Opinion adopted on 18/06/2025 | Bureau decision date: 21/01/2025 | Reference: CCMI/244-EESC-2025 | Opinion type: Optional | Co-rapporteur: Hervé JEANNIN (France) | Plenary session number: 597
European Economic
and Social Committee
Opinion of the European Economic and Social Committee – Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions European action plan on the cybersecurity of hospitals and healthcare providers
EESC 2025/00633
OJ C, C/2025/4215, 20.8.2025, ELI: http://data.europa.eu/eli/C/2025/4215/oj (BG, ES, CS, DA, DE, ET, EL, EN, FR, GA, HR, IT, LV, LT, HU, MT, NL, PL, PT, RO, SK, SL, FI, SV)
| Official Journal | EN C series |
| C/2025/4215 | 20.8.2025 |
Opinion of the European Economic and Social Committee
Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions European action plan on the cybersecurity of hospitals and healthcare providers
(COM(2025) 10 final)
(C/2025/4215)
| Rapporteur | Alain COHEUR |
| Co-rapporteur | Hervé JEANNIN |
| Advisors | LORIDAN Joyce (advisor to the rapporteur, Group III); CHEAH Hun Xhing Madeline (advisor to the co-rapporteur, Category 2) |
| Bureau decision | 21.1.2025 |
| Referral | European Commission, 5.3.2025 |
| Legal basis | Article 304 of the Treaty on the Functioning of the European Union |
| Section responsible | Consultative Commission on Industrial Change |
| Adopted in section | 4.6.2025 |
| Adopted at plenary session | 18.6.2025 |
| Plenary session No | 597 |
| Outcome of vote (for/against/abstentions) | 123/1/1 |
1. Conclusions and recommendations
| 1.1. | The EESC welcomes the level of ambition of the European action plan on the cybersecurity of hospitals and healthcare providers and the attention being given to this subject. The sector has been a critical target for threat actors. Health is personal and is organised locally in the Member States and its regions. Cybersecurity, however, is a priority for the European Commission, to protect the health of its citizens, the European Health Data Space, and the vast healthcare sector in the Member States encompassing diverse health entities such as hospitals, emergency services, and the pharmaceutical and biotechnology sectors, which are more and more connected to the outside world through telemedicine, patient portals, platforms and wearables. Improving cybersecurity in the health sector improves general security and resilience and contributes to the Preparedness Union. |
| 1.2. | To improve the security measures in this area, the Committee is putting forward a set of proposals which fall into different categories: |
1.2.1. Financial measures
| 1.2.1.1. | The EESC regrets that the issue of financial support for the implementation of the action plan currently remains unaddressed. This could lead to inequality in the level of protection patients receive, depending on the resources available to healthcare institutions. The EESC encourages the Commission to ensure a thematic concentration of financial support via the cohesion funds. |
| 1.2.1.2. | The EESC highlights disparities in investment in cybersecurity across the EU, noting that France alone intends to invest over EUR 1 billion annually; extrapolated EU-wide, this suggests a minimum need of EUR 7,5 billion per year. To prevent cyberattacks, hospitals should allocate around 10 % of their IT budgets to cybersecurity. The territorial distribution of these investments should also be monitored. The EESC notes the EUR 6 million in support for ENISA, but underlines that this funding is inadequate in view of what is at stake for the safety of hospitals, citizens and patients who, in the event of an attack, may no longer have access to diagnosis and treatment. ENISA should be invited to complement its ‘Threat landscape: health sector’ report with a financial mapping of the state of play of cybersecurity investment in the Member States. Financial support for the European action plan should address investments in:
ENISA could receive fast-tracked loans for IT protection and cybersecurity tools. These funds should be dedicated to the health and social care sector, under specific conditions. |
| 1.2.1.3. | The EESC suggests exploring whether expenditure on cybersecurity for health could be taken into account for the general escape clause of the Stability and Growth Pact, and might be regarded as defence spending to protect the health of European citizens and critical health infrastructure. The investment required by health entities in ensuring cybersecurity for healthcare provision will be higher than in other sectors given the risk of incidents. |
| 1.2.1.4. | Because the total cost of cybercrime attacks on the healthcare sector in the EU is difficult to estimate (up to EUR 20 million in costs per attack in France), the EESC suggests investing in the tracking and tracing of costs so that the European Commission can better tailor investments, whether to crime hotspots or local areas in need of more help, or to understanding which security technologies or educational campaigns are the most effective. |
| 1.2.1.5. | The EESC highlights the role of the data protection authorities in the Member States in ensuring that hospitals and other healthcare entities take appropriate security measures. Member States can play a role, in the event of a lack of preventive cybersecurity measures, by issuing fines (4). |
1.2.2. Technical measures
| 1.2.2.1. | The EESC recommends:
|
1.2.3. Process measures
| 1.2.3.1. | The EESC wishes to draw attention to a set of precautionary and preventive measures that should improve the level of protection in the healthcare sector and reduce the risk of cyberattacks:
|
| 1.2.3.2. | In the EESC’s view, the Commission should consider, as part of the action plan, the certification of cybersecurity providers in order to contribute to the creation of a trusted ecosystem, while highlighting the financial burden currently placed on hospitals and healthcare institutions and thus warning against further cost increases. |
| 1.2.3.3. | The EESC recognises that standardisation is very useful but also points out that it inevitably leads to a lack of resilience unless specific safeguards and countermeasures are put in place. The plan should be integrated with other physical and cyber resilience initiatives, including the Cyber Resilience Act. |
1.2.4. Educational measures
| 1.2.4.1. | As education is a central pillar of the action plan, the EESC recommends continuous learning and training plans developed with the social partners, and mechanisms for knowledge transfer between the diverse entities and professional stakeholders to address challenges in cybersecurity, ethics, privacy and AI. |
| 1.2.4.2. | When new IT tools are implemented, the EESC suggests ensuring a coherent institutional response to cyberattacks, protecting privacy and the proper management of data, as provided for under Member States’ legislation and collective bargaining arrangements with the social partners for collective contracts. |
| 1.2.4.3. | The EESC estimates that to counter cybersecurity threats, healthcare education should include targeted cybersecurity training. Micro-credentials offer a flexible, cost-effective way to upskill professionals without altering core curricula. They enhance healthcare resilience and are a key focus of the Commission’s Union of Skills initiative. |
| 1.2.4.4. | In the EESC’s view, tackling the cybersecurity workforce gap and low security levels in healthcare must be central to the EU Digital Decade revision. Strategic investment in multidisciplinary skills – cybersecurity, AI, forensic readiness, and medical device security – is essential to address complex threats and build long-term resilience. |
| 1.2.4.5. | The EESC recognises that the digitalisation of health and well-being and potential threats of cybersecurity breaches can cause possible psychological distress for individual healthcare professionals and patients and requires the mainstreaming of fundamental cybersecurity literacy and skills for European citizens and healthcare professionals. |
| 1.2.4.6. | The EESC recommends that the Commission fully exert its supportive and coordinating role by utilising EU funds to promote cybersecurity awareness campaigns on threat risks and prevention on the work floor through ‘digital hygiene’ recommendations. |
2. General comments
| 2.1. | In 2020, ENISA reported a combined 47 % increase in cyberattacks across the EU compared to the previous year: in France, the number of declared cases doubled in 2021. ENISA has acknowledged the cybersecurity needs of the healthcare sector and welcomed the January 2025 European Commission action plan (aiming to continuously improve cyber resilience from 2025 onwards) to bring hospitals, clinics and health providers to a high level of protection against any attack on the IT or OT systems of these entities. |
| 2.2. | Protecting individuals, businesses, and institutions from cyber risks is a key priority in the European Declaration on Digital Rights and Principles for the Digital Decade (5). The EESC emphasises the need for a comprehensive, cross-cutting EU cybersecurity policy to safeguard public health and the right to healthcare (6). The EESC encourages the Commission to adopt a rights-based approach to cybersecurity underpinned by EU (digital and constitutional) values and to recognise cybersecurity as a right just like other fundamental rights such as privacy and data protection and physical safety. The EESC advises against limiting cybersecurity to the protection of infrastructure, systems and data. |
| 2.3. | Robotic systems and digital machines play an increasing role in surgery, in monitoring patient health, and in medical tests, potentially causing actual physical and mental harm should these digital systems not be safeguarded (against, for instance, the malicious miscalibration of surgical robots and backdoor triggers being put into AI diagnostic systems). The EESC calls for a much greater focus on legacy systems and the intersection between IT and OT, because complexity arises from the gaps in standard processes and awareness at that boundary. Addressing the challenges of this particular intersection requires a multi-disciplinary approach (including safety engineering), specialist knowledge and the ability to recognise and test for novel threats using novel tools and methodologies. The action plan should also look at ‘cyber-physical’ systems and the efforts made to address this area. |
| 2.4. | The EESC calls on the Commission to clarify the scope of the healthcare providers impacted by the action plan. The action plan states that the health sector includes a broad number of entities and actors, comprising hospitals, clinics, care homes, rehabilitation centres and various healthcare providers, alongside the pharmaceutical, medical and biotechnology industry, medical devices manufacturers, and health research institutions. The EESC asks the Commission to specify whether this is their exhaustive understanding of the health sector and points out the health targets identified by ENISA (7). The Commission must take into account the indirect interaction with the broader ecosystem, including commercial well-being (e.g. fitness trackers, weight loss coaches, etc.). |
| 2.5. | The European Commission strongly emphasises cooperation with technology firms and private for-profit organisations in cybersecurity service provision to ensure the protection of hospitals and the healthcare sector. While collaboration with the for-profit sector can offer valuable benefits for strengthening cybersecurity, caution must be exercised. Healthcare institutions need to be aware of potential conflicts of interest that may arise when commercial companies are involved in managing sensitive patient data. There is a risk that the commercial interests of these companies, such as profit maximisation, may take precedence over the protection of patient privacy and the integrity of medical data. We stress that European companies must comply with European legislation protecting patient privacy and the integrity of medical data (GDPR). |
| 2.6. | The EESC would welcome the incorporation of ethical standards and privacy protection clauses into the European action plan. |
| 2.7. | The EESC encourages the Commission to enhance the mandate of the Computer Security Incident Response Teams (CSIRTs) by improving coordination, streamlining communication, and strengthening cross-border cooperation among European hospitals for more effective threat-intelligence sharing. Strengthening IT security in healthcare through the pooling and professionalisation of cybersecurity expertise will enhance the sector’s overall cyber resilience and preparedness against evolving threats. Strengthening OT security and hardening medical systems through integrated safety and security engineering will likewise raise the baseline of protection against the cyberattacks that are most likely to occur. |
| 2.8. | A cyber security toolkit could provide a comprehensive set of resources, best practices and tools designed to help large and small healthcare organisations protect themselves against digital threats. Implementing simulations and real-world scenarios can enhance learning and help staff understand the practical implications of cybersecurity breaches. |
| 2.9. | The number of people allowed to access external networks on the web and to bring in external data should be limited. Humans are known to be the most fragile factor in protecting a computer system. Therefore, human-centric systems (potentially powered by AI) should be put in place to spot attacks and to deliver training on how to mitigate insider threats. Ideally, the workstations used for this purpose should be disconnected from the hospital network, so that an attack affects only the PC itself and only the minimum of data is duplicated onto it. Once the incoming data has been verified for viruses, the computer is disconnected from the external network and connected to the hospital network for data transmission. These PCs are updated every morning with the day’s patient data. |
| 2.10. | If employees need to access the unsecured web, this must be done via PCs not connected to the hospital network and without the possibility of backup or data transfer. |
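As an added illustration of the transfer step described in points 2.9 and 2.10 (example code written for this page, not part of the EESC opinion or of any hospital’s tooling): before a file gathered on the external-facing PC is passed to the hospital network, it can be screened against an allowlist of document types, its leading bytes checked against the type its name claims, Office packages refused when they carry a VBA macro project, and a SHA-256 hash recorded for a transfer manifest. This complements the antivirus verification the opinion calls for; it does not replace it. The allowlist, the size limit and the sample files below are assumptions constructed for the example.

```python
import hashlib
import io
import zipfile

# Allowlisted document types and the leading bytes ("magic") each must carry.
# The allowlist is an assumption for this example; a hospital would derive it
# from the data actually exchanged (DICOM exports, referrals, lab reports...).
ALLOWED_TYPES = {
    ".pdf": b"%PDF-",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
}
OFFICE_ZIP_TYPES = {".docx", ".xlsx"}
MAX_SIZE = 50 * 1024 * 1024  # assumed upper bound per file


def office_has_macros(data: bytes) -> bool:
    """True if an OOXML package carries a VBA project (vbaProject.bin)."""
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        return any(n.lower().endswith("vbaproject.bin") for n in pkg.namelist())


def screen_file(name: str, data: bytes) -> dict:
    """Decide whether a file may cross from the external PC to the hospital side.

    Returns {"accepted": bool, "reason": str, "sha256": str}. The hash is
    recorded for the transfer manifest whether or not the file is accepted,
    so that rejected files remain traceable.
    """
    digest = hashlib.sha256(data).hexdigest()
    ext = name[name.rfind("."):].lower() if "." in name else ""

    def verdict(accepted, reason):
        return {"accepted": accepted, "reason": reason, "sha256": digest}

    if ext not in ALLOWED_TYPES:
        return verdict(False, f"type {ext or '(none)'} is not allowlisted")
    if len(data) > MAX_SIZE:
        return verdict(False, "file exceeds size limit")
    # Name and content must agree: an executable renamed to .pdf fails here.
    if not data.startswith(ALLOWED_TYPES[ext]):
        return verdict(False, f"content does not match {ext} signature")
    if ext in OFFICE_ZIP_TYPES:
        try:
            if office_has_macros(data):
                return verdict(False, "Office document contains a VBA macro project")
        except zipfile.BadZipFile:
            return verdict(False, "Office container is malformed")
    return verdict(True, "passed screening")


def make_docx(with_macro: bool) -> bytes:
    """Constructed minimal OOXML package used as sample input (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("[Content_Types].xml", "<Types/>")
        pkg.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            pkg.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


# Constructed sample files for the example.
SAMPLES = {
    "scan.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
    "referral.docx": make_docx(with_macro=False),
    "invoice.docx": make_docx(with_macro=True),   # macro-bearing: must be refused
    "report.pdf": b"MZ\x90\x00" + b"\x00" * 32,     # executable renamed as PDF
    "update.exe": b"MZ\x90\x00" + b"\x00" * 32,
}

if __name__ == "__main__":
    for fname, blob in SAMPLES.items():
        v = screen_file(fname, blob)
        print(f"{fname:15} {'ACCEPT' if v['accepted'] else 'REJECT'}  {v['reason']}")
```

The order of the checks matters: the cheap name and size checks run first, the content signature check defeats simple renaming, and the macro check only opens containers whose signature already matched, so a malformed archive is reported rather than raised.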
| 2.11. | Provision should be made for a possible internal threat in a hospital (although limited to 2 % of incidents (8)), with a risk-based approach to what might be the most appropriate level of surveillance, whether that is through computer networks, physical surveillance such as cameras, or through access control points such as through employee passes. Social dialogue within hospitals and the health sector must avoid evolving from surveillance to intrusion. |
| 2.12. | For the EESC it is imperative that EU hospitals have incident management and business continuity plans including incident response procedures, back-up communication solutions and disconnected back-ups to respond quickly and effectively in the event of an attack. A vital part of incident management and business continuity plans is frequent stress tests, simulating cyberattack scenarios in a virtual environment that would enable the degree and level of impact of a cyberattack to be measured and the response capabilities of a healthcare establishment to be verified. The adapted involvement of employees, and providing them with concrete skills in this regard is crucially important. |
| 2.13. | The EESC suggests developing a digital simulator, featuring attack and response scenarios that are easy to deploy and use. This simulator could be used as a demonstration tool for awareness-raising, information and educational events. |
| 2.14. | Attack simulation exercises should be conducted frequently, to see how the service restoration plan is applied and to improve procedures for the next fiscal year, for example by increasing the number of people trained in these restoration plans or by establishing simpler and more explicit instructions. |
| 2.15. | In the event that an attack has not been detected and, owing to its sophistication, has caused severe damage to services, a degraded mode with a temporary return to manual operation must be applied so that operations are not blocked at the beginning of an attack. People must be trained to know how to organise the service on paper until the IT systems are restored. The actions undertaken during this period are recorded manually and entered into the systems a posteriori. |
| 2.16. | Any equipment with a microprocessor (and/or documentation attached to equipment) installed in a hospital must be checked by the internal cybersecurity risk owner before installation, to confirm that no malware has been implanted beforehand. We accept that not all hospitals will be able to resource a full internal department for cybersecurity. We suggest that the risk owner (similar to a GDPR data controller) could be the one responsible for sign-off, supported by tech vendors, their IT department and/or by members of this initiative. |
| 2.17. | The EESC calls for attention to be given to medical units without IT services, and asks for the role of ENISA to be clarified here as regards providing software or secure servers; it encourages pioneering hospitals to exchange and contribute to the cybersecurity learning of smaller entities. |
| 2.18. | The European action plan could incorporate the use of ethical hackers and non-profit organisations as a standard practice, by facilitating formal collaborations or programmes that enable healthcare institutions to leverage this external expertise without incurring significant financial burdens. This would not only enhance overall cybersecurity but also contribute to a broader culture of collaboration and knowledge-sharing within the sector. |
| 2.19. | The EESC suggests, as provided for under Member States’ legislation, using collective bargaining and collective contracts to ensure a coherent institutional response to cyberattacks, the protection of privacy, and proper data management, alongside consolidating social dialogue and involving the social partners in the monitoring and control of the processes regarding cyberattacks and data privacy for employees and patients. We highlight the need to discuss cybersecurity-induced psychological stress risk in a social dialogue framework. |
| 2.20. | The ‘spear and shield’ theory means that attackers move faster than defenders, and criminal innovation is likewise picking up speed. Within the centres of help, apart from threat intelligence there should also be horizon-scanning and future-proofing activities. For example, ransomware threat actors may not only carry out their usual breaches of data; even in cases where access is restored, they may have selectively compromised data integrity (particularly if the target is strategic), so that restored data cannot be trusted without verification. |
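The disconnected back-ups of point 2.12 and the selective integrity compromise described in point 2.20 call for the same control: a way to prove, file by file, that what is restored is what was backed up. The script below is an added example written for this page (not the EESC’s or any vendor’s code). It hashes every file in a back-up tree, seals the listing with an HMAC whose key is assumed to be generated once and kept with the offline media, and on verification reports exactly which files were modified, removed or added. The key handling, the directory layout and the patient-record samples are assumptions constructed for the example.

```python
import hashlib
import hmac
import json
import os
import tempfile

# Assumption for this example: the HMAC key lives with the offline back-up
# media, never on the production network, so an intruder who can rewrite
# files cannot also recompute a valid manifest seal.


def _file_sha256(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def _seal(files: dict, key: bytes) -> str:
    body = json.dumps(files, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def build_manifest(root: str, key: bytes) -> dict:
    """Hash every file under root and seal the listing with an HMAC."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            files[os.path.relpath(full, root).replace(os.sep, "/")] = _file_sha256(full)
    return {"files": files, "mac": _seal(files, key)}


def verify_manifest(root: str, manifest: dict, key: bytes) -> dict:
    """Check the seal first, then compare the tree against the sealed listing."""
    report = {"authentic": hmac.compare_digest(_seal(manifest["files"], key), manifest["mac"]),
              "modified": [], "missing": [], "added": []}
    if not report["authentic"]:
        return report  # the listing itself cannot be trusted; stop here
    current = build_manifest(root, key)["files"]
    for rel, digest in manifest["files"].items():
        if rel not in current:
            report["missing"].append(rel)
        elif current[rel] != digest:
            report["modified"].append(rel)
    report["added"] = sorted(set(current) - set(manifest["files"]))
    report["modified"].sort()
    report["missing"].sort()
    return report


def demo() -> tuple:
    """Constructed scenario: seal a small record set, then tamper with it selectively."""
    key = os.urandom(32)  # generated once and stored offline in practice
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "ward-a"))
        records = {"ward-a/patient-001.json": '{"allergy":"penicillin"}',
                   "ward-a/patient-002.json": '{"allergy":"none"}',
                   "schedule.csv": "08:00,theatre-1\n"}
        for rel, text in records.items():
            with open(os.path.join(root, rel), "w") as f:
                f.write(text)
        manifest = build_manifest(root, key)
        clean = verify_manifest(root, manifest, key)

        # Same-length edit: file size and a casual look would not reveal it.
        with open(os.path.join(root, "ward-a/patient-001.json"), "w") as f:
            f.write('{"allergy":"none      "}')
        os.remove(os.path.join(root, "schedule.csv"))
        with open(os.path.join(root, "note.txt"), "w") as f:
            f.write("x")
        tampered = verify_manifest(root, manifest, key)

        # A rewritten listing carrying the old seal fails the HMAC check.
        forged = {"files": build_manifest(root, key)["files"], "mac": manifest["mac"]}
        forged_report = verify_manifest(root, forged, key)
    return clean, tampered, forged_report


if __name__ == "__main__":
    for label, rep in zip(("clean", "tampered", "forged"), demo()):
        print(label, json.dumps(rep))
```

Verification stops as soon as the seal fails, because a listing that can be rewritten by the attacker proves nothing about the files beneath it; only a listing that passes the HMAC check is used to judge the tree. The per-file report is what lets a restoration team keep the records that check out and quarantine the ones that do not, rather than discarding a whole back-up generation.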
| 2.21. | Cybersecurity now spans many worlds other than just software and connectivity. It also includes elements of physical systems as well as AI. Integration of assurance processes and mandated requirements such as in MDR, or the EU AI Act should be prioritised. |
| 2.22. | We recommend that sensitive data be placed, as far as possible, in sovereign European public medical clouds, with two- or three-step verification for data access by authorised persons. This also greatly helps to restore service quickly after a penetration of computer systems. |
Brussels, 18 June 2025.
The President
of the European Economic and Social Committee
Oliver RÖPKE
(1) Healthcare resource statistics – beds – Statistics Explained.
(2) Calculated as 13,1 million employees in 2021.
(3) For example, an analysis of six incidents in Portugal found a financial impact of between EUR 115 882,96 and EUR 2 317 659,11 for these few events alone; healthcare breach incidents in the US have an average cost of USD 10,1 million; and the WannaCry attack cost the UK National Health Service almost GBP 6 million.
(4) Belgium, 17 December 2024, DPA decision to fine a Belgian hospital EUR 200 000 for under-investment in cybersecurity resulting in a breach.
(5) 2022 Joint Declaration on Digital Rights and Principles for the Digital Decade – Chapter V: Safety, security and empowerment – A protected, safe and secure digital environment.
(6) Opinion of the European Economic and Social Committee – Forging a European Flagship Initiative for health (Own-initiative opinion) (OJ C, C/2025/105, 10.1.2025, ELI: http://data.europa.eu/eli/C/2025/105/oj).
(7) ENISA (2023) Threat landscape: health sector – targets.
(8) ENISA (2023) Threat landscape: health sector – threat actors and motivation, p. 18-23.
ISSN 1977-091X (electronic edition)