Who should read this: Healthcare IT Leaders, Compliance Officers, Pharmaceutical CISOs, Medical Device Manufacturers
Healthcare systems across Europe are simultaneously critical infrastructure, custodians of sensitive personal data, and operational environments where cybersecurity lapses can directly endanger human life. The NIS2 Directive (Directive (EU) 2022/2555) recognises this heightened risk profile by listing health in Annex I as a sector of high criticality, subject to comprehensive cybersecurity obligations that go beyond data protection alone.
Annex I, Sector 5 (“Health”) of NIS2 lists the in-scope entity types with specificity: healthcare providers as defined in Directive 2011/24/EU (hospitals, clinics, care facilities and other entities legally providing healthcare), EU reference laboratories, entities carrying out research and development of medicinal products, manufacturers of basic pharmaceutical products and pharmaceutical preparations, and manufacturers of medical devices considered critical during a public health emergency. Manufacturers are therefore in scope because of their place in the healthcare supply chain, not because they deliver care directly; that distinction matters for how their obligations are framed.
For healthcare organisations, NIS2 imposes obligations that reflect the life-critical nature of healthcare IT: implementing proportionate technical and organisational measures to manage cybersecurity risk, establishing governance structures that include board-level accountability, conducting risk assessments, managing third-party suppliers, and maintaining incident response and reporting procedures. This post unpacks these obligations, clarifies the scope of Sector 5, and provides practical guidance for healthcare entities preparing for NIS2 implementation.
Defining the Healthcare Sector Under NIS2
Annex I, Sector 5 takes the term healthcare provider from Directive 2011/24/EU, Article 3(g): any natural or legal person, or any other entity, legally providing healthcare on the territory of a Member State. The designation is functional rather than categorical: hospitals, specialised treatment facilities, outpatient clinics and care facilities all fall within the definition whether they are public, private, or non-profit. Size does matter, however. Under the size-cap rule in Article 2, the directive applies by default to medium-sized and larger entities (50 or more staff, or annual turnover or balance sheet above EUR 10 million); smaller providers come into scope only where one of the Article 2(2) conditions applies, such as being the sole provider of a service in a Member State or where disruption of the service could have a significant impact on public health or safety.
The directive recognises that healthcare entities depend on interconnected networks: electronic health record (EHR) systems, diagnostic imaging networks, pharmacy systems, patient monitors, and administrative systems. A breach, ransomware attack, or denial-of-service incident affecting any of these systems can disrupt clinical operations and threaten patient safety.
Manufacturers of basic pharmaceutical products and pharmaceutical preparations are listed in Annex I alongside healthcare providers. Listing in Annex I is what makes an entity potentially essential: under Article 3, a large enterprise in an Annex I sector is an essential entity, while a medium-sized one is an important entity unless its Member State decides otherwise. The inclusion is narrower than a blanket designation: a pharmaceutical company is in scope because its manufacturing and distribution networks are critical to healthcare continuity, not simply because it handles health data.
For medical device manufacturers, the designation is narrower still. Annex I covers entities manufacturing medical devices considered critical during a public health emergency, meaning devices on the public health emergency critical devices list established under Article 22 of Regulation (EU) 2022/123. A ventilator manufacturer is the typical example of an entity that qualifies; a manufacturer of general wellness wearables would not. The test is whether the device appears on that list, not a general judgement about whether the manufacturer’s operations matter to healthcare.
Proportionate Risk Management Under NIS2
A cornerstone of NIS2 is proportionality: Article 21 requires entities to take “appropriate and proportionate” technical, operational and organisational measures to manage the risks to their network and information systems, taking into account the state of the art, the cost of implementation, the entity’s exposure to risk, its size, and the likelihood and severity of incidents. For healthcare, this principle does not mean a minimalist approach; rather, it means that obligations scale with the organisation’s size, complexity, the criticality of the services it delivers, and the sensitivity of the data it holds.
A small rural clinic and a large urban teaching hospital will have proportionately different risk management frameworks. The clinic may implement a streamlined risk assessment, vendor management process, and incident response procedure. The teaching hospital must establish comprehensive governance structures, conduct regular risk assessments across its complex network, implement advanced threat detection, and maintain detailed incident response and business continuity plans.
NIS2 does not specify technologies or products. Article 21(2) does list the areas every entity’s measures must cover (risk analysis and information system security policies, incident handling, business continuity including backup and disaster recovery, supply-chain security, secure acquisition and development including vulnerability handling and disclosure, assessment of the effectiveness of measures, cyber hygiene and training, policies on cryptography and encryption, access control and asset management, and multi-factor or continuous authentication with secured communications), but it does not mandate particular intrusion detection systems, encryption standards, or authentication products. Entities must document their risk management approach, implement controls proportionate to their risk profile, and periodically review and update those controls.
However, healthcare does face baseline expectations. Patient safety and data integrity are non-negotiable. Controls should address the specific vulnerabilities of healthcare IT: legacy systems that cannot be updated, medical devices with fixed software configurations, network segmentation requirements between clinical and administrative systems, and supply-chain dependencies on device and software vendors.
Governance, Leadership Accountability, and Board Oversight
Article 20 of NIS2 places this accountability on the management bodies of essential and important entities: they must approve the Article 21 risk-management measures, oversee their implementation, and can be held liable for infringements. Members of the management body must also follow cybersecurity training, and the entity must offer similar training to its staff. For healthcare organisations, this is not aspirational; it is mandatory.
Board-level cybersecurity governance in healthcare should address:
Risk assessment and prioritisation: the board should understand which systems are most critical to patient safety and which assets face the greatest cyber risk. Imaging networks, pharmacy systems, and patient monitoring equipment merit distinct risk profiles.
Resource allocation: cybersecurity budgets compete with clinical equipment, staffing, and facilities maintenance. The board should make explicit decisions about cybersecurity investment levels, recognising that underfunding exposes the organisation to regulatory risk and patient safety risk.
Third-party risk management: healthcare entities depend on electronic health record vendors, medical device manufacturers, cloud service providers, and IT support vendors. The board should understand these dependencies, require attestations of vendor cybersecurity practices, and establish contractual frameworks for incident response.
Incident response and reporting: the board should establish a clear escalation procedure so that significant cybersecurity incidents reach senior leadership and trigger appropriate regulatory notification (discussed below).
For pharmaceutical manufacturers and medical device manufacturers, governance must similarly reflect the criticality of their operations. A manufacturing outage caused by ransomware affects medicine supplies across the EU. Device manufacturers must ensure that cybersecurity is integrated into product design and that post-market cybersecurity patches are deployed promptly.
Risk Assessment and Proportionate Controls
Article 21(2)(a) requires policies on risk analysis and information system security; in practice this means a risk assessment identifying threats, vulnerabilities, and the impact of potential incidents. For healthcare, this assessment should map clinical workflows to IT dependencies. Where does the EHR system integrate with pharmacy? How does the picture archiving and communication system (PACS) interface with clinical decision support? Where are the single points of failure?
Risk assessments should then inform control selection. For a small clinic, this might mean:
Baseline access controls: unique accounts per user, with multi-factor authentication wherever the system supports it. Article 21(2)(j) names multi-factor or continuous authentication explicitly, so a shared password on a clinical workstation needs a documented justification and a compensating control, not silence.
Patch management: a defined process for applying vendor security updates, prioritising critical and high-severity patches.
Incident response: a designated individual or team responsible for responding to cybersecurity incidents, with procedures for notifying competent authorities if incidents meet the “significant” threshold.
For a large healthcare system, proportionate controls will be more extensive:
Advanced access controls: role-based access control, privileged access management, and monitoring of administrative activity.
Network segmentation: separation of clinical networks from administrative networks, isolation of medical devices from general IT infrastructure, and controlled interfaces between systems.
Continuous monitoring: security information and event management (SIEM) systems detecting anomalous behaviour, intrusion detection on network segments, and endpoint detection and response (EDR) on clinical workstations and servers.
Supply-chain security: vendor risk assessments, contractual requirements for security incident notification, and procedures for managing vendor-provided patches and updates.
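The segmentation item above is easy to assert and hard to verify. The following is an added example, not code from the original post, of turning the design into a check: a zone-and-conduit audit that reads flow records and flags any traffic crossing a zone boundary outside an explicitly approved interface. The address plan, the conduit table (including the conventional DICOM and HL7 MLLP ports), and the log lines are all constructed assumptions for illustration; a real deployment would load flows from firewall or NetFlow exports and fill the conduit table from its own PACS, EHR and device inventory.

```python
"""Zone-and-conduit audit for a segmented hospital network.

Added example, not code from the original post. The address plan, the conduit
table and the flow records are constructed for illustration.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Assumed address plan: one /24 per zone. Anything outside it is "external".
ZONES = {
    "medical_devices": ipaddress.ip_network("10.10.0.0/24"),  # pumps, monitors, imaging modalities
    "clinical": ipaddress.ip_network("10.20.0.0/24"),         # EHR, PACS, pharmacy servers
    "administrative": ipaddress.ip_network("10.30.0.0/24"),   # HR, finance, general office
}


@dataclass(frozen=True)
class Conduit:
    src_zone: str
    dst_zone: str
    proto: str
    dport: int
    purpose: str


# The only cross-zone interfaces the design permits. Default deny: a flow that
# crosses zones and matches no conduit is a segmentation violation.
CONDUITS = {
    Conduit("medical_devices", "clinical", "tcp", 104, "DICOM from imaging modalities to PACS"),
    Conduit("medical_devices", "clinical", "tcp", 2575, "HL7 v2 observations from monitors to EHR"),
    Conduit("clinical", "administrative", "tcp", 443, "billing feed from EHR to finance"),
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


# Constructed flow log: "<timestamp> <src> <dst> <proto> <dport>", one flow per line.
SAMPLE_LOG = """\
2025-01-31T09:00:01Z 10.10.0.15 10.20.0.5 tcp 104
2025-01-31T09:00:04Z 10.10.0.15 10.20.0.9 tcp 2575
2025-01-31T09:00:07Z 10.10.0.22 203.0.113.10 tcp 443
2025-01-31T09:00:09Z 10.30.0.40 10.10.0.15 tcp 22
2025-01-31T09:00:12Z 10.20.0.5 10.30.0.50 tcp 443
2025-01-31T09:00:15Z 10.30.0.40 10.20.0.5 tcp 3389
2025-01-31T09:00:18Z 10.20.0.5 10.20.0.9 tcp 5432
"""


def parse_flows(text: str) -> list[Flow]:
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, src, dst, proto, dport = line.split()
        flows.append(Flow(src, dst, proto.lower(), int(dport)))
    return flows


def zone_of(addr: str) -> str:
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "external"


def check_flow(flow: Flow) -> str | None:
    """Return None if the flow is permitted, otherwise the reason it is not."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone == dst_zone:
        return None  # intra-zone traffic is governed by host firewalls, not the conduit table
    for c in CONDUITS:
        if (c.src_zone, c.dst_zone, c.proto, c.dport) == (src_zone, dst_zone, flow.proto, flow.dport):
            return None
    return f"{src_zone} -> {dst_zone} {flow.proto}/{flow.dport} matches no approved conduit"


def audit(flows: list[Flow]) -> list[tuple[Flow, str]]:
    """Every flow that crosses a zone boundary outside the approved conduits."""
    return [(f, reason) for f in flows if (reason := check_flow(f)) is not None]


if __name__ == "__main__":
    for flow, reason in audit(parse_flows(SAMPLE_LOG)):
        print(f"VIOLATION {flow.src} -> {flow.dst} {flow.proto}/{flow.dport}: {reason}")
```

On the constructed log the audit flags three flows: an infusion-pump subnet host reaching the internet on 443, an administrative workstation opening SSH to a medical device, and the same workstation attempting RDP to the EHR server. The two DICOM and HL7 flows pass because they match conduits, and the intra-zone database flow is ignored. Running this regularly against real flow exports is one concrete way to evidence the “controlled interfaces” requirement rather than relying on a network diagram.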
Third-party management is particularly important for healthcare. Hospitals do not develop their own EHR systems; they procure them from vendors such as Epic or Oracle Health (formerly Cerner). Medical device manufacturers such as Philips and GE HealthCare provide diagnostic and monitoring equipment. Cloud providers such as AWS and Microsoft host patient data. Article 21(2)(d) makes supply-chain security, including the security aspects of the relationship with direct suppliers and service providers, one of the mandatory measure areas, so these relationships must be managed with cybersecurity obligations clearly allocated via contract.
Incident Response, Reporting, and the Significant Incident Threshold
Article 23 of NIS2 requires essential and important entities (including in-scope healthcare entities) to notify their CSIRT or competent authority of significant incidents in stages: an early warning without undue delay and in any event within 24 hours of becoming aware of the incident, an incident notification within 72 hours of becoming aware (updating the early warning with an initial assessment of severity and impact and, where available, indicators of compromise), intermediate reports on request, and a final report no later than one month after the incident notification. Note that the clock starts when the entity becomes aware, not when detection is confirmed by forensics. NIS2 does not define “significant” with a bright-line rule; instead, Article 23(3) sets out two criteria.
An incident is “significant” under Article 23(3) if either criterion is met:
(a) It has caused, or is capable of causing, severe operational disruption of the entity’s services or financial loss for the entity. For a hospital this plainly covers disruption of clinical operations, and potential impact counts, not only realised harm.
(b) It has affected, or is capable of affecting, other natural or legal persons by causing considerable material or non-material damage. Patients whose records are exposed or whose treatment is delayed are the obvious healthcare case.
Because potential impact counts, the threshold is lower than “actual outage” language would suggest. A ransomware attack that encrypts the EHR and forces hospitals to revert to paper records meets it on both criteria. A data breach exposing patient records would meet it under criterion (b) even with no operational disruption. A distributed denial-of-service attack that temporarily slows a non-critical administrative system, with no realistic path to affecting care or patients, would normally not. No EU implementing act yet sets numeric significance thresholds for the health sector, so entities must apply the criteria with judgement and follow any national guidance.
Once an incident is judged significant, the entity must send the early warning to its CSIRT or competent authority within 24 hours of becoming aware. The early warning need only indicate whether the incident is suspected to have been caused by unlawful or malicious acts and whether it could have a cross-border impact. The 72-hour incident notification then adds the initial assessment of severity and impact and any indicators of compromise, and the final report, due within one month of that notification, gives a detailed description of the incident, the type of threat or root cause, the mitigation measures applied and ongoing, and any cross-border impact. If the incident is still ongoing at that point, a progress report is submitted instead and the final report follows within one month of the incident being handled.
Healthcare organisations should establish clear incident response procedures defining who decides whether an incident is significant, who initiates notification, and what information is provided to authorities. This decision should not wait for a full forensic investigation; initial notification should be prompt, with additional detail provided as investigations progress.
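As an added example (not code from the original post, and not an official regulator tool), the following helper encodes the Article 23(3) significance criteria and the staged Article 23(4) deadlines described above, so that “who decides and when” has a deterministic answer once the awareness time is fixed. The sample incidents are constructed. Counting “one month” as a calendar month with day clamping is an assumption about how a competent authority would compute it; treat the result as a planning deadline, not a legal ruling.

```python
"""NIS2 Article 23 triage: significance test and staged reporting deadlines.

Added example, not code from the original post and not an official tool. It
encodes the Article 23(3) criteria and the Article 23(4) timeline; the
incidents at the bottom are constructed.
"""
from __future__ import annotations

import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


def utc(year: int, month: int, day: int, hour: int = 0, minute: int = 0) -> datetime:
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


@dataclass
class Incident:
    name: str
    aware_at: datetime              # when the entity became aware; this starts the clocks, not forensic confirmation
    severe_disruption: bool         # has caused, or is capable of causing, severe operational disruption (23(3)(a))
    financial_loss: bool            # has caused, or is capable of causing, financial loss for the entity (23(3)(a))
    third_party_damage: bool        # has affected, or is capable of affecting, others with considerable damage (23(3)(b))
    notification_sent_at: datetime | None = None  # actual submission time of the 72-hour incident notification
    ongoing: bool = False           # still ongoing when the final report would fall due


def is_significant(inc: Incident) -> bool:
    """Article 23(3): either criterion suffices, and potential impact counts."""
    return inc.severe_disruption or inc.financial_loss or inc.third_party_damage


def add_one_month(dt: datetime) -> datetime:
    """Calendar-month arithmetic with day clamping (31 Jan + 1 month = 28 or 29 Feb). Assumption, see lead-in."""
    year = dt.year + dt.month // 12
    month = dt.month % 12 + 1
    day = min(dt.day, calendar.monthrange(year, month)[1])
    return dt.replace(year=year, month=month, day=day)


def reporting_deadlines(inc: Incident) -> dict[str, datetime]:
    """Article 23(4) stages for a significant incident; empty dict if not significant.

    early_warning          within 24 h of becoming aware (23(4)(a))
    incident_notification  within 72 h of becoming aware (23(4)(b))
    final_report           within one month of submitting the incident notification (23(4)(d))
    progress_report        replaces the final report while the incident is still ongoing; the
                           final report is then due one month after the incident is handled (23(4)(e))
    """
    if not is_significant(inc):
        return {}
    notification_due = inc.aware_at + timedelta(hours=72)
    # The one-month clock runs from actual submission; before submission, plan against the deadline.
    anchor = inc.notification_sent_at or notification_due
    deadlines = {
        "early_warning": inc.aware_at + timedelta(hours=24),
        "incident_notification": notification_due,
    }
    deadlines["progress_report" if inc.ongoing else "final_report"] = add_one_month(anchor)
    return deadlines


# Constructed incidents for the worked example.
SAMPLE_INCIDENTS = [
    Incident("EHR ransomware, wards on paper", utc(2025, 1, 31, 9), True, False, True),
    Incident("Admin HR portal slowed by DDoS", utc(2025, 1, 31, 9), False, False, False),
    Incident("Exfiltration from PACS, still active", utc(2025, 1, 31, 9), False, False, True,
             notification_sent_at=utc(2025, 2, 2, 15), ongoing=True),
]


if __name__ == "__main__":
    for inc in SAMPLE_INCIDENTS:
        print(inc.name, "-> significant" if is_significant(inc) else "-> not significant")
        for stage, due in reporting_deadlines(inc).items():
            print(f"    {stage:22s} {due.isoformat()}")
```

The point of the three boolean fields is that the triage decision is made on worst credible outcome, so the person on call can answer them within hours; the design deliberately separates that decision from the forensic investigation, which the final report captures later. Feeding the awareness timestamp from the ticketing system rather than from the analyst’s memory removes the most common source of a missed 24-hour window.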
Specific Considerations for Pharmaceutical Manufacturers and Medical Device Manufacturers
Pharmaceutical manufacturers and medical device manufacturers face additional considerations. Their role is part of the healthcare supply chain: a cybersecurity incident affecting their operations ripples across hospitals and patients.
For pharmaceutical manufacturers, NIS2 obligations focus on manufacturing continuity and supply-chain integrity. A ransomware attack that halts a production line for a critical drug affects healthcare providers and patients across the EU. Proportionate controls should include:
Manufacturing system security: the industrial control systems that hold recipes, batch records and production equipment settings should be segmented from the corporate network (isolated entirely where the process allows it), with strict access control and monitoring on the interfaces that remain.
Supply-chain resilience: contracts with raw material suppliers, third-party manufacturers (contract manufacturers), and logistics providers should include cybersecurity expectations and incident notification requirements.
Distribution system integrity: ensuring that medicines are not counterfeit and that distribution channels are secure.
For medical device manufacturers, NIS2 obligations sit alongside the product-level cybersecurity requirements of the MDR and IVDR (Regulations (EU) 2017/745 and 2017/746, whose Annex I general safety and performance requirements cover software lifecycle and IT security, with MDCG 2019-16 as the supporting guidance). The Cyber Resilience Act (CRA) excludes products already covered by the MDR or IVDR, so for such devices the product-security baseline comes from the medical device regulations while NIS2 governs the security of the manufacturer’s own networks and information systems. A device manufacturer must ensure that:
Devices are designed with security-by-default, incorporating secure boot, authentication, and encryption appropriate to the device’s function.
Known vulnerabilities are addressed through firmware updates, and mechanisms are established to deploy patches to devices in clinical use.
Post-market surveillance detects security vulnerabilities, and remediation is rapid.
Clinical integrations (e.g., a device connecting to an EHR) are documented and tested.
Member State Discretion and Sector-Specific Guidance
Importantly, the directive sets the baseline scope itself and leaves Member States room at the margins. The size-cap rule in Article 2 brings medium-sized and larger Annex I entities into scope by default; Article 2(2) adds smaller entities regardless of size where, for example, the entity is the sole provider of a service in a Member State or disruption of its service could have a significant impact on public health or safety, and Member States identify those entities when drawing up their lists of essential and important entities under Article 3(3). A small hospital that is the only provider in its region may therefore be in scope while a similarly sized clinic elsewhere is not. Compliance officers should monitor their Member State’s transposition and entity list to understand which parts of their organisation fall within scope.
Some Member States may publish sector-specific guidance clarifying expectations for healthcare cybersecurity. For example, guidance might specify that network segmentation between clinical and administrative systems is a proportionate control for all hospitals, or that vulnerability assessments should be conducted at least annually.
Member States may also establish specific communication channels or incident reporting platforms. Instead of notifying a generic competent authority, healthcare entities might report to a healthcare-specific authority or CSIRT with technical expertise in healthcare systems.
Key Takeaways
- Healthcare is a sector of high criticality under NIS2 (Annex I, Sector 5), alongside pharmaceutical manufacturers and manufacturers of medical devices considered critical during a public health emergency. Obligations are proportionate to organisational size and risk profile; large entities are essential entities and medium-sized ones are important entities unless their Member State decides otherwise.
- Governance must be board-level and explicit, with clear accountability for cybersecurity risk management, resource allocation, third-party oversight, and incident response.
- Risk assessments should map clinical workflows to IT dependencies, identifying single points of failure and prioritising controls that protect patient safety and data integrity.
- Incident reporting is mandatory for “significant” incidents (those that have caused, or are capable of causing, severe operational disruption or financial loss for the entity, or considerable damage to others): an early warning within 24 hours of becoming aware, an incident notification within 72 hours, and a final report within one month of that notification, all to the CSIRT or competent authority.
- Third-party management is critical: contracts with vendors, device manufacturers, and cloud providers should clearly allocate cybersecurity responsibilities and require incident notification.
- Pharmaceutical manufacturers and in-scope medical device manufacturers are essential or important entities whose cybersecurity practices directly affect healthcare continuity; supply-chain security and post-market vulnerability management are proportionate obligations for them.