The European Commission presented an action plan aimed at strengthening cybersecurity in hospitals and healthcare providers. This project, announced as a priority by President Ursula von der Leyen, seeks to protect the healthcare sector against increasingly frequent cyberattacks.
The plan strengthens hospitals' ability to prevent, detect and respond to cyberattacks in Europe. Its implementation promises a safer environment for patients and healthcare professionals. It also responds to the risks associated with digitalisation, which, although it improves healthcare, exposes healthcare systems to critical incidents.
In 2023, Member States reported 309 serious cyberattacks in the healthcare sector, more than in any other key sector. These incidents can disrupt medical procedures, delay treatment and endanger lives.
Main axes of the action plan
The Commission will promote best cybersecurity practices through specific guides and training programmes for healthcare professionals. The plan also includes cybersecurity bonds to financially support small and medium-sized hospitals. In addition, educational resources will be developed to increase the sector's preparedness against potential attacks.
In addition, a Europe-wide early warning service will be established to detect cyber threats in near real time. This system, managed by ENISA, will be available in 2026 and will facilitate the rapid identification of risks.
The plan proposes a rapid response service to mitigate the impact of cyberattacks. This service will be part of the EU Cybersecurity Reserve, which coordinates actions with trusted private providers. It will also promote the implementation of national cybersecurity exercises and the creation of action manuals for dealing with incidents such as data hijacking.
The EU seeks to deter cyberthreat perpetrators through cyberdiplomacy tools. These measures include a coordinated diplomatic response to malicious activities.
Public consultation and next actions
The action plan will be implemented in collaboration with hospitals, Member States and cybersecurity experts. The Commission will soon launch a public consultation to receive input from citizens and stakeholders. The results will be incorporated into final recommendations by the end of the year.
Between 2025 and 2026, measures will be implemented progressively to ensure tangible results in cybersecurity in the healthcare sector.
The initiative is based on regulations such as the NIS 2 Directive, which classifies the healthcare sector as critical infrastructure. This directive complements the Cyber Resilience Regulation, which sets mandatory cybersecurity requirements for digital products and came into force in December 2024.
The Cyber Emergency Mechanism of the Cyber Solidarity Regulation also strengthens the response capacity to incidents, fostering cooperation between Member States.