Healthcare Security: The EU’s Action Plan.

Cyberattacks on hospitals and healthcare providers have risen sharply across Europe, turning cybersecurity into a patient-safety issue. In response, the European Commission presented the European Action Plan on the Cybersecurity of Hospitals and Healthcare Providers on 15 January 2025, a coordinated strategy to strengthen healthcare security across the EU. The plan builds on the EU's existing cybersecurity framework, most notably the NIS2 Directive, and is organised around four pillars: Prevent, Detect, Respond & Recover, and Deter. The urgency is clear from the numbers: in 2023, Member States reported 309 significant cybersecurity incidents targeting the healthcare sector, more than in any other critical sector.


What the Action Plan Entails
The plan calls for a proactive, layered approach to cybersecurity. Hospitals and clinics are urged to conduct comprehensive risk assessments, update legacy IT systems, and train staff in cyber hygiene. An EU-wide early-warning service for healthcare, intended to be operational by 2026, is meant to surface emerging threats quickly. On the response side, the plan points to the EU Cybersecurity Reserve (a pool of trusted private incident response providers established under the Cyber Solidarity Act) and to enhanced crisis-management exercises. The plan also reinforces mandatory incident reporting, already required of healthcare entities under NIS2, to promote transparency and enable prompt intervention, and it proposes that healthcare entities report ransom payments to the competent authorities, with the aim of reducing the incentive for attackers.
 

Impact on the Medical Sector
For hospitals and clinics, the plan translates its four pillars (prevention, detection, response and recovery, deterrence) into concrete expectations: comprehensive risk assessments, improved incident reporting, cyber-training for healthcare staff, and participation in the EU-wide early-warning service expected to become operational by 2026.

  • Risk Assessments and Upgrades: Institutions must inventory their IT and medical-device estate, update or isolate legacy software, and strengthen network security. Legacy medical devices that cannot be patched should at minimum be segmented from the general hospital network so that a compromised workstation cannot reach them. Cybersecurity is no longer just an IT concern; it is essential to uninterrupted patient care and operational resilience.
  • Staff Training: All healthcare workers, from clinicians to administrative staff, must be trained in safe cyber practices, since phishing and credential misuse remain the most common entry points.
  • Incident Response Preparedness: With new guidance on incident response and regular security drills, hospitals will need to invest in backups that are kept offline or immutable, recovery plans that are actually tested through restore exercises, and clinical fallback procedures for when systems are unavailable.


Medical technology providers, including software and hardware vendors as well as Managed Security Service Providers (MSSPs), must build security into their products rather than bolt it on. This means designing solutions that are secure by design, operating a coordinated vulnerability disclosure process with timely security updates, and supporting healthcare clients with integrated cybersecurity services. Collaboration between hospitals and their technology providers helps ensure that every link in the healthcare chain is protected.
 

National Implementations across the EU
Although the action plan applies across the EU, implementation will vary significantly between Member States depending on their existing cybersecurity maturity and regulatory frameworks.

