NIS2 in Healthcare: Hospitals and Outpatient Care

Practitioner note: This is not legal advice. For specific situations, consult a qualified attorney or compliance officer.

TL;DR

  • Hospitals, outpatient centers (MVZ), rehab clinics, care services from 50 employees and EUR 10M turnover
  • KRITIS hospitals (>30,000 inpatient cases per year) carry additional duties
  • Health data is GDPR Art. 9 special category: a NIS2 incident often triggers a parallel data-protection notification
  • Specific risk surface: medical-device cybersecurity, OR-room IT, lab information systems, patient apps
  • Audit cadence: KRITIS hospitals every 2 years

1. Who is in scope?

Hospitals, MVZ outpatient centers, rehabilitation clinics, and ambulatory care services qualify as essential entities once they exceed 50 employees AND EUR 10M turnover. KRITIS hospitals (more than 30,000 inpatient cases per year) carry additional KRITIS Ordinance duties on top of NIS2.

2. Dual regulation: NIS2 + KRITIS

KRITIS Ordinance Section 6 adds extra requirements for large hospitals, including biennial mandatory audits and stricter incident-reporting timelines. NIS2 (Section 30 BSIG) layers on top, not as a replacement.

3. GDPR Art. 9 sensitivity

Health data is GDPR Art. 9 special-category data. A NIS2 incident touching patient records typically triggers two parallel notifications: BSI under Section 32 BSIG and the data-protection authority under GDPR Art. 33 within 72 hours.

4. Specific measures

5. Supply-chain audit specifics

Prioritize medical-device manufacturers and cloud providers running the hospital information system (HIS / KIS). Patch SLAs, vulnerability-disclosure clauses, and incident-notification commitments are the must-haves in supplier contracts.

6. Penalties

Standard NIS2 fines (up to EUR 10M or 2% of global turnover) apply, with separate GDPR fines on top in case of personal-data breaches. Management liability under Section 38 BSIG attaches to the hospital's managing director or board.

Summary

Healthcare combines the highest data sensitivity with the most fragmented IT estate. The practical NIS2 program leans on ISO 27001 plus IEC 81001-5-1 for medical devices, with explicit dual-notification playbooks for cyber and GDPR.


Frequently Asked Questions

From how many employees are nursing homes affected?
From 50 employees and EUR 10 million turnover. Smaller homes are not in scope.

What fines apply?
Up to EUR 10 million or 2% of global turnover, as for all NIS2 entities, plus separate GDPR fines in the event of a personal-data breach.
