Towards safer healthcare
The report Towards Safer Healthcare was published in May 2025 by the independent Finnish Innovation Fund Sitra as a contribution to the EU consultation process. DNV Cyber was commissioned to contribute to the report.
The authors acknowledge strengths in the initial EU plan but note that it lacks clear targets, budgets, defined private sector roles, and any acknowledgement that governance coordination needs to improve. They also observed that the adoption of EU cybersecurity regulation remains uneven across Member States.
“EU cybersecurity regulations and the European Action Plan on the Cybersecurity of Hospitals and Healthcare Providers must be applied appropriately to protect the whole sector consistently across the region,” said Marianne Lindroth of DNV Cyber.
Recommendation: Consider cybersecurity a matter of national security
“Healthcare is one of the most important aspects for citizens. Securing it from the threat of cyberattacks should be a matter of national security,” said Markus Kalliola, Sitra’s Programme Director and co-author of the paper. “We’re not saying this should apply to every part of the healthcare system. But the main services should be included – for example, national health records of citizens and the main hospitals. The backbone of the healthcare system should have robust cybersecurity.”
Recommendation: Establish a mandatory cybersecurity maturity model for healthcare organizations and provide direct funding to improve maturity
“To increase maturity, we need to measure where we are now – locally or nationally – and then provide financial incentives to improve cybersecurity levels in a measurable way. Central funding is important, and EU money works best when used for collaboration among countries,” said Kalliola, suggesting that hospitals or regions could be financially incentivized to strengthen their cybersecurity, using a maturity model developed for cybersecurity. Inspiration for the model could be taken from the widely used HIMSS (Healthcare Information and Management Systems Society) EMRAM (Electronic Medical Record Adoption Model), which assesses hospitals’ overall digitalization.
“We haven’t made financial calculations yet: it's more of a discussion opener. We need further analysis on where the funding should come from and how much is needed,” he added.
Recommendation: Include cybersecurity skills in healthcare professionals’ basic education
“Some healthcare professionals are now receiving cybersecurity education as part of their formal studies, but the effects won’t be evident until years after they enter the workforce,” said DNV Cyber’s Marianne Lindroth. “The healthcare sector is extremely busy, with most working hours devoted to patient care. Introducing mandatory cybersecurity skills education earlier – ideally during basic or vocational education – could be a crucial step in addressing the issue.”
EU regulation does, in some cases, mandate cybersecurity training within healthcare organizations, such as within the scope of the Network and Information Security 2 (NIS2) Directive. But the EU does not directly mandate specific curricula or educational programs. It’s up to Member States to embed cybersecurity into healthcare education.
Recommendation: Organize more pan-European cybersecurity exercises
“We need a structured approach to ensure that pan-European cybersecurity exercises take place more regularly – perhaps even on an annual basis,” suggested Lindroth. “I conduct many cybersecurity exercises in my work. The first time, you just identify the problems, usually many. The second time, you can focus on what is better since the previous exercise and what still needs improvement. Iterative exercises enhance learning and knowledge sharing. They foster collaboration and new ideas between Member States.”
Creating a stronger single cybersecurity market
The report authors also call for a single market for cybersecurity services within Europe.
“Cybersecurity services are not sold that well across borders, and the action plan is silent about how we improve the cybersecurity single market,” said Markus Kalliola. “Proposals such as procurement guidelines are needed, but not enough. We should have an in-depth analysis of the market entry burdens and reduce what is country-specific on cybersecurity; we could have a stronger single market.”
Download the paper Towards safer healthcare: Insights on the European action plan on cybersecurity for hospitals and healthcare providers
References
1 ‘Towards safer healthcare: Insights on the European action plan on cybersecurity for hospitals and healthcare providers’. M. Kalliola (Sitra), M. Huovila (Nordic Healthcare Group) & M. Lindroth (DNV Cyber). Sitra, Helsinki, May 2025 [online].
2 ‘Commission unveils action plan to protect the health sector from cyberattacks’. European Commission news release, 15 January 2025 [online].
3 ‘7 of the biggest healthcare cyberattack and breach stories of 2024’. S. Halleman, www.healthcaredive.com, 19 December 2024 [online].