The new Network and Information Systems Directive (NIS2) came into effect on 18 October 2024, bringing with it an overhaul of how cybersecurity risk management is regulated in Europe.
NIS2 introduces a package of measures aimed at reducing the risk of cyber-attacks and strengthening cyber resilience. This includes new incident reporting obligations, stricter security measures, and enhanced cyber incident response planning.
Against that backdrop, the EU’s life sciences and healthcare sectors are undergoing a legislative transition designed to facilitate the free flow and use of healthcare and MedTech data (including personal data) and foster greater integration between medical and healthcare technologies.
Given that sanctions for non-compliance under NIS2 are substantial—with fines of up to €10 million or 2% of worldwide turnover and, in some cases, sanctions against senior management and the C-suite—compliance with these new requirements within the context of the EU Health Data Space will be of paramount importance to organizations in these sectors.
This article, part of our NIS2 series, provides a high-level overview of what you need to know for your sector and the steps you should take now. For a more in-depth insight into NIS2 and its requirements, see our article here.
Note on the UK: This article focuses on the EU’s enhanced cybersecurity regime, which does not apply in the UK. For specific guidance on the UK’s approach to cybersecurity regulation, please contact a member of our Resiliency team.
What does this mean for the life sciences and healthcare sectors?
NIS2 imposes obligations on a broader range of entities, categorizing them as either ‘essential’ or ‘important’ entities.
Under the previous NIS1 framework, a limited number of healthcare organizations were regulated. However, NIS2 significantly expands the scope, covering a wide range of healthcare providers, including hospitals and healthcare facilities, clinics, outpatient centres and mental health institutions. It also extends to so-called Primary and Secondary Care providers, including GP clinics, dental and orthodontic centres, physiotherapy and rehabilitation centres, as well as nursing homes and assisted living facilities.
In that regard, ransomware incidents such as the Hôpital Sud Francilien attack in France (September 2022), which disrupted patient admissions systems and resulted in the release of sensitive patient data, and the Hospital Clínic de Barcelona cyberattack in Spain (March 2023), which caused significant disruption to hospital IT systems, led to the cancellation of surgeries and outpatient visits and resulted in the theft of 4.5 terabytes of sensitive health data, may face greater scrutiny under NIS2.
The same can be said for incidents such as the ransomware attack on the HSE in Ireland, which caused severe disruption to health services for a prolonged period, resulted in the data of 520 patients being leaked online, and incurred remedial costs estimated at €100 million. In fact, the HSE incident highlights that, in many EU Member States, the distinction between public and private healthcare organizations is often blurred. While NIS2 does not automatically apply to public authorities, it is anticipated that many Member States will extend coverage to public healthcare entities, and some have already done so.
For the life sciences and MedTech sectors, cyber threats are becoming increasingly apparent, particularly as medical devices, equipment, and software become more integrated with IT networks. A BSI study into the cybersecurity of medical devices found that the rapid growth of IoT-enabled and smart medical devices has led to an increased attack surface and heightened security risks. Some notable cases include:
- The WannaCry Ransomware Attack (2017): The WannaCry ransomware attack severely impacted the UK's National Health Service (NHS) in 2017, affecting up to 70,000 devices, including critical medical equipment such as MRI scanners, blood storage refrigerators, and operating theatre equipment. This widespread disruption led to the cancellation of medical procedures and the diversion of emergency cases, underscoring the vulnerabilities in healthcare infrastructure.
- Misfortune Cookie Vulnerability in Medical Devices: Initially discovered in 2014 and resurfacing in 2018, this vulnerability allowed attackers to remotely hijack medical equipment by exploiting flaws in firmware. This could enable unauthorized access and manipulation of device functionality, posing severe risks to patient safety.
- FDA Study on Cardiac Devices: The U.S. Food and Drug Administration (FDA) identified cybersecurity vulnerabilities in various well-known cardiac devices, warning that attackers could remotely access and manipulate these life-sustaining devices, putting patients at serious risk.
- Proliferation of MEDJACK: MEDJACK, or “Medical Device Hijacking”, refers to cyberattacks in which attackers exploit vulnerabilities in medical devices (e.g., infusion pumps, pacemakers, and imaging systems) to infiltrate hospital networks. These attacks can disrupt device functionality, potentially leading to incorrect medication dosages or malfunctions, thereby endangering patient lives.
Against that backdrop, with the advent of NIS2, cybersecurity is no longer just an IT concern—it is now a critical regulatory and operational priority for the life sciences and healthcare sectors.
Registration
With NIS2 comes a new mandatory registration requirement. A regulated entity will be required to register with its competent authority and provide key details about where the organisation provides its services, its IP ranges, and (where applicable) the identity and contact information of its designated representative.