  • The Netherlands: The Dutch have long been active in cybersecurity. The National Cyber Security Centre (NCSC-NL) and the healthcare-sector CERT, Z-CERT, position them well for the upcoming changes. Dutch hospitals already adhere to rigorous standards, including mandatory risk assessments and compliance with NEN 7510, the information-security standard tailored to the healthcare sector. Their existing threat-intelligence-sharing mechanisms are expected to integrate readily with the EU's new framework.
  • Spain: Moving quickly to align with EU mandates, Spain's Council of Ministers approved a draft law on cybersecurity coordination and governance in January 2025. The law will establish the Centro Nacional de Ciberseguridad (CNC), the National Cybersecurity Centre, as the key authority, ensuring hospitals meet the new reporting requirements and undergo regular audits. Spanish healthcare organizations should expect stricter oversight and centralized incident reporting, alongside grant programmes that now include cybersecurity upgrades.
  • Estonia: Known as Europe’s digital frontrunner, Estonia’s nearly complete digitization of healthcare services necessitates stringent cybersecurity measures. The Estonian Riigi Infosüsteemi Amet (RIA) or Information System Authority enforces some of the strictest data security policies in the region. Estonia’s early adoption of blockchain-based security for electronic health records is a prime example of its commitment to secure digital healthcare. This robust foundation means Estonia is well-prepared to integrate and even exceed the EU’s new cybersecurity requirements.
  • France: Already a leader in health cybersecurity, France’s CaRE program, launched in 2023, will see expansion under the new action plan. The program, backed by significant funding, provides hospitals with a vetted catalogue of cybersecurity tools and emphasizes coordinated procurement. French hospitals can anticipate enhanced regulations, tighter reporting obligations, and stronger integration with national cybersecurity agencies like Agence nationale de la sécurité des systèmes d’information (ANSSI).
  • Germany: Germany's approach involves updating its critical-infrastructure protections. Transposition of the NIS2 Directive was slow, missing the October 2024 deadline, and at the time of writing the aim was to complete it in 2025. Existing requirements for large hospitals will expand to cover more healthcare providers, and the Bundesamt für Sicherheit in der Informationstechnik (BSI), the Federal Office for Information Security, will likely play an even more active role. German hospitals should prepare for stricter incident-reporting requirements and increased regulatory oversight, coupled with additional funding incentives for cybersecurity investments.
     

Timeline and Key Milestones
The plan is set to roll out rapidly:

  • January 2025: Official announcement and start of stakeholder consultations.
  • Mid 2025: Member States continue transposing NIS2 (the transposition deadline was 17 October 2024), and healthcare-specific guidelines are released.
  • Late 2025: Key deliverables such as incident response playbooks and ransomware-payment reporting protocols are implemented.
  • Early to Mid 2026: Launch of the EU-wide early-warning service, providing near-real-time alerts on potential cyber threats; roll-out of the rapid response service under the EU Cybersecurity Reserve; and Cybersecurity Vouchers for eligible healthcare providers.
  • Beyond 2026: Ongoing integration of cybersecurity practices into everyday healthcare operations, with periodic reviews and updates.
     

How Getronics Can Help
Adapting to these evolving cybersecurity regulations can be challenging. Getronics, with its deep expertise in IT managed services and healthcare technology, is uniquely positioned to assist organizations during this transition. Our services range from risk assessments and compliance consulting to 24/7 threat monitoring and rapid incident response. By partnering with Getronics, healthcare providers ensure they not only meet new regulatory requirements but also build a robust, resilient cyber defense that keeps patient care secure and uninterrupted.

Getronics has already made several strides into the healthcare industry, including supporting Wi-Fi 7 deployments in hospitals and exploring the role of AI in medicine.

Get in touch with Getronics today and let us help you navigate the complexities of cybersecurity in the evolving healthcare landscape.

Written by Getronics Global Head of Operational Security Rob Nidschelm.


UPDATE 27.08.2025:
Cyber criminals have made Europe’s healthcare sector one of their favourite targets, with ransomware and supply chain attacks putting hospitals and patients at serious risk.

Earlier this year, we shared our first take in Healthcare Security: The EU’s Action Plan.

This healthcare security update looks at how the plan is being phased in over the next two years and what healthcare organisations should expect beyond 2026. This plan is not just another piece of guidance. It is a coordinated EU-wide initiative designed to strengthen resilience, build skills, and provide rapid support in the event of an attack.

What the Action Plan Includes
A European Cybersecurity Support Centre

A dedicated centre will provide direct support to hospitals and other providers. It will act as a hub for incident preparedness, detection, and response. Pilot projects will be launched across member states to test best practices for cyber hygiene, risk assessment, and continuous monitoring.

Mapping the Regulatory Landscape

Healthcare organisations face a patchwork of legislation. The Action Plan includes a regulatory mapping tool to help providers navigate NIS2, GDPR, the Cyber Resilience Act, and other overlapping rules. In parallel, a coordinated risk assessment will be carried out with a focus on medical devices and cloud-based patient data.

