European Economic and Social Committee
SECURING EU HEALTHCARE IN TODAY'S HYBRID THREAT LANDSCAPE
Europe’s hospitals faced nearly 300 cybersecurity incidents in 2024, making healthcare the most targeted essential sector. Widely attributed to Russian-linked groups, major incidents cost around EUR 300 000 each — but the damage goes far beyond financial losses. The European Commission’s 2025 Action Plan on the Cybersecurity of Hospitals and Healthcare Providers is a critical step towards protecting EU healthcare from hybrid threats. Samuel Goodger and Elizabeth Kuiper of the European Policy Centre outline the priorities for ensuring the plan’s successful implementation.
The growing number of cyberattacks against the EU’s health infrastructure forms part of broader hybrid warfare intended to intimidate, destabilise and test European resolve, chiefly led by Russia. As digital health and artificial intelligence reshape healthcare provision, the cyberattack surface expands in tandem. Since 2023, pro-Russia hacker groups – such as Killnet and Anonymous Sudan – have launched coordinated attacks on hospitals and health authorities in Denmark, the Netherlands, Spain and Sweden. In 2024 alone, at least 289 cybersecurity incidents affected EU healthcare providers – more than in any other essential sector.

The cost of inaction is staggering. Major incidents cost an average of EUR 300 000 each, meaning the cumulative burden on health systems may reach billions.
Disinformation, shared for instance on social media, can also multiply the impact of attacks. When hospitals are targeted, false claims about patient data breaches can amplify public anxiety, erode trust in healthcare institutions and compound the already-concerning effects of low health literacy.
Why healthcare?
Several factors make health systems attractive targets. Personal health records enable identity theft or extortion. Fragmented IT environments – legacy systems alongside modern infrastructure – contribute to vulnerabilities. Supply-chain dependencies create additional entry points, as one system’s breach can cascade into others.
Cybersecurity preparedness in healthcare varies dramatically across the EU. While some Member States have mature ecosystems – such as the Dutch Z-CERT, which provides sector-specific threat intelligence and incident response – others lack health-specific expertise. This fragmentation creates vulnerabilities that hostile actors can exploit. Limited cross-border threat-intelligence sharing allows attackers to reuse the same vulnerabilities across countries.
Workforce shortages also exacerbate such gaps: in 2024, the EU lacked an estimated 300 000 cybersecurity professionals. The problem is particularly acute in healthcare, where roughly two-thirds of cybersecurity roles are filled by non-specialist IT professionals.
AI – A pivotal opportunity
In these circumstances, the Commission’s January 2025 Action Plan on the Cybersecurity of Hospitals and Healthcare Providers is a critical step forward. Building on substantial existing legislation – such as NIS2, GDPR and the European Health Data Space Regulation – the Plan charts a path to protect EU health systems through four pillars: Prevent, Detect, Respond and Recover, and Deter.
Today’s AI-based tools offer significant defensive potential: continuous surveillance, subtle compromise detection, alert prioritisation and automated early threat containment. However, adversaries also benefit from such evolutions – for instance by manipulating AI models with adversarial inputs or data poisoning. Ensuring system integrity therefore requires continuous monitoring and secure development pipelines. Validation by human analysts remains crucial for accountability.
AI also significantly strengthens disinformation actors. By analysing stolen data, attackers can generate phishing emails tailored to individuals’ specific roles. During incidents, coordinated disinformation can erode public confidence precisely when trust is most fragile.
Recommendations
Prior to further action by the Commission to implement the action plan, we identify six priorities:
First, leverage AI for threat detection and response. Health systems should pilot specialised AI for automated vulnerability management and behavioural analysis. Closed but explainable AI systems are preferable, to reduce data leakage risks.
Second, enhance cross-border threat intelligence. The Commission must establish vulnerability watch systems contextualised in clinical workflows. International cooperation should be strengthened through the International Counter Ransomware Initiative and G7.
Third, strengthen joint procurement for supply-chain security. Establishing common procurement mechanisms at EU level would aggregate demand and facilitate oversight of secure-by-design requirements.
Fourth, address the workforce capacity crisis. Healthcare workers themselves are both the first line of defence and a key vulnerability. Cyber hygiene training must include counter-disinformation skills and recognition of AI-enhanced social engineering attacks.
Fifth, target disinformation risks. The Commission should develop healthcare-specific AI literacy initiatives explaining decision-making processes and privacy implications. Citizens must be empowered to distinguish genuine communications from manipulated content.
Sixth, ensure adequate funding is available. In addition to redirecting existing resources, public investments should qualify under the Stability and Growth Pact’s escape clause. The EU should explore creating a dedicated EUR 10 billion Resilience Fund for sectors most exposed to cyber threats.
Ensuring the cyber resilience of EU health systems requires a shift towards a collaborative, proactive approach. This means moving beyond fragmentation and favouring integrated, innovative collective action. By capitalising on AI, deepening cross-border cooperation, investing in workforce development and empowering patients, the EU can transform the healthcare sector from a vulnerable target to resilient infrastructure.
Samuel Goodger is Policy Analyst, and Elizabeth Kuiper is Associate Director at the European Policy Centre. This article draws on their November 2025 Policy Brief 'From ransomware to statecraft: Protecting EU healthcare in the new threat landscape'.
The European Policy Centre (EPC) is an independent, not-for-profit think tank dedicated to fostering European integration through analysis and debate, supporting and challenging decision makers at all levels to make informed decisions based on evidence and analysis, and providing a platform to engage partners, stakeholders and individuals in EU policy making and in the debate about the future of Europe.