When hours can decide between life and death: hospitals are particularly vulnerable to cyberattacks – the availability of critical services is not a luxury but a duty.
Article 23 reporting obligations for hospitals – what is at stake
The Article 23 reporting obligations for hospitals are strict: the EU NIS2 Directive requires “essential and important entities” to report significant security incidents in stages — an initial notification, a detailed report and a final report, each within a fixed deadline. For hospitals this means that an IT outage in surgical planning, data loss in a laboratory or a cyber incident in core infrastructure can trigger a mandatory report to the national CSIRT or the competent security authority. Switzerland is introducing similar reporting obligations for critical infrastructures and healthcare providers; the relevant regulations are currently being drafted or entering into force. (BSI information package on NIS-2 reporting obligations)
The ENISA Health Threat Landscape Report
The ENISA report “Health Threat Landscape” (covering January 2021 to March 2023) is clear: 53% of all reported incidents in the health sector affected healthcare providers, including hospitals, dental practices and nursing facilities. Ransomware accounts for more than half of these cases, alongside incidents that undermine data security and service availability. (ENISA Health Threat Landscape Report)
Case study: Barcelona – hospital operations under pressure
In March 2023, a hospital in Barcelona had to cancel numerous surgeries and postpone thousands of outpatient consultations after a cyberattack compromised its systems. The attack delayed patient care and administrative processes; clear reporting channels and emergency plans, however, helped contain the damage. (ICT&Health – ENISA warns of hacktivism)
Case study Switzerland: hospital networks at risk?
In Switzerland, too, there are clear signs that healthcare providers are increasingly being targeted; the ENISA report lists Swiss incidents among the cases it reviewed. While no major hospital was shut down completely, smaller IT disruptions in clinical networks led to outages in specialized departments. These cases show why hospitals must test their reporting structures (internal and external) and emergency plans — including those of their supply chain and third-party providers.
Practice: implementing Article 23 reporting obligations for hospitals
A practical approach to Article 23 reporting obligations for hospitals consists of several steps:
1. Predefined incident templates: initial notification, interim report and final report with clear fields (when, what, who was affected, impact, number of users affected).
2. Defined responsibilities: clear internal roles for who authorizes the report and who manages communication (internal, authorities, affected parties).
3. Early warning systems: monitoring tools, automated alerts, available logs and vulnerability scans that enable fast detection and assessment of incidents.
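As an added illustration of steps 1 and 2 (not code from the original article), the following tracker models one incident against the three-stage Article 23 timeline and checks the template fields listed above for completeness. The deadlines are the directive's own (Art. 23(4): early warning within 24 hours of becoming aware, incident notification within 72 hours, final report one month after the notification); the 30-day approximation of "one month", the field names and the sample incident are assumptions made here.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# NIS2 Article 23(4) deadlines; "one month" is approximated as 30 days here.
EARLY_WARNING = timedelta(hours=24)
INCIDENT_NOTIFICATION = timedelta(hours=72)
FINAL_REPORT = timedelta(days=30)

# Template fields from step 1 (names chosen here, not prescribed by the directive).
REQUIRED_FIELDS = ("when", "what", "who_affected", "impact", "users_affected")

@dataclass
class Incident:
    aware_at: datetime                       # moment the hospital became aware
    notified_at: Optional[datetime] = None   # when the 72 h notification was filed
    details: Dict[str, str] = field(default_factory=dict)

    def file_notification(self, at: datetime) -> None:
        """Record the incident notification; this starts the final-report clock."""
        self.notified_at = at

    def deadlines(self) -> Dict[str, datetime]:
        """Due times for each Article 23 stage known so far."""
        due = {
            "early_warning": self.aware_at + EARLY_WARNING,
            "incident_notification": self.aware_at + INCIDENT_NOTIFICATION,
        }
        if self.notified_at is not None:   # final report counts from the notification
            due["final_report"] = self.notified_at + FINAL_REPORT
        return due

    def missing_fields(self) -> List[str]:
        """Template fields still empty; a report should not go out with gaps."""
        return [f for f in REQUIRED_FIELDS if not self.details.get(f)]

    def overdue(self, now: datetime) -> List[str]:
        """Stages whose deadline has already passed at `now`."""
        return [stage for stage, due in self.deadlines().items() if now > due]

def sample_incident() -> Incident:
    """Constructed sample: ransomware in the laboratory system, noticed at 02:15 UTC."""
    return Incident(
        aware_at=datetime(2024, 3, 10, 2, 15, tzinfo=timezone.utc),
        details={"when": "2024-03-10T02:15Z", "what": "ransomware on lab LIS",
                 "who_affected": "laboratory department", "impact": "results delayed"},
    )

if __name__ == "__main__":
    inc = sample_incident()
    print({k: v.isoformat() for k, v in inc.deadlines().items()})
    print("missing fields:", inc.missing_fields())   # users_affected not yet counted
    print("overdue at 72 h mark:", inc.overdue(inc.deadlines()["incident_notification"]))
```

The `missing_fields` check is the gate before the report is released by the role defined in step 2; `overdue` is what a monitoring job would raise to that role.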
Conclusion
For hospitals, the reporting duties of Article 23 are not a bureaucratic burden but a decisive safeguard for patient safety, legal certainty and recovery in emergencies. Hospitals that establish and rehearse their reporting structures not only protect their operations but also meet the legal requirements proactively and effectively.
CISO as a Service – your next step
If you want to implement Article 23 NIS2 efficiently, our CISO as a Service offering is the right choice: our experts support you in setting up reporting processes, incident templates and training — tailored for hospitals and medical facilities.
Contact us to schedule an appointment and establish your NIS2 reporting obligations in a secure and practical manner.
Key Take-away – Build reporting structures with care
Develop templates for early warnings, interim and final reports, assign roles clearly and review processes regularly — this is how you minimize response times and risks.