Due to the proliferation of digital infrastructures and tools deployed across healthcare settings, cybersecurity has become a major concern for hospitals and healthcare services. Especially since COVID-19, many hospitals have been targeted by cyber-criminals with denial-of-service, ransomware and other attacks, often initiated through phishing e-mails or security breaches. Over the last decade, HOPE has closely followed the evolving EU Cybersecurity Framework and contributed its expertise to policymakers.
One of the most recent and relevant elements is the European Action Plan on the cybersecurity of hospitals and healthcare providers, released in January 2025. The Action Plan revolves around four pillars containing actions to prevent, detect, respond to and recover from incidents, and to deter threat actors from engaging in cybercrime. In its stakeholder response, HOPE welcomed its comprehensive, collaborative scope, but stressed the urgent need to ensure adequate funding commensurate with the size of the threat. HOPE also called for avoiding the duplication of already existing networks performing specific tasks, as well as overlapping reporting obligations.
An opinion adopted by the European Committee of the Regions in July 2025 underlines the urgent need for comprehensive measures to counter cyber-threats and argues for enhanced practices and procedures to protect IT systems and increased training across the healthcare sector. Cyber-attacks risk delaying treatment, disrupting emergency services, and eroding patients’ trust.
The 2016 NIS Directive concerning measures for a high common level of security of network and information systems across the Union was the first EU legislation designed to boost the overall level of cybersecurity. It designated ENISA – the European Union Agency for Cybersecurity, operational since 2005 – as the secretariat of the national Computer Security Incident Response Teams (CSIRTs) network for the exchange of information on cyber threats and incident response. It also created the European cyber crisis liaison organisation network (EU-CyCLONe) for the coordinated management of large-scale incidents or crises. The NIS Cooperation Group was set up to facilitate strategic cooperation and information exchange among Member States, the European Commission, and ENISA, and to issue non-binding guidelines and recommendations to support the Directive’s implementation.
The 2019 Cybersecurity Act gave ENISA a permanent mandate, more resources, and new tasks. These included setting up and informing the public about the European cybersecurity certification framework for ICT products, services and processes, as well as increasing EU operational cooperation, including handling Member States’ cybersecurity incidents upon request. A targeted amendment adopted in January 2025 enables European certification schemes for ‘managed security services’ covering incident response, penetration testing, security audits and consultancy. In April 2025, the Commission launched a public consultation to evaluate and revise the Cybersecurity Act (see HOPE inputs).
Likewise, the NIS Directive was revised to meet evolving needs. The NIS2 Directive came into force in January 2023, with a wider scope, clearer rules, and stronger supervision tools. It requires Member States to enhance their cybersecurity capabilities, extends risk management measures and reporting requirements to entities from additional sectors, and stipulates rules for cooperation, information sharing, supervision, and enforcement of measures. Member States must adopt national strategies, including policies for supply chain security, vulnerability management, and cybersecurity education and awareness, and ensure that operators of essential services comply. Senior managers are held accountable for non-compliance with risk management measures. However, most Member States failed to transpose it into national law by October 2024, citing technical and other reasons.
Similarly, the Directive on the resilience of critical entities (CER), which expands the scope of the original CER Directive to 11 sectors and aims to strengthen resilience against various threats (natural hazards, terrorism, insider threats, sabotage, etc.), also experienced transposition delays, further exposing limited capacities at the national level.
Complementing NIS2 and the EU’s broader Cybersecurity Strategy (2020), the Cyber Resilience Act (CRA) enhances cybersecurity standards of products that contain a digital component, requiring manufacturers and retailers to ensure cybersecurity throughout the lifecycle. It protects individuals and entities by making it easier to identify hardware and software products with the proper cybersecurity features. The regulation applies to all products connected directly or indirectly to another device or network except for those already covered by existing rules (e.g., medical devices). Products must be CE marked to indicate compliance with the requirements. The CRA entered into force in December 2024, and its main obligations apply from December 2027 (see HOPE Position).
The Cyber Solidarity Act entered into force in February 2025, designed to strengthen capacities to detect, prepare for and respond to significant and large-scale cybersecurity threats and attacks. The Act introduces a European Cybersecurity Shield, a key element of which is a European Cybersecurity Alert System to improve the detection, analysis and response to cyber threats. This entails national and cross-border Security Operations Centres using AI and data analytics to detect and share warnings across borders. Another feature is the Cybersecurity Emergency Mechanism supporting preparedness by testing healthcare entities for potential weaknesses, creating an EU Cybersecurity Reserve made up of private providers’ incident response services deployed at the request of Member States or the Union, and fostering mutual assistance among Member States. It also establishes a Cybersecurity Incident Review Mechanism to assess and review specific incidents upon request.
Feeding into the Commission’s legislative and non-legislative work, Council conclusions on the future of cybersecurity were adopted in May 2024, inviting the Commission and Member States to step up implementation, clarify roles and responsibilities, and ensure multistakeholder cooperation. They followed previous Council conclusions including on developing the EU’s cyber posture (May 2022), the EU’s cybersecurity strategy and joint cyber unit (2021), and cybersecurity of connected devices (2020).
In relation to the implementation of the Medical Devices Regulations, HOPE joined the task force on cybersecurity created in 2018 and was invited to outline the structure of future EU guidance.
In light of an increasingly complex geopolitical environment and recognition of the defence-cybersecurity nexus, EU cybersecurity funding has been progressively increased. In June 2025 the Commission launched two new calls for proposals, the first under the Digital Europe Programme, with a budget of €55 million (€30 million of which will support the Cybersecurity Action Plan for Hospitals), the second under Horizon Europe with €90.5 million for developing generative AI for cybersecurity, new tools and processes, privacy-enhancing technologies and post-quantum cryptography.
In its 2023-2030 regional digital health action plan, WHO/Europe also stresses the importance of developing awareness and practical guidance in cybersecurity risk management and privacy-enhancing technologies. A 2025 guide, Cybersecurity and privacy maturity assessment and strengthening for digital health information systems, provides a framework for countries and organisations to develop risk assessment strategies that align with their specific needs, goals, and regulatory requirements.