NIS2 for healthcare organisations: what do you need to do?
If you work in the healthcare sector, you have probably already heard about NIS2: the new European cybersecurity directive that will have a major impact on hospitals, mental healthcare providers, long-term care organisations and other healthcare institutions. Many healthcare organisations are asking themselves the same questions: does NIS2 apply to us? And if so, what do we actually need to do to comply?
Those questions are entirely understandable. Healthcare is already under significant pressure due to staff shortages, increasing digitalisation and stricter regulation. At the same time, cyberattacks on healthcare organisations are on the rise. Ransomware incidents, data breaches and outages of critical systems pose a direct risk to patient safety and the continuity of care. That is precisely why NIS2 is highly relevant for the healthcare sector.

Why NIS2 applies to healthcare organisations
The NIS2 Directive (Network and Information Security Directive 2) is European legislation that requires organisations in essential and important sectors to structurally strengthen their digital resilience. Healthcare is explicitly designated as a critical sector, because disruption can have immediate and serious societal consequences.
NIS2 distinguishes between two types of healthcare organisations:
Essential entities
These are healthcare organisations with:
- 250 or more employees, or
- an annual turnover of at least €50 million, or
- a balance sheet total of €43 million or more
These organisations are subject to stricter supervision and enforcement.
Important entities
These are healthcare organisations with:
- more than 50 employees, or
- an annual turnover or balance sheet total exceeding €10 million
They are also required to comply with NIS2, but under a slightly lighter supervisory regime.
Do you recognise your organisation here? Then NIS2 is no longer a future consideration, but a concrete legal obligation.
The three core NIS2 obligations for healthcare
1. Duty of care: structural cybersecurity measures
The duty of care lies at the heart of NIS2. Healthcare organisations must demonstrably implement appropriate technical and organisational security measures, based on risk assessments. This includes, for example:
- multi-factor authentication (MFA)
- encryption of patient data
- network monitoring and logging
- access control and patch management
Governance is just as important. Organisations must have policies in place for incident response, business continuity and supply chain security. Boards are explicitly held responsible. Cybersecurity is therefore no longer purely an IT issue, but a board-level responsibility.
2. Incident reporting obligation: rapid notification
In the event of a significant incident, a healthcare organisation must:
- submit an initial notification within 24 hours, and
- report to the competent authority and Z-CERT, the CSIRT for the healthcare sector
An incident does not have to involve a complete system shutdown. Disruptions that affect the availability, integrity or confidentiality of systems and have an impact on healthcare processes also fall under the reporting obligation.
3. Registration obligation: enabling supervision
Healthcare organisations that fall under NIS2 must register with the competent supervisory authority. For the healthcare sector, this is the Health and Youth Care Inspectorate (IGJ). This registration enables targeted supervision and enforcement.
NIS2 in healthcare: concrete steps to get started
1. Determine whether NIS2 applies to your organisation
Assess the size and nature of your organisation and set up a multidisciplinary project team involving IT, compliance, legal and board-level stakeholders.
2. Perform a NIS2-wide risk assessment
Go beyond NEN 7510 alone. NIS2 also requires insight into:
- supply chain risks
- dependencies on software and SaaS solutions
- business continuity scenarios
3. Implement the minimum security measures
The Dutch Cybersecurity Act (the national implementation of NIS2) defines ten mandatory duty-of-care measures. The Dutch National Cyber Security Centre (NCSC) provides practical guidance.
4. Assess suppliers and software continuity
NIS2 explicitly addresses dependencies on suppliers and critical software. Healthcare organisations must be able to demonstrate that they manage risks within their IT supply chain.
Digital escrow directly supports this requirement. By including escrow arrangements in contracts with software suppliers, healthcare organisations can ensure continued access to essential systems if a supplier goes bankrupt, is acquired or is no longer able to deliver. In this way, escrow demonstrably contributes to NIS2 compliance, business continuity and patient safety.
5. Invest in awareness
Cybersecurity requires involvement across the entire organisation. Ongoing training and awareness programmes are essential.

When does NIS2 need to be in place?
The European NIS2 Directive is already in force. The Dutch Cybersecurity Act is expected in Q2 2026. Waiting is not an option: once implemented, regulators will actively enforce compliance. Fines can reach up to €10 million or 2% of global annual turnover.
NIS2 and NEN 7510: how do they relate?
Many healthcare organisations already work in accordance with NEN 7510 or ISO 27001. This provides a solid foundation, but NIS2 goes further in areas such as:
- board-level liability
- supply chain security
- incident reporting
- regulatory supervision and enforcement
NIS2 should be seen as a reinforcement of existing standards, not a replacement.
Conclusion: NIS2 and digital continuity in healthcare
NIS2 is not just about legislation; it is about patient safety and continuity of care. Digital outages can have immediate consequences for life-saving processes. By investing now in cybersecurity, supply chain control and software continuity, healthcare organisations protect their patients, staff and operations.
Key takeaways
- NIS2 applies to the majority of Dutch healthcare organisations
- Boards are directly responsible for cybersecurity
- Healthcare organisations must report incidents to Z-CERT
- Suppliers and software continuity fall under the duty of care
- Digital escrow supports supply chain security and continuity
- Starting early helps prevent fines and disruption of care
Would you like to know how escrow solutions can support NIS2 compliance and risk management in healthcare? Feel free to contact Escrow4all or read more about digital escrow for healthcare organisations.