CAI Technology

🏥NIS2 for Health — deadlines, obligations, fines

The health sector falls under NIS2 (Directive (EU) 2022/2555 + Romanian Emergency Ordinance 155/2024). See the Art. 21 obligations, deadlines, maximum fines and compliance roadmap for Annex I.

Last reviewed: · CAI Technology · Lexnomia + AEGIS team

🎯 Who is covered

The healthcare sector (hospitals, healthcare providers, EU reference laboratories, manufacturers of basic medicines and of critical medical devices) is listed in Annex I to Directive (EU) 2022/2555 (NIS2) as a sector of high criticality [C2]. In Romania, the rules are transposed by OUG 155/2024 (Romanian Emergency Ordinance transposing NIS2), and DNSC (the Romanian National Cybersecurity Directorate) is the competent national authority supervising essential and important entities [C6]. On top of NIS2, hospitals process special categories of personal data (health data) under the restrictive GDPR Art. 9 regime [C7] and — if they operate connected medical devices — are direct customers of manufacturers regulated under MDR 2017/745 and IVDR 2017/746 [C9][C10]. In practical terms, for a hospital, compliance means a combined NIS2 + GDPR + MDR/IVDR stack — not one or the other.

Examples in Romania

  • Spitalul Clinic de Urgenta Bucuresti (Floreasca)
  • Spitalul Universitar de Urgenta Bucuresti
  • Spitalul Clinic Coltea
  • Spitalul Clinic Judetean de Urgenta Cluj
  • Institutul Oncologic Bucuresti
  • Institutul National de Boli Infectioase Matei Bals
  • MedLife
  • Reteaua Privata de Sanatate Regina Maria
  • Sanador

Applicability thresholds

Annex I of NIS2 covers healthcare providers (as defined in Art. 3(g) of Directive 2011/24/EU), EU reference laboratories (Art. 15 of Reg. 2022/2371), medicinal-product R&D entities, manufacturers of basic medicinal products, and manufacturers of medical devices considered critical during a public health emergency [C2]. Default threshold: medium and large entities (>= 50 employees or annual turnover / balance-sheet total >= EUR 10 million) qualify as essential; hospitals and below-threshold entities identified by DNSC as playing a critical role may be notified on a case-by-case basis [C2][C6].

📅 Regulatory timeline

  1. Adoption of the General Data Protection Regulation (GDPR, Reg. (EU) 2016/679) [C7][C8]

  2. Adoption of Regulations (EU) 2017/745 (MDR) and 2017/746 (IVDR) [C9][C10]

  3. GDPR enters into full application across the EU; Art. 9 protects health data; Art. 33 sets the 72-hour breach notification clock [C7][C8]

  4. Reference global incident: Conti ransomware paralyses HSE Ireland (estimated cost over USD 600 million)

  5. IVDR (Reg. (EU) 2017/746) enters into application [C10]

  6. Adoption of Directive (EU) 2022/2555 (NIS2) [C1]

  7. Publication of NIS2 in the Official Journal of the EU [C1]

  8. BackMyData / Phobos incident on the Hipocrate HIS (RSC) — 26 Romanian hospitals affected; the reference incident cited in the explanatory memorandum of OUG 155/2024 [C18]

  9. AI Act (Reg. (EU) 2024/1689) enters into force; AI systems used in medical devices are classified as high-risk [C12]

  10. EU deadline for transposing NIS2 into national law (NIS2 Art. 41) [C1]

  11. NIS1 (Directive 2016/1148) repealed; NIS2 takes effect [C1]

  12. Cyber Resilience Act (Reg. (EU) 2024/2847) enters into force [C11]

  13. Romania publishes OUG 155/2024 — NIS2 transposition; DNSC designated as competent national authority [C6]

  14. The European Commission adopts the European action plan on the cybersecurity of hospitals and healthcare providers (4 pillars + ENISA Health Cybersecurity Support Centre) [C15]

  15. CRA — reporting obligations for actively exploited vulnerabilities and severe incidents enter into application [C11]

  16. CRA — main obligations (security-by-design for products with digital elements) enter into application [C11]

📋 Key obligations

ICT risk-management framework — NIS2 Art. 21(2) minimum measures applied to a clinical setting

effort: high

A documented, all-hazards framework covering risk policies, system security, incident handling, business continuity (with documented RTO/RPO for ICU, operating theatres, ER, pharmacy, laboratories), cryptography, MFA, training, access control and human-resources security. NIS2 Art. 21(2) imposes the ten minimum measures (a-j), aligned with ISO/IEC 27001 and ISO/IEC 27002 [C3]. For hospitals, the ENISA Technical Implementation Guidance v1.0 (2025) remains the technical reference — not Reg. 2024/2690, which legally targets DNS, cloud, MSP and data-centre providers and not hospitals [C17]. The management body of the entity (board of directors, governing board, executive committee) approves and oversees implementation under NIS2 Art. 20, with personal accountability [C14].

Recommended controls: NIS2 Art. 21(2)(a-j) · ISO/IEC 27001:2022 · ISO/IEC 27002:2022 · ENISA NIS2 Technical Implementation Guidance v1.0 · NIS2 Art. 20

Incident reporting on two parallel tracks — NIS2 Art. 23 + GDPR Art. 33

effort: high

For a hospital under NIS2 where a cyber incident also touches patient data, the same event triggers two parallel reporting flows. NIS2 Art. 23 to CSIRT/DNSC: early warning within 24 hours of awareness, incident notification within 72 hours, final report within one month [C4]. GDPR Art. 33 to ANSPDCP (the Romanian Data Protection Authority): notification of the personal-data breach within 72 hours of awareness, where there is a risk to the rights and freedoms of natural persons [C8]. The two 72-hour clocks run independently — the start point may differ (awareness of a "significant incident" vs. awareness of a "personal data breach"). In practice, the CISO and DPO share a single runbook feeding both the DNSC and ANSPDCP filings simultaneously, with no duplicated work and no delay to either.

Recommended controls: NIS2 Art. 23(4) · GDPR Reg. 2016/679 Art. 33 · EDPB Guidelines 9/2022 v2.0 (personal data breach notification) · OUG 155/2024

Health-data security — GDPR Art. 9 + security-by-design in HIS/EHR/LIS

effort: high

Health data is a special category of personal data — GDPR Art. 9(1) prohibits processing, subject to the exceptions in Art. 9(2): explicit consent, medical care / diagnosis, substantial public interest in public health, scientific research, etc. [C7]. Implementation required by NIS2 Art. 21(2)(h) (cryptography) plus GDPR Art. 32 (technical and organisational measures) includes encryption in transit (TLS 1.3) and at rest for HIS/EHR/PACS/LIS, segregation of clinical and administrative networks, persistent audit logging, minimum retention for identifiable data, and pseudonymisation/anonymisation for research. The agreement with the HIS vendor or cloud provider becomes a DPA plus security-clause contract — not just an IT service agreement.

Recommended controls: GDPR Art. 9, 32, 35 (DPIA mandatory for health data) · NIS2 Art. 21(2)(h) · ISO/IEC 27799 (security management in health)

Operational continuity for life-supporting systems — ICU, ER, operating theatres

effort: high

For a hospital, business continuity means ICU patients are not left without monitoring, operating theatres can intervene 24/7, and the pharmacy can dispense medication. NIS2 Art. 21(2)(c) imposes business continuity and crisis management as minimum measures [C3]. In practice: working offline plans (paper forms, manual laboratory routing, clinical decisions without the HIS), annual exercises with tabletops and simulations, immutable offline backups (rotated and restore-tested), multi-site redundancy for imaging and laboratories. The BackMyData / Hipocrate lesson (February 2024) is that hospitals with recent functioning backups resumed operations rapidly; those that had not tested their backups spent days or weeks in manual mode [C18].

Recommended controls: NIS2 Art. 21(2)(c) · ISO 22301:2019 (business continuity management) · OUG 155/2024 · ENISA Health Threat Landscape recommendations

Clinical ICT supply chain and connected medical devices — NIS2 Art. 21(2)(d) + MDR 2017/745

effort: high

Hospitals do not just buy IT: they buy CT and MRI scanners, ICU monitors, infusion pumps, connected defibrillators, PACS systems, laboratory systems (LIS) — all with firmware, software and connectivity. NIS2 Art. 21(2)(d) requires supply-chain security [C3]. MDR (Reg. 2017/745) imposes essential cybersecurity requirements on manufacturers of devices with software, including risk management and security-by-design (Annex I, sections 14.2(d) and 17.2) [C9]; IVDR (Reg. 2017/746) extends these to in-vitro diagnostic devices from 26 May 2022 [C10]. Concretely: contract clauses with each manufacturer (patching SLA, SBOM, vulnerability disclosure), a technical inventory of devices with IP / firmware, network segregation for classes of non-patchable devices, and behavioural monitoring for anomalies. The Düsseldorf lesson (2020): a backdoor on Citrix CVE-2019-19781 sat for ~9 months on the network and ultimately contributed to the death of a patient transferred to another hospital.

Recommended controls: NIS2 Art. 21(2)(d) · MDR Reg. 2017/745 Annex I 14.2(d) + 17.2 · IVDR Reg. 2017/746 · MDCG 2019-16 Guidance on Cybersecurity for medical devices

📰 Real incidents, concrete lessons

Romanian Soft Company (RSC) — the Hipocrate (HIS) system, 26 hospitals in Romania

2024 · Romania

Type: BackMyData ransomware (Phobos family); vector RDP / access via a third-party ICT supplier

Impact: 26 hospitals affected (including Spitalul de Pediatrie Pitesti, the first to report, on 10 February 2024); HIS data encrypted; ransom demand of 3.5 BTC (~EUR 157,000 / ~USD 180,000 at the time of the attack, February 2024). Most affected hospitals had recent backups and restored relatively quickly. The incident was cited in the explanatory memorandum of OUG 155/2024 as direct justification for transposing NIS2 in Romania.

Lesson: Compromise of a single software vendor (RSC) propagated the incident to 26 public hospitals. NIS2 Art. 21(2)(d) and OUG 155/2024 require continuous contractual assessment and monitoring of critical ICT providers in healthcare; network segregation plus tested offline backups saved most of the units.


Universitätsklinikum Düsseldorf (UKD)

2020 · Germany

Type: DoppelPaymer ransomware; exploit of Citrix CVE-2019-19781 (Shitrix), latent backdoor since December 2019

Impact: The hospital dropped out of the emergency-care system; a 78-year-old patient was transferred to a hospital ~32 km away and died during transport, the first publicly reported death directly associated with a ransomware attack. Cologne prosecutors opened a negligent-homicide investigation. The DoppelPaymer operators later handed over the decryption key when they realised they had hit a hospital.

Lesson: Poor patch management (~9 months between the Citrix patch and exploitation) within a critical clinical perimeter contributed to the first death publicly linked to a ransomware attack. NIS2 Art. 21(2)(e) and MDR Annex I 17.2 require vulnerability handling and security-by-design for clinical devices and systems.


Synnovis — joint venture Synlab UK / Guy's and St Thomas' / King's College Hospital

2024 · United Kingdom (NHS London)

Type: Qilin ransomware (3 June 2024); encryption of the Synnovis network + data exfiltration

Impact: Pathology services for NHS London blocked. At King's College and Guy's and St Thomas', 1,134 planned operations and 2,194 outpatient appointments were cancelled in the first 13 days. Blood testing in the capital ran at ~10% of capacity. A USD 50 million ransom demand was refused. More than 900,000 patients had data potentially exfiltrated.

Lesson: A single compromised pathology provider paralysed two of London's largest NHS trusts. NIS2 Art. 21(2)(d) and the 2025 EU Action Plan on healthcare call for detailed maps of dependency on critical clinical providers (laboratories, imaging, pharmacy).


Change Healthcare (UnitedHealth Group / Optum)

2024 · United States

Type: BlackCat / ALPHV ransomware (detected 21 February 2024); entry presumed via Citrix without MFA

Impact: The largest medical-data breach in the US. Major disruption to prescription processing, medical claims settlement and payments to providers. UnitedHealth advanced more than USD 9 billion in bridge funding to affected providers. Estimated 2024 financial impact of USD 1.90-2.05 per share. PHI/PII confirmed exfiltrated (22 screenshots published on the dark web). A dedicated call centre and two years of free credit monitoring for affected customers.

Lesson: ICT concentration risk in healthcare (one claims processor handling about a third of the US) propagated the incident to thousands of hospitals and pharmacies. NIS2 Art. 21(2)(d) and the 2025 EU Action Plan call for concentration testing on critical providers and continuity scenarios assuming a large provider goes down.


⚠️ Typical threats

  • Ransomware on hospitals (see HSE Ireland, Düsseldorf)
  • Theft of patient data (RO Q4 2024 — multiple)
  • Disruption of ICU / operating theatres through an IT attack

💰 Maximum fines

NIS2 + GDPR cumulative fines — up to EUR 20 million or 4% of turnover

📊 Romania compliance status

Vulnerable sector. Top hospitals (Floreasca, Coltea, MedLife, Regina Maria) have work in progress. Sector compliance below 30%.

📚 Adjacent regulations with overlap

GDPR — Regulation (EU) 2016/679 · Directly applicable from 25 May 2018; ANSPDCP is the supervisory authority in Romania [C7][C8]

Health data is a special category — GDPR Art. 9(1) prohibits processing, subject to the exceptions in Art. 9(2) [C7]. Art. 33 requires notification of the breach to ANSPDCP within 72 hours [C8]. Key difference from NIS2: GDPR is triggered by a personal-data breach, NIS2 by a significant cyber incident — the two can coincide but do not have to. Sanctions are cumulative with those under NIS2.

MDR — Regulation (EU) 2017/745 · Directly applicable from 26 May 2021 [C9]

For any hospital operating medical devices with software (CT, MRI, pumps, ICU monitors, connected defibrillators), the manufacturer has essential cybersecurity obligations under MDR Annex I 14.2(d) and 17.2 [C9]. The hospital, as user, must keep an inventory of the device fleet, segregate networks and contractually require an SBOM and a patching policy. MDCG 2019-16 is the principal technical guidance.

IVDR — Regulation (EU) 2017/746 · Directly applicable from 26 May 2022 [C10]

Extends the MDR regime to in-vitro diagnostic devices (biochemistry, haematology, microbiology analysers, interpretation software). Software driving or influencing an IVD device falls under the same class as the device. For hospital and medical laboratories, IVDR and GDPR Art. 9 apply alongside NIS2 Art. 21(2)(d).

Cyber Resilience Act — Regulation (EU) 2024/2847 · In force since 10 December 2024; main obligations applicable from 11 December 2027, active-vulnerability reporting from 11 September 2026 [C11]

The CRA explicitly excludes medical devices covered by MDR/IVDR (Art. 2(2)(a)), because those remain under Annex I MDR/IVDR. It remains relevant, however, for generic IT products used in hospitals (non-MDR HIS systems, terminals, facility IoT, administrative software, card readers, access-control systems, connected cameras). The hospital becomes a demanding buyer: products with digital elements must carry CRA conformity before being placed on the EU market.

AI Act — Regulation (EU) 2024/1689 · In force since 1 August 2024; obligations for high-risk AI applicable in tranches 24-36 months later [C12]

For hospitals using clinical AI (radiology decision support, triage, mortality prediction, therapeutic decision support, AI-enabled IVDs), AI systems classified as high-risk under Annex III or through harmonisation with MDR carry additional obligations: risk management, quality data sets, transparency, human oversight, logs. The AI Act applies cumulatively with MDR and GDPR Art. 9 — in practice, AI-assisted clinical decision-making remains under the physician's and the institution's responsibility.

Frequently asked

I run a public emergency hospital — am I in scope of NIS2?

Yes. NIS2 Art. 2 and Annex I explicitly list healthcare providers (as defined in Art. 3(g) of Directive 2011/24/EU) as a sector of high criticality [C2]. If you are a medium or large entity (>= 50 employees or >= EUR 10 million turnover / balance-sheet total), you are an essential entity. Below-threshold hospitals can still be notified on a case-by-case basis by DNSC if they play a critical role in the national health system [C2][C6]. In Romania, OUG 155/2024 and DNSC handle registration, supervision and enforcement.

How do NIS2 and GDPR stack up for a Romanian hospital?

Neither exempts you from the other. NIS2 (horizontal cybersecurity) imposes ten minimum risk-management measures and reporting of significant incidents within 24h / 72h / 1 month to DNSC [C3][C4]. GDPR (horizontal data protection) requires notification of a personal-data breach to ANSPDCP within 72 hours, where there is a risk to the rights of natural persons [C8]; health data is a special category under Art. 9 [C7]. In practice: a single event can trigger both channels, but the start point and the trigger threshold may differ. The CISO and DPO share a single runbook that feeds the DNSC and ANSPDCP filings simultaneously.

What counts as a "significant incident" for a hospital under NIS2?

NIS2 Art. 23(3) defines a significant incident as one that has caused or is capable of causing severe operational disruption or financial loss for the entity, or that has affected or is capable of affecting other persons through considerable material or non-material damage [C4]. In operational terms, for a hospital: total or partial loss of HIS, EHR or PACS for several hours; the central lab going down; encryption of imaging systems; patient-data exfiltration; compromise of a critical connected device (ICU monitor, ventilator). When in doubt, file an early warning within the first 24 hours — you can retract later if it turns out to be minor.

Incident reporting deadlines to DNSC and ANSPDCP — what exactly?

Two parallel channels. NIS2 (to CSIRT/DNSC, under OUG 155/2024): early warning within 24 hours of awareness, incident notification within 72 hours, final report within one month (Art. 23) [C4]. GDPR (to ANSPDCP, if the incident also involves a personal-data breach): notification within 72 hours of awareness of the breach (Art. 33) [C8]. The two 72-hour clocks run independently — the moment of awareness can differ. Practical recommendation: build a single process that feeds both filings automatically, with separate escalation flows to the CISO and the DPO.
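The dual-clock runbook described in the Key obligations section and in this answer, as an added illustration (not CAI Technology's, DNSC's or ANSPDCP's tooling): the NIS2 Art. 23 deadlines (24 h / 72 h / one month) and the GDPR Art. 33 deadline (72 h) are modelled as independent clocks, each starting from its own awareness moment, so the two 72-hour deadlines fall at different times. Timestamps are constructed, and "within one month" is interpreted here as a calendar month, which is an assumption.

```python
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Hours after awareness of a *significant incident* (NIS2 Art. 23(4)). The final
# report is due "within one month", handled separately as a calendar month.
NIS2_HOURS = {
    "NIS2 early warning (CSIRT/DNSC)": 24,
    "NIS2 incident notification (CSIRT/DNSC)": 72,
}
GDPR_HOURS = 72  # after awareness of a *personal data breach* (GDPR Art. 33)


@dataclass
class Filing:
    name: str
    due: datetime
    filed: Optional[datetime] = None  # set once the filing is actually submitted

    def status(self, now: datetime) -> str:
        if self.filed is not None:
            return "on time" if self.filed <= self.due else "late"
        return "open" if now <= self.due else "OVERDUE"


def plus_one_month(ts: datetime) -> datetime:
    """Same calendar day next month, clamped to that month's last day (assumption)."""
    year, month = ts.year + ts.month // 12, ts.month % 12 + 1
    return ts.replace(year=year, month=month,
                      day=min(ts.day, calendar.monthrange(year, month)[1]))


def build_filings(nis2_awareness: datetime,
                  gdpr_awareness: Optional[datetime] = None) -> List[Filing]:
    """One Filing per deadline; each track starts from its own awareness moment.
    gdpr_awareness is None while the DPO has not established that personal data
    is affected: the GDPR clock has then not started at all."""
    filings = [Filing(name, nis2_awareness + timedelta(hours=h))
               for name, h in NIS2_HOURS.items()]
    filings.append(Filing("NIS2 final report (CSIRT/DNSC)", plus_one_month(nis2_awareness)))
    if gdpr_awareness is not None:
        filings.append(Filing("GDPR Art. 33 breach notification (ANSPDCP)",
                              gdpr_awareness + timedelta(hours=GDPR_HOURS)))
    return filings


def demo() -> Dict[str, Tuple[str, str]]:
    """Constructed scenario (illustrative timestamps, not taken from any real case):
    HIS encryption is confirmed a significant incident on 31 Jan 06:00 UTC; the DPO
    confirms 32 h later that patient data is affected, so the GDPR clock starts then."""
    utc = timezone.utc
    filings = build_filings(datetime(2024, 1, 31, 6, 0, tzinfo=utc),
                            datetime(2024, 2, 1, 14, 0, tzinfo=utc))
    filings[0].filed = datetime(2024, 1, 31, 20, 0, tzinfo=utc)  # early warning sent at +14 h
    now = datetime(2024, 2, 3, 12, 0, tzinfo=utc)  # runbook checked at +54 h
    return {f.name: (f.due.isoformat(), f.status(now)) for f in filings}


if __name__ == "__main__":
    for name, (due, state) in demo().items():
        print(f"{name:45s} due {due}  {state}")
```

In the constructed run the NIS2 notification is already overdue at +54 h while the GDPR notification, started 32 h later, is still open; the final report lands on 29 February because the one-month step is clamped to the month's last day.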

We have an MSP running our HIS — are we covered?

Outsourcing does not exempt you from NIS2. Compromise of an ICT provider is one of the most common causes of healthcare incidents — the 2024 BackMyData example hit 26 hospitals through the compromise of Romanian Soft Company (RSC), the Hipocrate vendor [C18]. NIS2 Art. 21(2)(d) requires supply-chain risk management, including contractual clauses (incident-response SLA, audit rights, exit strategy, controlled sub-outsourcing) [C3]. The hospital remains legally responsible for data and for patient services — ICT outsourcing transfers the operations, not the liability.

We have CT, MRI, pumps and connected ICU monitors — how do MDR and NIS2 apply together?

MDR (Reg. 2017/745) imposes essential cybersecurity requirements on the device manufacturer under Annex I 14.2(d) and 17.2 (risk management, security-by-design, software development life cycle, information security) [C9]. NIS2 Art. 21(2)(d) requires the hospital, as user, to manage the ICT supply chain — meaning it must demand an SBOM, a patching policy, MFA on service interfaces and network segregation. Concretely: keep a technical device inventory (IP, firmware version, manufacturer), dedicate a VLAN to medical devices, run behavioural monitoring, and write audit rights and patching deadlines into the service contract. MDCG 2019-16 is the technical guidance for the manufacturer; you, as hospital, demand compliance.

What is the maximum fine for an essential hospital?

Under NIS2 Art. 34: at least EUR 10 000 000 or 2% of total worldwide annual turnover, whichever is higher, for essential entities [C5]. For important entities: EUR 7 000 000 or 1.4% [C5]. Note: NIS2 sanctions stack with those under GDPR Art. 83 (up to EUR 20 000 000 or 4% of turnover, whichever is higher), with national healthcare-sector sanctions and with personal liability of management (NIS2 Art. 20) [C14]. For Romanian public hospitals, the effective ceiling is set by OUG 155/2024 and the DNSC implementing rules.

Who is personally liable on the hospital's management body?

NIS2 Art. 20 requires the management body (board of directors, executive committee, hospital manager) to approve cybersecurity risk-management measures, oversee their implementation and accept that its members can be held personally liable [C14]. The directive allows Member States to impose temporary bans on holding management positions in essential entities. In Romania, OUG 155/2024 has transposed these provisions [C6]. Practical implementation: a board resolution or executive-committee decision approving the cybersecurity risk-management framework — signed, dated, archived — plus an annual report presented to the board by the CISO and DPO.

Are you in the health sector?

Free NIS2 audit for companies with 50+ employees. We reply within 24 business hours.
