What does the Cyber Security Act mean for your organisation in the healthcare sector?

The digital resilience and cyber security of important and critical sectors must be increased. This includes the healthcare sector. This is why the European Union has adopted the Network and Information Security Directive, the NIS2. In the Netherlands, this directive is being implemented into national law as the Cyber Security Law. This law will take effect in 2026, and its obligations will apply immediately. This means that from then on many organisations in the healthcare sector will have to comply. Therefore, it’s important to check in advance whether your organisation falls under the Cyber Security Law, so you can take the necessary steps and ensure your organisation is well-prepared.
Does your healthcare organisation fall under the Cyber Security Law?

There are two criteria. First, your organisation must belong to one of the following sub-sectors: healthcare providers, entities carrying out research and development of medicinal products, entities manufacturing basic products, manufacturers of medical devices in emergency situations. Second, your organisation should have at least 50 FTEs, or it needs to have a turnover and a balance sheet total of more than 10 million euros. If your organisation meets these requirements, it falls under the Cyber Security Law.

For larger organisations, service disruptions are likely to have a greater impact on the economy and society. This is why the law distinguishes between important entities and critical entities. The Health and Youth Care Inspectorate supervises these entities. For an important entity, this happens after an incident, or if there is a suspicion of non-compliance with the law. Critical entities are supervised proactively. Your organisation is critical when it employs at least 250 FTE, or when it has a turnover of more than 50 million euros and a balance sheet total of more than 43 million euros. Please note that an exception applies to manufacturers of medical devices.
What are your rights and obligations as an entity?

Under the new law, organisations will have a registration obligation and an obligation to report incidents. If your organisation falls under the law and a cyber incident occurs, you have the right to receive support from Z-CERT, the cyber security expertise centre for the healthcare sector. Organisations also have a duty of care, which requires them to conduct a risk assessment. Based on this analysis, appropriate measures must be taken, such as access control policies, incident management or cyber security training. The well-known ISO 27001 and NEN 7510 standard frameworks are a good starting point for many organisations. Implementing these measures will take time. This is why it’s best to act now. Find out whether your organisation falls under the Cyber Security Law and what steps you can take to be well-prepared.