
NIS2 Annex.I.4: Healthcare Sector Cybersecurity Requirements

What This Control Requires

Annex I identifies the health sector including healthcare providers as defined in Directive 2011/24/EU, EU reference laboratories, entities carrying out research and development activities of medicinal products, entities manufacturing basic pharmaceutical products and pharmaceutical preparations, and entities manufacturing medical devices considered as critical during a public health emergency.

In Plain Language

Ransomware shutting down a hospital is not a theoretical scenario - it has happened repeatedly, delaying surgeries and diverting emergency patients. Healthcare is classified as highly critical under NIS2 because cyber incidents in this sector can directly threaten lives, expose deeply sensitive patient data, and disrupt essential services that people depend on.

The cybersecurity landscape in healthcare is uniquely challenging. You are dealing with hundreds or thousands of connected medical devices, electronic health records containing the most sensitive category of personal data, complex supply chains spanning pharmaceutical and medical device manufacturers, and overlapping regulatory requirements from NIS2, GDPR, the Medical Device Regulation, and national health data laws. Balancing patient safety with security controls requires careful thought.

Cybersecurity maturity across the sector varies enormously. Large hospital groups tend to be further along, while smaller providers often lag behind. NIS2 applies to all healthcare providers meeting size thresholds, plus pharmaceutical manufacturers and medical device companies. The COVID-19 pandemic made it painfully clear how vulnerable the sector is and why resilience matters.

How to Implement

Run a full inventory of every connected medical device and clinical system. Record the device type, manufacturer, software version, network connectivity, and lifecycle status. Most healthcare organisations have far less visibility into their connected medical devices than they think.

Segment your networks with healthcare in mind. Separate clinical networks from administrative ones, put high-risk medical devices on dedicated segments, and control traffic flows between zones. For the most critical clinical systems, consider micro-segmentation.

Build a medical device security programme covering the full lifecycle: pre-procurement security assessment, ongoing vulnerability monitoring for deployed devices, coordination with manufacturers on patches and updates (in line with MDR requirements), compensating controls for devices that cannot be patched, and end-of-life planning for unsupported devices.
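The inventory and lifecycle steps above come down to one recurring question per device: is it fully recorded, is it still supported, and is it on the right segment? The script below is an added example (not AuditFront's code) that triages a constructed inventory against those questions; the device records, segment names, manufacturer names and the unsupported-platform list are all placeholders to be replaced with your own data.

```python
"""Triage a connected medical device inventory for lifecycle and segmentation risk.

Added example, not AuditFront's own code. The device records, segment names
and unsupported-platform list below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional

# Constructed: platforms the organisation treats as out of vendor security support.
UNSUPPORTED_PLATFORMS = {"Windows XP", "Windows 7", "Windows Server 2008"}

# Constructed segment names. Connected clinical devices belong on one of these;
# the legacy segment is the isolation zone for devices that cannot be patched.
DEVICE_SEGMENTS = {"clinical-devices", "clinical-devices-legacy"}
LEGACY_SEGMENT = "clinical-devices-legacy"

RISK_ORDER = ("low", "medium", "high")


@dataclass
class Device:
    asset_id: str
    device_type: str
    manufacturer: str
    software_version: Optional[str]
    os: Optional[str]
    segment: Optional[str]
    lifecycle: str               # "supported", "extended-support" or "end-of-life"
    network_connected: bool = True


def _at_least(current: str, floor: str) -> str:
    """Raise a risk level to `floor` if it is currently lower."""
    return floor if RISK_ORDER.index(floor) > RISK_ORDER.index(current) else current


def triage(devices: List[Device]) -> List[dict]:
    """Return one finding per device: its risk level and the actions it needs."""
    findings = []
    for d in devices:
        risk, actions = "low", []

        # Inventory completeness: these are the fields an auditor asks for per device.
        missing = [f for f in ("software_version", "os", "segment") if getattr(d, f) is None]
        if missing:
            risk = _at_least(risk, "medium")
            actions.append("complete inventory record: " + ", ".join(missing))

        unsupported = d.lifecycle == "end-of-life" or d.os in UNSUPPORTED_PLATFORMS
        if unsupported and d.network_connected:
            # Unpatchable and reachable: isolate, monitor, and plan replacement.
            risk = "high"
            actions.append("apply compensating controls (isolate, monitor, restrict access)")
            actions.append("open replacement plan with manufacturer")
            if d.segment != LEGACY_SEGMENT:
                actions.append("move to legacy device segment")
        elif unsupported:
            actions.append("offline: re-triage before any network connection")
        elif d.network_connected and d.segment not in DEVICE_SEGMENTS:
            # Supported but sitting on a shared/admin segment: a flat-network finding.
            risk = _at_least(risk, "medium")
            actions.append("move off shared segment onto a clinical device segment")

        findings.append({"asset_id": d.asset_id, "risk": risk, "actions": actions})
    return findings


def summary(findings: List[dict]) -> dict:
    """Count devices per risk level for the inventory report."""
    counts = {level: 0 for level in RISK_ORDER}
    for f in findings:
        counts[f["risk"]] += 1
    return counts


# Constructed sample inventory (manufacturer names are placeholders).
SAMPLE_DEVICES = [
    Device("INF-001", "infusion pump", "ExampleMed", "4.2.1", "Embedded Linux", "clinical-devices", "supported"),
    Device("MRI-002", "MRI console", "ExampleImaging", "7.0", "Windows 7", "admin", "extended-support"),
    Device("PAT-003", "patient monitor", "ExampleMed", None, None, "clinical-devices", "supported"),
    Device("ULT-004", "ultrasound", "ExampleImaging", "3.1", "Windows 10", "admin", "supported"),
    Device("LAB-005", "lab analyser", "ExampleLab", "1.0", "Windows XP", None, "end-of-life", network_connected=False),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_DEVICES):
        print(finding)
    print(summary(triage(SAMPLE_DEVICES)))
```

The point of the two-stage logic is that an unsupported device that is still reachable is always a high finding regardless of how complete its record is, while a gap in the record alone is a medium finding that blocks you from making any lifecycle judgement at all. Both are things the auditor will ask you to show you are tracking.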

Protect electronic health records with layered controls. Go beyond encryption and access management - implement role-based access with break-glass emergency procedures, audit every access to patient records, deploy data loss prevention for health data, and ensure compliance with both GDPR and sector-specific health data rules.
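Role-based access with a break-glass path and full audit logging is easier to reason about in code than in prose. The class below is an added example, not AuditFront's code and not any particular EHR product's API; the roles, users, patient identifiers and treatment-team table are constructed. It shows the three properties the paragraph asks for: least privilege per role, a care-relationship check before routine access, and an emergency override that grants access but lands in a review queue, with every decision (including denials) written to an append-only audit log.

```python
"""Role-based EHR access with a break-glass path and an audit record for every decision.

Added example, not AuditFront's own code. The roles, users, patient ids and
treatment-team table are constructed; a real EHR would source them from its
directory and clinical context.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

# Constructed least-privilege policy: which actions each clinical role may perform.
ROLE_PERMISSIONS = {
    "physician": {"read", "write"},
    "nurse": {"read", "write_vitals"},
    "billing": {"read_billing"},
    "it_admin": set(),      # runs the platform, never reads clinical content
}

# Actions scoped by role alone, not by a treatment relationship.
RELATIONSHIP_EXEMPT_ACTIONS = {"read_billing"}

# Constructed: users currently on each patient's treatment team.
TREATMENT_TEAM = {
    "P-1001": {"dr.alice", "nurse.bob"},
    "P-1002": {"dr.carol"},
}

USER_ROLES = {
    "dr.alice": "physician",
    "nurse.bob": "nurse",
    "dr.carol": "physician",
    "bill.dan": "billing",
    "ops.eve": "it_admin",
}


@dataclass
class AuditEvent:
    timestamp: str
    user: str
    patient_id: str
    action: str
    decision: str            # "allow", "deny" or "break-glass"
    reason: str
    needs_review: bool = False


class EhrAccessControl:
    def __init__(self) -> None:
        self.audit_log: List[AuditEvent] = []   # append-only: denied requests are logged too

    def _record(self, user, patient_id, action, decision, reason, needs_review=False) -> AuditEvent:
        event = AuditEvent(datetime.now(timezone.utc).isoformat(), user, patient_id,
                           action, decision, reason, needs_review)
        self.audit_log.append(event)
        return event

    def request(self, user: str, patient_id: str, action: str,
                break_glass_reason: Optional[str] = None) -> AuditEvent:
        role = USER_ROLES.get(user)
        # Step 1: the role must permit the action at all. Break-glass never widens a role.
        if role is None or action not in ROLE_PERMISSIONS.get(role, set()):
            return self._record(user, patient_id, action, "deny", "action not permitted for role")
        # Step 2: role-scoped actions need no care relationship.
        if action in RELATIONSHIP_EXEMPT_ACTIONS:
            return self._record(user, patient_id, action, "allow", "role-scoped action")
        # Step 3: routine clinical access requires a current treatment relationship.
        if user in TREATMENT_TEAM.get(patient_id, set()):
            return self._record(user, patient_id, action, "allow", "member of treatment team")
        # Step 4: emergency override. Access is granted but flagged for mandatory review.
        if break_glass_reason:
            return self._record(user, patient_id, action, "break-glass",
                                "break-glass: " + break_glass_reason, needs_review=True)
        return self._record(user, patient_id, action, "deny",
                            "no treatment relationship and break-glass not invoked")

    def pending_reviews(self) -> List[AuditEvent]:
        """Break-glass events a privacy officer still has to sign off."""
        return [e for e in self.audit_log if e.needs_review]


if __name__ == "__main__":
    ac = EhrAccessControl()
    ac.request("dr.alice", "P-1001", "read")
    ac.request("dr.carol", "P-1001", "read")
    ac.request("dr.carol", "P-1001", "read", break_glass_reason="ED arrival, patient unresponsive")
    ac.request("ops.eve", "P-1001", "read", break_glass_reason="troubleshooting")
    for event in ac.audit_log:
        print(event)
```

Two design choices matter here. Break-glass is checked after the role check, so it can bypass the treatment-relationship requirement for a clinician in an emergency but can never turn an administrator into a reader of clinical data. And the audit log records the denials as well as the grants, because the pattern of who was refused access to which records is exactly what an investigation into inappropriate access needs.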

Write incident response procedures that put patient safety first. Include clinical impact assessment for cyber incidents, safe degradation procedures when digital clinical systems fail, manual fallback processes for essential clinical functions, coordination protocols with medical staff on clinical risk during incidents, and patient notification plans.

For pharmaceutical manufacturers and research entities, secure intellectual property (drug formulations, clinical trial data) and manufacturing systems (GxP-regulated environments) against targeted attacks.

Ensure you meet sector-specific compliance obligations beyond NIS2, including MDR cybersecurity requirements, GDPR health data provisions, and national health data protection regulations.

Evidence Your Auditor Will Request

  • Connected medical device inventory with security status assessment
  • Healthcare network segmentation architecture documentation
  • Medical device security programme and manufacturer coordination records
  • Healthcare-specific incident response procedures with patient safety focus
  • Compliance mapping against healthcare sector regulations (MDR, GDPR health data)

Common Mistakes

  • Connected medical devices unknown to the IT security team; no comprehensive inventory
  • Flat network architecture that allows lateral movement between clinical and administrative systems
  • Medical devices running outdated operating systems with no vendor security support
  • Incident response procedures that do not address patient safety implications
  • Health data protection that relies solely on perimeter security without defence-in-depth

Related Controls Across Frameworks

Framework   Control ID   Relationship
ISO 27001   A.5.1        Related
GDPR        Art.9        Related
GDPR        Art.32       Related

Frequently Asked Questions

Are all hospitals in scope for NIS2?
Not automatically. Healthcare providers need to meet the standard size thresholds - generally medium and large enterprises. For hospitals, that typically means 50 or more employees or turnover above 10 million euros. That said, Member States can designate smaller healthcare providers if their disruption would significantly impact public health in the region.

How do we manage medical devices we cannot patch?
Wrap them in compensating controls. Isolate unpatched devices on dedicated network segments, monitor their traffic for anomalies, restrict access to authorised clinical users only, disable unnecessary network services, and maintain a replacement plan for when the security risk becomes unacceptable. Document all of this - auditors will want to see you have a deliberate strategy rather than simply ignoring the problem.
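The segmentation guidance in the implementation section and the compensating-controls answer above both reduce to a zone-to-zone policy that the firewall rule set either honours or does not. The checker below is an added example, not AuditFront's code: it evaluates a constructed rule export against a constructed allowed-flow matrix, reports allows that fall outside policy, and also reports a required flow that is missing, because an isolated legacy segment that cannot reach the monitoring zone is isolated but not monitored. Zone names, ports and rules are placeholders to be mapped onto your own environment.

```python
"""Check zone-to-zone firewall rules against a healthcare segmentation policy.

Added example, not AuditFront's own code. Zone names, the allowed-flow matrix,
the port numbers and the sample rule set are all constructed placeholders to
be mapped onto your own firewall export.
"""
from dataclasses import dataclass
from typing import List, Optional

# Constructed zones. 'clinical-legacy' is the isolation zone for unpatchable devices.
# Policy: (source, destination) -> destination ports permitted. Absent pair = denied.
ALLOWED_FLOWS = {
    ("clinical", "clinical-apps"): {443, 2575},
    ("clinical-legacy", "clinical-apps"): {2575},
    ("clinical", "monitoring"): {514},
    ("clinical-legacy", "monitoring"): {514},
    ("admin", "clinical-apps"): {443},
    ("admin", "internet"): {80, 443},
}

# Flows that must exist so isolated legacy devices stay observable from the SIEM.
REQUIRED_FLOWS = {("clinical-legacy", "monitoring")}


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    port: Optional[int]      # None means "any port"
    action: str              # "allow" or "deny"


def check_rules(rules: List[Rule]) -> List[str]:
    """Return human-readable policy violations for a rule set (empty list = compliant)."""
    violations = []
    satisfied = set()
    for r in rules:
        if r.action != "allow":
            continue                      # deny rules can never widen exposure
        allowed = ALLOWED_FLOWS.get((r.src, r.dst))
        if allowed is None:
            violations.append(f"{r.src}->{r.dst}: flow not in policy (allows port {r.port or 'any'})")
        elif r.port is None:
            violations.append(f"{r.src}->{r.dst}: any-port allow, policy permits only {sorted(allowed)}")
        elif r.port not in allowed:
            violations.append(f"{r.src}->{r.dst}: port {r.port} not in policy {sorted(allowed)}")
        else:
            satisfied.add((r.src, r.dst))
    for src, dst in sorted(REQUIRED_FLOWS - satisfied):
        violations.append(f"{src}->{dst}: required monitoring flow missing")
    return violations


# Constructed rule set, as it might come out of a firewall export.
SAMPLE_RULES = [
    Rule("clinical", "clinical-apps", 443, "allow"),
    Rule("clinical", "monitoring", 514, "allow"),
    Rule("clinical-legacy", "admin", None, "allow"),        # legacy devices reach admin: wrong
    Rule("clinical-legacy", "clinical-apps", 2575, "allow"),
    Rule("admin", "clinical-apps", 22, "allow"),            # SSH into clinical apps: not in policy
    Rule("admin", "internet", 443, "allow"),
    Rule("clinical-legacy", "internet", None, "deny"),
]

if __name__ == "__main__":
    for v in check_rules(SAMPLE_RULES):
        print("VIOLATION:", v)
```

Run against the sample export this produces three findings: the legacy segment can reach the administrative network on any port, an out-of-policy port is open from admin into the clinical application zone, and the legacy segment has no path to the monitoring zone. Re-running the check after each firewall change, and keeping the output, is the kind of documented, deliberate strategy the answer above says auditors look for.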

Track NIS2 compliance in one place

AuditFront helps you manage every NIS2 control, collect evidence, and stay audit-ready.
