As hospitals have been targeted in recent cyberattacks, HOPE is now closely monitoring the EU legislation in this field. A Directive on the security of network and information systems (the NIS Directive) was adopted by the European Parliament on 6 July 2016 and came into force in August 2016. Member States had 21 months to transpose the Directive into their national laws and 6 months more to identify operators of essential services. The NIS Directive is the first piece of EU-wide legislation on cybersecurity. It provides legal measures to boost the overall level of cybersecurity in the EU.

On 13 September 2017 the Commission issued a proposal for a regulation on ENISA, the EU Cybersecurity Agency, and on Information and Communication Technology Cybersecurity Certification (”Cybersecurity Act”).

On 26 March 2018, the Commission published an impact assessment to consult stakeholders on a proposal to create a cybersecurity competence network with a European Cybersecurity Research and Competence Centre. The Council agreed on 8 June 2018 its general approach on the proposal, known as the Cybersecurity Act. The proposal also upgraded the current European Union Agency for Network and Information Security (ENISA) into a permanent EU agency for cybersecurity.

On 10 December 2018, an agreement was reached in a trilogue. The deal was approved in the ITRE meeting on 14 January 2019 and adopted by Parliament during the 12 March 2019 plenary with 586 votes to 44 and 36 abstentions. It was signed by the President of the European Parliament and of the Council on 17 April 2019. The final Cybersecurity Act was published on the official journal of 7 June 2019 and entered into force on 27 June 2019.

In relation to the Medical Devices Directive implementation, HOPE joined the Task-force on cybersecurity created in 2018. HOPE was invited to the working group to outline the structure of future EU guidance on cybersecurity.