Preparing for the NIS 2 Directive: Impacts on the health sector

By 17 October 2024, all European Union (EU) Member States must complete the process of implementing the EU’s Network and Information Security 2 Directive ( “NIS 2” or the “Directive”) into their respective national laws. NIS 2 introduces cybersecurity risk management measures and reporting requirements for an expanded list of highly critical sectors.

NIS 2 will impact a wide spectrum of organisations, including the health sector. Where NIS 1 included certain parts of the healthcare sector, NIS 2 extends this to include a broader range of entities such as EU reference laboratories, manufacturers of certain medical devices and pharmaceutical products, together with organisations performing key research and development activities for pharmaceutical products.

This article considers the main aspects of NIS 2 and highlights the actions that healthcare and related sector organisations falling within its scope must take immediately to ensure their compliance when the Directive becomes effective in each respective EU Member State.

Key changes in NIS 2:

The Directive introduces several significant changes when compared to its predecessor, NIS 1. These changes represent a substantial expansion in the scope and depth of cybersecurity obligations and measures:

• Broader industry coverage: NIS 2 extends its reach to encompass a substantial number of new industry sectors. As a result, a more diverse range of businesses and organisations that were not previously subject to NIS 1 are now subject to its cybersecurity requirements.
• Direct management obligations: NIS 2 imposes direct responsibilities on an organisation’s management. Failure to comply with these obligations can result in severe penalties for the management.
• Cyber risk management requirements: NIS 2 specifies detailed cyber risk management measures that all organisations falling within its scope must implement.
• Emphasis on supply chain management: NIS 2 underscores the importance of cybersecurity at all levels of supply chains and supplier relationships. This means that organisations need to assess and enhance the security of their suppliers and service providers.
• Enhanced incident reporting: NIS 2 clarifies and strengthens incident reporting requirements.
• Empowered supervisory authorities: The Directive provides supervisory authorities with greater powers for overseeing and regulating organisations within its scope. This includes the power to conduct audits and inspections, especially for organisations categorised as “essential entities” under NIS 2.
• Increased sanctions for non-compliance: NIS 2 establish more severe sanctions for non-compliance. These sanctions may include fines, warnings, binding instructions, suspension of activities, prohibition of managerial functions etc.

It is important to note that while NIS 2 places a range of obligations on both Member States and organisations, this article focuses on the specific obligations that apply to healthcare organisations and entities in related health fields that fall within the scope of the Directive.

Implications for healthcare and related sectors:

Before the introduction of NIS 2, the NIS 1 Directive defined healthcare as “health services provided by health professionals to patients to assess, maintain or restore their state of health, including the prescription, dispensation and provision of medicinal products and medical devices”. Organisations falling within this definition were considered operators of essential services and were subject to stringent security obligations and enforcement.

NIS 2 extends its data security standards to all healthcare organisations covered by NIS 1, as well as additional subsectors, including manufacturers of medical device and in vitro diagnostic medical devices, together with medical devices considered critical during public health emergencies. These additional healthcare-related industries must now comply with the regulation.

Entities within scope

Healthcare entities including medical device manufacturers must determine whether they are subject to NIS 2 or not. To fall within the scope of NIS 2, organisations must: (i) provide their services or perform their activities in the EU; (ii) employ 50 or more people and have annual turnover of more than 10 million euros, and (iii) operate in one of the sectors listed in the annexes of the Directive.

Examples of healthcare organisations encompassed by NIS 2 include healthcare providers, EU reference laboratories, providers engaged in research and development of medicinal products, manufacturers of basic pharmaceutical products and manufacturers of medical and in vitro diagnostic medical devices.

In certain situations, healthcare organisations may be subject to NIS 2 regulations, regardless of their size and revenue. This applies when service interruptions could have a notable effect on public health or when an entity is classified as a “critical entity” according to the Directive on the Resilience of Critical Entities (EU) 2022/2557. These rules serve as a baseline, and individual Member States have the option to enact more stringent regulations when incorporating them into their national laws.

Essential or important entities

NIS 2 significantly is broader in scope than its predecessor, NIS 1. The Directive introduces a distinction between “essential” and “important” entities, each subject to distinct regulatory obligations.

Entities generally falling into the category of “important entities” are subject to ex-post controls (measures when there are indications/evidence of non-compliance), focusing on assessing compliance with NIS 2 requirements and based on actual activity.

Conversely, entities that meet the criteria for “essential entities” may be subject to a more comprehensive oversight regime, involving both ex-ante controls (measures based on anticipated activity) and ex-post control measures concerning their compliance with the Directive.

Crucially, both essential and important entities must adopt cybersecurity risk management measures as outlined in Article 21 of NIS 2.

Determining whether an organisation qualifies as an essential or important entity is not always straightforward, for example because in some instances it is left to the individual EU Member State to determine.

Consequently, assessments need to be conducted on a case-by-case basis.

The obligations of NIS 2:

NIS 2 imposes a comprehensive compliance framework on all organisations within its scope. Such organisations are required to adopt cybersecurity risk management measures that are appropriate and proportionate. These measures, which encompass technical, operational, and organisational aspects, are outlined in Article 21 of NIS 2 and include (as a minimum) the following:

• Policies on risk analysis and information system security

Organisations must establish policies governing risk analysis and security of information systems. These policies provide a framework for identifying and managing cybersecurity risks.

• Incident handling

NIS 2 mandates the development of incident handling protocols. These protocols outline how an organisation should respond to and manage cybersecurity incidents effectively.

