The EU Commission has presented a new action plan designed to bolster the cybersecurity of hospitals and healthcare providers, which includes the launch of a pan-European Cybersecurity Support Centre offering tailored guidance, tools, services, and training.
The plan was made public on January 15, 2025, after being first mentioned in July 2024 in the EU Commission’s Political Guidelines 2024-2029 document.
Its objective is to help healthcare entities mitigate the rapidly increasing cyber threats they face.
In 2023, EU member states reported 309 significant cybersecurity incidents affecting the healthcare sector – more than in any other critical sector.
Henna Virkkunen, Executive Vice-President for Tech Sovereignty, Security and Democracy at the EU Commission, commented: “Modern healthcare has made incredible advances through digital transformation, which has meant citizens have benefited from better healthcare. Unfortunately, health systems are also subject to cybersecurity incidents and threats.”
Additionally, the cybersecurity measures in place in many European healthcare facilities are not strong enough, Christiane Kirketerp de Viron, Acting Director for Digital Security, Trust, and Cybersecurity at the EU Commission’s DG Connect, said during the Financial Times Cyber Resilience Summit Europe in November 2024.
“A large majority of hospitals have never done a security risk assessment,” De Viron said.
EU Cybersecurity Action Plan for Healthcare: Four Key Pillars
The action plan focuses on four pillars:
- Enhanced prevention through improved preparedness measures such as guidance on implementing critical cybersecurity practices; Cybersecurity Vouchers to provide financial assistance to micro, small, and medium-sized hospitals and healthcare providers; and cybersecurity learning resources for healthcare professionals
- Better detection and identification of threats: the new Cybersecurity Support Centre for hospitals and healthcare providers, established by the European Cybersecurity Agency (ENISA), will offer an EU-wide early warning service, delivering near-real-time alerts on potential cyber threats, by 2026
- Response to cyber-attacks to minimise impact, including through a rapid response service for the health sector under the EU Cybersecurity Reserve
- Cyber deterrence, including through the use of the Cyber Diplomacy Toolbox, a joint EU diplomatic response to malicious cyber activities
“Prevention is better than cure, so we need to prevent cyber-attacks from happening. But if they happen, we need to have everything in place to detect them and to quickly respond and recover,” said Virkkunen.
Other specific actions linked to these pillars will be rolled out progressively in 2025 and 2026.
The EU Commission will soon launch a public consultation on this plan, open to all citizens and stakeholders. The results will feed into further recommendations by the end of 2025.