EU Commission Launches Cybersecurity Action Plan for Hospitals and Healthcare Providers
On January 15, 2025, the EU Commission published an action plan aimed at supporting cybersecurity in hospitals and healthcare providers in the EU (the Action Plan). The Action Plan is another response by the EU to the increasing cybersecurity threats facing all industries, including the health sector. The Commission notes that this risk has increased due to, amongst other factors, the increased digitisation of healthcare, which has allowed attack surfaces to grow. It also follows a number of high-profile incidents that have impacted healthcare providers in the EU. The Action Plan is intended to build on the new EU cybersecurity legislation, such as the NIS Directive 2 (NISD2) and the Cyber Resilience Act, and to feed into the full deployment of the European Health Data Space Regulation, which was adopted on January 21, 2025. See our blog post here.
The Action Plan focusses on the following priorities: (i) prevention of cyber-attacks; (ii) detecting and identifying threats; (iii) responding to cyber-attacks; and (iv) deterring cyber threat actors.
Prevention of Cyber-Attacks
Acknowledging that there is variation in the cybersecurity preparedness of entities in the sector due to many factors (e.g., private sector vs. public sector, size and resources as well as the level of adoption of technology), the Action Plan puts forward several measures to strengthen prevention, including:
- Establishing a “user-friendly, easy-access” dedicated European Cybersecurity Support Centre (Support Centre) for hospitals and healthcare providers through the lifecycle of an incident (e.g., preparedness, prevention, detection, and response).
- Launching pilots across the EU to develop best practices for cyber hygiene, security risk assessment and the use of state-of-the-art cybersecurity solutions to address continuous monitoring, threat intelligence and incident response. The results of such pilots will help develop the service catalogue which the Support Centre intends to provide.
- Providing guidance on critical cybersecurity practices, as well as training, a framework for maturity assessments specific to healthcare and procurement guidelines, amongst other organisational measures.
- A regulatory mapping tool which would aim to minimize the administrative burden for those in the sector who are subject to multiple, competing laws and regulation in the area.
- Introducing a “Cybersecurity Voucher” system for micro, small, and medium-sized hospitals and healthcare providers which would help towards the cost of implementing such preventative measures.
- A particular focus of the Action Plan is the risk posed by third parties and ICT supply chains and the Action Plan proposes, for example, that the NIS Cooperation Group should perform a coordinated security risk assessment to assess both the technical and strategic risks related to medical device supply chains and corresponding mitigating measures. It is suggested that this may also inform the development of Procurement Guidelines by the Support Centre, reflecting trends such as the cloudification of patient data storage and the need for secure migration.
- The Action Plan also acknowledges the importance of a skilled workforce in the sector, both in the context of leaders in cybersecurity and the workforce more generally to reduce human errors as a contributor to incidents.
Detecting and Identifying Threats
A key focus here is information sharing to enhance threat detection and awareness, via the Support Centre, as well as an EU-wide early warning subscription service for the health sector, delivering near-real-time alerts. Member States will be encouraged to share all cyber incident notifications from hospitals and healthcare providers with the ENISA Support Centre to develop situational awareness. The Action Plan also puts forward a requirement for the Support Centre to develop a tailored framework for cybersecurity maturity assessments that is specific to healthcare.
Responding to and Recovering from Cyber-Attacks
Noting that it is imperative to recover quickly from such attacks for patient safety and other purposes, the Action Plan puts forward a number of proposals to help minimise impact:
- Providing a rapid response service under the Cyber Solidarity Act where incident response services will be provided by trusted private service providers.
- Producing a cyber incident response playbook tailored to healthcare and practical testing based on real life experience, and facilitating a wide roll-out of national cybersecurity exercises to test playbooks and strengthen incident response protocols.
- Developing a ransomware recovery subscription service and broadening the repository of decryption tools to help those in the sector avoid paying ransoms by using such tools and enhancing their ability to get data back online.
- The Action Plan notes that ransomware accounted for 54% of analysed cybersecurity incidents in the health sector in 2021–2023. With this in mind, a key proposal of the Action Plan is that entities subject to NISD2 should be required to report any ransom payments made.
Deterring Threat Actors
The Action Plan seeks to foster cross-border investigations through enhanced sharing of indicators of compromise, and increased cybercriminal investigations. The Action Plan highlights that public-private cooperation with healthcare providers, other health sector entities and the relevant cybersecurity industry players is essential for successful implementation. For example, the Commission, supported by ENISA, will set up a joint Health Cybersecurity Advisory Board to advise the Commission and the Support Centre in the field.
Next Steps
Following the publication of the Action Plan, proposed actions will be rolled out progressively throughout 2025/2026. As such, there are no immediate obligations imposed by the Action Plan on the health sector. However, the Commission plans to run consultations with key stakeholders this year to feed into further actions and recommendations to refine the Action Plan by the end of this year.
This post is as of the posting date stated above. Sidley Austin LLP assumes no duty to update this post or post about any subsequent developments having a bearing on this post.