19/03/2025
In January 2025, the European Commission officially announced its new European Action Plan on the Cybersecurity of Hospitals and Healthcare Providers, aiming to fortify Europe’s healthcare security. This strategic initiative builds on the EU’s existing cybersecurity framework, most notably the NIS2 Directive, and focuses on four key pillars: Prevent, Detect, Respond & Recover, and Deter. It directly responds to the alarming rise in cyberattacks targeting the healthcare sector, which reported 309 significant incidents in 2023 alone, surpassing all other critical sectors.
What the Action Plan Entails
The plan calls for a proactive, layered approach to cybersecurity. Hospitals and clinics are urged to conduct comprehensive risk assessments, update legacy IT systems, and train staff in cyber hygiene. An EU-wide early-warning system for healthcare, set to be operational by 2026, will help detect emerging threats swiftly. Robust incident response measures, such as a cyber “reserve” of emergency response teams and enhanced crisis management exercises, are also emphasized. One key element of the plan is the requirement for mandatory reporting of cyber incidents, intended to promote transparency and enable prompt intervention. The plan further calls for reporting any intention to pay a ransom in the event of an attack, with the aim of deterring cybercriminals.
Impact on the Medical Sector
Healthcare is increasingly targeted by cyberattacks, and the EU action plan comes as a necessary measure to mitigate this risk. For hospitals, the plan translates into immediate and long-term changes:
- Risk Assessments and Upgrades: Institutions must review their IT systems, update legacy software, and enhance network security. Cybersecurity isn’t just an IT issue; it’s essential for ensuring continuous patient care.
- Staff Training: The emphasis on training is clear. All healthcare workers, from doctors to administrative staff, must be educated on safe cyber practices to reduce human error.
- Incident Response Preparedness: With new guidelines for robust incident response and regular security drills, hospitals will need to invest in backup systems and comprehensive recovery plans.
Medical technology providers, including software and hardware vendors as well as Managed Security Service Providers (MSSPs), must now build security into their products. This means designing “secure by design” solutions, implementing robust vulnerability reporting processes, and supporting healthcare clients with integrated cybersecurity services. Collaborative efforts between hospitals and tech providers ensure that every link in the healthcare chain is protected.
National Implementations across the EU
While the action plan is an EU-wide mandate, its implementation varies by country:
- The Netherlands: The Dutch have long been pioneers in cybersecurity. Their National Cyber Security Centre (NCSC-NL) and sector-specific guidance through Zorg-CERT position them well for the upcoming changes. Dutch hospitals already adhere to rigorous standards, including mandatory risk assessments and compliance with the NEN 7510 standard, which is tailored to the healthcare sector. Their proactive threat intelligence-sharing mechanisms are expected to integrate seamlessly with the EU’s new framework.
- Spain: Quickly aligning with EU mandates, Spain approved a draft law in January 2025 to strengthen national cybersecurity governance. The recently created Centro Nacional de Ciberseguridad (CNC) or National Cybersecurity Centre will serve as the key authority, ensuring hospitals meet new reporting requirements and undergo regular audits. Spanish healthcare organizations should expect stricter oversight and centralized incident reporting, alongside grants that now include cybersecurity upgrades.
- Estonia: Known as Europe’s digital frontrunner, Estonia’s nearly complete digitization of healthcare services necessitates stringent cybersecurity measures. The Estonian Riigi Infosüsteemi Amet (RIA) or Information System Authority enforces some of the strictest data security policies in the region. Estonia’s early adoption of blockchain-based security for electronic health records is a prime example of its commitment to secure digital healthcare. This robust foundation means Estonia is well-prepared to integrate and even exceed the EU’s new cybersecurity requirements.
- France: Already a leader in health cybersecurity, France’s CaRE program, launched in 2023, will see expansion under the new action plan. The program, backed by significant funding, provides hospitals with a vetted catalogue of cybersecurity tools and emphasizes coordinated procurement. French hospitals can anticipate enhanced regulations, tighter reporting obligations, and stronger integration with national cybersecurity agencies like Agence nationale de la sécurité des systèmes d’information (ANSSI).
- Germany: Germany’s approach involves updating its critical infrastructure protections. Although the transposition of the NIS2 Directive was initially slow, Germany aims to fully implement it by early 2025. Existing guidelines for large hospitals will expand to cover more healthcare providers, and the Bundesamt für Sicherheit in der Informationstechnik (BSI) or Federal Office for Information Security will likely play an even more active role. German hospitals should prepare for stricter incident reporting requirements and increased regulatory oversight, coupled with additional funding incentives for cybersecurity investments.
Timeline and Key Milestones
The plan is set to roll out rapidly:
- January 2025: Official announcement and stakeholder consultations begin.
- Mid 2025: Member States start transposing NIS2, and healthcare-specific guidelines are released.
- Late 2025: Key deliverables such as incident response playbooks and mandatory ransomware reporting protocols are implemented.
- Early to Mid-2026: Launch of the EU-wide early warning service, providing near-real-time alerts on potential cyber threats; implementation of the rapid response service under the EU Cybersecurity Reserve; and roll-out of Cybersecurity Vouchers to eligible healthcare providers.
- Beyond 2026: Ongoing integration of cybersecurity practices into everyday healthcare operations, with periodic reviews and updates.
How Getronics Can Help
Adapting to these evolving cybersecurity regulations can be challenging. Getronics, with its deep expertise in IT managed services and healthcare technology, is uniquely positioned to assist organizations during this transition. Our services range from risk assessments and compliance consulting to 24/7 threat monitoring and rapid incident response. By partnering with Getronics, healthcare providers ensure they not only meet new regulatory requirements but also build a robust, resilient cyber defense that keeps patient care secure and uninterrupted.
Getronics has already made several strides into the healthcare industry, including supporting Wi-Fi 7 in hospitals and exploring the role of AI in medicine.
Get in touch with Getronics today and let us help you navigate the complexities of cybersecurity in the evolving healthcare landscape.
Written by Getronics Global Head of Operational Security Rob Nidschelm.