Security

NIS2 in healthcare: What critical infrastructure operators need to know now

avodaq

28. Oct 2025 | 5 min.


The revised EU Directive NIS2 significantly tightens cybersecurity requirements. With the German implementation law (NIS2UmsuCG), these regulations become binding — increasing the pressure on critical infrastructure operators. The healthcare sector in particular must now reassess and strengthen its cyber resilience, as the new rules cover a much wider range of actors and increase the personal liability risk for company management.

What is NIS2?

NIS2 is the new benchmark for cybersecurity in Europe. The Network and Information Security Directive (NIS2) significantly expands the group of obligated entities. This means stricter requirements, extended obligations, and considerably higher fines for non-compliance.

In the future, even companies not classified as critical infrastructure will automatically fall under the new regulation.

NIS2UmsuCG: Three New Categories Define Your Obligations

The German implementation law now distinguishes between three main groups. Your classification determines the scope of obligations and controls. The previous distinction of “critical infrastructure (KRITIS)” no longer applies:

  1. Critical Facilities (top level): Large institutions of central importance – for example, hospitals with more than 30,000 inpatient cases per year.
  2. Highly Important Entities (BWE): Companies with at least 250 employees or an annual turnover of more than €50 million that operate in health-related sectors.
  3. Important Entities (WE): Mid-sized organizations with more than 50 employees or an annual turnover of more than €10 million, provided they belong to the relevant sectors.

The Covered Sectors: Who in the Healthcare Field is Subject to NIS2 Requirements?

NIS2 covers almost the entire healthcare supply chain. This includes hospitals and university clinics — often classified as critical facilities — as well as laboratories and analytics, and the supply of medicines, blood and plasma, and life-saving medical devices. In addition, the regulation encompasses the pharmaceutical sector (NACE C 21), medical device manufacturers, reference laboratories, and research and development.

The categorization of an organization (e.g., as “highly important” or “important,” with corresponding obligations) is ultimately determined by the size and revenue thresholds of the respective entity.

Eight Mandatory Areas of Action: What Specifically is Changing

Previous critical infrastructure operators, such as hospitals and laboratory networks, are familiar with the IT Security Act (IT-SiG). However, NIS2 goes deeper and tightens liability. Implementation requires additional technical and organizational measures (TOMs). The toughest changes concern the direct personal liability of management and a massive expansion of reporting obligations.

The Eight Areas of Action in Detail

  1. Comprehensive Risk Management: Systematic analyses must fully cover all IT and OT systems as well as third-party providers and cloud services. Documentation must be updated regularly, not just every two years.
  2. Clarified Attack Detection: SIEM, NDR, IDS/IPS, or XDR are now the standard. Active incident response processes and automated alerting are mandatory.
  3. Mandatory Supply Chain Security: Security requirements must be bindingly passed on to suppliers and service providers. The supply chain becomes part of compliance.
  4. IAM and Zero Trust: The introduction of zero-trust models, MFA, and audit-proof documentation of access is required.
  5. Personal Liability of Management: Top management is liable in cases of gross negligence. Security strategy, ISMS, and risk analyses must be actively approved and supported by management.
  6. Employee Awareness Becomes Mandatory: Regular training, phishing simulations, and awareness campaigns are now obligatory.
  7. Business Continuity & Resilience: BCM and disaster recovery must be planned in detail, tested regularly, and aligned with cyber crisis scenarios.
  8. Drastically Shortened Reporting Deadlines: Initial reports must be made within 24 hours (instead of 72 hours). Progress and final reports follow within 72 hours and after one month, respectively. Communication plans must be maintained.

Your NIS2 Roadmap: The Most Important Immediate Actions

NIS2 goes far beyond the IT Security Act 2.0 in depth, regulatory scope, and proof-of-compliance requirements. Given the personal liability involved, swift action is now essential. Our recommendations for affected operators are as follows:

  • Clarify Governance: Immediately establish an NIS2-compliant governance structure and secure management buy-in.
  • Review ISMS Structures: Specifically align existing ISMS frameworks (e.g., ISO 27001) with NIS2 requirements.
  • Upgrade Technology: Enhance technical safeguards, especially attack detection (SIEM/XDR), IAM, and network segmentation.
  • Embed Crisis Processes: Plan, document, and regularly test incident response and business continuity (BCM) processes in detail.

Conclusion

NIS2 is more than just a regulation; it is a comprehensive strategic challenge that demands a new level of security in healthcare and involves the entire corporate leadership.