Commission presents action plan to protect the health sector from cyber-attacks

On 15 January 2025, the Commission presented an EU Action Plan for strengthening the cybersecurity of hospitals and healthcare providers. The action plan was announced in President von der Leyen's Political Guidelines as a key priority for the first 100 days of the new mandate. The initiative is an important step in protecting the health sector from cyber threats: improving the threat detection, preparedness and response capabilities of hospitals and healthcare providers will create a safer environment for patients and healthcare professionals.

Digitalisation is revolutionising healthcare, enabling better services for patients through innovations such as electronic health records, telemedicine and diagnostics based on artificial intelligence. However, cyber-attacks can delay medical procedures, create bottlenecks in emergency services and disrupt essential services, which in severe cases can directly affect lives. In 2023, Member States notified 309 serious cybersecurity incidents affecting the health sector, more than in any other critical sector.

The action plan proposes, among other things, that ENISA, the EU cybersecurity agency, set up a pan-European Cybersecurity Support Centre for hospitals and healthcare providers, providing them with tailored guidance, tools, services and training. The initiative builds on the broader EU framework for strengthening the cybersecurity of critical infrastructure and is the first sector-specific initiative to deploy the full range of EU cybersecurity measures.

In short, the action plan focuses on four priorities:

  • Prevention: the plan strengthens the health sector's capacity to prevent cybersecurity incidents through enhanced preparedness measures, such as guidelines for implementing key cybersecurity practices. Member States may also introduce cybersecurity vouchers to provide financial assistance to micro, small and medium-sized hospitals and healthcare providers. Finally, the EU will develop cybersecurity learning resources for healthcare professionals.
  • Detection and identification of threats: by 2026, the Cybersecurity Support Centre for Hospitals and Healthcare Providers will develop an EU-wide early warning service providing near-real-time alerts on potential cyber threats.
  • Response: responding to cyber-attacks so as to minimise their impact. The plan proposes a rapid response service for the health sector under the EU Cybersecurity Reserve. Established by the Cyber Solidarity Act, the reserve provides incident response services from trusted private providers. As part of the plan, national cybersecurity exercises can be held, together with the development of a handbook to help health organisations respond to specific cybersecurity threats, including ransomware. Member States are encouraged to require operators to report ransom payments, so that the authorities can provide them with the necessary support and law enforcement can follow up.
  • Deterrence: protecting Europe's health systems by deterring cyber threat actors from attacking them. This includes the use of the Cyber Diplomacy Toolbox, the EU's joint diplomatic response to malicious cyber activities.

The Action Plan will be implemented in cooperation with healthcare providers, Member States and the cybersecurity community. To further develop the most effective measures and ensure that patients and healthcare providers can benefit from them, the Commission will soon launch a public consultation on this plan, open to all citizens and stakeholders.

Next steps

The Action Plan is the start of a process to improve cybersecurity in the health sector. The specific measures will be progressively implemented in 2025 and 2026. The results of the consultation will feed into further recommendations by the end of the year.

Background

The EU is working in different areas to promote cyber resilience and protect its citizens and businesses from cyber threats in an increasingly digital and connected Europe. This action plan responds to the urgency of the situation and to the specific threats facing the sector, and builds on the existing cybersecurity legislation. Hospitals and other healthcare providers are designated as a sector of high criticality under the NIS 2 Directive. The cybersecurity framework of the NIS 2 Directive is closely linked to the Cyber Resilience Act, the first EU legislation laying down mandatory cybersecurity requirements for products with digital elements, which entered into force on 10 December 2024. The Cyber Solidarity Act also put in place a Cybersecurity Emergency Mechanism that reinforces solidarity and coordinated EU measures to detect, prepare for and respond effectively to evolving cybersecurity threats and incidents.

Ensuring a resilient and secure digital infrastructure is essential for the full deployment of the European Health Data Space, which will put citizens at the centre of healthcare and give them full control over their data.
