
Legal Obligations for Healthcare Providers | Healthcare Providers as Operators of Essential Services

The NIS Directive (1) concerning measures for a high common level of security of network and information systems across the Union, recognises healthcare providers (HCPs) – hospitals and private clinics – as Operators of Essential Services (OES), i.e. operators considered ‘essential for the maintenance of critical societal and/or economic activities’ and where ‘an incident would have a significant disruptive effect on the provision of an essential service’. The Directive further formalises international co-operation and delegates responsibilities to the established Member State Co-operation Group and ENISA for delivering guidelines which are relevant and provide valuable support to OES.

In January 2020, the NIS Cooperation Group agreed on the proposal made by the eHealth Network, supported by DG SANTÉ and DG CONNECT, to create a work stream dedicated to healthcare (WS12), where the main goal is to exchange and promote best practices based on the experiences of Member States in addressing identification, mitigation and management of cyber risks in the health sector, especially when implementing the NIS Directive. Work Stream 12 is now operational and focuses on producing reference documents to assist all Member States in their efforts to implement the NIS Directive, aiming at a common sufficient security level of health-related digital and cyberspace technologies, and of their use, in the EU. Future updates of this Cybersecurity Guide will provide navigation support to documents published by the WS12 groups.

This Cybersecurity Guide provides navigation support to documents published by these groups.

While national governments have the responsibility to promote a culture of risk management, risk assessment and the implementation of appropriate security measures through appropriate regulatory requirements, responsibilities in ensuring the security of network and information systems as such lie, to a great extent, with operators of essential services and digital service providers.

National computer security incident response teams (CSIRTs) are a key component of the protection of the digital community from cyber threats. The NIS Directive establishes an EU Network of national CSIRTs for information exchange and mutual assistance and is expected to improve cybersecurity incident response; reduce resource impacts for implementing good security processes; and support the development of a unified international view of good cybersecurity practices for the health sector.

1. Directive (EU) 2016/1148 of the European Parliament and of the Council
