“Cybersecurity in healthcare is not just a technical issue, but a matter of local, regional, national, and European security. We are concerned by the absence of the regional and local level in the action plan proposed by the Commission, even though hospitals are managed regionally or locally in two-thirds of member states. We call for the full involvement of local and regional authorities, clarity regarding digitalization funding, and access for regional experts to European cybersecurity networks. Protecting hospitals is an investment in citizens' trust and the democratic resilience of the European Union.” Daniela Cîmpean (RO/EPP), President of Sibiu County Council, made these remarks when presenting her opinion at the CoR plenary.
In her opinion Cîmpean calls on EU member states to fully involve cities and regions in the development and implementation of cybersecurity strategies to protect healthcare systems.
The call, which is contained in an opinion adopted by the European Committee of the Regions, stresses the urgent need for comprehensive measures to counter rising cyber-threats and argues for enhanced practices and procedures to maintain the health and security of IT systems and for increased training across the healthcare sector.
In the opinion, Daniela Cîmpean argues that cyber-security in healthcare is not just a technical issue, but also a local, regional, national and European security issue, warning that hospitals could become a target for malevolent actors in a period of heightened geopolitical tensions.
Cyber-attacks on healthcare systems and other healthcare providers risk delaying treatment, disrupting emergency services, and eroding patients’ trust.
Cîmpean also called on those Member States that have yet to transpose the EU’s Critical Resilience Directive into national law to do so immediately. The directive came into force in 2023. In her opinion, Cîmpean urged the European Commission to initiate infringement procedures against any country that did not respect the deadline (17 October 2024).
The recommendations also call for greater attention to the local and regional level, urging the European Commission to provide greater clarity about funding to support actions by the local and regional authorities to strengthen their digital systems in the healthcare sector and pressing the Commission and Member States to ensure that experts nominated by regional authorities are welcome in the network of European Chief Information Security Officers.
Hospitals and healthcare systems are facing increasing threats, particularly from ransomware hackers that attack them for financial gain. Over the past four years, the healthcare sector has become the most attacked industry in the EU, according to data from the European Commission.
A survey by the EU Agency for Cybersecurity (ENISA), published in 2024, found that only a quarter of companies in the health, education and social-care sector had provided training or awareness-raising about cybersecurity in the previous 12 months.
Digitalisation of healthcare has reached a point where, according to the eHealth Indicator Study, almost 80% of EU citizens have online access to their electronic health records in primary care.
Background
- Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions: European action plan on the cybersecurity of hospitals and healthcare providers, COM(2025) 10 final