Incident Response and the Cybersecurity Reserve

The Cyber Solidarity Act gives hospitals access to trusted private providers through the EU Cybersecurity Reserve in times of crisis. A healthcare-specific cyber playbook will be created, alongside regular EU-level cyber exercises. With ransomware accounting for more than half of healthcare incidents in recent years, the importance of these measures cannot be overstated. The Action Plan also calls for ransom payments to be reported to the competent national authorities, in addition to the incident notifications that NIS2 already requires.

Early Warning System

An EU-wide early warning service will provide near-real-time alerts of threats specific to the healthcare sector. Hospitals will share incident notifications with ENISA via the Support Centre, ensuring that intelligence is rapidly distributed.

Workforce and Governance

Cybersecurity teams in healthcare are chronically understaffed. According to ISC2, around three-quarters of security professionals cite staffing gaps as a major risk. To address this, the Action Plan proposes a European Health CISOs Network to connect security leaders, share expertise, and build collective resilience.

Timeline of Key Actions
Phase 1: 2025–2026 (Initial Roll-Out)

  • January 2025: Official launch of the Action Plan; consultations with stakeholders begin.
  • Q2 2025: First pilot projects on hospital cyber hygiene and incident readiness.
  • Mid-2025: Establishment of the European Cybersecurity Support Centre.
  • Q3 2025: Preparatory work on the EU-wide healthcare early warning service and sector threat alerts, targeted to be operational in 2026.
  • Q4 2025: First coordinated supply chain risk assessment; refined recommendations issued.
  • Early 2026: Release of the healthcare cyber incident response playbook; EU-wide cyber exercises begin.
  • Throughout 2026: Ongoing deployment of respond-and-recover tools, including rapid response services and decryption-tool repositories.


Phase 2: Beyond 2026 (Strategic Expansion)

  • Late 2026 to 2027: Additional recommendations published by the Commission, building on pilot results and consultations.
  • Post-2026, ongoing: Continued work of the Health Cybersecurity Advisory Board and national support centres.
  • 2027 and beyond: Development of a European cybersecurity single market, with clearer budgets, measurable targets, and expanded EU-wide cyber exercises.
  • 2030 to 2035: Transition towards post-quantum cryptography across critical healthcare systems, in line with the EU's coordinated post-quantum roadmap.
  • Continuous: Integration of healthcare security into broader EU frameworks, including NIS2, the Cyber Resilience Act, and the Cyber Solidarity Act, with evolving mandates as required.


Broader Legislative Context
The Action Plan complements recent EU regulations that are reshaping the security landscape:

  • NIS2 Directive (in force since 16 January 2023; transposition deadline 17 October 2024): Extends security and incident-reporting obligations to healthcare as an essential sector, with harmonised reporting timelines: an early warning within 24 hours of becoming aware of a significant incident, an incident notification within 72 hours, and a final report within one month.
  • Cyber Resilience Act (CRA) (adopted October 2024, in force 10 December 2024): Applies to products with digital elements, requiring vulnerability handling and security updates across the product's support period. One caveat for the sector: medical devices already regulated under the Medical Device Regulation and the In Vitro Diagnostic Regulation are excluded from the CRA's scope, so their cybersecurity requirements continue to come from those regulations rather than from the CRA.
  • Digital Operational Resilience Act (DORA) (applies from 17 January 2025): Targets the financial sector, but its requirements on ICT third-party providers also reach service providers that operate in healthcare ecosystems.
     

Why This Matters
Hospitals cannot afford downtime. A ransomware attack that takes patient records offline or disrupts connected devices can put lives at risk. The EU Action Plan represents a shift from reactive responses to structured resilience building. By creating a support centre, a CISO network, and a playbook backed by real-time intelligence, Europe is taking a major step toward safeguarding healthcare.

At Getronics, we help healthcare providers align with NIS2, DORA, ISO 27001 and sector-specific guidelines. Our Managed Security Services, threat intelligence, and incident response expertise can support organisations as they prepare for the new European landscape, and we track each healthcare security update so that the support we provide stays consistent and current.
