
NEN 7510 and awareness in healthcare

Practical guidance on NEN 7510 awareness for organisations that want to improve secure behaviour structurally.


From insight to action

See how to turn this topic into a practical awareness program with training, phishing simulations and clear management reporting.

NEN 7510 is the Dutch standard for information security in healthcare. Since 2024 most healthcare providers also fall under the Dutch Cybersecurity Act (Cbw — the NL implementation of NIS2) as essential entities. Awareness training is a requirement in both frameworks, but the focus differs. NEN 7510 emphasises patient data and professional secrecy; the Cbw emphasises organisational measures and board accountability. How do you build an awareness programme that satisfies both without duplicate administration?

Why healthcare has a dual framework

Healthcare organisations must comply with both NEN 7510:2024 (information security in healthcare) and the Cyberbeveiligingswet (Cbw). NEN 7510 is not a law but a sector standard — supervised by IGJ as a practical interpretation of Wkkgz duty-of-care requirements.

The Cbw, in addition, is a national law with specific organisational, technical and governance requirements. Healthcare entities designated as essential (most hospitals, mental health, long-term care) are bound by Cbw articles 21 (duty of care) and 24 (board training).

In practice the two frameworks overlap by 60-70%: both require risk management, incident handling, awareness and supplier management. The remaining 30-40% differs in emphasis rather than in substance.

NEN 7510 awareness requirements

NEN 7510 references ISO 27001/27002 for the general structure but adds healthcare-specific requirements:

  • §7.2.2 (Awareness, education and training): all staff must receive appropriate training, periodically refreshed
  • §9.2 (Access policy): staff must know which patient data they are/are not allowed to access
  • §16.1 (Incident management): staff must recognise and report data breaches
  • NEN 7510-2 (extension): sector-specific risk management guidelines for electronic patient data

Sector-specific awareness themes

Generic awareness content works less well in healthcare. What is recognised as "phishing" elsewhere has a specific context here: an EHR notification asking for re-authentication, a supplier requesting urgent authorisation, a parent calling and impersonating a physician.

Effective healthcare awareness covers: patient data and professional secrecy, breach detection and reporting, BIG fraud (impersonation of registered professionals), USB infection on wards, MDM/BYOD for mobile workplaces, and social engineering for front-desk and triage staff.

Audience segmentation is crucial. A nurse on a ward, an administrator, and a medical director have different risks and need different reflexes.

Board training: NEN 7510 vs Cbw art. 24

NEN 7510 requires board involvement with the ISMS but does not specify mandatory board training. The Cbw does: article 24 requires demonstrable board training, with personal liability for culpable negligence.

For healthcare boards a Cbw-compliant programme automatically covers NEN 7510 board involvement better than the reverse. Start with the stricter of the two (Cbw art. 24) and let NEN 7510 board engagement follow.

One programme, two reports

The biggest pitfall when combining NEN 7510 and Cbw is duplicate administration. The fix: one awareness programme with one reporting layer, in which every participation record is linked to both the NEN 7510 controls and the Cbw articles it evidences. For IGJ supervision you export the register per NEN 7510 control; for Cbw supervision you export the same register per Cbw article.

Modern security awareness platforms support this dual mapping out of the box. Per training event you record which NEN 7510 paragraph and which Cbw article it satisfies — plus audience, date, supplier and evaluation. At audit time you select the relevant view.
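The dual mapping described above, as an added example that is not code from the page or from the 2LRN4 platform: a single event register in which each training record carries both its NEN 7510 controls and its Cbw articles, plus audience, date, supplier and evaluation score. The control identifiers (§7.2.2, §9.2, §16.1) and Cbw articles (21, 24) are those named in this article; the training events themselves are constructed sample data. Beyond the two supervisory views, the example also flags controls with no evidence at all and controls whose most recent evidence is older than the annual refresh cycle, which is what an auditor will ask about first.

```python
"""Dual-mapped awareness register: one event record, two supervisory views.

Added example, not the page's or 2LRN4's own code. Control ids and Cbw
article numbers come from the article; the event data is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class TrainingEvent:
    title: str
    audience: str          # segment, e.g. "ward nurses", "board"
    held_on: date
    supplier: str
    evaluation: float      # mean participant evaluation score, 1..5
    nen7510: frozenset     # NEN 7510 controls this event evidences
    cbw: frozenset         # Cbw articles this event evidences


# Constructed sample register (not real training data).
EVENTS = [
    TrainingEvent("Patient data and professional secrecy", "ward nurses",
                  date(2025, 2, 10), "internal", 4.3,
                  frozenset({"7.2.2", "9.2"}), frozenset({"21"})),
    TrainingEvent("Recognising and reporting data breaches", "all staff",
                  date(2025, 3, 5), "vendor-A", 4.0,
                  frozenset({"7.2.2", "16.1"}), frozenset({"21"})),
    TrainingEvent("Board cyber-risk session", "board",
                  date(2025, 4, 1), "vendor-B", 4.6,
                  frozenset(), frozenset({"24"})),
]


def view_by_nen_control(events):
    """IGJ view: events grouped by the NEN 7510 control they evidence."""
    view = defaultdict(list)
    for ev in events:
        for ctrl in ev.nen7510:
            view[ctrl].append(ev)
    return dict(view)


def view_by_cbw_article(events):
    """Cbw view: the same events grouped by Cbw article."""
    view = defaultdict(list)
    for ev in events:
        for art in ev.cbw:
            view[art].append(ev)
    return dict(view)


def coverage_gaps(events, required_controls, required_articles):
    """Controls and articles in scope that no event evidences at all."""
    missing_controls = set(required_controls) - set(view_by_nen_control(events))
    missing_articles = set(required_articles) - set(view_by_cbw_article(events))
    return missing_controls, missing_articles


def stale_controls(events, as_of, max_age_days=365):
    """Controls whose most recent evidence is older than the refresh cycle.

    The default of 365 days reflects the 'at least annually' guidance; NEN 7510
    itself only says 'periodically'.
    """
    latest = {}
    for ctrl, evs in view_by_nen_control(events).items():
        latest[ctrl] = max(ev.held_on for ev in evs)
    return {c for c, d in latest.items() if (as_of - d).days > max_age_days}


if __name__ == "__main__":
    scope_controls = {"7.2.2", "9.2", "16.1"}
    scope_articles = {"21", "24"}
    print("gaps:", coverage_gaps(EVENTS, scope_controls, scope_articles))
    print("stale as of 2026-02-20:", stale_controls(EVENTS, date(2026, 2, 20)))
    for art, evs in sorted(view_by_cbw_article(EVENTS).items()):
        print(f"Cbw art. {art}: {[e.title for e in evs]}")
```

The point of the single register is that the event is recorded once and the framework mapping is data, not a second spreadsheet; the two export functions are the only place the frameworks diverge.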

From explanation to action

See how 2LRN4 turns this topic into a workable Cbw programme with training, phishing simulation and board reporting.


FAQ

Is NEN 7510 mandatory for healthcare providers?

Not a law per se, but de facto mandatory because IGJ supervises it as the practical interpretation of Wkkgz duty-of-care requirements.

Which framework is heavier — NEN 7510 or Cbw?

The Cbw has more formal weight (national law, personal board liability). NEN 7510 is more detail-rich on healthcare-specific topics. Both must be complied with.

Do all healthcare organisations fall under the Cbw?

Most do — hospitals, mental health, elderly care, disability care and larger primary care networks are designated as essential. Small GP practices (<50 staff) typically fall outside but still must follow GDPR and NEN 7510.

How often must awareness training be repeated?

NEN 7510 says "periodically". Practical guidance: at least annually, with onboarding for new staff and additional training after incidents.

What is the difference between NEN 7510 and ISO 27001?

NEN 7510 is based on ISO 27001/27002 but adds healthcare-specific requirements. The two are not interchangeable.

How does this relate to GDPR?

GDPR is the legal basis for personal data processing. NEN 7510 gives practical interpretation for healthcare. A data breach can trigger GDPR (DPA), NEN 7510 (IGJ) and Cbw (CSIRT) reporting simultaneously.

Next step

Use this article as the foundation and then see how 2LRN4 turns this topic into audience segmentation, training and reporting.