Providers and suppliers located outside Europe with no legal presence will need to appoint a local representative.
Incident management
NIS2 represents a significant cultural shift in how organizations approach incident management, as well as the personnel responsible for responding to cyber incidents.
One of the most significant aspects of NIS2 is its strict breach reporting requirements, which mandate that affected entities report cybersecurity incidents to the relevant authority within 24 hours of detection, followed by more detailed reporting at set intervals.
For healthcare providers and life sciences organizations, this may present a new challenge, particularly for those unaccustomed to such rapid response timelines. Many cyber incidents in the sector involve highly sensitive patient data, medical research, or critical healthcare systems, making compliance with NIS2’s stringent reporting requirements essential.
Given the interconnected nature of healthcare IT systems and supply chains, a cyber incident at one organization could trigger cascading disruptions across hospitals, research institutions, and suppliers. To mitigate these risks, organizations must proactively strengthen their incident response frameworks and ensure timely detection, reporting, and mitigation in line with NIS2’s compliance mandates.
Interplay with the EU Health Data space: Increased Integration = Increased Cyber Risk
The healthcare and life sciences sectors are undergoing a major regulatory transformation, with NIS2 forming just one component of a broader push to enhance data security, resilience, and interoperability across the EU. A crucial piece of this evolving framework is the European Health Data Space (EHDS), alongside other key regulations such as the Data Governance Act (DGA) and the Data Act. Together, these initiatives aim to facilitate secure, efficient, and innovative uses of health data while introducing new compliance and cybersecurity challenges.
When considering cyber governance and resilience in healthcare & life sciences, it is also important to factor in the broader regulatory landscape shaping these industries. Key regulatory developments include:
- European Health Data Space (EHDS): The EHDS seeks to establish a unified framework for accessing, sharing, and utilizing electronic health data across the EU. It enables cross-border healthcare, medical research, and AI-driven innovations, creating a secondary use system where non-identifiable health data can be shared for research, policy-making, and development of new treatments.
- Data Governance Act (DGA): The DGA provides the legal foundation for data-sharing mechanisms, including in highly sensitive sectors like healthcare. It sets rules for data intermediaries, ensuring they operate in a trustworthy and secure manner while facilitating access to data for public and private entities.
- Data Act: This legislation grants greater control and portability over non-personal data, including data generated by medical devices, health tech platforms, and connected wearables. It encourages interoperability between healthcare providers, researchers, and innovators, fostering a data-driven health ecosystem.
While these legislative initiatives incentivize integration, interoperability, and data-sharing, they also broaden the attack surface for cyber threats. As the free flow of sensitive health and life sciences data accelerates across borders and organizations, NIS2 plays a critical role in ensuring that the underlying digital infrastructure remains secure, resilient, and resistant to exploitation.
With expanded data access comes greater cybersecurity vulnerabilities, making robust risk management, compliance strategies, and security-by-design approaches essential for all organizations operating in these sectors.
Cyber Resiliency of Medical Equipment
For manufacturers of medical devices, equipment, and associated software, NIS2 is just one piece of a growing regulatory landscape designed to enhance cyber resilience and patient safety. As the sector continues to embrace connected health technologies, AI-driven diagnostics, and smart medical devices, compliance with broader cybersecurity regulations will become essential.
Key cyber product legislation impacting healthcare and life sciences includes:
- Cyber Resilience Act (CRA): The CRA establishes baseline cybersecurity requirements for connected devices and software. For medical device manufacturers, this means ensuring that any networked or digital product meets security-by-design principles, regular software patching, and secure lifecycle management to prevent cyber vulnerabilities.
- Medical Devices Regulation (MDR) & In-Vitro Diagnostic Regulation (IVDR): These regulations impose strict safety, performance, and cybersecurity requirements on medical devices and diagnostic tools. Under MDR and IVDR, manufacturers must demonstrate compliance with cybersecurity best practices, particularly for networked and software-driven medical technologies.
- EU AI Act: Many AI-powered medical devices and digital health solutions will fall under the scope of the AI Act, particularly high-risk AI applications used for diagnostics, treatment recommendations, and robotic surgery. Organizations must ensure compliance with both AI governance and cybersecurity requirements.
- Radio Equipment Directive (RED): Applies to wireless and connected medical technologies, ensuring they meet cybersecurity, interoperability, and privacy standards before being placed on the market.
Enhanced audit
One critical aspect of NIS2 that will significantly impact healthcare and life sciences organizations is the introduction of enhanced audits. These new measures will change how regulated entities approach information security management, governance, and assurance practices, particularly given the sector’s reliance on sensitive patient data, interconnected medical systems, and critical supply chains.
