
NIS2 awareness for healthcare organizations

Practical guidance on NIS2 awareness for healthcare organisations that want to improve secure behaviour structurally.


Founder & Security Awareness Specialist · 2LRN4

Healthcare organisations across Europe fall within the scope of the NIS2 directive as essential entities once they meet the sectoral thresholds (typically 50+ employees or €10M annual turnover). Each Member State implements NIS2 through its own national law, with its own sectoral healthcare framework on top: NEN 7510 in the Netherlands, B3S Gesundheit and § 75c SGB V in Germany, the PGSSI-S and HDS certification in France, the Esquema Nacional de Seguridad (ENS) in Spain, the eHealth-platform framework in Belgium and ELGA in Austria. GDPR applies in parallel to all patient data. The forthcoming European Health Data Space (EHDS) regulation adds another layer of harmonisation for cross-border health data exchange.

Which healthcare organisations fall within scope?

Under the NIS2 directive, hospitals, large outpatient clinics, laboratories of significant size, and pharmaceutical manufacturers and distributors are designated as essential or important entities once they meet the size thresholds (50+ employees or €10M annual turnover). National laws may add additional categories or lower thresholds for specific critical functions.

Several types of critical healthcare entities are designated regardless of size, for example trauma centres, burns units or national reference centres for high-complexity conditions. Member States designate competent authorities and CSIRTs that supervise the healthcare sector, typically combining the national NIS2 authority (BSI in Germany, ANSSI in France, CCN-CERT and INCIBE-CERT in Spain, CCB in Belgium, BMI in Austria) with the sectoral health ministry or authority.

Smaller healthcare providers (GP practices, dental clinics, individual specialists) usually fall outside direct NIS2 scope but face cascading requirements through supply chain clauses when they exchange data with NIS2-regulated entities.

Healthcare-specific risks

Healthcare combines several risk factors that make awareness particularly urgent:

  • Patient data. Health data is a special category of personal data under GDPR Article 9 and has high black-market value. A breach triggers both GDPR notification (to the national data protection authority) and NIS2 notification (to the national CSIRT).
  • Internet of Medical Things (IoMT). Infusion pumps, ventilators, imaging equipment and pacemakers often have long lifecycles and limited patching capabilities. Ransomware attacks can directly threaten patient safety, as shown by attacks on hospitals across Europe in recent years.
  • Continuity of emergency care. Unlike many sectors, a hospital cannot pause operations during remediation. Continuity plans must ensure patient care even with full IT failure, with fallback to paper, patient transfers and regional coordination.
  • Phishing and social engineering. Clinical staff work under time pressure and often hold broad access rights to the electronic health record. Targeted spear phishing of physicians or administrative staff is a common entry vector.
  • Shadow IT and BYOD. WhatsApp groups for handovers, personal email addresses for referrals, personal devices in consultations: structural weaknesses that awareness training must address explicitly.

Awareness approach for healthcare staff

A NIS2-compliant healthcare awareness programme combines generic security modules with sector-specific content. Most national healthcare standards explicitly require recurrent training and awareness, with measurable frequency and participation rates.

  • Role-based training. Differentiation between clinical staff (focus: patient data, EHR hygiene, recognising phishing), administrative staff (focus: CEO fraud, social engineering toward billing) and IT staff (focus: incident response, secure development).
  • Frequency. At least one full training session per year, supplemented by quarterly micro-modules. For high-turnover environments (locums, temporary staff), a mandatory onboarding module within 2 weeks of starting.
  • Phishing simulations. Sector-specific scenarios: fake insurer emails, simulated colleague requests for EHR access, fake regulator or professional body messages.
  • Incident reporting. Low-friction reporting channel, ideally a button integrated in the EHR or a dedicated security mailbox. A just culture (no blame for honest reporting) is essential because under-reporting is a known issue in healthcare.
  • Board training. NIS2 requires the management body itself to undergo cybersecurity training. For a hospital, this typically includes the CEO, medical director, nursing director and finance director, with traceable participation.

