Digitalisation has fundamentally changed the way hospitals and clinic groups work in recent years. Today, core clinical processes, networked medical technology, management systems and external service providers are closely interlinked. This networking increases efficiency and opens up new possibilities in patient care, but at the same time entails considerable risks. Cyber attacks on medical facilities are steadily increasing, and hospitals are now among the preferred targets. High dependence on IT systems, sensitive patient data and very little leeway for system failures make these facilities particularly vulnerable.
The European NIS 2 Directive responds to this growing threat. It aims to significantly increase the resilience of critical facilities. For hospitals, this represents a paradigm shift: information security is no longer just an IT issue, but is becoming an integral part of corporate management. In future, management and executive boards will not only assume organisational responsibility, but will also have a personal duty to implement effective security measures and monitor compliance with them.
Hospitals as ‘essential entities’
According to NIS 2.0, hospitals and hospital groups are classified as ‘essential entities’. This applies regardless of ownership or size and includes public, non-profit and private providers. Larger hospital groups also fall within the scope of application without restriction.
Implementation in Germany is carried out via the NIS2 Implementation and Cybersecurity Strengthening Act (NIS2UmsuCG), which came into force on 6 December 2025. The aim is to establish an appropriate, effective and verifiable level of security in critical facilities. The primary focus is not on compliance with technical specifications, but on a systematic, risk-based approach that is actively managed by senior management. The focus is on identifying and assessing risks and minimising them with appropriate organisational and technical measures.
New obligations for company management
The NIS 2 Directive deliberately shifts responsibility from the IT department to management. Management can no longer rely on delegation, but must take control and oversight of information security itself. The central tasks can be divided into four core areas:
Firstly, clear governance and organisational structures must be created. This means that responsibilities must be clearly defined, sufficient human and financial resources must be provided, and information security must be integrated into existing management and control structures. An information security management system (ISMS) can be a proven tool for this, but the actual effectiveness of the measures is crucial.
Secondly, the focus is on continuous risk management. Hospitals must regularly identify and assess their cyber-related risks. The focus is not only on traditional IT systems, but also on core medical processes, networked medical technology and dependencies on service providers and software vendors. Management is responsible for ensuring that these risks are known and taken into account in all relevant decisions.
Thirdly, NIS 2.0 requires the implementation of preventive and resilience-promoting measures. Hospitals must not only work to prevent security incidents but also be prepared for them when they occur. This includes emergency and recovery concepts, backup and restore strategies, and rules for handling security incidents. Particular attention is paid to ensuring that patient care continues safely even in the event of IT failures.
Fourthly, monitoring, control and documentation of information security must be carried out systematically. Management should be regularly informed about the status of security measures, review structured reports, analyse key performance indicators and maintain comprehensible documentation. This documentation is not only relevant for day-to-day operations, but also essential as evidence towards regulatory authorities and as protection in the event of liability claims.
Personal liability risks
A key difference from previous regulations is the clear allocation of liability. NIS 2.0 provides for heavy fines in the event of violations and explicitly emphasises the responsibility of senior management. The decisive factor here is not the incident itself, but organisational negligence. Personal liability arises when known risks are ignored, no adequate security organisation is established, or supervisory and control obligations are violated. Anyone who does not actively manage the implementation of security measures or monitor compliance with them exposes themselves to considerable legal, economic and reputational risks.
Typical vulnerabilities in hospitals
Analyses show recurring patterns in many hospitals. Information security is often treated as a purely IT issue, responsibilities between IT, medical technology, data protection and management are unclear, and complex digitisation projects, such as those within the framework of the KHZG, are often understaffed. System landscapes that have grown over many years are in great need of modernisation, and management’s awareness of cyber risks is often insufficient. These weaknesses are predominantly organisational in nature and therefore fall squarely within the responsibility of management and the board of directors.
Recommendations for action for management
A pragmatic approach to implementing NIS 2.0 begins with clarifying who is affected and what their obligations are. Management must recognise information security as a core task and derive the corresponding requirements. Clear responsibilities should then be defined, both at management level and within the organisation. Next, an objective assessment of the security situation is needed to evaluate the organisation’s maturity. Based on this analysis, measures can be prioritised, focusing on critical risks and patient-relevant processes rather than technical details. Finally, transparency should be created through regular reporting and reliable documentation. This structured approach enables management to fulfil its responsibilities without getting bogged down in operational details.
Conclusion: Information security as an integral part of hospital management
NIS 2.0 makes it clear that information security is not an isolated project among many other tasks, but an integral part of responsible hospital management. Company management must actively manage risks, establish effective structures and document decisions in a comprehensible manner. Early action not only reduces legal and economic risks, but also strengthens organisational resilience and the safety of patient care. NIS 2.0 thus offers not only regulatory requirements, but also an opportunity to anchor information security sustainably in hospital management and to shape the digital transformation securely.
The experts at Adiccon support hospitals in implementing the requirements of the NIS 2 Directive in a practical manner and successfully integrating information security management into existing management and operational structures.