This week, Hacking Healthcare™ catches up with the revision to the European Union’s Network and Information Security (NIS) Directive, NIS2. We review what NIS2 is, how Health-ISAC members may be affected, where NIS2 is in its implementation timeline, and what actions Health-ISAC members may wish to consider taking at this time.

As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of H-ISAC and receive the TLP Amber version of this blog (available in the Member Portal).

PDF Version:
TLP WHITE - 9.8.2023 -- Hacking Healthcare


Text Version:


Welcome back to Hacking Healthcare

The Health-ISAC Hobby Exercise 2023

Before we get to NIS2, the Health-ISAC is pleased to announce the 4th iteration of our Hobby Exercise on October 25th in Washington DC. The Hobby Exercise is an annual Healthcare and Public Health (HPH) event designed to engage the healthcare sector and strategic partners on significant security and resilience challenges. The overarching objective is to inform and provide opportunities for organizational continuous improvement while increasing healthcare sector resiliency.

Members wishing to know more or express an interest in participating should visit the following registration link:

NIS 2 Implementation Update

Health-ISAC will be holding several NIS2 sessions and discussions at the upcoming European Union (EU) Summit in Dubrovnik, Croatia. If you’re interested in attending, please click here for more information on how to register.

It’s been a while since we checked up on the revision to the European Union’s Network and Information Security (NIS) Directive, and we thought it might be good to review how NIS2 stands to impact the healthcare sector, where along the implementation path NIS2 is for the various EU member states, and what healthcare entities may wish to consider doing at this stage to prepare for it.

Let’s start with a quick recap of what NIS2 is. The original NIS was the “first piece of EU-wide cybersecurity legislation” and was designed to improve cybersecurity across the EU. However, it fell a bit short on scope, and its implementation was uneven and inconsistent across member states.[i] NIS2 is more stringent in its implementation and more comprehensive in who it applies to and what it seeks to address. For the healthcare sector, NIS2 will:


  • Include broader and more consistent coverage of healthcare entities across EU member states;
  • Strengthen and harmonize cybersecurity requirements, including “Management Body” oversight and accountability;
  • Streamline incident-reporting obligations to minimize over-reporting and the burden placed on private sector entities; and
  • Improve information-sharing, cooperation, and cross-border crisis management of cyber incidents.

NIS2 also complements the larger EU digital/cyber strategy elements found in the Cyber Resilience Act (CRA), the Digital Services Act (DSA), the Digital Markets Act (DMA), and others. EU member states were given until October 17, 2024, to successfully transpose the measures outlined in the NIS2 text into their own national laws, and member states were instructed to begin applying those measures as of October 18, 2024.

So where are we currently in the transposition process and what might Health-ISAC members consider doing at this time?


Action & Analysis
**Available with Health-ISAC Membership**



Tuesday, September 5th

No relevant hearings

Wednesday, September 6th

No relevant meetings

Thursday, September 7th

No relevant meetings

International Hearings/Meetings

No relevant meetings








Report Source(s)