• Business continuity, such as backup management, disaster recovery and crisis management

Organisations are required to establish plans for business continuity. This includes managing backup systems, disaster recovery procedures and crisis management strategies to ensure that operations can continue even in the face of a cybersecurity incident.

• Supply chain security, including security-related aspects arising from the relationships between each entity and its direct suppliers or service providers

NIS 2 places a strong emphasis on supply chain security. This encompasses evaluating and addressing security-related aspects in relationships with suppliers and service providers. It ensures that the entire supply chain is secure, in order to prevent vulnerabilities that could be exploited.

• Security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure

The Directive requires organisations to consider security at every stage of the lifecycle of network and information systems, including acquisition, development and maintenance.

• Policies and procedures to assess the effectiveness of cybersecurity risk-management measures

Policies and procedures should be in place to assess the effectiveness of cybersecurity risk management measures. This step ensures that the measures put in place are achieving the desired level of security and risk mitigation.

• Basic cyber hygiene practices and cybersecurity training

Organisations must establish and promote basic cyber hygiene practices, as well as providing cybersecurity training to its employees.

• Policies and procedures regarding the use of cryptography and, where appropriate, encryption

NIS 2 requires the establishment of policies and procedures regarding the use of cryptography. Encryption should be implemented where appropriate to protect sensitive data and communication.

• Human resources security, access control policies and asset management

The Directive states that organisations must have in place proper management of human resources, access control policies and asset management, in order to ensure that access to critical systems and data is controlled and monitored.

• The use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications and secured emergency communication systems within the entity, where appropriate

Organisations must, where appropriate, implement multi-factor authentication or continuous authentication solutions and have in place secure voice, video and text communication systems, along with secure emergency communication systems.

Notably, NIS 2 now permits organisations to take compliance costs into account in their decision-making process.

Enhanced incident reporting obligations:

Under NIS 2, both essential and important entities are subject to the same incident reporting obligations. Under the Directive, a reportable incident is an “event compromising the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, network and information systems” that has a significant impact on the provision of their services. An incident is considered “significant” if:

• it has caused or is capable of causing severe operational disruption of the services or financial loss for the entity concerned; or
• it has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage.

In the first 24 hours after becoming aware of an incident, affected organisations must provide an “early warning”. This is an initial report that includes essential details of the incident, such as whether it is suspected of being caused unlawfully or maliciously and whether it has a cross-border impact.

Within 72 hours, organisations are required to follow up on the early warning by submitting a more detailed incident report.

Within one month, a comprehensive final report must be submitted, providing in-depth information about the incident.

Consequences of non-compliance:

Non-compliance with NIS 2 can result in various sanctions, including administrative fines, warnings, binding instructions, suspension of activities, prohibition of managerial functions etc.

Essential entities may face fines of up to 10 million euros or 2% of their global annual turnover, whichever is higher, while important entities could be subject to fines of up to 7 million euros or 1.4% of their global annual turnover.

How should organisations prepare?

In response to the requirements of NIS 2, organisations, especially those within the healthcare sector, need to take several proactive steps to ensure compliance and enhance their cybersecurity and resilience capabilities. Here is a breakdown of our recommended actions (non-exhaustive):

1. Map your exposure:

Organisations falling within the scope of NIS 2 should begin by mapping out the specific requirements that apply to their operations. It is important to gain a clear understanding of their obligations regarding cyber risk management and incident reporting. This assessment should take into account the possibility that different Member States have additional requirements and sector-specific regulations that complement NIS 2.

2. Find your gaps:

Many healthcare organisations, particularly those that were subject to NIS 1, may already have established processes to ensure cyber resilience. However, these existing processes might not align with the stricter requirements introduced by NIS 2. Therefore, it is essential for healthcare organisations and newly-covered medical device manufacturers to conduct a thorough gap analysis. Such an analysis will help to identify discrepancies between existing processes and the new obligations under NIS 2.

3. Budget for implementing changes:

Implementation of NIS 2 requirements may involve significant financial investments. The European Commission suggests that organisations already subject to NIS 1 should anticipate an increase of up to 12% in their ICT (information and communication technology) spending in the initial years following implementation of NIS 2. For organisations that were not previously subject to NIS 1, the estimated cost increase is higher, at 22%. Organisations should budget accordingly to ensure they have the resources needed to meet the requirements of the Directive.

4. Review supply chains

Organisations within the scope of NIS 2 should also assess their supply chains and consider the changes required in their supplier agreements. Amendments must be made to ensure that adequate security measures and protections are in place for future engagements. Organisations should establish mechanisms and requirements that extend their security standards to their suppliers.

5. Train employees

NIS 2 compliance entails enhancing cybersecurity awareness and practices to the employees at all organisational levels. Cybersecurity training programmes should be implemented to equip employees with the knowledge and skills required to identify risks and assess cybersecurity risk. This training is also crucial for management, as members of management bodies may be held personally liable if their organisation fails to meet its obligations under NIS 2.

In summary, organisations must prepare for NIS 2 by understanding the requirements, identifying gaps in their current practices, budgeting for increased ICT spending, reviewing and securing their supply chains, and ensuring that their employees are well educated in cybersecurity. Compliance with these measures is essential to meet the strict cybersecurity standards outlined in the Directive.

Setterwalls is, as always, staying informed about the latest developments related to the Directive and we are here to provide support and assistance to our clients as needed.