Key facts for healthcare
- Healthcare is listed under Annex I. Most in-scope providers are classified as essential entities.
- Maximum fines are up to 10 million euro or 2 percent of global annual turnover.
- A single ransomware event can trigger both NIS2 and GDPR reporting, on different timelines.
- Medical devices in clinical use are part of the hospital's Article 21 risk surface.
- The management body is personally accountable under Article 20, including mandatory training.
Scope clarity: who is essential, who is important
Annex I of NIS2 covers the health sector under a single heading, but the practical scope is broader than just hospitals. The directive reaches across the care continuum, including manufacturers upstream of clinical delivery.
- Healthcare providers, as defined in Directive 2011/24/EU. This primarily means hospitals and clinics providing cross-border or nationally significant care.
- EU reference laboratories designated by the European Commission.
- Entities carrying out research and development activities on medicinal products.
- Entities manufacturing basic pharmaceutical products and pharmaceutical preparations.
- Entities manufacturing medical devices considered critical during a public health emergency, as referred to in the public health emergency critical devices list.
General practitioners, small clinics, and allied health providers are usually out of direct scope unless the member state specifically designates them. The line moves when a provider is deemed critical at national level, for example because it is the sole provider of a specialist service. Always confirm scope against the national transposition law, not only the directive text.
Top cyber risks for healthcare
Ransomware on hospitals
Hospitals are among the most frequently attacked ransomware targets in Europe. Downtime of the electronic patient record, radiology systems, or clinical messaging directly affects patient safety. Several high-profile incidents have forced ambulance diversions, cancelled surgeries, and extended outages lasting weeks. Article 21 treats continuity as a mandatory control area for exactly this reason.
Medical device security
Infusion pumps, imaging systems, patient monitors, and laboratory analyzers are network-connected and often run outdated operating systems. They cannot usually be patched on enterprise schedules. NIS2 does not ask the hospital to rebuild them, but it does require a documented approach: inventory, segmentation, monitoring, and compensating controls.
Patient data at rest and in motion
Electronic patient records, research data, and genomic information are high-value targets. Encryption, access control, and audit logging are foundational. NIS2 reinforces these expectations through Article 21 and aligns with GDPR on data security, although the two regimes have different triggers and recipients for reporting.
Third parties and clinical supply chain
Hospitals rely on EHR vendors, imaging PACS providers, medical device makers, cleaning and catering services, and a long tail of research collaborators. Each of these introduces potential access. Article 21 supply chain security duties apply to the full set.
NIS2 and GDPR: one incident, two regimes
Ransomware affecting patient records is the textbook case. Under NIS2 Article 23, the hospital must submit an early warning to the CSIRT or competent authority within 24 hours, a formal notification within 72 hours, and a final report within one month. Under GDPR Article 33, the hospital must notify the data protection authority within 72 hours. Affected patients may also need to be informed under GDPR Article 34.
The content of these reports differs. NIS2 emphasises service disruption, cross-border impact, and technical root cause. GDPR emphasises the categories and volume of personal data, affected individuals, and mitigation. A shared incident playbook that produces both streams of reporting from the same factual baseline is the pragmatic answer, and one of the deliverables Burak typically produces during an engagement.
Practical implication: assume that any significant ransomware, data exfiltration, or prolonged service outage involves both regimes and design your incident response process to serve both from day one. Legal, DPO, CISO, and communications should share one room during a crisis, not three.
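An added example (not code from the page or its author) that turns the Article 23 and Article 33 timelines above into one deadline schedule, the kind of shared factual baseline a joint playbook needs. The three yes/no trigger flags, the calendar-month reading of "one month", and the sample incident are assumptions.

```python
from __future__ import annotations
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass
class Incident:
    detected_at: datetime          # moment the hospital became aware; must be timezone-aware
    significant_disruption: bool   # NIS2 Art. 23 trigger (simplified to one flag; assumption)
    personal_data_affected: bool   # GDPR Art. 33 trigger
    high_risk_to_patients: bool    # GDPR Art. 34 trigger; the page gives it no fixed clock

def add_one_month(ts: datetime) -> datetime:
    """Calendar-month addition for the NIS2 final report; clamps to the last day of a shorter month."""
    year = ts.year + ts.month // 12
    month = ts.month % 12 + 1
    day = min(ts.day, calendar.monthrange(year, month)[1])
    return ts.replace(year=year, month=month, day=day)

def reporting_deadlines(inc: Incident) -> list[tuple[str, datetime | None]]:
    """Every report the incident triggers as (label, UTC deadline), earliest first.
    A deadline of None means the step is required but has no fixed clock here."""
    t0 = inc.detected_at.astimezone(timezone.utc)
    items = []
    if inc.significant_disruption:
        items += [("NIS2 Art. 23 early warning to CSIRT", t0 + timedelta(hours=24)),
                  ("NIS2 Art. 23 incident notification to CSIRT", t0 + timedelta(hours=72)),
                  ("NIS2 Art. 23 final report to CSIRT", add_one_month(t0))]
    if inc.personal_data_affected:
        items.append(("GDPR Art. 33 breach notification to DPA", t0 + timedelta(hours=72)))
        if inc.high_risk_to_patients:
            items.append(("GDPR Art. 34 communication to affected patients", None))
    # stable sort: NIS2 notification stays ahead of the GDPR one when both fall at 72h
    return sorted(items, key=lambda kv: (kv[1] is None, kv[1] or t0))

def overdue(inc: Incident, now: datetime) -> list[str]:
    """Timed reports whose deadline has already passed at `now` (steering-group dashboard view)."""
    now = now.astimezone(timezone.utc)
    return [label for label, dl in reporting_deadlines(inc) if dl is not None and dl < now]

def sample_case() -> Incident:
    # constructed sample: ransomware on the EHR detected 31 Jan 2024 10:00 UTC, patient records encrypted
    return Incident(datetime(2024, 1, 31, 10, tzinfo=timezone.utc), True, True, True)

if __name__ == "__main__":
    case = sample_case()
    for label, dl in reporting_deadlines(case):
        print(f"{dl.isoformat() if dl else 'no fixed clock':>25}  {label}")
    print("overdue at +30h:", overdue(case, case.detected_at + timedelta(hours=30)))
```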
Board liability in healthcare
Hospital boards have historically focused on patient safety, quality, and financial sustainability. Cybersecurity now sits on the same risk register with the same expectation of board engagement. Article 20 requires the management body to approve cybersecurity risk measures, to oversee their implementation, and to complete cybersecurity training. Members can be held personally accountable when serious breaches are linked to oversight failures.
In practice this means quarterly board-level reporting on cybersecurity risk, a documented training program for directors, and a clear decision trail when the board signs off on the information security policy. The same applies to university medical center supervisory boards and to the boards of group structures operating multiple hospitals.
A 30-day, 90-day, and 12-month roadmap for hospitals
First 30 days: clarity
- Confirm scope per legal entity and register with the national competent authority.
- Form a joint NIS2 and GDPR steering group with CISO, DPO, legal, clinical leadership, and a board sponsor.
- Inventory high-criticality clinical systems, including EHR, radiology, lab, pharmacy, and key medical devices.
- Review the existing incident response plan against Article 23 timelines and identify decision gaps.
Days 30 to 90: stabilise
- Publish a management body-approved information security policy.
- Deliver mandatory cybersecurity training to the management body.
- Run a tabletop exercise simulating ransomware on the EHR, exercising both NIS2 and GDPR reporting.
- Close top quick wins: MFA for clinical applications where feasible, offline EHR downtime procedures, and segmentation of known-vulnerable medical devices.
Months 4 to 12: sustain
- Mature the medical device security program with inventory, risk rating, and vendor engagement on patching and monitoring.
- Roll out supply chain security duties to vendor management, including contract clauses for EHR, PACS, and device makers.
- Integrate NIS2 and GDPR reporting into a single incident management tool, with clear routing to CSIRT and DPA.
- Run an internal audit against Article 21 and close findings before the first external supervisory review.
Frequently asked questions
Which healthcare organizations are in scope?
Annex I covers healthcare providers under the cross-border care directive, EU reference laboratories, medicinal product researchers, manufacturers of basic pharmaceutical products, and manufacturers of medical devices considered critical in a public health emergency. Size thresholds apply, and member states can designate additional providers as critical.
Are hospitals essential or important entities?
Hospitals meeting the size thresholds are typically essential entities under Annex I, with higher maximum fines and proactive supervision. Smaller or specialist providers may be classified as important, depending on national transposition.
How does NIS2 interact with GDPR?
Both can apply to the same incident. NIS2 targets service continuity and security; GDPR targets personal data protection. Reporting channels and timelines differ, so prepare a shared playbook that produces both streams from the same incident log.
Do medical devices fall under NIS2?
Medical devices are part of the hospital's Article 21 risk surface. In addition, manufacturers of medical devices critical in a public health emergency are directly in scope under Annex I.
What does board liability look like?
Boards must approve cybersecurity risk measures, oversee implementation, and complete training. Member states may impose personal fines and, for essential entities, temporarily suspend individuals from management functions where serious breaches trace back to oversight failures.
Is ISO 27001 enough?
ISO 27001 is a strong baseline but needs to be extended to cover medical device security, clinical continuity, NIS2 reporting workflows, and supply chain obligations. ISO 27799 and IEC 80001 provide healthcare-specific layers on top.
How quickly can we reach readiness?
Large hospitals typically need nine to eighteen months depending on maturity. Smaller clinics leaning on external IT providers can move faster by leveraging the provider's control set and focusing on clinical-specific risks.
What if we underreport an incident?
Late or missing reporting can lead to separate NIS2 fines, on top of any GDPR consequences, and damages trust with the national CSIRT and patient community. The safer path is to file an early warning with initial information under Article 23 and update as the picture clarifies.