Initiative Aims to Bolster Security of EU Member Hospitals, Healthcare Providers

Cyberattackers are targeting healthcare more than any other sector in Europe, and to combat this rising tide of threats, the European Commission has released a new “action plan” to strengthen the cybersecurity of hospitals and other healthcare providers in the European Union.
The plan includes the creation of a “pan-European” cybersecurity support center offering a repository of cyber guidance materials and other resources to the EU’s healthcare sector.
The commission said its action plan, announced last week, aims to help protect the EU healthcare sector from cyberthreats, especially disruptive ransomware attacks and data theft.
“Member states reported 309 significant cybersecurity incidents affecting the healthcare sector in 2023 – more than in any other critical sector,” the commission said. The action plan is also the commission’s first sector-specific initiative to deploy “the full range” of EU cybersecurity measures.
The commission said it will collaborate with EU member states and “relevant networks” to collect feedback on the plan’s proposals and make recommendations in the fourth quarter of 2025 on refining the action plan, which will be rolled out “progressively” over the next two years.
The action plan focuses on four priorities, the commission said. Those include:
- Enhanced prevention: Offering organizations guidance on implementing critical cybersecurity practices, member states providing “cybersecurity vouchers” for financial assistance to small and medium-sized hospitals and healthcare providers, and cyber training resources for healthcare professionals.
- Improved detection and identification of threats: The cybersecurity support center will develop an EU-wide early warning service delivering near-real-time alerts on potential cyberthreats to hospitals and healthcare providers by 2026.
- Response to cyberattacks to minimize impact: A rapid response service for the health sector under the EU Cybersecurity Reserve, which was established in the Cyber Solidarity Act. The plan also includes playbooks and guidance for healthcare organizations to take part in cybersecurity exercises on how to respond to specific threats, including ransomware.
- Deterrence: Deterring cyberthreat actors from attacking European healthcare systems through measures such as the “Cyber Diplomacy Toolbox,” a joint EU diplomatic response to malicious cyber activities.
“By enhancing threat detection, preparedness and response capabilities of hospitals and health providers, the initiative will create a safer and more secure environment for patients and health professionals,” the commission said.
The commission’s action plan also calls for EU member states to require that critical infrastructure entities subject to the Network and Information Systems Directive 2 law – including healthcare organizations – report on ransom payments they have made, or intend to make, when reporting significant incidents to authorities under the NIS2 Directive.
The NIS2 Directive cybersecurity framework “works hand in hand with the Cyber Resilience Act, the first-ever EU legislation placing mandatory cybersecurity requirements for products that include digital elements,” which went into effect on Dec. 10, 2024, the commission said (see: European Council Adopts Cyber Resilience Act).
Among other mandates, the Cyber Resilience Act demands that manufacturers undertake “essential cybersecurity requirements” such as carrying out a risk assessment to determine cyber risks within their products, ensuring default data protection, and regularly providing information on flaws and patching them swiftly.
The new EU healthcare sector cybersecurity support center will be established by the European Union Agency for Cybersecurity – or ENISA, the commission said.
ENISA also will work to develop new cybersecurity procurement guidelines for hospitals and healthcare providers. Those guidelines will pertain to an array of third-party-related issues, including the “cloudification” of patient data storage, secure migration of electronic health data to cloud environments, and medical devices.
Beefing Up Cyber Info Sharing
Under the plan, EU member states are also “strongly encouraged” to share all cyber incident notifications with the ENISA cybersecurity support center to enable situational awareness among EU hospitals and other healthcare sector organizations.
The action plan also calls for “two-way” information sharing between the public and private sectors, facilitated by information sharing and analysis centers. “The Support Centre should step up support for the European Health ISAC with tools and information exchange, sectorial situational awareness reports, as well as fostering a trusted community for tactical and strategic collaboration,” the action plan said.
“Member states should encourage the development of national health ISACs.”
Errol Weiss, chief security officer of the Health Information Sharing and Analysis Center in the U.S., said the EU commission’s action plan comes at a time when healthcare organizations still struggle to obtain enough funding to defend their networks properly.
“The problem is seen in the E.U., the U.S. and globally. Healthcare organizations need resources – not only the technology needed to protect those networks but also the experienced infosec professionals to run those systems,” he said.
“I’m glad the commission recognizes the value that ISACs bring to protecting organizations and improving security through information sharing and collaboration,” he said.
Those charged with protecting their digital infrastructures understand that by sharing information, they are not only protecting themselves but also strengthening the security of the entire digital ecosystem, Weiss said.
In 2023, the Health-ISAC partnered with the European Health ISAC to leverage “the global strength” of Health-ISAC’s membership through the visibility of threats in over 140 countries with the European Health ISAC’s strength of community and local perspectives, he said.
“We need to unite and stay vigilant against cyber threats,” he said. “By Health-ISAC and the European Health ISAC operating together in the EU, we can create a safer community where healthcare organizations benefit from improved visibility of threats and vulnerabilities, plus they benefit from sharing of best practices and other key insights that ultimately improve patient safety.”