NIS-2 in hospitals: Improving resilience and cybersecurity with the cloud

Critical infrastructure facilities have long been grappling with the question: How can we make our resilience more robust and protect ourselves as best as possible against cyberattacks? With the EU-wide NIS 2 Directive for cybersecurity in healthcare, small and medium-sized hospitals now also have to ask themselves these questions. This article summarizes what NIS 2 brings and how you can improve your resilience with the cloud.

NIS-2: Operational safety in hospitals

Cybersecurity in hospitals is becoming increasingly important

The issue of data security is becoming increasingly important for hospitals. Hardly a week goes by without reports in the press of cyberattacks on healthcare facilities.

The figures from the latest BSI status report for 2025 underscore the urgency of the situation: during the reporting period (July 2024 to June 2025), an average of 119 new vulnerabilities in IT systems were reported every day – an increase of 24 percent over the previous year.

During the current BSI reporting period, 726 reports were received from operators of critical infrastructures—up from 490 reports in the previous period, representing a significant increase in reported IT security incidents. 

A study commissioned by the digital association Bitkom estimates the annual damage to the German economy caused by cybercrime at over 200 billion euros.

The resulting damage to hospitals is multifaceted: in addition to economic losses, there is a risk of system downtime, which can sometimes last for several months, or the encryption of data by hackers, which cannot be restored or can only be restored at considerable expense. The situation is particularly critical when the attack targets medical image data: This poses a massive risk to patient care, as image data is essential for diagnosis and treatment. 

The EU's NIS-2 Directive is putting more pressure on hospitals and other medical facilities. The directive significantly broadens the scope of those affected and, in addition to the already regulated KRITIS facilities, also requires small and medium-sized healthcare facilities to implement the security measures required by the directive. 

NIS-2 stands for "The Network and Information Security Directive." The EU directive was published in December 2022 and came into force at EU level in January 2023. In Germany, the directive was implemented on December 6, 2025, with the NIS-2 Implementation Act (NIS2UmsuCG). The aim of the directive is to regulate the cyber and information security of companies and institutions.

Which healthcare facilities are affected by NIS-2?

The focus is on the cyber resilience of hospitals. Whereas previously only KRITIS institutions – i.e., hospitals with more than 30,000 inpatient cases per year – were required to comply with certain cybersecurity guidelines, smaller institutions are now also required to take measures to protect themselves against cyberattacks. NIS-2 applies to all healthcare facilities that employ at least 50 people or have an annual turnover or balance sheet total of more than ten million euros.

In addition, NIS-2 places a clear obligation on the management of hospitals and other healthcare facilities to implement specified cybersecurity measures. In addition to protective measures, this also involves the ability to quickly resume operations after and during an attack. Failure to comply with the measures defined in NIS-2 can result in substantial fines.

Not sure if you are affected? Use the BSI's impact assessment tool or seek legal advice to help you evaluate your situation.

NIS-2: What measures do hospitals need to take now?

With the NIS 2 Implementation Act coming into force in Germany on December 6, 2025, national IT security law has been comprehensively modernized.

Healthcare facilities affected by NIS-2 must register with the Federal Office for Information Security (BSI) by March 6, 2026, as part of the NIS-2 registration requirement.

The measures to be implemented under NIS-2 are not insignificant. Effective risk management for cybersecurity forms the foundation of the NIS-2 Directive. Hospitals must consider the following aspects to increase reliability:

  1. Risk management measures such as technical and organizational measures for risk analysis, handling security incidents, or maintaining operations.
  2. Registration requirement: affected facilities must register with the Federal Office for Information Security (BSI) by March 6, 2026, in a two-stage registration process.
  3. Obligation to report incidents to the BSI within 24 hours via the BSI portal:
    • Initial report within 24 hours of becoming aware of the incident
    • Detailed follow-up report within 72 hours
    • Final report within 30 days
  4. Governance as the management of cybersecurity by senior management, who are also liable for its implementation.
  5. Supply chain security to ensure, among other things, that downstream service providers comply with cyber security measures and that continued operation is possible.

DICOM data in hospitals: High risk potential

Medical image data accounts for the largest share of the total data volume in hospitals. Depending on the number of beds and the available CT, MRI, and X-ray equipment, easily over 100 GB of data can be generated each week. Based on our experience, a medium-sized hospital with 400 beds has an average of 30 terabytes of DICOM images alone in its archives. 

Not only is managing these large amounts of data a challenge for hospitals, but so is storing it securely. With increasing digitalization, the necessary protective measures go far beyond special server rooms and failover concepts. Due to the close internal networking in hospitals, cyberattacks usually cause a complete standstill of all processes—including image data management.

Patient data in the cloud

More data security through cloud solutions

Certified cloud solutions, which can be used in various forms in hospitals, are a proven option for increasing data security. In the area of image data management, for example, software-as-a-service solutions from the cloud, such as the TMD Cloud, ensure that medical image data is reliably archived outside the hospital and better protected against cyberattacks.

The advantages of DICOM archiving in the cloud include:

  • Professionally protected archiving of image data in data centers of external providers
  • Fast access to geo-redundantly stored DICOM data in the event of hacker attacks on on-premises systems and other disasters (e.g., fire, flooding)
  • Secure access to health data stored in the cloud, for example from other hospital locations, via mobile devices, or from home offices. 
  • Fast recovery of image data in the event of data loss on local systems

Hospital emergency plan: Rapid emergency response to cyberattacks

In the event of an acute threat, hospitals must manage emergency operations as quickly as possible in order to be able to maintain critical care services - for example, the operation of the emergency room or cardiology or gynecology departments.

If hospitals have location-independent data storage, for example for their DICOM data in a long-term archive in the cloud, this can be restored and made available in the shortest possible time. Archiving newly generated X-ray, CT or MRI images in the cloud archive is also no problem - even if the PACS or HIS used is affected by the cyber attack.

This is because DICOM images can be transferred directly from the emergency modalities to the cloud. If the internet connection is cut, the required connection to the cloud can be made via a mobile hotspot specially provided for emergency operation.

Telepaxx's business continuity management solution meets all regulatory requirements.

Operational security as a core requirement of NIS-2

The ability to quickly restore operations—known as business continuity management, or BCM for short—is a key requirement of the NIS 2 Directive. A professional emergency plan helps hospitals meet legal requirements and provide reliable patient care even in crisis situations.

Cloud-based solutions can help hospitals by:

  • Complying with legal requirements: NIS-2 requires documented emergency plans and verifiable recovery processes.
  • Minimizing downtime: Immediate access to critical image data, even in the event of a complete failure of the local IT infrastructure.
  • Demonstrating compliance: Documented and regularly tested recovery processes serve as evidence for regulatory authorities.
  • Meeting reporting requirements: Rapid response to security incidents thanks to clear processes.
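The "documented and regularly tested recovery processes" mentioned above only count as evidence if the test actually exercises the off-site copy. The following is an added example (not code from this article or from Telepaxx) of such a restore drill: it reconciles what the local PACS believes it has archived against the manifest of the external archive, flags studies that are missing or whose stored copy no longer matches, and emits a JSON record that can be filed as audit evidence. The record layout, the study UIDs, the digests and the manifest source are all constructed assumptions for illustration, not any vendor's real API.

```python
"""Restore drill: reconcile a local PACS study index against the off-site
archive manifest and record what a recovery would not be able to bring back.

Constructed example for illustration. The record format, the manifest source
and all sample values are assumptions, not any vendor's real interface.
"""
import hashlib
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional


@dataclass(frozen=True)
class StudyRecord:
    """One archived DICOM study as seen by either side of the reconciliation."""
    study_uid: str    # DICOM Study Instance UID (constructed values below)
    sha256: str       # digest of the study bundle as stored
    size_bytes: int


def bundle_digest(payload: bytes) -> str:
    """SHA-256 of a study bundle; used here only to build the constructed samples."""
    return hashlib.sha256(payload).hexdigest()


# Constructed sample: three studies the local PACS believes are archived off-site.
LOCAL_INDEX = [
    StudyRecord("1.2.826.0.1.3680043.2.1.1", bundle_digest(b"ct-thorax-2025-11-03"), 412_000_000),
    StudyRecord("1.2.826.0.1.3680043.2.1.2", bundle_digest(b"mr-brain-2025-11-04"), 250_000_000),
    StudyRecord("1.2.826.0.1.3680043.2.1.3", bundle_digest(b"xr-chest-2025-11-05"), 9_000_000),
]

# Constructed sample: what the cloud archive's manifest reports. Study ...2.1.2
# has a different digest and size (a truncated upload); study ...2.1.3 never arrived.
CLOUD_MANIFEST = [
    StudyRecord("1.2.826.0.1.3680043.2.1.1", bundle_digest(b"ct-thorax-2025-11-03"), 412_000_000),
    StudyRecord("1.2.826.0.1.3680043.2.1.2", bundle_digest(b"mr-brain-2025-11-04-TRUNC"), 180_000_000),
]


@dataclass
class DrillResult:
    checked: int
    missing: List[str] = field(default_factory=list)    # UIDs with no off-site copy
    corrupted: List[str] = field(default_factory=list)  # UIDs whose copy does not match
    unprotected_bytes: int = 0                          # data a restore could not recover

    @property
    def passed(self) -> bool:
        return not self.missing and not self.corrupted


def run_restore_drill(local: List[StudyRecord], cloud: List[StudyRecord]) -> DrillResult:
    """Compare every locally indexed study with the off-site manifest."""
    cloud_by_uid = {s.study_uid: s for s in cloud}
    result = DrillResult(checked=len(local))
    for study in local:
        remote = cloud_by_uid.get(study.study_uid)
        if remote is None:
            result.missing.append(study.study_uid)
            result.unprotected_bytes += study.size_bytes
        elif remote.sha256 != study.sha256 or remote.size_bytes != study.size_bytes:
            result.corrupted.append(study.study_uid)
            result.unprotected_bytes += study.size_bytes
    return result


def drill_report(result: DrillResult, run_at: Optional[datetime] = None) -> str:
    """Serialize the drill outcome as a JSON record to retain as audit evidence."""
    run_at = run_at or datetime.now(timezone.utc)
    return json.dumps({
        "drill_run_at": run_at.isoformat(),
        "studies_checked": result.checked,
        "passed": result.passed,
        "missing_study_uids": result.missing,
        "corrupted_study_uids": result.corrupted,
        "unprotected_bytes": result.unprotected_bytes,
    }, indent=2)


if __name__ == "__main__":
    print(drill_report(run_restore_drill(LOCAL_INDEX, CLOUD_MANIFEST)))
```

Run on the constructed samples, the drill fails with one missing and one corrupted study and 259 MB of unprotected data; a drill that passes on every study is the point to archive as evidence, while a failing one is the point to fix the archiving path before an incident, not after.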

Diagnostics of DICOM data in emergency operation

In addition to archiving and retrieving data, cloud solutions also ensure that findings can continue to be accessed independently of individual workstations in the event of an attack. 

For example, Telepaxx's TMD Cloud offers a web-based user portal that allows doctors to securely view DICOM data and findings from any computer via a web browser. This means that important departments can be quickly restored to operational readiness in an acute threat situation.

Conclusion: Increase reliability with cloud and SaaS solutions

The security of health data is at risk due to the increasing digitization of processes and the networking of systems. The NIS 2 Directive addresses this issue and aims to improve data security in facilities that are critical to society in the European Union.

Innovative technologies such as cloud solutions and software-as-a-service should play a central role in the development of a cybersecurity strategy in hospitals, as they can minimize risk and increase reliability.

External cloud archiving is particularly recommended for medical image data, which represents the largest amount of data in a hospital, in order to be ready for use again more quickly in the event of a crisis and to minimize potential data loss.

Additional information from the BSI

The BSI offers comprehensive information materials and step-by-step instructions to support the implementation of NIS 2:

  • NIS-2 information packages: Compact information on specific topics such as risk management, reporting obligations, and sector-specific requirements
  • NIS-2 FAQ: Answers to frequently asked questions about who is affected and implementation
  • NIS-2 Roadmap: Structured guidance for project planning and implementation of requirements in the company

All materials are available at: www.bsi.bund.de – NIS-2-regulated companies