Belgian healthcare facilities, as essential entities, are subject to the most stringent NIS2 obligations. Hospitals, laboratories and large pharmacy groups must be certified through CyberFundamentals or ISO 27001 by April 18, 2027. At the same time, the combination of patient data, medical IoT and 24/7 availability makes the healthcare sector particularly vulnerable to cyberattacks. Flemish grants cover up to 50% of the cost of external cybersecurity expertise.
The healthcare industry is digitizing at a rapid pace. Electronic patient records, connected medical devices and telemedicine platforms are making healthcare more efficient, but at the same time significantly increasing the attack surface. Meanwhile, NIS2 and the GDPR place increasingly stringent requirements on the security of sensitive health data. For healthcare IT managers and executives, the question is no longer whether cybersecurity deserves attention, but how to address it with limited resources and maximum continuity. The good news: the Flemish and federal governments support healthcare institutions with substantial subsidies and budgets.
Which healthcare facilities are covered by NIS2?
Healthcare institutions are among the sectors classified as essential or important by the Belgian NIS2 law (law of April 26, 2024). That means mandatory monitoring, incident reporting and conformity assessment. The classification depends on the type of institution and the size of the organization.
Almost all Belgian general and university hospitals qualify as essential entities because of their size (generally more than 250 employees) and their critical social function. They fall under the strictest supervisory regime. Reference laboratories that provide critical services to public health share that classification.
Pharmacy groups, home care organizations and residential care centers fall under NIS2 as important entities once they exceed the thresholds: more than 50 employees or more than €10 million in annual revenue. Larger groups such as Multipharma are explicitly in scope. Medical device manufacturers also fall under the law when their products are considered critical.
Smaller GP practices and individual pharmacies are in principle outside the direct scope. But the so-called “oil slick effect” (knock-on effect) reaches them as well: larger entities must ensure supply chain security under NIS2. That means hospitals and pharmacy groups will impose contractual security requirements on smaller partners. You can read more details about NIS2 obligations and deadlines in our complete NIS2 guide.
The five cyber threats that make healthcare organizations especially vulnerable
The healthcare sector combines technical and organizational characteristics that together create a unique risk profile. Belgian healthcare organizations faced an average of 2,620 cyber attacks per week per institution. Five factors explain why the sector is so attractive to attackers.
Medical IoT and legacy systems. Infusion pumps, MRI scanners, CT scanners and pacemakers are increasingly connected to the hospital network. Many of these devices run on outdated operating systems that no longer receive security updates. Patching is often impossible without invalidating the device’s medical certification. Hardware or software vulnerabilities play a role in 80% of healthcare incidents, often because medical devices are not segmented from the office network. This is similar to OT issues in the manufacturing industry, but with an added dimension: a hacked infusion pump directly affects patient safety.
The value of health data. Patient data is worth up to 50 times more on the dark web than financial data. The reason is simple: you can block a credit card, but your medical history, genetic information and chronic conditions are permanent. That makes health data highly suitable for identity fraud, insurance fraud and long-term extortion. By 2025, data breaches accounted for 28% of all cyber incidents in the European healthcare industry.
24/7 availability as vulnerability. Hospitals cannot simply take their systems offline for maintenance or updates. That permanent availability requirement gives attackers a means of pressure: they know a hospital is more likely to pay to restore patient care.
The human factor under work pressure. Healthcare personnel work under high time pressure, with immediate patient care always a priority. Shared workstations at nursing stations, open sessions during shift changes and remote access for specialists increase the risk of phishing and account abuse. Research shows that 60% of initial access in healthcare cyberattacks is via phishing.
Changing access patterns. Doctors, nurses, interns, outside specialists and maintenance technicians all require different levels of access, often at varying times. Without automated identity and access management, gaps inevitably arise.
Recent cyberattacks on healthcare facilities: lessons for Belgium
The impact of cyber attacks on healthcare facilities is not a theoretical risk. Recent incidents in Belgium and Europe show the direct impact on patient safety.
On Jan. 13, 2026, ransomware hit AZ Monica in Antwerp. The IT department detected the problem at 6:30 a.m. and decided to preemptively shut down all servers to prevent further spread. The result: more than 70 surgical procedures canceled, seven critical patients transferred to other hospitals, and MUG (mobile emergency team) and PIT (paramedic intervention team) services temporarily taken over by neighboring hospitals. Electronic patient records and medical imaging were inaccessible for days. Recovery took weeks; employees only regained access to patient records three weeks after the attack.
AZ Monica is not alone. In November 2023, CHC Montlégia in Liège was hit by an attack whose recovery took more than four months. In March 2024, the medical data of 50,000 Belgians was leaked through the platform Medicheck. And in April 2026, ransomware struck software provider ChipSoft, forcing several hospitals to take their patient portals offline. This latest incident illustrates an important point: even an attack on your software vendor can directly affect your healthcare delivery.
At the European level, ENISA reports confirm that healthcare has been the most affected sector for four consecutive years. Ransomware dominates with 54% of all incidents, in 43% of which data is also effectively stolen (double extortion). The median cost of a major security incident in healthcare is estimated at €300,000, but can reach €5 million for large hospitals.
The lesson is clear: a cyber attack on a hospital is not an IT problem. It is a patient safety problem. When electronic health records are inaccessible, doctors miss crucial information about medications, allergies and history. That leads to delays, errors and, at worst, harm to patients. Learn more about how to respond when things do go wrong in our article on the first 7 steps after a cyberattack.
NIS2 and GDPR in healthcare: the double duty of notification in the event of a data breach
Healthcare facilities that face an incident involving patient data fall under two reporting regimes simultaneously. That makes the legal complexity in healthcare greater than in almost any other sector.
Under the GDPR, you must report a data breach to the Data Protection Authority (GBA) within 72 hours. Under NIS2, an even tighter deadline applies: an early warning within 24 hours to the CCB, followed by a full report within 72 hours and a final report within one month. The two reports go through different channels and serve different purposes. The GDPR focuses on the protection of privacy and the rights of data subjects. NIS2 focuses on the protection of services and infrastructure.
In practice, this means that your DPO (Data Protection Officer) and your CISO or NIS2 officer must act simultaneously on every incident. Patient data also falls under the “special categories of personal data” of Article 9 of the GDPR. That makes the reporting requirements more stringent and the potential fines higher: up to €20 million or 4% of global revenue under the GDPR, on top of NIS2 penalties.
An additional concern in healthcare is retention periods. Medical records in Belgium must be kept for 30 to 50 years after the last patient contact. That legal retention requirement takes precedence over the GDPR right to be forgotten (right to erasure), but places enormous demands on the long-term security of digital records. Protecting 30 years of patient data requires a structural approach, not a one-time investment.
Concrete security measures for healthcare facilities
The CyberFundamentals (CyFun) framework provides the structure to concretely implement NIS2 obligations. For hospitals as essential entities, the Essential level is relevant, with 140 to 200 controls. The measures translate into five priorities specific to the healthcare sector.
Network segmentation of medical devices. Medical IoT devices (infusion pumps, ventilators, imaging systems) should be isolated from the office network and guest Wi-Fi. This prevents a visitor’s or employee’s infected laptop from communicating with critical medical equipment. Network segmentation is the most effective measure to limit lateral movement of attackers, as the AZ Monica incident painfully illustrated.
Tailored identity and access management for healthcare. The diversity of users in a hospital (doctors, nurses, interns, remote technicians) requires automated user management based on the “least privilege” principle. Multifactor authentication (MFA) must be active on all external connections and access to critical systems. The CCB directive n° 1/2025 explicitly requires this.
Immutable backups. Backups must be kept independent of the primary network and protected from modification. This is the only effective guarantee of recovery after ransomware. Organizations with tested, offline backups are significantly less likely to pay ransom and recover faster. Learn more about the cost and impact of ransomware in our article on ransomware costs for SMBs.
Awareness training tailored to healthcare personnel. Standard phishing training is not enough in a healthcare environment. Training should be short, relevant and tailored to daily practice: how do you recognize a suspicious emergency request? What do you do when you receive a suspicious message while standing with a patient? The frequency should be monthly, not annually.
Incident response plan with clinical component. A digital crisis preparedness plan is mandatory under NIS2. In healthcare, that plan must go beyond IT recovery: it must also include fallback (downtime) procedures for when IT systems are unavailable, arrangements with neighboring hospitals for patient transfer, and a communication protocol for patients and staff. Regular simulations are essential.
VLAIO grants and federal budgets for healthcare cybersecurity
The financial threshold for NIS2 compliance is lower than many healthcare institutions think. Both the federal and Flemish governments provide substantial support.
Federal hospital budgets. As of 2025, the FPS Public Health provides for a structural annual budget of €15.6 million for cyber resilience in hospitals. Of this, 80% will go to institution-specific projects (risk assessments, network security, identity management) and 15% to sector-wide initiatives. Additionally, in 2024, a one-time amount of €39.5 million was distributed to hospitals to facilitate the first step toward NIS2 compliance.
VLAIO grants for SMEs and VZWs. Pharmacies, laboratories and home care organizations structured as SMEs or VZWs (non-profit associations) can apply for the VLAIO cybersecurity improvement programs: 50% subsidy on external expertise for SMEs and sheltered employment companies (maatwerkbedrijven, including VZWs). Larger enterprises covered by NIS2 receive a 35% intervention. Packages range from €7,100 to €39,900.
Since February 1, 2026, the VLAIO SME portfolio has been reserved exclusively for cybersecurity advice. Small businesses get back 45%, medium-sized ones 35%, with an annual ceiling of €7,500. So a €5,000 cybersecurity audit will cost only €2,750 for a small healthcare organization after the grant.
Investment Deduction. Companies can deduct 10% to 40% of their investments in digital security systems from their taxable profits.
The message is clear: don’t wait until budgets run out. The combination of federal funds and Flemish subsidies makes it possible to invest in a structural approach now, instead of paying for the consequences of an incident later.
Frequently asked questions about cybersecurity in the healthcare industry
Is my healthcare facility covered by NIS2?
Hospitals with more than 250 employees fall under the most stringent NIS2 obligations as essential entities. Pharmacy groups, home care organizations and residential care centers with more than 50 employees or more than €10 million in revenue fall into scope as important entities. Smaller practices are indirectly affected through supply chain requirements.
What is the deadline for the NIS2 compliance assessment for hospitals?
Essential entities, including most hospitals, must submit an initial conformity assessment (CyFun Basic or Important level) by April 18, 2026. Full certification at the target level must be completed by April 18, 2027. Learn more about this process in our article on the NIS2 conformity assessment.
Should I notify both the GBA and the CCB in the event of a data breach?
Yes, in an incident involving patient data, two reporting regimes apply simultaneously. Under the GDPR, you report to the GBA within 72 hours. Under NIS2, you send an early warning to the CCB within 24 hours, followed by a full report within 72 hours and a final report within one month.
What grants exist for cybersecurity in the healthcare sector?
Hospitals receive federal budgets through the FPS Public Health (€15.6 million structural per year). Smaller healthcare organizations can apply for VLAIO improvement projects (50% subsidy) and the SME portfolio (45% subsidy on cybersecurity advice). There is also an investment deduction of 10% to 40%.
How do I protect medical devices that cannot be patched?
Network segmentation is the key measure: isolate medical IoT devices in a separate network segment that is separated from office and guest networks. Combine this with monitoring for anomalous network traffic and strict access control for maintenance technicians.
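The segmentation measure and the monitoring advice above only help if someone checks that the policy holds in practice. The following script is an added example, not Cyberplan's tooling: it checks constructed flow records (timestamp, source, destination, port, protocol; all addresses and segment names are hypothetical) against a policy in which only clinical servers and a maintenance jump-host range may talk to the medical-device segment, and flags everything else, including medical devices reaching out to unknown addresses.

```python
"""Check flow records against a medical-device segmentation policy (constructed example)."""
from ipaddress import ip_address, ip_network

# Hypothetical segment layout; addresses are constructed for this example.
SEGMENTS = {
    "medical": ip_network("10.20.0.0/24"),           # infusion pumps, imaging, ventilators
    "clinical_servers": ip_network("10.30.0.0/24"),  # PACS, EHR application servers
    "maintenance": ip_network("10.99.0.0/28"),       # vendor technician jump hosts
    "office": ip_network("10.10.0.0/24"),            # administrative workstations
    "guest": ip_network("192.168.50.0/24"),          # visitor Wi-Fi
}

# Policy: (source segment, destination segment) pairs allowed to initiate connections.
# Any flow touching "medical" that is not listed here is a violation.
ALLOWED = {
    ("medical", "clinical_servers"),   # e.g. DICOM to PACS
    ("clinical_servers", "medical"),   # e.g. worklist pushes to modalities
    ("maintenance", "medical"),        # technician access via jump host only
    ("office", "clinical_servers"),    # staff using the EHR front end
}

def segment_of(ip):
    """Map an address to its segment name, or 'unknown' (e.g. Internet)."""
    addr = ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unknown"

def parse_flow(line):
    """Constructed record format: '<timestamp> <src_ip> <dst_ip> <dst_port> <proto>'."""
    ts, src, dst, dport, proto = line.split()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport), "proto": proto}

def find_violations(lines):
    """Return (timestamp, (src_segment, dst_segment), src, dst, dport) for each policy breach."""
    violations = []
    for line in lines:
        if not line.strip():
            continue
        flow = parse_flow(line)
        pair = (segment_of(flow["src"]), segment_of(flow["dst"]))
        if "medical" in pair and pair not in ALLOWED:
            violations.append((flow["ts"], pair, flow["src"], flow["dst"], flow["dport"]))
    return violations

# Constructed sample flows: office->pump (SMB), pump->PACS (DICOM), guest->pump (SSH),
# jump host->pump (SSH), pump->public DNS resolver (HTTPS).
SAMPLE_FLOWS = """\
2026-03-01T06:12:01 10.10.0.45 10.20.0.17 445 tcp
2026-03-01T06:12:03 10.20.0.17 10.30.0.5 104 tcp
2026-03-01T06:12:09 192.168.50.8 10.20.0.17 22 tcp
2026-03-01T06:13:00 10.99.0.3 10.20.0.17 22 tcp
2026-03-01T06:13:30 10.20.0.21 8.8.8.8 443 tcp
""".splitlines()

if __name__ == "__main__":
    for v in find_violations(SAMPLE_FLOWS):
        print("VIOLATION", *v)
```

Running it reports the office, guest and outbound-to-Internet flows as violations while the DICOM and jump-host flows pass; the same check can be fed exported firewall or NetFlow records once the segment table matches your own addressing.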
Specifically, how do I begin NIS2 compliance in my healthcare facility?
Start with a cybersecurity audit to establish your current level of security. This provides a concrete gap analysis and roadmap. From there, choose the right framework (CyFun or ISO 27001) and work through the priorities in a focused way. Cyberplan conducts audits and pen tests that take into account the 24/7 availability and specific system architecture of healthcare organizations.
Want to know where your healthcare facility stands on cybersecurity? Cyberplan combines technical depth with an understanding of the healthcare context. From security audits to pen tests on medical networks, we take into account the 24/7 availability and sensitivity of patient data. Schedule a no-obligation consultation and find out how to structurally protect patient data and business continuity.