The number of severe cyberattacks against European organisations continues to rise. Healthcare is particularly in the crosshairs: according to ENISA's threat landscape for the health sector, ransomware accounts for more than half of recorded incidents, and hospitals are the most frequently hit. Against this backdrop, the EU has introduced NIS2, a regulatory framework that for the first time also requires smaller organisations to embed cybersecurity systematically rather than ad hoc.
NIS2 at a glance: Who is affected—and why
With the NIS2 Directive (EU 2022/2555), cybersecurity obligations extend to 18 sectors, including healthcare, water/wastewater, transport, energy, public administration and digital services. Depending on size and sector, medium-sized companies and private healthcare providers are classified as "essential" or "important" entities; the two classes carry different supervision regimes and penalty ceilings. Swiss firms are not bound directly, but those with an EU nexus (an establishment in the EU, a place in an EU customer's supply chain, services offered in the EU) are affected in practice through NIS2's supply-chain requirements and the security clauses their EU customers must pass down.
Core requirements: Article 20 (governance), Article 21 (risk management) & Article 23 (incident reporting)
Article 21 requires, among other things, risk analysis and information security policies, incident handling, business continuity (backup management, disaster recovery, crisis management), supply-chain security, secure acquisition and development of systems, basic cyber hygiene and training, policies on cryptography and encryption, access control and asset management, and multi-factor authentication where appropriate. Accountability sits explicitly with executive management: under Article 20, the management bodies must approve and oversee these measures, attend training themselves, and can be held liable for infringements. Article 23 mandates staged reporting of significant incidents to the CSIRT or competent authority: an early warning within 24 hours of becoming aware of the incident, an incident notification within 72 hours with an initial assessment of severity, impact and indicators of compromise, intermediate reports on request, and a final report no later than one month after the incident notification. Official guidance and FAQs are provided by ENISA and the national competent authorities.
ECSF as a bridge: Role profiles for NIS2 tasks
The European Cybersecurity Skills Framework (ECSF) defines twelve role profiles (e.g. Cyber Incident Responder, Cybersecurity Architect, Cybersecurity Risk Manager, Cyber Legal, Policy & Compliance Officer, Chief Information Security Officer). ENISA's guide "Mapping NIS2 Obligations with ECSF Role Profiles" (2025) maps each NIS2 obligation to these roles, clarifying who owns which tasks (policies, BCP/DRP, supplier reviews, incident reporting) and which skills an organisation must cover, in-house or through partners.
European case: MOVEit and the supply chain
The zero-day in Progress MOVEit Transfer (CVE-2023-34362, a SQL injection in the product's web front end, mass-exploited by the Cl0p group in May and June 2023) led to data breaches at well over a thousand organisations worldwide, many of which were reached only indirectly through payroll, HR or outsourcing providers that ran the product. It is an archetypal case for the NIS2 requirements on third-party and software supply-chain controls. For healthcare operators this means stricter due diligence for lab, practice and file-transfer software, an inventory of which suppliers hold or process patient data, robust contracts (security clauses, breach-notification duties, audit rights) and clear escalation paths during incidents, so that the 24-hour early warning can still be met when the breach happens at a supplier.
Swiss context: National incident reporting & healthcare
Since 1 April 2025, operators of critical infrastructure in Switzerland have been legally required under the Information Security Act (ISG) to report cyberattacks to the Federal Office for Cybersecurity (BACS) within 24 hours of discovery. Healthcare has been repeatedly affected in recent years (hospital ransomware attacks, IT outages). Practical implication: hospitals need pre-built reporting templates, up-to-date contact lists for BACS and, where an EU nexus exists, the relevant EU authority, and a trained incident team that can act within hours, so that the Swiss and NIS2 reporting duties are served by a single, rehearsed process.
Conclusion
NIS2 and the ECSF provide a workable blueprint that helps hospitals and SMEs translate requirements into roles, processes and controls. Organisations that clarify responsibilities, review their supply chains and test their reporting chains now improve security, compliance and, not least, reliability in patient care.
CISO as a Service – Your next step
NIS2 requires organisations to establish clear accountabilities and resilient security processes. Not every organisation has a permanent CISO, yet the responsibility remains. With our offer CISO as a Service, you gain access to seasoned security leaders who support you flexibly: from cybersecurity strategy and governance to hands-on crisis support.
This way, you benefit from the same expertise as with an internal CISO—within a model that fits your structures and budget. Contact us for a non-binding conversation and learn how to meet your NIS2 obligations pragmatically and effectively.
Key take-away – Basics first
Start with the basics: Article 21 (risk analysis, BCP/DRP, supply chain, training), Article 20 (management accountability) and Article 23 (the reporting chain, with its 24-hour, 72-hour and one-month deadlines). Use the ECSF to assign responsibilities, internally or with partners.