The healthcare sector is increasingly vulnerable to cyber threats due to outdated systems, fragmented practices and risks associated with human errors. Despite advancements in regulatory efforts and technical solutions, implementation remains inconsistent. Emerging technologies such as artificial intelligence (AI) and quantum computing add both urgency and complexity to securing healthcare environments.
The EU’s expanding cybersecurity legislation is significantly affecting various sectors, including healthcare. The primary goal is to harmonise practices and enhance the resilience of critical entities, products and infrastructure. New instruments such as the Directive on measures for a high common level of cybersecurity across the Union (NIS2), the Cyber Resilience Act and the AI Act broaden the range of entities covered and introduce stricter requirements, raising the bar for compliance and emphasising the need for robust security in an interconnected digital landscape.
Europe has awakened to the need to take further action to protect healthcare. The European cybersecurity action plan for hospitals and healthcare providers, published by the European Commission in January 2025, arrives at a crucial time and contains several strong proposals to bolster healthcare security.
Sitra presents seven proposals for improving the preparedness of the EU and its member states against cyber threats. Among them are building a single market for cybersecurity and making collaboration tangible through pan-European cybersecurity exercises.
For all actions intended to improve cybersecurity, clear targets are needed so that their impact can be measured. This applies to the Commission’s action plan proposals for the EU and its member states, but also at the grassroots level in healthcare organisations, where cybersecurity maturity must be measured and improved.
Improving cybersecurity resilience requires healthcare organisations to address all stages of cybersecurity – before, during and after incidents. Cybersecurity should be further integrated into comprehensive security, with adequate resources allocated to healthcare organisations. A well-functioning single market is part of cybersecurity resilience, and European companies must play a significant role in it.
Finland serves as a case study for how cybersecurity is organised in healthcare within an EU member state. In Finland’s comprehensive security model, cybersecurity responsibilities are distributed among various authorities. Healthcare organisations hold the primary responsibility, supported and guided by multiple authorities. Roles and responsibilities are clearly defined under normal circumstances, with the national cybersecurity strategy outlining priority actions.