The plan focuses on improving threat detection, preparedness and crisis response in the healthcare sector by providing sector-specific guidance, tools, services and cybersecurity training for hospitals and healthcare providers.
The EU Action Plan for the Cybersecurity of Hospitals and Healthcare Providers was one of the top priorities for the first 100 days of the new European Commission. It is a strategic initiative that aligns with ISC2’s mission to develop robust cybersecurity practices where they are most needed.
ISC2’s Proactive Engagement and Insight Contribution
In anticipation of the EU Action Plan, ISC2 proactively engaged EU stakeholders. This key initiative references ISC2’s estimate of a 300,000 cybersecurity workforce gap across EU member states, demonstrating the impact of ISC2’s research. “We are delighted to see the impact of our research in informing EU policies. We remain committed to providing evidence-based insights in shaping the EU’s cybersecurity strategies,” said Tara Wisniewski, executive vice president, Advocacy, Global Markets and Member Engagement at ISC2.
Top Challenges for Cybersecurity Practitioners in the Healthcare Sector
EU cybersecurity practitioners within the healthcare sector expect worker and skill shortages to become the top challenge over the next two years. The severity of workforce shortages is highlighted by 75% of respondents to the 2024 ISC2 Workforce Study, who stated that staffing gaps put their organizations at significant risk of experiencing a cyberattack.
According to EU cybersecurity respondents working in healthcare settings, the most pronounced skills gaps are in penetration testing, cloud computing security, risk management and zero trust implementation. Considering the current and future challenges facing this sector, the Commission’s Action Plan is timely and pivotal.
Hospitals and other healthcare providers are classified as highly critical under the NIS2 Directive. The Cyber Resilience Act further increases compliance requirements for connected devices and supply chains, adding to the sector’s regulatory burden. The healthcare sector’s ability to meet these regulatory demands is constrained by persistent workforce shortages and a lack of specialized skills.
Addressing Challenges with Targeted Workforce Development
Leveraging initiatives such as the European Cybersecurity Skills Framework (ECSF) can play a significant role in addressing both the workforce and skills gaps. ECSF is a familiar tool for almost two-thirds of EU healthcare cybersecurity professionals and is widely regarded as relevant by the workforce.
The EU’s strategic policy initiatives, such as the EU Cyber Skills Academy, can be more instrumental in developing entry- and junior-level candidates. Nearly a quarter of EU organizations have no entry-level staff on their security teams. A further 13% have no junior-level staff. These figures suggest the workforce gap will continue to grow, as companies will struggle to secure enough talent in the future. This highlights the critical importance of developing new pathways into cybersecurity to secure a thriving digital economy across the EU.
Looking Ahead
ISC2 supports the EU Action Plan’s focus on prevention, detection, response, recovery, and deterrence. To advance these efforts, ISC2 will work alongside EU institutions to support skill-building initiatives. ISC2 also looks forward to collaborating with the Cybersecurity Support Centre and the European Digital Infrastructure Consortium to strengthen cybersecurity in healthcare and ensure a safer digital environment within the EU healthcare sector.