Implementing NIS2 Responsibilities in Healthcare

A single click on a malicious email attachment can be enough to bring an entire hospital's operations to a halt. Attacks on clinics in recent years have repeatedly shown how vulnerable healthcare is. The EU NIS2 Directive therefore requires clear responsibilities: from the boardroom to IT support, it must be clear who plays which role in an emergency.

Responsibilities under Articles 20 and 21 NIS2

NIS2 obliges entities in critical sectors, including healthcare, to implement structured risk management. Article 21 of the Directive requires, among other things: policies on risk analysis and information system security, incident handling, business continuity (backup management, disaster recovery and crisis management), supply chain security, policies on the use of cryptography and, where appropriate, encryption, basic cyber hygiene practices and cybersecurity training, and multi-factor authentication where appropriate. Crucially, Article 20 makes the management bodies themselves accountable: they must approve the risk-management measures, oversee their implementation, undergo cybersecurity training, and can be held liable for infringements. Cybersecurity is no longer just an IT task.

ECSF as a practical tool: Roles and profiles

The European Cybersecurity Skills Framework (ECSF) by ENISA defines twelve role profiles that serve as a blueprint for implementing NIS2 obligations. The ENISA guide “Mapping NIS2 Obligations with ECSF Role Profiles” (2025) details which tasks can be assigned to which roles. These include:

Chief Information Security Officer (CISO): Overall responsibility for strategy, security policies, and crisis management.

Cyber Incident Responder: Rapid response to attacks, coordination with internal teams and external authorities, fulfillment of reporting obligations under Article 23 (early warning within 24 hours of becoming aware of a significant incident, incident notification within 72 hours, final report no later than one month after the incident notification).

Cyber Legal, Policy & Compliance Officer: Ensuring regulatory compliance, documentation and reporting, raising management awareness of liability issues.

Cybersecurity Architect: Designing secure system architectures, segmenting hospital networks, protecting medical devices and sensitive data.

Case study: Cyberattacks on hospitals

In recent years, cyberattacks have repeatedly hit hospitals in Europe. In 2024, an attack on the Synnovis laboratory service provider in London disrupted several hospitals—over 1,600 operations and treatments had to be postponed (The Guardian, NHS England). And in summer 2025, hospital operator Ameos was forced to shut down IT systems in multiple facilities (The Register). These cases show: without defined roles and clear reporting chains, hospitals risk not only organizational breakdown but also lives.

Swiss perspective: Reporting obligation since 2025

Switzerland is not bound by NIS2, but since April 1, 2025 it has had a legal reporting obligation under the Information Security Act (ISG) for cyberattacks on critical infrastructure. The Federal Office for Cybersecurity (BACS) requires an initial report within 24 hours of discovering the attack, supplemented by detailed information within 14 days. Here, too, roles such as Incident Responder or Compliance Officer must be defined in advance to meet these deadlines. Switzerland is thus drawing consequences from the rising number of attacks on its healthcare and supply structures.

Implementation in practice

Hospitals and SMEs in healthcare are well advised to create a security organization chart based on the ECSF. Who handles incident reporting? Who manages supplier reviews? Who trains staff? In smaller organizations, one person may cover multiple roles; in larger institutions, dedicated functions are required. The key is not the job title but that responsibilities are clearly documented and carried out.

Conclusion

NIS2 responsibilities in healthcare must be anchored in the organization and actively practiced. The ECSF provides a practical framework that helps map obligations to concrete roles. Hospitals, laboratories, and practices thereby gain clarity, faster response capability, and stronger compliance assurance.

CISO as a Service – Your next step

Those who want to reliably meet NIS2 obligations need clear responsibilities and tested processes. With our CISO as a Service offering, we provide you with experienced security experts who flexibly support your organization: from developing a security strategy to implementing governance and risk processes, through to crisis support when it matters most.

This way, you benefit from the same expertise as with an internal CISO—within a model tailored to your structure and budget. Contact us for a non-binding conversation and learn how to fulfill your NIS2 obligations pragmatically and effectively.

Key take-away – Define roles clearly

Create a security organization chart based on ECSF, define clear responsibilities, and rehearse emergency scenarios. Only those who set roles in advance can respond quickly and in compliance during an attack.