Under NIS2, EU Member State regulators will conduct regular and, in some cases, unannounced audits to assess an organization's cybersecurity posture, risk management frameworks, and overall compliance with the directive. These audits will go beyond basic compliance checks, requiring organizations to demonstrate proactive security strategies, incident response preparedness, and supply chain security oversight.
For healthcare and life sciences organizations, the concept of regulatory oversight and audit is not new. Existing frameworks under the various medical devices regulations already impose strict audit and compliance obligations, particularly regarding data security, patient confidentiality, and system integrity. However, NIS2 expands these requirements significantly, introducing sector-specific cybersecurity obligations that many organizations may be encountering for the first time.
Given that the same regulatory bodies responsible for overseeing compliance under MDR, IVDR, and GDPR are likely to be granted equivalent audit powers under NIS2, organizations will need to closely monitor how these overlapping regulatory regimes interact. The enhanced audit provisions under NIS2 go further than existing frameworks by requiring in-depth evaluations of critical infrastructure resilience, supply chain security, and incident response capabilities, ensuring that healthcare and life sciences entities maintain a robust security posture against evolving cyber threats.
Another critical aspect of NIS2 audits is the cost recovery mechanism. NIS2 enables regulators to impose costs on organizations found to be non-compliant. This means that if an audit reveals gaps in security practices, the organization may not only face corrective action plans (with potential daily fines for non-conformity) but will also bear the costs of the regulatory audit itself. Given the financial pressures already facing healthcare providers, pharmaceutical companies, and medical device manufacturers, this could represent a significant compliance burden for those unprepared for the heightened scrutiny.
Balancing NIS2 Compliance with Sector-Specific Cyber Regulations
For medical technology and software providers, NIS2 compliance cannot be viewed in isolation—it must be integrated into a broader regulatory strategy that aligns with the Cyber Resilience Act, MDR/IVDR, and AI governance requirements.
Key challenges for medical device manufacturers include:
- Ensuring secure-by-design product development that meets both NIS2’s infrastructure security mandates and the CRA’s product security requirements.
- Navigating overlapping incident reporting obligations under NIS2, MDR/IVDR, and the Cyber Resilience Act.
- Implementing robust supply chain security for software and hardware components used in medical technologies.
As healthcare and life sciences organizations expand their digital footprint, manufacturers must adopt a holistic cybersecurity compliance strategy—one that accounts for NIS2, product security legislation, and sector-specific regulatory demands.
We have ISO 27001 – do we need to do anything?
In short – yes.
While it is true that both NIS2 and ISO 27001 (and other information security management frameworks such as ISO 22301) aim to enhance an organisation’s cybersecurity and resiliency, NIS2 is fundamentally different in its scope.
The mandatory controls required under NIS2 are more granular in nature and will apply to a wider part of an organisation (including entities that would typically be segregated under ISO 27001).
In addition, due to the stringent requirements around incident management, reporting and audit, it is highly unlikely an organisation will be able to simply rely on its ISO 27001 certification to achieve NIS2 compliance.
However, those organisations with ISO 27001 (particularly the 2022 version) will already have in place a strong governance framework and an ISMS onto which NIS2 controls can be added.
What you need to do now
- Familiarise yourself with the key requirements of NIS2 – you can read our more in-depth article here as a starting point.
- Undertake a scoping assessment to assess in more detail whether your business is likely to be in scope of NIS2, bearing in mind its size, sector, the nature of its business, and the Member States in which it operates or into which it provides services.
- Keep track of the specific NIS2 implementation timeline for your home country – very few Member States were able to implement national implementing laws before the 17 October deadline.
- Determine and complete registration requirements – for entities with a broad reach across Europe this may be a complicated assessment, potentially requiring multiple registrations.
- Conduct a gap analysis between NIS2 measures (specifically those required in your home country), against your current cybersecurity posture and implement a rectification and improvement plan.
- Review and update existing incident management handling processes – you can read more about some of the changes to incident classification here.
- Start your vendor management process now, given the significant time it often takes to cascade compliance throughout the supply chain.
- Consider whether key customers are likely to be impacted, and how this should be reflected in key contracts (particularly in B2B settings).
- For manufacturers and providers of medical equipment and software, maintain a watching brief on current and upcoming cybersecurity legislation targeting IoT devices, and begin preparatory work to lay the foundation for future compliance.
Disclaimer
This information is for general information purposes only and does not constitute legal advice. It is recommended that specific professional advice is sought before acting on any of the information given. Please contact us for specific advice on your circumstances. © Shoosmiths LLP 2025.