Members of the NAT commission adopted a draft opinion on cybersecurity of hospitals and healthcare providers, led by rapporteur Daniela Cîmpean (RO/EPP), President of Sibiu County Council. The draft opinion underscores the urgent need for comprehensive measures to counter rising cyber threats, advocates for greater involvement of regional and local authorities in shaping cybersecurity strategies and calls for enhanced cyber hygiene and training across the healthcare sector.
Cimpean said “We protect lives not only in operating rooms, but also across the digital networks that support our medical infrastructure. A cyberattack can delay diagnosis, disrupt care, and in the worst cases, cost lives.”
Daniela Cimpean welcomed the EU’s Action Plan as a much-needed and comprehensive step forward—one that recognizes not just infrastructure and technology, but also the people, skills, and coordination required to make our health systems truly resilient.
The key challenges are: unequal digital maturity across Member States underfunded, outdated systems, lack of trained personnel, weak coordination across government levels, financial sustainability of proposed actions. The opinion highlights the vital role of regional and local governments in reinforcing cybersecurity and calls for their full inclusion in national and EU-level planning. Notable proposals include:
- Involving local and regional authorities in the design and implementation of national cybersecurity strategies for health, recognising that hospital governance is decentralised in two-thirds of Member States.
- Establishing Regional Cybersecurity Support Centres, tailored to the specific needs of hospitals and care providers on the ground, to bridge the gap between national frameworks and local realities.
- Creating networks of support and training hubs to build digital and cybersecurity capacities at the regional level, especially for public hospitals operating under resource constraints.
- Clarifying funding access for regional and local entities within EU programmes like EU4Health and Digital Europe, to ensure targeted investments in digital transformation.
- Promoting staff-wide cyber hygiene through mandatory training and awareness-raising for all healthcare personnel—not just IT professionals—with support from regional education and vocational institutions.
- Encouraging procurement processes at the regional level that are aligned with cybersecurity standards, reducing risk across hospital supply chains and service contracts.
The opinion is scheduled for adoption during the next plenary session of the CoR in July.
