Susan Walsh and Rachel Hayes
William Fry lawyers Susan Walsh, Rachel Hayes and Louisa Muldowney consider the EU’s new cybersecurity plan for the health sector.
The European Commission has launched a targeted consultation on its action plan for the cybersecurity of hospitals and healthcare. The action plan was identified as a priority of the 2024-2029 Commission.
The action plan is the first sector-specific cybersecurity plan to enhance cybersecurity and resilience across the healthcare sector as it evolves to reflect a rapidly digitising society and swift technological advancements.
The healthcare sector reported more cyber incidents than any other sector in 2023. Such incidents can severely disrupt healthcare delivery, compromise patient safety, and expose sensitive data, leading to significant operational, financial, and reputational consequences for healthcare providers.
The consultation welcomes responses from various stakeholders, including healthcare professionals, healthcare authorities and cybersecurity industry players on key areas, including the prevention of cybersecurity incidents, capabilities for detecting cyber threats against the health sector, and plans for rapid response and recovery.
The deadline for contributions is 30 June 2025.
The action plan
The action plan prioritises four key pillars:
-
Prevention – strengthening the healthcare sector’s capacity to prevent cybersecurity incidents through enhanced preparedness measures, such as issuing guidance on critical cybersecurity practices and supporting healthcare providers in their implementation;
-
Detection – establishing an EU-wide early warning subscription service for the health sector through the ENISA Cybersecurity Support Centre for hospitals and healthcare providers;
-
Response – ensuring that the EU Cybersecurity Reserve includes a Rapid Response Service specifically tailored to the needs of the health sector; and
-
Deterrence – discouraging malicious cyber activities against health systems by applying measures from the Cyber Diplomacy Toolbox to deter threat actors.
A broader legal context
The European Health Data Space Regulation (EHDS), which entered into force on 26 March 2025, establishes a common EU framework for accessing, sharing, and reusing electronic health data. It supports both primary use — such as direct patient care — and secondary use for research, innovation, policymaking, and public health purposes.
For the EHDS to function effectively, cybersecurity is paramount. The secure exchange of sensitive health data across borders and systems depends on robust digital infrastructure and trust in data protection mechanisms. The action plan’s focus on strengthening hospital cybersecurity directly supports the EHDS’s objectives by helping ensure that health data can be shared safely and reliably across the EU.
The action plan comes amidst other developments in the EU cybersecurity landscape.
The NIS 2 Directive (NIS 2), which came into effect in October 2024, marks a significant overhaul of the EU’s cybersecurity rules. It expands the scope of regulated entities to include a wider range of healthcare providers, including hospitals, clinics, and even outpatient and rehabilitation centres. It imposes stricter obligations around risk management, incident reporting, and governance.
Under NIS 2, healthcare organisations must adopt comprehensive cybersecurity risk management measures and may face substantial penalties for non-compliance, including fines and personal liability for management.
Conclusion
The action plan marks a pivotal step in the EU’s efforts to strengthen cybersecurity in the healthcare sector, addressing the growing threat landscape with targeted, sector-specific measures.
By aligning with broader legislative initiatives such as the EHDS and NIS2, the action plan reinforces the EU’s commitment to building a secure digital health ecosystem.
The consultation allows participants to contribute to the recommendations the Commission plans to adopt to further refine the action plan by Q4 2025.
