This week, Health-ISAC®'s Hacking Healthcare® examines a new report from the European Union Agency for Cybersecurity (ENISA) to assess what it says about the cybersecurity maturity and criticality of various sectors in the EU. We break down how the health sector measures up to other sectors and where ENISA thinks there is room for improvement.
As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of H-ISAC and receive the TLP Amber version of this blog (available in the Member Portal).
PDF Version: TLPWHITE Hacking Healthcare 3.14.2025
Welcome back to Hacking Healthcare®.
ENISA Launches NIS360 Report – Health Sector in the “Risk Zone” Despite Improvements
What is the NIS360 Report?
The NIS360 2024 report was published on March 5, and it “assesses the maturity and criticality of sectors of high criticality under the NIS2 Directive, providing both a comparative overview and a more in-depth analysis of each sector.”[i] The intent of NIS360 is to aid EU and member state-level entities in identifying areas for improvement and prioritization, and to facilitate the tracking of sector progress over time.
Methodology
The report is based on a variety of EU-level inputs (e.g. Eurostat) and survey participation from over 1,300 EU entities across 22 (sub)sectors, including 150 healthcare entities and 22 sector-specific or sector-agnostic national authorities with some relation to healthcare. It uses a refined version of the original NIS360 methodology, which plots each sector along the two dimensions of maturity and criticality.
This method was first piloted in 2023, and an explanation of the revised version used in this report can be found in Annex A. At a high level, NIS360 assesses a sector’s maturity and criticality as follows.
Maturity was measured along dimensions of:[ii]
- Operational Preparedness: Including the “level of preparedness of the sector to handle large-scale incidents and crises.”
- Collaboration and Information Sharing: Including the level of sharing within and between authorities and sector entities at the national and EU level.
- Policy Framework and Guidance: Including an evaluation of policy and legislative frameworks that “drive” cybersecurity objectives.
- Risk Management and Good Practices: Including “the level of understanding of cyber risks and steps taken towards their mitigation by sector entities, national authorities, and at the EU level.”
Criticality was measured along dimensions of:[iii]
- Socio-Economic Impact of Significant Incidents: Including the “potential socioeconomic impact in the event of a significant incident.”
- Dependency on ICT: Including how reliant sector entities are on ICT systems for their core functions and operations.
- Time Criticality: Including “how quickly the impact of a significant incident affecting the sector would be felt in society and the economy and/or impact to other sectors, taking into account the existence of alternatives and the time sensitivity of the sector’s operations.”
Non-Healthcare Key Findings
Before we get to the health sector specifically, it’s worthwhile to examine some of the key findings of other critical sectors that the health sector relies upon.[iv]
- Electricity, telecommunications, and banking were all rated as being significantly mature, befitting their criticality and the amount of “regulatory oversight, global investments, political focus, and robust public-private partnerships” they have been subject to.
- Digital infrastructure (e.g. internet services, cloud services, data centers, etc…) also rates highly in maturity, but has “challenges to navigate due to their inherent heterogeneity, cross-border nature, and the inclusion of previously unregulated entities within their scope.”
Health Sector Assessment
The health sector finds itself roughly in the center of the 22 sectors assessed along both axes. Because the health sector is one of six sectors judged to have a higher “criticality” score than “maturity” score, it has been placed in the “risk zone.” The report calls for these sectors to receive “extra attention to ensure their maturity gaps are addressed in a way that enables them to effectively deal with the added challenges posed by their respective criticality levels.”[v]
In terms of maturity, the health sector is placed well above sectors like public administration, oil, and drinking water, but well behind leaders like electricity, banking, and telecommunications. Maturity challenges include wide variations in how NIS is implemented across EU member states, numerous national authorities providing only basic support in terms of guidance and supervision, limited guidance on how to manage cyber risk, no comprehensive understanding of sector-wide risks at the EU-level, and a mixed level of operational preparedness.
However, on the positive side, the report does note the expectation that national authorities will grow their capacity, general approval of cyber risk management controls among the leadership of health entities, and a fairly well-established collaboration and information sharing environment.
In terms of criticality, the health sector was assessed as roughly equal to space, gas, and railways, and behind core internet, telecommunications, and ICT service management. Socioeconomic impacts were judged to be moderate, as incidents tended to be relatively confined to individual member states and to the health sector itself. Time criticality was assessed to be moderate due to the “relatively high tolerance before an outage escalates into a crisis.”[vi] The report also noted the likelihood of the criticality score increasing over time as ICT dependencies continue to grow.
Key Health Sector Challenges & Areas for Improvement
The key challenges identified by the report include:
- The “pressing” need to address the “disparity in understanding among sector entities of cyber risks facing them”, especially between large and small entities;
- The health sector’s “reliance on complex supply chains as well as its dependence on legacy systems and inadequately secured medical devices”;
- Inconsistent and inadequate levels of operational preparedness.
The report also outlined some key areas for improvement, including:
- A need to clarify the “interplay and synergies” between the various regulations and policy efforts that affect the health sector (NIS2, Medical Device Regulation (MDR), AI Act, Cyber Resilience Act (CRA), Cyber Solidarity Act (CSA), etc…);
- A need for the sector to engage in EU and member state level exercises to improve response capabilities; and
- A need to expand participation in information sharing and collaboration initiatives.
The health sector portion of the report is not particularly long, and we encourage members to review it for full details.
Action & Analysis
**Available with Health-ISAC Membership**
Sources
[i] https://www.enisa.europa.eu/sites/default/files/2025-03/ENISA%20-%20NIS360%20-%202024_0.pdf
[ii] https://www.enisa.europa.eu/sites/default/files/2025-03/ENISA%20-%20NIS360%20-%202024_0.pdf
[iii] https://www.enisa.europa.eu/sites/default/files/2025-03/ENISA%20-%20NIS360%20-%202024_0.pdf
[iv] https://www.enisa.europa.eu/sites/default/files/2025-03/ENISA%20-%20NIS360%20-%202024_0.pdf
[v] https://www.enisa.europa.eu/sites/default/files/2025-03/ENISA%20-%20NIS360%20-%202024_0.pdf
[vi] https://www.enisa.europa.eu/sites/default/files/2025-03/ENISA%20-%20NIS360%20-%202024_0.pdf
[vii] https://www.enisa.europa.eu/sites/default/files/2025-03/ENISA%20-%20NIS360%20-%202024_0.pdf