February 7th, 2025

Introduction: NIS 2 and Its Significance

The NIS 2 Directive is a cornerstone of the European Union’s strategy to strengthen cybersecurity across Member States. Adopted in 2023, this revised directive builds upon its 2016 predecessor to address the escalating complexity of digitization and the evolving landscape of cyber threats. NIS 2 broadens its scope significantly, covering not only traditional sectors like energy, transport, and banking but also healthcare, digital infrastructure, and even the manufacturing of medical devices and pharmaceuticals.

A primary objective of NIS 2 is to harmonize cybersecurity standards across Member States while ensuring that medium and large-sized organizations adopt robust risk management practices. For the healthcare sector, this directive is particularly critical, given the sector’s reliance on interconnected systems and the sensitivity of patient data. By enforcing stricter compliance and accountability measures, NIS 2 aims to mitigate risks and enhance the resilience of essential services across the EU.

What are the deadlines for implementing the NIS 2 Directive?

To facilitate the implementation of NIS 2, the directive outlines key deadlines and milestones:

  • 17 October 2024: Member States must transpose the NIS 2 Directive into national legislation, ensuring that all covered entities understand their obligations
  • 17 January 2025: Member States are required to notify the European Commission of the administrative sanctions applicable to essential and important entities that fail to comply with the directive
  • 17 April 2025: Member States must finalize and publish a comprehensive list of essential and important entities within their jurisdictions, including domain name service providers and other critical entities
  • 17 October 2027: The European Commission will evaluate the directive’s implementation across Member States and submit a report to the European Parliament and Council

In addition, the directive mandates:

  • Technical and Methodological Standards: The Commission will define specific technical and methodological requirements to guide the implementation of cybersecurity measures
  • Sanction and Reporting Frameworks: Clear guidance will be provided to Member States on identifying significant incidents and ensuring compliance with reporting timelines
  • Operational Assessments: The CSIRT network will periodically evaluate the operational progress made in enhancing cooperation and resilience

These timelines underscore the urgency for healthcare entities to prepare proactively for compliance.

European Cybersecurity Legislation: An Interconnected Framework

The NIS 2 Directive is part of a broader EU cybersecurity framework that emphasizes interconnected resilience across various sectors. Key elements of this framework include:

  • Cybersecurity Act: Establishes ENISA (the European Union Agency for Cybersecurity) and an EU-wide cybersecurity certification framework for ICT products, services, and processes. This initiative enhances trust and transparency in the cybersecurity capabilities of digital solutions
  • Proposal for a Cyber Solidarity Act: Introduces a Cybersecurity Alert System to detect and share warnings, bolster preparedness, and coordinate incident response among Member States
  • Cyber Resilience Act: Focuses on ensuring manufacturers and service providers meet high cybersecurity standards for their products, addressing vulnerabilities in the supply chain and digital ecosystems
  • DORA (Digital Operational Resilience Act): Specifically targets the financial services sector, mandating secure operational resilience to mitigate risks to critical financial infrastructures
  • CER (Critical Entities Resilience): Aims at enhancing the resilience of critical entities across sectors like healthcare, transport, and energy to protect essential services from physical and digital threats
  • Sector-Specific Regulations: Includes initiatives tailored to telecommunications, automotive, and other industries, addressing their unique cybersecurity challenges

This cohesive approach ensures that diverse industries can collaborate and maintain a unified standard for cybersecurity resilience, reinforcing the EU’s digital security landscape.

Hospitals and other critical entities in the healthcare sector stand at the forefront of NIS 2’s regulatory impact. As essential services, they must navigate new compliance requirements, address unique cybersecurity challenges, and make significant operational adjustments to meet the directive’s standards.

The compliance landscape for hospitals includes:

  • Comprehensive cybersecurity policies: Hospitals need detailed policies that integrate cybersecurity into their governance framework. This includes addressing vulnerabilities in medical devices, electronic health records, and digital infrastructure
  • Enhanced accountability: Hospital management and boards of directors have increased responsibility for implementing and overseeing cybersecurity measures. They must ensure compliance with NIS 2 and take a proactive approach to risk management
  • Operational adjustments: Healthcare facilities must adapt workflows to include strong incident detection and response protocols. This may involve investing in advanced monitoring tools, staff training, and collaboration with external cybersecurity experts

Cybersecurity challenges for hospitals include safeguarding sensitive patient data against ransomware attacks, managing the risks posed by interconnected medical devices, and securing supply chain relationships with third-party vendors. Addressing these challenges necessitates a strategic and ongoing commitment to building cyber resilience.