Sectoral healthcare frameworks per Member State

Each Member State combines NIS2 with its own sectoral healthcare framework. The following overview is non-exhaustive but covers the main European jurisdictions:

  • Netherlands: NEN 7510-1/2:2017 for information security in healthcare, Wegiz for electronic data exchange, supervised by IGJ.
  • Belgium: federal eHealth-platform for secure exchange and authentication, eID-based access, supervised by CCB with the FOD/SPF Public Health as sectoral authority.
  • Germany: B3S Medizinische Versorgung im Krankenhaus (BSI-recognised sector standard from DKG), § 75c SGB V for hospital IT security, Patientendaten-Schutz-Gesetz (PDSG) for the electronic patient record, supervised by BSI and Land health ministries.
  • Austria: NISG 2024, GTelG 2012 for telematics, ELGA for the national electronic health record, supervised by BMI and BMSGPK.
  • France: PGSSI-S (general security policy for health IS), HDS certification for health data hosting, operational supervision by CERT Santé under the ANS, in coordination with ANSSI for NIS2.
  • Spain: Esquema Nacional de Seguridad (ENS) per Royal Decree 311/2022, Plan de Salud Digital, supervised by CCN-CERT (public sector and critical), INCIBE-CERT (private sector) and AEPD for data protection.

Cross-reference: the European Health Data Space (EHDS)

In parallel with NIS2, the EU is rolling out the European Health Data Space (EHDS) regulation, which creates a harmonised framework for cross-border exchange of electronic health data (primary use by patients and clinicians, and secondary use for research, innovation and policy-making). EHDS does not replace NIS2 or national healthcare frameworks; it adds a layer of interoperability requirements and patient rights at EU level.

For multinational healthcare groups and pharmaceutical companies, EHDS will require alignment of data infrastructures, consent mechanisms and security controls across Member States. Awareness training for clinical and administrative staff should anticipate EHDS requirements alongside national NIS2 transposition.

In practical terms, a healthcare organisation operating across several EU countries should map: (1) the national NIS2 transposition law in each country of operation, (2) the sectoral healthcare framework in each country, (3) the GDPR/national data protection regime, and (4) emerging EHDS obligations. An integrated compliance programme handles all four in a coordinated manner.


FAQ

Which thresholds apply to hospitals under NIS2?

Hospitals are typically designated as essential entities once they exceed 50 employees or €10M annual turnover, which applies to almost all general and university hospitals across Europe. Specific critical entities may be designated regardless of size. National competent authorities publish sectoral guidance on scope determination.

Does NIS2 replace national healthcare security standards?

No. National sectoral standards (NEN 7510 in the Netherlands, B3S in Germany, PGSSI-S in France, ENS in Spain, eHealth-platform in Belgium, ELGA in Austria) remain in force. NIS2 adds a regulatory layer with specific notification, governance and supervisory obligations. In practice, an organisation that complies with the national sectoral framework already covers a substantial part of NIS2 technical and organisational requirements.

What is the notification obligation in a ransomware attack?

Significant incidents must be reported to the national CSIRT in three phases: early warning within 24 hours, intermediate report within 72 hours, final report within one month. If patient data is compromised, GDPR notification to the national data protection authority within 72 hours applies in parallel. Some Member States have sectoral healthcare CSIRTs (e.g. CERT Santé in France) that act as the first reporting channel.

Who is liable for a healthcare data breach?

Under NIS2, the management body is responsible for approving and overseeing risk management measures and may be held personally liable for serious breaches. Under GDPR, the healthcare organisation is the data controller and faces fines up to 4% of global turnover. In some Member States (e.g. Germany), personal liability of the board under the national NIS2 law combines with civil liability toward the hospital trust and potential criminal consequences for gross negligence.

How often should healthcare staff complete awareness training?

NIS2 and national healthcare standards do not impose a fixed frequency, but the practical norm is one full training per year supplemented by quarterly micro-modules. For high-turnover environments (locums, temporary staff), a mandatory onboarding module within 2 weeks of starting is recommended. Participation must be documented and auditable.

How does EHDS interact with NIS2 for healthcare?

EHDS and NIS2 are complementary: EHDS sets interoperability and patient rights at EU level for cross-border health data, while NIS2 sets cybersecurity baselines. EHDS will progressively impose technical and organisational requirements on healthcare providers, in addition to NIS2 risk management and incident reporting. An integrated compliance programme addresses both.
