NIS2 for Healthcare Providers
Executive Summary
NIS2 classifies hospitals, healthcare providers, EU reference laboratories, pharmaceutical R&D, drug manufacturers and certain medical device makers as ESSENTIAL entities. Essential status carries the highest penalty ceiling, the strictest oversight model and proactive ex-ante supervision by national authorities. Healthcare is also one of the most-attacked sectors in Europe — making NIS2 compliance both a legal requirement and an operational necessity.
Key takeaways
- Hospitals are essential entities under Annex I of NIS2. The supervisor can inspect proactively, even without an incident.
- Maximum administrative fine is EUR 10 million or 2% of global annual turnover — whichever is higher. Personal liability of management bodies applies.
- Healthcare is the second-most attacked sector in the EU. Ransomware against hospitals causes patient-care disruption, not just data loss.
- Italy has transposed NIS2 through D.Lgs. 138/2024, with ACN as the national competent authority and CSIRT for the healthcare sector.
- Article 21 measures must be implemented and evidenced today. The October 2024 transposition deadline has passed; full enforcement is active.
Who should read this
- Hospital CIOs and CISOs responsible for NIS2 compliance and supervisor relationships.
- DPOs and compliance officers in healthcare organisations mapping NIS2 against the GDPR regime.
- Medical device manufacturers assessing whether they fall under NIS2 essential or important entity status.
- Health authority procurement officers selecting cybersecurity tooling for the national health service.
Healthcare Entities in NIS2 Scope
NIS2 Annex I, Sector 5, captures the healthcare sector at essential-entity level. The directive uses a deliberately broad definition that covers public and private hospitals, laboratories, R&D and certain medical device manufacturers. Below the size threshold, entities may still be designated by the Member State as critical.
A non-public hospital with an emergency department and meeting the size criteria has the same NIS2 obligations as a teaching hospital affiliated with a public university. NIS2 does not distinguish by ownership.
The Healthcare Threat Landscape
Healthcare is consistently among the top three most-attacked sectors in Europe. Ransomware against hospitals is no longer rare and increasingly causes operational disruption to patient care, not just data loss. The numbers below are illustrative orders of magnitude drawn from public ENISA and ACN reports.
Patient safety is the bottom-line consequence of any sustained healthcare cyber incident. Cancelled surgeries, diverted ambulances and reverted-to-paper workflows have measurable mortality impact in published academic studies.
Article 21 Measures Adapted for Healthcare
The ten Article 21 cybersecurity risk-management measures apply across all NIS2 sectors but their practical implementation varies. The list below describes how each measure typically applies in a hospital or large healthcare provider.
- (a) Risk analysis and information-system security policies: risk assessment that explicitly accounts for medical device risks, EHR systems, clinical-process disruption and patient-safety impact, not just data confidentiality.
- (b) Incident handling: incident response with explicit clinical-impact assessment and coordination with clinical leadership for ICU and operating-theatre disruptions.
- (c) Business continuity, backup management, disaster recovery and crisis management: tested fall-back to paper-based workflows for clinical operations; backup of EHR data with verified restoration; manual triage protocols for emergency departments.
- (d) Supply chain security: medical device cyber risk, EHR vendor risk, MSP risk. Particular attention to legacy medical devices that cannot be patched.
- (e) Security in network and information system acquisition, development and maintenance, including vulnerability handling and disclosure: where the entity develops its own clinical software, a secure development life cycle and integration with MDR/IVDR conformity assessment.
- (f) Policies and procedures to assess the effectiveness of risk-management measures: penetration testing of clinical environments under safe conditions; tabletop exercises that include clinical leadership.
- (g) Basic cyber hygiene practices and cybersecurity training: phishing-resistant training for clinical staff. Specialised training for the management body — Article 20 requires this and applies to hospital boards.
- (h) Policies on the use of cryptography and, where appropriate, encryption: encryption of EHR data at rest and in transit. Particular attention to medical device communication protocols.
- (i) Human resources security, access control policies and asset management: role-based access aligned with clinical roles; joiner/mover/leaver process integrated with HR and clinical credentialing.
- (j) Multi-factor or continuous authentication, secured communications and emergency communication systems: MFA on all administrative access and on remote access by physicians and on-call staff; secure messaging between clinical teams.
Incident Reporting Timeline
Healthcare entities follow the standard NIS2 24h/72h/1-month reporting timeline. The trigger is the same — a "significant incident" — but the threshold should explicitly include patient-safety impact, not just data confidentiality.
- Within 24 hours (early warning): notify the national CSIRT (ACN in Italy, CCN-CERT/INCIBE in Spain). Indicate whether malicious activity is suspected and any cross-border patient impact.
- Within 72 hours (incident notification): updated assessment with severity, clinical-impact assessment and indicators of compromise where available.
- Within 1 month (final report): detailed analysis with clinical impact data, root cause, mitigation status and lessons learned for the broader healthcare sector.
In addition to NIS2 reporting, healthcare incidents involving personal data trigger GDPR notification within 72 hours to the data protection authority. Many also trigger sector-specific reporting to national health authorities. A unified incident playbook is essential.
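As an added example (not code from the Orizon page), a small Python planner that turns the 24h/72h/1-month NIS2 steps and the parallel GDPR 72-hour duty described above into one dated notification list for a given incident. The significance threshold, the default CSIRT/DPA names and the sample incident are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import calendar

@dataclass
class Incident:
    detected_at: datetime          # moment of awareness: every reporting clock starts here
    clinical_disruption: bool      # cancelled surgeries, diverted ambulances, paper fallback
    patient_safety_impact: bool    # the healthcare-specific significance trigger
    personal_data_affected: bool   # pulls GDPR Art. 33 in alongside NIS2
    cross_border: bool             # patients or services in other Member States affected

def is_significant(inc: Incident) -> bool:
    # Assumed hospital threshold: disruption or patient-safety impact counts, not only data loss.
    return inc.clinical_disruption or inc.patient_safety_impact or inc.personal_data_affected

def plus_one_month(d: datetime) -> datetime:
    # Same day next month, clamped to that month's last day (31 Jan -> 28/29 Feb).
    year, month = (d.year + 1, 1) if d.month == 12 else (d.year, d.month + 1)
    return d.replace(year=year, month=month, day=min(d.day, calendar.monthrange(year, month)[1]))

def reporting_schedule(inc: Incident, csirt: str = "ACN", dpa: str = "national DPA") -> list[dict]:
    """Every notification duty the incident triggers, with recipient and deadline, by due date."""
    t0, duties = inc.detected_at, []
    if is_significant(inc):
        early, notify = t0 + timedelta(hours=24), t0 + timedelta(hours=72)
        duties += [
            {"regime": "NIS2", "step": "early warning", "to": csirt, "due": early,
             "content": f"malicious activity suspected? cross-border={inc.cross_border}"},
            {"regime": "NIS2", "step": "incident notification", "to": csirt, "due": notify,
             "content": "severity, clinical-impact assessment, IoCs where available"},
            # The 1-month clock runs from the actual incident notification; it is anchored on
            # the 72h deadline here as a planning value. Submit earlier and the clock starts then.
            {"regime": "NIS2", "step": "final report", "to": csirt, "due": plus_one_month(notify),
             "content": "clinical impact data, root cause, mitigation status, lessons learned"},
        ]
    if inc.personal_data_affected:
        duties.append({"regime": "GDPR", "step": "Art. 33 breach notification", "to": dpa,
                       "due": t0 + timedelta(hours=72), "content": "personal data breach details"})
    if inc.clinical_disruption or inc.patient_safety_impact:
        duties.append({"regime": "sector", "step": "health-authority report", "to": "national health authority",
                       "due": None, "content": "deadline follows national health rules (not fixed here)"})
    return sorted(duties, key=lambda d: (d["due"] is None, d["due"] or t0))

# Constructed scenario: ransomware found 1 March 2025 08:00 UTC, ED diverted, EHR data exfiltrated.
SAMPLE = Incident(datetime(2025, 3, 1, 8, tzinfo=timezone.utc), True, True, True, False)

if __name__ == "__main__":
    for duty in reporting_schedule(SAMPLE):
        print(f'{duty["regime"]:6} {duty["step"]:28} -> {duty["to"]:26} due {duty["due"]}')
```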
Supply Chain Security in Healthcare
Supply chain risk in healthcare is acute. The typical hospital relies on dozens of medical device vendors, an EHR vendor, multiple SaaS clinical applications, an MSP for IT operations and several specialised laboratories. Many of these touch patient-safety-critical systems. Some run on legacy operating systems that cannot be patched without invalidating the manufacturer's certification.
NIS2 Article 21(2)(d) explicitly requires entities to take into account supply-chain security in their relationships with direct suppliers and service providers. For healthcare entities this means a structured assessment of each supplier's security posture, contract clauses that mandate breach notification and a documented strategy for the legacy device problem.
Concrete obligations
- Maintain an up-to-date inventory of all medical devices, clinical software vendors and managed-service providers with access to clinical systems.
- Assess each supplier's cybersecurity posture before contract signature and on a defined cadence thereafter.
- Include security clauses in contracts: breach notification timelines, vulnerability disclosure obligations, audit rights, end-of-support commitments.
- Document a compensating-control strategy for legacy medical devices that cannot be patched — typically network segmentation and detection.
- Treat compromise of a critical supplier as a reportable incident under NIS2 where the impact threshold is met.
- Coordinate with the Member State's healthcare cybersecurity initiatives (Italy: ACN + Agenas; Spain: CCN-CERT + Ministry of Health).
National Framework: Italy & Spain
NIS2 is a directive, not a regulation, which means each Member State transposes it into national law. Italy and Spain have built their national frameworks around the directive while adding sector-specific guidance for healthcare. Understanding the national layer is essential — that is who hospital CIOs deal with day-to-day.
Italian hospital CIOs should engage early with ACN. The agency runs sector-specific exercises and offers technical guidance documents that go beyond the directive. Spanish hospital CIOs should clarify their CSIRT relationship (CCN vs INCIBE) and align their incident response playbook accordingly.
Implementation Roadmap
A phased approach works better than attempting to implement everything at once. The phases below assume the entity is starting from a typical hospital baseline — some controls in place but no formal NIS2 programme.
Phase 1 — Scope & registration (0-3 months)
- Register with the national competent authority (ACN in Italy, INCIBE/CCN in Spain).
- Complete the gap assessment against the ten Article 21 measures.
- Inventory medical devices, clinical software and IT suppliers with access to clinical systems.
- Brief the management body on personal liability under Article 20 and schedule mandatory training.
Phase 2 — Critical controls (3-9 months)
- Implement MFA on all administrative and remote-clinical access.
- Deploy network segmentation isolating legacy medical devices.
- Stand up a tested incident response playbook aligned to the 24/72h/1-month timeline.
- Renegotiate critical supplier contracts to add NIS2 security clauses and breach notification terms.
Phase 3 — Continuous operations (9-18 months)
- Annual penetration testing of clinical environments.
- Tabletop exercises with clinical and management leadership.
- Continuous evidence collection for ACN/CCN audits.
- Regular review of medical device vendor compliance and end-of-support roadmap.
How Orizon Supports Healthcare Compliance
Orizon already supports several Italian and European hospital systems on their NIS2 journey. The platform is sovereign by construction — patient and clinical data never leaves the EU — and the tooling maps directly to the Article 21 measures.
Next steps
- Book a NIS2 healthcare scoping assessment with our compliance team.
- Request a free RECON scan of your external attack surface — patient portals included.
- Get a copy of our healthcare incident response playbook template.
Contact: [email protected] · orizon.one/solutions/nis2-compliance · EU sovereign infrastructure.