July 3, 2025

The following is a press release:

The European Committee of the Regions also calls for legal measures against national governments that have yet to transpose EU directive into national law.

EU cities and regions have called on EU member states to fully involve their regions in the development and implementation of cybersecurity strategies to protect healthcare systems.

In an opinion adopted by the European Committee of the Regions on 3 July, local leaders stress the urgent need for comprehensive measures to counter rising cyber-threats and argue for enhanced practices and procedures to protect IT systems and for increased training across the healthcare sector.

The opinion, drafted by Daniela Cîmpean (RO/EPP), President of Sibiu County Council, argues that cyber-security in healthcare is not just a technical issue, but a key security challenge that needs to be addressed at local, regional, national and European level, as hospitals could become a target for malevolent actors in a period of heightened geopolitical tensions.

Cyber-attacks on healthcare systems and other healthcare providers risk delaying treatment, disrupting emergency services, and eroding patients’ trust.

CoR members also urged for the immediate transposition into national laws of the EU’s Critical Resilience Directive, which came into force in 2023 and has not been yet implemented in all Member States. The Committe demands the European Commission to initiate infringement procedures against any country that did not respect the deadline (17 October 2024).

The adopted recommendations also call for greater attention to the local and regional level, urging the European Commission to provide greater clarity about funding opportunities to support local and regional authorities's work to strengthen digital systems in the healthcare sector. Commission and Member States are also requested to ensure that experts nominated by regional authorities are involved in the network of European Chief Information Security Officers.

Quotes:

Daniela Cîmpean (RO/EPP), President of Sibiu County Council: “Cybersecurity in healthcare is not just a technical issue, but a matter of local, regional, national, and European security. We are concerned by the absence of the regional and local level in the action plan proposed by the Commission, even though hospitals are managed regionally or locally in two-thirds of member states. We call for the full involvement of local and regional authorities, clarity regarding digitalization funding, and access for regional experts to European cybersecurity networks. Protecting hospitals is an investment in citizens' trust and the democratic resilience of the European Union.”

Background

Hospitals and healthcare systems are facing increasing threats, particularly from ransomware hackers that attack them for financial gain. Over the past four years, the healthcare sector has become the most attacked industry in the EU, according to data from the European Commission. A survey by the EU Agency for Cybersecurity (ENISA), published in 2024, found that only a quarter of companies in the health, education and social-care sector had provided training or awareness-raising about cybersecurity in the previous 12 months.

Digitalisation of healthcare has reached a point where, according to eHealth Indicator Study, almost 80% of EU citizens having online access to their electronic health records in primary care.

Homepage - Cymedsec

Directive 2022/2557 on the resilience of critical entities

Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions European action plan on the cybersecurity of hospitals and healthcare providers COM(2025) 10 final

Contact

Wioletta Wojewodzka

Tel: +32 473843986

Wioletta.wojewodzka@cor.europa.eu