NIS2 obligations for hospitals and healthcare providers 2026
Hospitals are listed under NIS2 Annex I (health sector) and qualify as essential entities once they cross the size threshold. Unlike the old German KritisV regime, NIS2 bites much earlier: 50 employees or EUR 10m revenue is enough to fall in scope, at least as an important entity. Hospitals that already invested KHZG funds in cybersecurity now have to map that work onto NIS2 logic. Here are the obligations in the order a hospital IT lead should tackle them in 2026.
Applicability: who falls under NIS2 and when
Annex I No. 5 NIS2 covers 'healthcare providers' as defined in Directive 2011/24/EU on patients' rights, i.e. hospitals, networks of medical centres, ambulatory providers, EU reference laboratories and manufacturers of basic pharmaceutical products.
Large enterprises (>= 250 employees, or both > EUR 50m revenue and > EUR 43m balance sheet total) are essential entities. Medium-sized hospitals from 50 employees or EUR 10m revenue are important entities.
The old KritisV threshold of 30,000 fully inpatient cases per year no longer separates 'in' from 'out'. Almost every full-service general hospital falls into at least one of the NIS2 categories.
Group-level counting applies: hospital networks, municipal holdings and faith-based providers are aggregated.
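The scoping rule above (size thresholds plus group-level aggregation) is easy to get wrong when a network of sites is assessed one site at a time. The following is an added example, not code from the page's author or from DecisionOS: a small classifier that applies the thresholds exactly as this page states them and aggregates sites before classifying. The site names and figures are constructed, and the comparison direction at the exact boundary (">= 50 employees", ">= EUR 10m revenue" for medium-sized) is an assumption taken from the page's wording "from 50 employees or EUR 10m revenue".

```python
from dataclasses import dataclass
from typing import Dict, Iterable

# Thresholds in EUR as stated on this page. Boundary operators (>= vs >) follow
# the page's wording and are an assumption where the page is not explicit.
LARGE_EMPLOYEES = 250
LARGE_REVENUE = 50_000_000
LARGE_BALANCE_SHEET = 43_000_000
MEDIUM_EMPLOYEES = 50
MEDIUM_REVENUE = 10_000_000


@dataclass(frozen=True)
class Site:
    name: str
    employees: int
    revenue_eur: int
    balance_sheet_eur: int


def aggregate(sites: Iterable[Site]) -> Site:
    """Group-level counting: a hospital network, municipal holding or
    faith-based provider is assessed on its combined figures, not per site."""
    sites = list(sites)
    return Site(
        name=" + ".join(s.name for s in sites),
        employees=sum(s.employees for s in sites),
        revenue_eur=sum(s.revenue_eur for s in sites),
        balance_sheet_eur=sum(s.balance_sheet_eur for s in sites),
    )


def classify(entity: Site) -> str:
    """Classify an Annex I healthcare provider by size: 'essential',
    'important' or 'out of scope'."""
    is_large = entity.employees >= LARGE_EMPLOYEES or (
        entity.revenue_eur > LARGE_REVENUE
        and entity.balance_sheet_eur > LARGE_BALANCE_SHEET
    )
    if is_large:
        return "essential"
    if entity.employees >= MEDIUM_EMPLOYEES or entity.revenue_eur >= MEDIUM_REVENUE:
        return "important"
    return "out of scope"


# Constructed sample: two mid-sized hospitals and one small outpatient centre
# (MVZ) that belong to the same municipal holding.
KLINIKUM_A = Site("Klinikum A (constructed)", 140, 12_000_000, 8_000_000)
KLINIKUM_B = Site("Klinikum B (constructed)", 130, 11_000_000, 9_000_000)
MVZ_C = Site("MVZ C (constructed)", 30, 4_000_000, 2_000_000)
HOLDING = [KLINIKUM_A, KLINIKUM_B, MVZ_C]


def scope_report(sites: Iterable[Site] = HOLDING) -> Dict[str, str]:
    """Per-site classification plus the classification that actually
    applies once the group is counted as one entity."""
    sites = list(sites)
    report = {s.name: classify(s) for s in sites}
    report["GROUP"] = classify(aggregate(sites))
    return report


if __name__ == "__main__":
    for name, result in scope_report().items():
        print(f"{name}: {result}")
```

Run on the sample, each hospital alone is only an important entity and the MVZ alone is out of scope, but the holding as a whole crosses 250 employees and is an essential entity, which is the case a site-by-site review misses.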
Relationship to KHZG, B3S and the German IT Security Act
The German Hospital Future Act (KHZG, § 14a KHG) already required hospitals to implement state-of-the-art IT security and to spend at least 15 percent of KHZG funds on cybersecurity. KHZG measures cover a large part of the NIS2 Art. 21 minimum measures, but not all.
The branch standard B3S Krankenhaus (DKG, recognised by BSI) remains a practical implementation framework. It addresses ISMS, business continuity, vulnerability management and patient data security, and maps well to NIS2 Art. 21.
Gaps versus KHZG/B3S are mainly: Art. 20 (formal management body resolution plus training duty), Art. 21(2)(d) supply chain security towards medical device manufacturers and cloud providers, and Art. 23 notification cascade to BSI (24h/72h/one month).
Ten concrete obligations for hospital IT
1. Risk analysis and information security policy at provider level, not just an IT concept, approved by the management body.
2. Business continuity and crisis management with concrete recovery objectives (RTO/RPO) for core systems: HIS/EMR, RIS/PACS, laboratory, OR planning, pharmacy.
3. Incident handling with an escalation matrix up to the 24-hour BSI notification, naming who decides whether an incident is 'material' or 'reportable'.
4. Backup strategy with immutability (3-2-1-1-0): one immutable offsite backup per layer, monthly restore test of the HIS database.
5. Vulnerability management for medical devices (CE class IIa/IIb) and IT estate. Vendor patches, workarounds where no patch is available.
6. Cryptography: at-rest encryption for patient data, TLS 1.2+ for every clinical communication, key management.
7. Access control plus MFA for all admin accounts, remote access and VPN users; for clinical workstations, MFA is applied on a risk-based basis.
8. Supply chain security: every contract for a clinically relevant system (HIS, PACS, cloud diagnostics) needs minimum clauses on incident notification, audit right and sub-suppliers.
9. Training duty: management body annually, IT staff twice a year, clinical staff at least once per year for an awareness module.
10. Personnel security, asset inventory and authentication per Art. 21(2)(i) and (j).
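Item 4 names the 3-2-1-1-0 rule and a monthly restore test of the HIS database, which is exactly the kind of control an auditor will ask to see evidenced per system rather than as a policy statement. The following is an added example, not code from the page's author or from DecisionOS: it evaluates a backup inventory system by system against 3-2-1-1-0 (three copies, two media types, one offsite, one immutable offsite, zero errors, where "zero errors" is read here as clean backup jobs plus a successful restore test within the last 31 days). The data classes, location labels, sample copies and dates are constructed; counting the production copy as one of the three copies is the conventional reading and an assumption.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List

# Added example. All class names, labels and sample records are constructed.


@dataclass(frozen=True)
class BackupCopy:
    system: str         # clinical system the copy belongs to, e.g. "HIS database"
    location: str       # constructed label: "primary-dc", "cloud-objectstore"
    media: str          # "disk", "tape", "object-storage"
    offsite: bool       # held outside the primary data centre
    immutable: bool     # WORM / object lock / retention lock enforced on this copy
    last_job_ok: bool   # most recent backup job for this copy finished without errors


@dataclass(frozen=True)
class RestoreTest:
    system: str
    performed_on: date
    succeeded: bool


def check_3_2_1_1_0(system: str, copies: List[BackupCopy], tests: List[RestoreTest],
                    today: date, max_test_age_days: int = 31) -> List[str]:
    """Return finding codes for one system; an empty list means 3-2-1-1-0 is met.
    The production copy is counted as one of the three copies (assumption)."""
    mine = [c for c in copies if c.system == system]
    findings: List[str] = []
    if len(mine) < 3:
        findings.append("fewer-than-3-copies")
    if len({c.media for c in mine}) < 2:
        findings.append("fewer-than-2-media")
    if not any(c.offsite for c in mine):
        findings.append("no-offsite-copy")
    if not any(c.offsite and c.immutable for c in mine):
        findings.append("no-immutable-offsite-copy")
    if not all(c.last_job_ok for c in mine):
        findings.append("backup-job-errors")
    recent_ok = [t for t in tests
                 if t.system == system and t.succeeded
                 and (today - t.performed_on).days <= max_test_age_days]
    if not recent_ok:
        findings.append(f"no-restore-test-within-{max_test_age_days}-days")
    return findings


TODAY = date(2026, 3, 15)  # constructed reference date for the age check

SAMPLE_COPIES = [
    # HIS database: production + onsite appliance + immutable offsite object store
    BackupCopy("HIS database", "primary-dc", "disk", False, False, True),
    BackupCopy("HIS database", "primary-dc", "disk", False, False, True),
    BackupCopy("HIS database", "cloud-objectstore", "object-storage", True, True, True),
    # RIS/PACS: production + one onsite appliance whose last job failed
    BackupCopy("RIS/PACS", "primary-dc", "disk", False, False, True),
    BackupCopy("RIS/PACS", "primary-dc", "disk", False, False, False),
]
SAMPLE_TESTS = [
    RestoreTest("HIS database", date(2026, 3, 1), True),     # 14 days old
    RestoreTest("RIS/PACS", date(2025, 12, 20), True),       # 85 days old: stale
]


def report(copies: List[BackupCopy] = SAMPLE_COPIES,
           tests: List[RestoreTest] = SAMPLE_TESTS,
           today: date = TODAY) -> Dict[str, List[str]]:
    """Findings per system, for every system that appears in the inventory."""
    systems = sorted({c.system for c in copies})
    return {s: check_3_2_1_1_0(s, copies, tests, today) for s in systems}


if __name__ == "__main__":
    for system, findings in report().items():
        print(system, "OK" if not findings else ", ".join(findings))
```

On the constructed sample the HIS database passes, while RIS/PACS fails every one of the five checks plus the restore-test age check, which matches the page's point that a downed RIS/PACS is almost always a reportable incident and therefore needs the same backup discipline as the HIS.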
Notification duties and BSI registration
Registration with the competent authority (in Germany: BSI, once the NIS2 transposition law is operational) is due within three months of entry into force. Data fields: provider, address, IP ranges, Member States of activity, contact points.
Incident notification follows the 24/72/one-month cascade: early warning within 24 hours, incident notification with a first assessment within 72 hours, final report within one month, with status reports on incidents still ongoing.
Material incidents are ICT events that can cause serious operational disruption or financial loss, or significant non-material or physical harm to other persons. An encrypted HIS or a downed RIS/PACS hits that threshold almost every time.
Management body liability under Art. 20
Depending on the legal form, the medical director, the commercial director and (in Germany) the nursing director jointly constitute the management body under Art. 20.
Duty: formal approval of the cyber risk strategy as a resolution, regular training (at least annual), oversight of implementation. If training cannot be evidenced, personal liability becomes a real risk.
For essential entities, supervisors can impose administrative fines up to EUR 10m or 2 percent of worldwide group turnover, whichever is higher. Fines can attach to individuals.
Typical hospital-IT pitfalls
Legacy medical devices: devices with a 10+ year lifecycle often run on unsupported operating systems. Compensating controls are required (network segmentation, monitoring, documented risk acceptance).
Cloud diagnostics and telemedicine: providers headquartered outside the EU raise data residency questions. NIS2 clauses plus GDPR third-country review must run before any contract renewal.
Staff shortage: many hospitals run on 0.5-1.0 FTE for information security. The NIS2 workload is real; an external ISB (Informationssicherheitsbeauftragter, information security officer) or MDR provider is often the pragmatic answer.
What DecisionOS does
The most expensive decisions in hospital IT (EDR selection, HIS cloud migration, choice of a backup provider with immutability, IAM with MFA rollout) are each audit-bearing decisions under NIS2. DecisionOS records them as Decision Memos mapped to Art. 21 minimum measures, with stakeholder alignment (CEO, medical director, ISB, DPO) and a readiness score. The result is a consolidated audit dossier that serves BSI audits and KHZG fund-use reviews at the same time.
