Article   November 09 2023

The health sector - what’s new with NIS2?

With a wider coverage of sectors, stricter requirements for risk management and incident reporting, and more hard-hitting penalties for non-compliance, the new NIS2 directive is the most comprehensive European cybersecurity directive yet. The health sector was already subject to NIS1, but here’s what both public and private organisations within the health sector need to look out for with the new NIS2 directive.


The healthcare sector is one of the cornerstones of European society and economy. With the potential for fatal real-life consequences in case of a successful cyberattack, the sector is deemed essential under the NIS2 Directive, subjecting it to the toughest requirements and obligations.

The healthcare sector is facing several cybersecurity challenges. One of them is a lack of digital standardization in combination with the handling of sensitive information.

Many healthcare organisations are also struggling with aging technology and insufficient resources. The sometimes fragmented healthcare system is also hampered by several interconnected systems. Another main source of cybersecurity vulnerability that has been pointed out is that healthcare employees may not receive sufficient cybersecurity training, which increases the risk of human error and security breaches.

NIS2 comes with a wide range of implications for entities in this sector. Healthcare organizations are already subject to strict data privacy regulations, and NIS2 adds an additional layer of cybersecurity regulation, with stricter protection of patient data and prevention of health service disruption. In the short term, the NIS2 directive has the potential to increase the cost of healthcare delivery, as organizations may need to invest in new technologies and processes to comply. However, in the long term, it is expected to lead to enhanced security, better protection of patient data, and increased trust in digital healthcare services.


Awareness training – one of 10 key cyberhygiene measures 

The NIS2 directive requires that the health sector and other essential and important entities implement 10 baseline security measures to address specific forms of likely cyberthreats.


  • Risk assessments and security policies for information systems.
  • Policies and procedures for evaluating the effectiveness of security measures.
  • Policies and procedures for the use of cryptography.
  • A plan for handling security incidents.
  • Security around the procurement of systems and the development and operation of systems.
  • Security procedures for employees with access to sensitive or important data.
  • A plan for managing business operations during and after a security incident.
  • The use of multi-factor authentication.
  • Security around supply chains and the relationship between the company and direct supplier.
  • Cybersecurity training and a practice for basic computer hygiene.


Cybersecurity training is not only ‘on the list’. It’s a well-known fact that awareness training is an essential part of creating the organisational security culture needed for organisations to be compliant with many of the other security measures mandated by NIS2. Without awareness training all year round, many of the operational procedures will eventually fail – due to human errors.

Our newly updated 2024 editions of Information Security Awareness training target all employees, managers, executives, and boards, and are one part of being NIS2 compliant.

Or why not kickstart with our NIS2 Introduction course? This will give your management a better understanding of what your organisation needs to be NIS2 compliant.
