European Commission Cybersecurity Action Plan: hindering hackers in the healthcare sector

11.03.25

Health data is vitally important, with huge value to patients, medical professionals and healthcare researchers. The data held by healthcare providers is also highly sensitive, and this combination of value and sensitivity makes it very attractive to criminals, who can use it to commit identity fraud or sell it to malicious third parties on the dark web. As an example, within the EU, member states reported more healthcare data breaches than in any other critical sector.

It's therefore critical that the databases used by the healthcare industry, which allow practitioners to view vital information such as patient medical records, remain secure and functional.

In January 2025, in response to these statistics, the European Commission launched its cybersecurity action plan. This marks the start of a process to improve cybersecurity in the healthcare sector over the coming years. The action plan builds on existing EU legislation (the Network and Information Systems Directive 2, the Cyber Resilience Act and the Cyber Solidarity Act, all of which were enacted post-Brexit), but with a more specific focus on the healthcare sector. In this article we highlight the four key elements of the action plan, consider how it might support the healthcare sector and explore whether the UK plans to adopt a similar plan.

Key elements of the European Commission's Cybersecurity Action Plan

To achieve its aims, the action plan focuses on four key pillars:

Enhanced prevention:

  • EU Commission-issued guidance will be available for healthcare providers to take appropriate cybersecurity preventative measures.
  • Member states will be encouraged to issue cybersecurity vouchers to their micro, small and medium-sized healthcare providers to assist with the costs of appropriate cybersecurity. This would cover those businesses which employ fewer than 250 persons and which have an annual turnover not exceeding EUR 50 million, or an annual balance sheet total not exceeding EUR 43 million.
  • The EU will develop specific learning resources to educate healthcare professionals on cybersecurity.

Improved detection/threat identification:

  • The European Union Agency for Cybersecurity will establish an EU-wide Cybersecurity Support Centre.
  • This Cybersecurity Support Centre will develop a cyber early warning system that aims to implement near real-time reporting on cyber threats by next year.

Responses to minimise impact:

  • The EU's Cyber Solidarity Act established the EU Cybersecurity Reserve, which provides private cybersecurity response services delivered by sanctioned third parties. The action plan proposes that the EU Cybersecurity Reserve will conduct national cybersecurity exercises with healthcare providers in member states and assist with developing specific response playbooks.
  • Member states will be encouraged to empower their healthcare providers to report ransom payments made to cyber criminals, with the intention that these entities can then be provided with cybersecurity support and appropriate follow-up from law enforcement.

Deterrence:

  • The introduction of a unified Cyber Diplomacy Toolbox to sanction and discourage potential cyber aggressors from harming the interests of the EU. This may mean blacklisting, freezing the assets of and imposing travel bans on natural and legal persons responsible for malicious cyber activities.

The action plan will soon be open to consultation and feedback from EU citizens and stakeholders.

Will the UK adopt similar legislation?

The UK is planning similar legislation in the yet-to-be-drafted Cyber Security and Resilience Bill. The EU's action plan also closely follows the announcement of the European Health Data Space Regulation, a homogenising regulation to encourage data interoperability across the sector.

Note that whilst the Cybersecurity Action Plan is an EU initiative, if it's successful, this may encourage the UK to adopt a similar approach. It may also provide a useful point of reference on best practice in safeguarding patient data and hospital systems for UK healthcare providers.

How will the Cybersecurity Action Plan support the healthcare sector?

The introduction of this plan shows the European Commission's cohesive and serious approach to healthcare cybersecurity across the EU, taking a more active stance against both real and perceived threats in response to the number of attacks. This should result in structured support for the healthcare sector, strengthening it against an increasing number of bad actors in cyberspace.

The EU is looking to lead the way with its proactive approach to technology regulation. This seems likely to have a knock-on impact on UK healthcare providers, either through their international group entities or through the UK government adopting a similar approach.

It will be important for healthcare providers to monitor the UK's Cyber Security and Resilience Bill, whose stated intention is to build cyber resilience across the UK's critical infrastructure. Whilst this bill appears promising, it remains to be seen whether it will offer the same level of support for the healthcare sector, particularly in light of current budget pressures.

If you're operating in the healthcare sector and would like to discuss implementing cybersecurity measures or need assistance with responding to a cyber-attack, please contact our commercial team.
