Hospitals face a new kind of checkup: Europe’s NIS2 Cybersecurity Rules

When European regulators talk about cybersecurity, doctors and hospital directors don’t always feel the urgency. Their days are filled with bed capacity, staffing gaps and angry printers, not threat actors. Yet a new European Union directive — NIS2 — is about to drag more than a thousand healthcare entities in Poland alone into a stricter, highly formalized regime of digital security.

At a recent meeting hosted by the Medical Innovation Institute and BioForum, lawyers, IT specialists and healthcare leaders tried to answer a simple question with complicated consequences: is the sector ready?

The short answer: not yet.

A New Directive, an Old Problem

NIS2 is the EU’s updated framework for securing critical infrastructure against cyber threats. In Poland, its implementation will happen through changes to the law on the National Cybersecurity System, extending its reach to 18 sectors, including a broad range of healthcare providers. For many hospitals and clinics, this will be the moment when cybersecurity stops being a “nice to have” and becomes a legal obligation.

Yet, as Monika Woźniak-Cichuta of KRK Legal noted, awareness in medical facilities is still low. Cybersecurity is often seen as an IT department concern, not a strategic issue. That, she argued, will have to change. NIS2 does not just ask for new firewalls; it demands a different way of thinking about risk, responsibility and reporting.

This shift will not be cheap. It will require investment in training, in specialized IT staff and, most importantly, in time — a resource many hospitals already lack.

From Policy to Practice

If NIS2 stayed on paper, the conversation would be simpler. But the directive lands in a world of old systems, complex workflows and tight budgets.

Marta Chalimoniuk-Nowak from the European Foundation for Innovation stressed that hospitals need more than one-off fixes. What is required is a long-term cybersecurity strategy: multi-factor authentication as a standard, regular updates of critical software, and a culture in which patching is not an optional “IT project” but routine maintenance for the entire organization.

On the technical front, Rafał Dunal of CloudiMed pointed to a looming wave of audits and software upgrades. Many facilities will discover that their systems are not only vulnerable but also hard to modernize without disrupting clinical work. Updating may mean negotiating with vendors, planning downtimes, and finding money for licenses and hardware — all at once.

Before any of this can happen, as Michał Czarnuch of the Czarnuch Law Firm reminded participants, each organization has to answer a basic question: Do we actually fall under the new rules? And if so, what exactly are we required to do? For many managers, the first challenge is simply understanding the map.

A RODO Déjà Vu — With a Twist

For those who went through the introduction of the EU’s data protection regulation (GDPR, known in Poland as RODO), all this feels familiar. Michał Bieńkowski from STOMOZ drew the comparison openly: once again, hospitals are being asked to adapt to a new regulatory regime built around risk analysis and documentation.

This time, however, the focus is wider. NIS2 is not just about personal data; it touches the availability of systems, the continuity of services and the resilience of entire organizations.

Several speakers argued that the sector needs a code of good practice: a shared, practical reference that transforms abstract legal requirements into concrete steps a hospital can actually follow. Dr hab. Bogdan Księżopolski of Kozminski University suggested that, if handled well, NIS2 could become an opportunity — a lever to raise the overall standard of cybersecurity in Polish healthcare, rather than just another administrative burden.

Vendors, Funding and the Wider Ecosystem

Healthcare providers will not be implementing NIS2 alone.

On the industry side, Patryk Kozłowski from Comarch Healthcare expressed cautious optimism that public funding could help hospitals pay for the tools and processes they will now need. But money, he warned, will not solve everything. The real challenge is aligning technology, processes and people.

From the perspective of a digital health company, Paweł Paczuski of Upmedic pointed to the difficulty of adapting internal processes to stringent security standards while still delivering products at startup speed.

Vendors of medical and IT systems are themselves under pressure. Wojciech Komnata from Nivalit reminded the audience that manufacturers must adapt their products to comply with the new regulations. In other words, NIS2 is not just a hospital story — it reshapes the entire supply chain of healthcare technology.

On the consulting side, Michał Sosinka of Deloitte highlighted the growing importance of integrated incident reporting systems and better coordination of cybersecurity information. Fragmented reporting and siloed responses will not be enough in an environment where attackers move quickly and across borders.

Management Can No Longer Look Away

Perhaps the most unsettling message for many organizations came from Dariusz Piaścik of Sagenso.com. NIS2 explicitly requires management-level involvement in cybersecurity. Boards and executives will not be able to outsource responsibility entirely to IT departments or external vendors.

For some institutions, this will be a cultural shock. Cybersecurity will now sit beside finance and medical quality as a topic that demands regular reporting, decisions and accountability at the top.

At the policy level, Jakub Kulesza from the Forum for Law and Development urged stakeholders to take part in public consultations. The way the directive is written into national law will shape how heavy or workable the burden becomes for hospitals and vendors.

Finally, Jakub Betka of Conexus Law & Consulting reminded everyone that, like GDPR, NIS2 is built around risk analysis. The difference is scope: the lens now includes not only data protection, but also information security and business continuity.

NIS2 will not magically make hospitals safe from cyberattacks. No directive can. What it can do is force a conversation that many organizations have postponed for too long: How do we protect the systems that now underpin almost every aspect of care? Who is responsible when something goes wrong? And how do we ensure that security becomes a routine part of running a hospital, not just a project for “when we have time”?

The answers will not be easy or cheap. But as more of healthcare moves online, the cost of ignoring these questions is likely to be far higher.