
EU must boost a single market of cybersecurity to protect healthcare

Cybersecurity of critical healthcare services should be seen as part of national security. Europe’s cybersecurity resilience can be improved by accelerating the free movement of cybersecurity services and products, a new Sitra report suggests.


The EU needs to strengthen the single market for cybersecurity to make it easier for companies to sell cybersecurity services from one country to another. This would also encourage companies to create specialised, healthcare-focused cybersecurity services, which would not be viable in the current fragmented market, says a new Sitra report.

The healthcare cybersecurity market within the EU is substantial but fragmented. European growth companies have primarily operated on a local scale so far, but they have the potential to expand and serve customers across the continent, the report argues.

In recent years the EU has introduced numerous regulations to strengthen cybersecurity in Europe, which also impact healthcare.

“Despite advancements in regulatory efforts and technical solutions, implementation remains inconsistent. There is no time to lose in turning regulations into reality,” says Markus Kalliola, Sitra’s programme director. Kalliola leads Sitra’s Well-being solutions programme that strengthens the use of social and health data in Finland and Europe in a secure way in collaboration with the operators in the sector.

A well-functioning single market would foster the growth of the companies, facilitate the development of European cybersecurity expertise and increase cybersecurity maturity, all while reducing dependencies on expertise from outside Europe.

The healthcare sector is increasingly targeted by cyberattacks. Nation-state actors and their proxies aim to weaken the healthcare infrastructure by causing disruption, and cybercriminals target healthcare organisations for financial gain.

Sitra’s working paper “Towards safer healthcare – insights on the European action plan on cybersecurity for hospitals and healthcare providers” analyses the European Commission’s plan published in January 2025 and presents proposals for improving the preparedness of the EU and its member states against cyber threats.

Cybersecurity should be a matter of national security

Healthcare cybersecurity should be viewed as safeguarding healthcare services as society’s vital function, not merely as information security, the report suggests.

Traditionally, cybersecurity has been seen as specific to organisations or partly sectoral. However, because of the changes in the security environment and because cyberattacks can be driven by malicious state actors and their proxies, cybersecurity should be considered a matter of national security.

To ensure that society’s vital functions are secured, cybersecurity collaboration between the public and private sectors is needed. In Finland, for example, the roles and functions of the key actors in society are defined to prepare for disturbances already during normal circumstances.

In addition to national measures, the report also suggests that the EU should organise pan-European cybersecurity exercises to enhance cooperation.

Cyber threats in healthcare on the rise

Europe has awakened to the need to take further actions to protect healthcare. According to Kalliola, the Commission’s plan arrives at a crucial time.

“We welcome the EU’s action plan which features strong proposals to strengthen healthcare against cyber threats and serves as a good starting point for the discussion on reinforcing cybersecurity in Europe. With our insights, we aim to steer Europe towards adopting ambitious measures to improve the resilience of healthcare systems,” says Kalliola.

With all actions set to improve cybersecurity, clear targets and budgets are needed to measure the impact, the report suggests. This applies to the Commission’s proposals for the EU and member states, but also at the grassroots level in healthcare organisations and how cybersecurity maturity is measured and improved. Direct EU and national funding should be targeted at activities that improve cybersecurity maturity.

Sitra’s report also proposes that the European Commission and the member states should simplify the governance and reduce the number of separate bodies and networks which facilitate cybersecurity among healthcare providers.

The Commission is expected to publish the next version of the action plan by the end of 2025. The plan was announced in Commission President von der Leyen’s political guidelines as a key priority within the first 100 days of the new mandate.

This paper continues from Sitra’s previous work in developing healthcare in Finland and Europe. Our work has included laying the foundations of the European health data space.

Our security environment has transformed in recent years. Sitra examines security topics, for example through the means of foresight. We approach the transformation of the security environment as a broader societal issue than those of overall security or readiness – phenomena linked to power, economy, technology, nature, and people. We strive to identify new developments that will impact the future.
