NIS2 in healthcare: building on the foundation of NEN 7510

With the introduction of NIS2, cybersecurity requirements across Europe are being significantly tightened. Healthcare organizations will also face stricter obligations related to risk management, incident reporting, governance and supply chain responsibility. At the same time, the sector has worked for years with NEN 7510 as the standard for information security. Rutger Fugers, cybersecurity expert at Kiwa, explains how NEN 7510 helps healthcare organizations comply with the new European requirements in a focused and demonstrable way.

One of the core principles of NIS2 is that organizations must implement appropriate and proportionate technical and organizational measures based on risk analysis. Rutger Fugers states: ‘This means that not only technical controls are required, but an integrated management system in which risks are identified, assessed and controlled. NEN 7510 is structured exactly in this way. The standard requires healthcare organizations to establish an Information Security Management System based on a risk-based methodology, including periodic evaluation and continuous improvement in line with the PDCA cycle.’

Risk-based approach

According to Fugers, the risk-based thinking required by NIS2 is not new for organizations that apply NEN 7510 seriously. ‘They are accustomed to analyzing threats, determining impact and prioritizing measures. This aligns seamlessly with the duty of care under NIS2.’ In addition to the management system, there is substantive overlap. NIS2 explicitly identifies several security domains, including incident management, access control, encryption, logging and monitoring, business continuity and supply chain security. ‘All of these topics are elaborated in NEN 7510-2, tailored to the healthcare context. This includes strict authorization controls around electronic patient records, logging of record access, encryption of sensitive data and continuity measures for critical healthcare systems.’

Fugers summarizes it concisely: ‘You can view it this way: NIS2 defines what must be achieved and NEN 7510 provides the framework to realize this in a structured and demonstrable manner.’ However, according to Fugers, this does not mean that NEN 7510 automatically guarantees full NIS2 compliance. ‘NIS2 is legislation and includes additional requirements, for example regarding reporting deadlines and management liability. Operationally, however, the overlap is substantial.’

Demonstrability and governance

An important emphasis in NIS2 is management accountability. Executives are explicitly responsible for compliance with cybersecurity requirements and may be held liable in cases of negligence. NIS2 also sets requirements for policy, documentation, internal controls and periodic evaluation. ‘NEN 7510 supports this governance structure,’ Fugers explains. ‘The standard requires formally approved policies, clearly defined roles and responsibilities, internal audits and management reviews. This creates a structured framework that provides management with insight into risks and control measures.’

According to Fugers, demonstrability is essential for supervisory authorities. ‘With a certified NEN 7510 management system, an organization can show that cybersecurity is not an isolated IT activity but an integral part of business operations.’ Certification is not legal proof of NIS2 compliance. ‘It does not replace formal assessment under the Cybersecurity Act. However, it serves as a strong indication that fundamental controls have been systematically implemented and independently assessed.’

Healthcare sector as essential entity

Many healthcare institutions will be classified under NIS2 as essential or important entities. This results in enhanced supervision and stricter enforcement. For these organizations it is relevant that NEN 7510 has for years been the established standard for information security in Dutch healthcare. ‘The healthcare sector has an advantage compared to other sectors,’ Fugers states. ‘Because NEN 7510 is already mandatory or contractually required, many institutions have structurally organized their information security. The step toward NIS2 is therefore often smaller than expected.’

This does not mean that additional actions are unnecessary. Organizations must explicitly assess where NIS2 goes further, for example regarding specific incident reporting timelines or the obligation to provide cybersecurity risk training for executives.

Supply chain responsibility

One of the most far-reaching elements of NIS2 is its emphasis on supply chain security. ‘Organizations must not only have their own security in order but also manage risks within the supply chain.’ According to Fugers, NEN 7510 already includes provisions on outsourcing, supplier assessment and contractual arrangements with processors. This provides a logical foundation for operationalizing supply chain responsibility.

‘Many healthcare organizations depend heavily on ICT suppliers, cloud providers and medical technology,’ Fugers explains. ‘NEN 7510 requires them to control those relationships. NIS2 makes this responsibility more explicit and legally stronger, but the starting point is already in place.’

From foundation to full compliance

The extent to which NEN 7510 contributes to NIS2 compliance is therefore significant. The standard covers a large portion of the operational and organizational requirements, provides a robust framework for risk management and supports governance and demonstrability. At the same time, NEN 7510 is not a one-to-one implementation of NIS2. Organizations are advised to perform a targeted gap analysis between their existing NEN 7510 implementation and the specific statutory obligations under NIS2.

‘Consider NEN 7510 a solid foundation,’ Rutger Fugers concludes. ‘If that foundation is in place, you do not need to start from scratch. Full NIS2 compliance does require a deliberate translation, in which legal, organizational and governance aspects are explicitly addressed.’ For healthcare organizations, this means that existing investments in information security not only contribute to patient safety and privacy protection, but also provide a strategic advantage in the new European cyber landscape.