As a 250-bed hospital, are we affected by NIS-2?

Most likely yes. Annex I of the German NIS-2 implementation act covers healthcare facilities as essential entities from 250 employees or 50 million euros annual revenue. With more than 30,000 inpatient cases per year, the German KRITIS regulation adds up. The legally binding evaluation remains a matter for counsel.

How does §75c SGB V relate to NIS-2?

§75c SGB V has required sector-specific security standards (B3S Krankenhaus) for KRITIS hospitals since 2022. NIS-2 is a general law with minimum measures, B3S Krankenhaus is sector-specifically more concrete. In practice they overlap largely. The platform maps both control sets together.

How do we handle medical devices without update capability?

Legacy medical devices without patch capability are common. NIS-2 requires appropriate measures at the state of the art. Compensating controls (network segmentation, monitoring, restricted connectivity) are accepted. Documented risk acceptance instead of sweeping under the rug. On patient safety impact the MDR manufacturer must be notified.

What happens in a hospital ransomware case?

Multiple escalation paths: BSI within 24 hours, data-protection authority on data breach, KRITIS report to BSI under §8b BSIG, hospital supervisor at state level, MDR manufacturer on device involvement. Plus patient-safety triage (ensure emergency care). The platform supports with documented reporting paths inventory.

What does NIS-2 and KRITIS preparation cost?

For a 250- to 500-bed hospital, typically 16 to 24 weeks for audit-ready NIS-2 readiness, depending on KRITIS status, IT modernisation level and number of sites. Platform licence and onboarding project scale by size. The specific indication comes from the risk check.

NIS-2 for healthcare

Healthcare is Annex I. Plus MDR. Plus GDPR.

Annex I of the German NIS-2 implementation act covers healthcare facilities, laboratories, pharma manufacturers and medical device makers as essential entities. MDR (medical device regulation) and GDPR with special patient-data protection add up. The Cybervize platform covers ISMS, BCM and supplier risk in one solution.

Book the NIS-2 risk check

Cybervize Platform maturity report per ISO 27001 as evidence of cross-industry consulting expertise

What NIS-2 means in practice for healthcare

Hospitals with 30,000+ inpatient cases per year qualify as KRITIS operators and fall under NIS-2 Annex I as „essential entity"; medical-device manufacturers and health-IT providers fall under Annex I or II depending on activity, plus MDR cybersecurity requirements. Four consequences of this classification for hospitals, labs and parts of the pharma sector. Sector alone is not enough: pharma manufacturers and medical-device manufacturers fall under different rule sets (NIS-2 Annex I/II, MDR, AMG); the actual classification depends on activity and size thresholds. The legally binding evaluation remains a matter for specialised counsel.

01 · Scope

Essential entity with proactive BSI supervision

Annex I means the highest sanction tier and active BSI supervision. Cyber incidents touching patient data carry double reporting obligations: BSI under NIS-2 plus data-protection authority under GDPR.

02 · Scope

Medical devices with IT interfaces in scope

Medical devices with IT interfaces (imaging, lab equipment, connected implants) fall under MDR plus NIS-2. Manufacturers additionally have post-market surveillance obligations. Hospitals carry user obligations.

03 · Scope

KRITIS regulation for large facilities

Hospitals with more than 30,000 inpatient cases per year fall under the German KRITIS regulation. Obligations under BSI standards and security audits add up.

04 · Scope

Patient-data protection under GDPR special categories

Health data are special categories under Art. 9 GDPR. Processing requires specific legal grounds. A cyber incident with a data breach triggers tightened reporting obligations and higher GDPR sanction risks.

Five minimum measures with healthcare examples

Five NIS-2 minimum measures per §30, translated for healthcare practice.

Risk analysis with medical-device context

Risk register separating office IT, clinical IT (HIS, RIS, PACS) and medical devices but tying them together. Patient safety risks from cyber incidents classified separately.

Supply chain security for medical devices

Supplier inventory with medical-device manufacturers, MDR status, cybersecurity bill of materials (CBOM) for connected devices, agreements on patches and vulnerability disclosure.

Cryptography for patient data

Patient data encrypted at rest and in transit, key management per §75c SGB V (sector requirements for healthcare), clinical backups in a dedicated security zone.

Incident response with patient impact

Incident response plan distinguishing pure cyber incidents from incidents with patient safety impact. Escalation to BSI, data-protection authority, hospital supervisor. MDR manufacturers additionally notify BfArM.

Business continuity for clinical care

BCM plan with patient safety as the top priority. Fall-back processes for HIS outage (paper records, manual workflow), emergency care during ransomware. Restart sequence documented.

Cybervize building blocks for healthcare

The Cybervize platform covers ISMS, BCM, assessment and supplier risk in one solution. For healthcare, KRITIS reporting and medical-device risk modules are additionally relevant.

Service 01

NIS-2 risk check

Free 30-minute initial call with an indicative NIS-2 classification, top-5 gaps and a path recommendation.

Learn more Service 02

Cybervize platform

ISMS, compliance and evidence from a single platform. Multi-entity, multi-country, AI-supported.

Learn more Service 03

Virtual CISO

Platform plus permanent CISO function. For organisations without an in-house CISO.

Learn more Service 04

NIS-2 onboarding project

Gap assessment, roadmap, implementation via the platform. Fixed price from 4,500 euros.

Learn more

Self-check available

NIS-2 maturity check: 30 questions, 10 §30 BSIG measures, instant traffic light

Free, no signup, around 5 minutes. Detailed evaluation by email if desired.

Start the check

Why Cybervize fits healthcare

Industry experience in healthcare and KRITIS from 25 years of ISMS practice at PwC, Deloitte and KPMG. Hospital mandates and medical-device manufacturers part of the methodology. ISO 27001 Lead Auditor since 2006.

KRITIS: BSIG and KRITIS regulation coverage
MDR: medical-device interface
§75c SGB V: healthcare sector requirements
2006: ISO 27001 Lead Auditor since

Frequently asked questions from healthcare

Classify NIS-2 for healthcare in 30 minutes

Free risk check with indicative NIS-2 classification, KRITIS threshold indicator and path recommendation. Ideally with IT leadership or data protection officer plus management board present.

Book the NIS-2 risk check

Memberships, programmes and partnerships

Content last reviewed: May 18, 2026

Healthcare is Annex I. Plus MDR. Plus GDPR.

Book the NIS-2 risk check

What NIS-2 means in practice for healthcare

Healthcare is Annex I. Plus MDR. Plus GDPR.

What NIS-2 means in practice for healthcare

Essential entity with proactive BSI supervision