well below your US package for equivalent scope, offset by what does not show up in the number (healthcare, five-plus weeks of holiday people actually take, pension, and an employment contract with real notice and severance terms rather than at-will employment). Candidates who frame the move as a lifestyle-and-scope trade do fine; candidates who try to negotiate a US package into a European structure mostly generate polite rejections.
EU candidates into US-paying remote roles. The reverse arbitrage exists: US companies hiring European security leaders remotely, sometimes at US-adjacent compensation. Go in with clear eyes. Most such arrangements run through an employer-of-record or local entity, which usually means localized (lower) pay bands over time; equity taxation across jurisdictions is messy enough to warrant an hour with a cross-border tax adviser before you sign; and the seats skew toward BISO, field-CISO, and deputy-style roles rather than the accountable seat, because boards increasingly want the accountable executive in a compatible time zone and legal jurisdiction. A US-paying remote role can be a great earnings phase; it is less reliably a step toward the top seat.
What separates prepared candidates
The details that generic advice misses, and that panels in this market actually notice:
- Answer the DORA question at the register-of-information level, not the acronym level. Everyone can name TLPT and the reporting timelines. Almost nobody talks about the third-party register being a data problem that procurement cannot solve alone. The candidate who does sounds like they have lived it.
- Frame NIS2 as board-evidence engineering. “I keep the directors defensible” lands harder with European panels than any recitation of notification windows, because the directors interviewing you are the ones carrying the liability.
- Use the notice period as a diligence window, not dead time. Three to six months of garden leave before a start date is normal here. The strong candidates use it to meet the team, read the audit and pen-test history, and arrive with a real plan; the ones who treat it as vacation start from zero in month one.
- In the UK, negotiate board access instead of the CISO title. A written board-reporting commitment under a Head of Information Security title is worth more than a CISO title with a reporting line into IT middle management, and British panels respect the candidate who knows the difference.
The market is different, not harder. Candidates who translate their scope honestly, learn the regulatory layer at fluency depth, and recalibrate the confidence register do well on either side of the Atlantic. Candidates who assume it is the US market with different currency symbols spend a year finding out otherwise.