The European Commission announced on Wednesday an “action plan” to reduce the health sector’s vulnerability to cyberattacks, following what it said was four years in which the sector was hit by more attacks than any other industry in Europe.
The proposed actions include providing guidance to the healthcare sector and a list of services that the commission will not itself provide, but which entities in the sector can avail themselves of. The plan does not include any new funds for these actions, with the guidance instead directing the sector towards existing opportunities, despite acknowledging that funding for cybersecurity is “limited” and “a universal challenge across the EU.”
It follows Ursula von der Leyen, the president of the commission, pledging to produce this plan within the first 100 days of her second term in the wake of multiple cyberattacks impacting hospitals across the bloc, including in Romania, France, Belgium and Spain.
But the plan faces the same fundamental challenge that the commission often faces when trying to use its leverage over the market domain to improve the security domain, something that remains out of its grasp and in the sovereign hands of member states.
“Securing health systems is primarily a national competence,” the plan’s 23-page communication document acknowledges, while noting that health is defined as a critical sector under the EU’s NIS2 directive — legislation that requires entities operating in critical parts of national infrastructure to meet specific security standards.
As a directive rather than a regulation, NIS2 was not automatically implemented as an enforceable law in member states’ statute books. Although the directive was supposed to be implemented by domestic legislation by October 17 last year, to date only six of the EU’s 27 member states have done so.
Attacks affecting hospitals and healthcare providers — with ransomware singled out in particular — have been cited as “causing direct harm to people, delaying medical procedures, causing gridlocks in emergency rooms” and potentially leading to the loss of life, although there have been no confirmed incidents of this happening.
Within the measures that the European Commission can adopt, its action plan tasks the EU Agency for Cybersecurity (ENISA) with establishing “a dedicated European Cybersecurity Support Centre for hospitals and healthcare providers.”
This support center will not actually offer any support itself, but will provide guidance and create “a comprehensive service catalogue catering to the needs of hospitals and healthcare providers, outlining the range of available services for preparedness, prevention, detection and response.”
According to the plan, member states will be asked to “consider” providing targeted support, for instance with cybersecurity vouchers — largely to be funded by the member states themselves, similar to the EU Innovation Vouchers scheme — that could be used to provide financial assistance to hospitals and healthcare providers.
In places the action plan describes problems that affect almost all economic sectors, noting that many healthcare entities lack the resources to effectively implement cloud services securely, and suggesting cloud service providers “should be encouraged” to include “baseline security measures as a standard feature” without providing any indication that a market intervention on the matter might be appropriate.
A spokesperson for the commission said: “Hospitals and healthcare providers may need to allocate resources to enhance their cybersecurity measures already. The Action Plan’s objective is precisely to support hospitals on these efforts, such as by EU funding opportunities, guidance, and sharing of best practices.
“The Commission’s aim is that these measures are feasible and cost-effective for healthcare providers. Cybersecurity should be seen not as an expense but as an investment in protecting patient care and data. Through programs like Digital Europe and Horizon Europe, hospitals can access financial support to upgrade their digital infrastructure,” they added.
The action plan will now go through a period of consultation, with member states and other stakeholders invited to contribute before the Commission refines its ideas “in the fourth quarter of 2025.”
Alexander Martin is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and is also a fellow at the European Cyber Conflict Research Initiative.