Study on Cyberattacks Targeting Hospitals in 2024

Between January and September 2024, hospitals worldwide saw a sharp increase in cyberattacks, revealing the sector’s rising vulnerability.

  • Global statistics: An average of 2,000 attacks per week targeted hospitals globally, marking a 32% rise from previous years
  • European context: European hospitals suffered 1,686 cyberattacks, a 56% increase

Several high-profile attacks illustrated the severity of the threat:

  • May 2024: Hôpital de Cannes – Simone Veil (France)
  • August 2024: Val-de-Reuil (France)
  • September 2024: Bobingen and Schwabmünchen (Germany)

These statistics, sourced from Check Point Research and reported by 01net.com, underscore the urgent need for hospitals to strengthen their cybersecurity frameworks to combat escalating threats.

Measures to Implement to Comply with NIS 2

Dealing with Insider Threats and Third-party Risks

One of the most neglected areas of cybersecurity in the healthcare sector is the insider threat and the risk of third-party breaches. Because healthcare organizations store vast amounts of sensitive patient data and proprietary research information, they must:

  • Mandate strict access control: Role-based permissions should dictate who has access to sensitive systems
  • Conduct regular security audits of third-party vendors: Ensure that external partners adhere to the same stringent cybersecurity requirements
  • Monitor user behavior analytics (UBA): Deploy AI-enabled solutions that highlight behavioral anomalies which might signal malicious insider activity

How to Implement Zero Trust in Healthcare? A Realistic Approach

A Zero Trust approach is becoming a necessity for healthcare cybersecurity. Key strategies include:

  • Never trust, always verify: Authenticate and verify all users and devices before access is granted
  • Segment the network: Divide the network into smaller, isolated segments so that a potential breach cannot propagate to other parts of the network
  • Monitor threats in real time on the most critical endpoints by using EDR (Endpoint Detection & Response) solutions

Adopting Zero Trust principles can greatly help healthcare organisations to strengthen their cyber resilience and reduce their attack surface.

NIS 2 Security and Reporting Obligations

NIS 2 establishes stringent requirements for entities to implement effective technical, operational, and organizational measures to manage and reduce cybersecurity risks. These measures include fostering vulnerability disclosures and providing regular training to build awareness and preparedness. Entities must enforce robust access control mechanisms, such as multifactor authentication, to ensure the security of systems and data. A strong focus is placed on supply chain security, with entities required to address risks linked to their vendors and partners. Additionally, Member States or the European Commission may require the use of certified ICT products, services, or processes to enhance security standards. To support collective cybersecurity efforts, the Cooperation Group coordinates risk assessments targeting critical ICT supply chains, promoting a unified and proactive risk management approach across the EU.

Furthermore, entities must adhere to strict reporting obligations for significant incidents, ensuring timely communication with CSIRT or competent authorities. An early warning must be issued within 24 hours of identifying a suspected incident with potential cross-border implications, providing immediate notice of emerging threats. Within 72 hours, a detailed incident notification must follow, outlining the severity, impact, and indicators of compromise. A final report is required within one month, offering comprehensive details about the event, or progress updates if the incident is still ongoing. Entities are also obligated to notify service recipients of significant incidents or threats without undue delay. In certain situations, public disclosure of incidents may be necessary, depending on their nature and impact. These measures aim to enhance transparency, support timely responses, and improve cross-border coordination in managing cybersecurity incidents.

Penalties for Non-Compliance

NIS 2 introduces administrative fines for non-compliance:

  • Essential Entities: Fines up to €10,000,000 or 2% of global annual turnover, whichever is higher
  • Important Entities: Fines up to €7,000,000 or 1.4% of global annual turnover, whichever is higher

Conclusion: Practical Steps to Prepare

Healthcare organizations must act now to align with NIS 2 and related regulations such as CER and DORA. Practical steps include:

  • Identify services, products, and entities affected by the directive
  • Revise procedures, incident response plans, and training programs
  • Strengthen due diligence and procurement practices
  • Update contracts, engage with regulators, and review insurance coverage
  • Monitor legal developments, ensure governance, and coordinate with other frameworks like GDPR

Proactive preparation will ensure compliance and enhance resilience against future threats, safeguarding both operations and patient trust.

Victoria Derumier

DPO & BE Entity Director

Vincent Hesse

IT Manager

MyData-TRUST team is at your disposal to support you in your NIS 2-related projects. Do not hesitate to contact us for further information.
