William Fry is a leading corporate law firm in Ireland, with over 350 legal and tax professionals and more than 500 staff. The firm's client-focused service combines technical excellence with commercial awareness and a practical, constructive approach to business issues. The firm advises leading domestic and international corporations, financial institutions and government organisations. It regularly acts on complex, multi-jurisdictional transactions and commercial disputes.

The European Commission has launched a targeted consultation (consultation) on its action plan for the cybersecurity of hospitals and healthcare (Action Plan). The Action Plan was identified as a priority of the 2024-2029 Commission.

The Action Plan is the first sector-specific cybersecurity plan to enhance cybersecurity and resilience across the healthcare sector as it evolves to reflect a rapidly digitising society and swift technological advancements. The healthcare sector reported more cyber incidents than any other sector in 2023. Such incidents can severely disrupt healthcare delivery, compromise patient safety, and expose sensitive data, leading to significant operational, financial, and reputational consequences for healthcare providers.

The consultation welcomes responses from various stakeholders, including healthcare professionals, healthcare authorities and cybersecurity industry players on key areas, including the prevention of cybersecurity incidents, capabilities for detecting cyber threats against the health sector, and plans for rapid response and recovery. The deadline for contributions is 30 June 2025.

The Action Plan

The Action Plan prioritises four key pillars:

Prevention – Strengthening the healthcare sector's capacity to prevent cybersecurity incidents through enhanced preparedness measures, such as issuing guidance on critical cybersecurity practices and supporting healthcare providers in their implementation;

Detection – Establishing an EU-wide early warning subscription service for the health sector through the ENISA Cybersecurity Support Centre for hospitals and healthcare providers;

Response – Ensuring that the EU Cybersecurity Reserve includes a Rapid Response Service specifically tailored to the needs of the health sector; and

Deterrence – Discouraging malicious cyber activities against health systems by applying measures from the Cyber Diplomacy Toolbox to deter threat actors.

A Broader Legal Context

The European Health Data Space Regulation (EHDS), which entered into force on 26 March 2025, establishes a common EU framework for accessing, sharing, and reusing electronic health data. It supports both primary use—such as direct patient care—and secondary use for research, innovation, policymaking, and public health purposes. For the EHDS to function effectively, cybersecurity is paramount. The secure exchange of sensitive health data across borders and systems depends on robust digital infrastructure and trust in data protection mechanisms. The Action Plan's focus on strengthening hospital cybersecurity directly supports the EHDS's objectives by helping ensure that health data can be shared safely and reliably across the EU.

The Action Plan comes amidst other developments in the EU cybersecurity landscape. The NIS 2 Directive (NIS 2), which came into effect in October 2024, marks a significant overhaul of the EU's cybersecurity rules. It expands the scope of regulated entities to include a wider range of healthcare providers, including hospitals, clinics, and even outpatient and rehabilitation centres. It imposes stricter obligations around risk management, incident reporting, and governance. Under NIS 2, healthcare organisations must adopt comprehensive cybersecurity risk management measures and may face substantial penalties for non-compliance, including fines and personal liability for management.

Conclusion

The Action Plan marks a pivotal step in the EU's efforts to strengthen cybersecurity in the healthcare sector, addressing the growing threat landscape with targeted, sector-specific measures. By aligning with broader legislative initiatives such as the EHDS and NIS 2, the Action Plan reinforces the EU's commitment to building a secure digital health ecosystem.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.