EU Unveils Cybersecurity Action Plan for Healthcare
On January 15, 2025, the EU Commission released an Action Plan aimed at bolstering cybersecurity in hospitals and healthcare providers across the EU. This initiative addresses the escalating cybersecurity threats exacerbated by increased digitization in the healthcare sector. The Action Plan builds on existing EU cybersecurity legislation, such as the NIS Directive 2 (NISD2) and the Cyber Resilience Act, and aligns with the European Health Data Space Regulation adopted on January 21, 2025. The plan prioritizes prevention, detection, response, and deterrence of cyber threats.
The prevention measures include establishing a European Cybersecurity Support Centre for hospitals, launching pilots to develop best practices, and providing guidance on cybersecurity practices. A Cybersecurity Voucher system is proposed to assist smaller healthcare entities in implementing preventative measures. The Action Plan also emphasizes securing third-party ICT supply chains and enhancing the sector’s skilled workforce to reduce human error.
For threat detection, the Action Plan focuses on information sharing through the Support Centre and an EU-wide early warning service. Member States are encouraged to share cyber incident notifications with ENISA to improve situational awareness. The response strategies include a rapid response service under the Cyber Solidarity Act and the development of a ransomware recovery subscription service. The plan suggests requiring entities to report ransom payments under NISD2 due to the high incidence of ransomware attacks.
To deter threat actors, the Action Plan fosters cross-border investigations and public-private cooperation. A Health Cybersecurity Advisory Board will be established to guide the Commission and Support Centre. The Action Plan will roll out progressively in 2025/2026, with consultations planned to refine the proposals further.