When is a hospital subject to NIS2?

Hospitals fall automatically under NIS2 Annex I No. 5 (healthcare) as healthcare providers, irrespective of employee or turnover thresholds. All hospitals providing inpatient acute care qualify as healthcare entities under Art. 3 Para. 1 NIS2 Directive. Size-independent obligations arise from the effective date of the German BSIG-neu.

What is the difference between NIS2 and KRITIS for hospitals?

NIS2 (Essential Entity under Annex I) applies to all hospitals without size threshold. KRITIS under BSI-KritisV § 6 Annex 5 only applies above 30,000 inpatient cases per year or 55,000 outpatient operations. Below the KRITIS threshold only NIS2 obligations apply; above it, stricter requirements such as 24/7 reachability, BSI attestation every two years, and registration as a KRITIS operator are added.

What fines do hospitals face for NIS2 violations?

Hospitals are Essential Entities under Annex I and risk fines of up to 10 million Euro or 2 percent of global annual revenue under § 65 BSIG-neu. In addition, management is personally liable under § 38 BSIG-neu. For KRITIS hospitals, coercive fines under § 53 BSIG-neu can also be imposed.

What must hospitals observe regarding medical devices and IT under NIS2?

Medical-technical systems (imaging, patient data management systems, networked infusion pumps) qualify as critical IT infrastructure under § 30 BSIG-neu. Obligations include network segmentation between clinical and administrative networks, patch management for medical devices, and backup concepts for patient data. MDR (EU) 2017/745 and NIS2 overlap for Software-as-a-Medical-Device; both frameworks must be complied with simultaneously.

When must hospitals report security incidents to the BSI?

§ 32 BSIG-neu prescribes a three-stage reporting chain: initial report within 24 hours of becoming aware of a significant incident, follow-up report within 72 hours with initial root cause findings, final report within 30 days. Significant incidents are those that significantly disrupt or may disrupt hospital operations or patient care. In parallel, reporting obligations under § 8b BSIG may apply for KRITIS hospitals.

What do NIS2 supply-chain obligations mean for hospitals?

§ 30 Para. 2 No. 4 BSIG-neu requires hospitals to impose cybersecurity requirements on IT suppliers and service providers. This affects HIS providers (hospital information systems), medical device manufacturers, cloud providers, and remote maintenance service providers. Contracts should include security clauses, penetration test rights, and reporting obligations for the supplier's own security incidents.

Are hospital managing directors personally liable for NIS2 compliance?

§ 38 BSIG-neu requires management to approve and supervise risk management measures and actively participate in training. Culpable failure in these duties creates personal liability. For hospitals, an ISMS per ISO/IEC 27001 with an explicit healthcare scope is recommended, covering BSI-Grundschutz requirements and NIS2 obligations simultaneously.

Industry-specific Self-Check

Is my hospital affected by NIS2?

NIS2 and KRITIS obligations in the health sector have different thresholds. This calculator checks both - based on current law.

Step 1 / 2

Care structure and digitalization level

NIS2 Annex I No. 5 covers health entities with critical care functions. Check what applies to your hospital.

Somatic acute care with inpatient bedsGeneral hospital, specialist hospital, university clinic with inpatient careNetwork or group structure with multiple sitesHospital group, medical care centers (MVZ) attached to main facilityUse of networked medical technology and digital patient recordsHIS, PACS, monitoring, networked surgical technology, digital patient recordsInpatient case count above 15,000 per yearIndicator of supra-regional care relevance - KRITIS applies at 30,000

Step 2 / 2

Company size

Hospital: The Complete NIS2 Guide

Hospitals with more than 50 employees or EUR 10 million in annual revenue must be classified as Essential Entities under NIS2 Annex I No. 5 (Health). This means stricter obligations and higher fines than for Annex II entities. The threat is real: hospitals are among the most frequently attacked critical infrastructure targets in Germany. This guide is written for hospital management, CISOs, and IT directors.

Who is affected?

Hospitals fall under NIS2 Annex I No. 5 (Healthcare providers) when they exceed the SME thresholds: at least 50 employees or at least EUR 10 million in annual revenue (EU Recommendation 2003/361/EC Art. 2). Since virtually all hospitals exceed these thresholds, they must be classified as Essential Entities across the board.

Large hospitals, university medical centers, and hospital groups with more than 250 employees and more than EUR 50 million in revenue are also subject to KRITIS obligations under BSI-KritisV (threshold: 30,000 inpatient cases per year). These have already been regulated under the IT Security Act 1.0.

A district hospital with 200 beds and 300 employees is an Essential Entity under NIS2.

Obligations under § 30 BSIG-new

§ 30 BSIG-new requires seven technical and organizational measure areas that are especially demanding for hospitals because of patient-safety-critical IT systems:

Risk analysis and management: HIS (Hospital Information System), RIS/PACS (radiology), laboratory IT, networked medical devices, and patient data infrastructure must all be assessed.
Incident handling: A ransomware attack on the HIS is a reportable incident. Escalation into clinical operations (fallback procedures) and IT security response must be coordinated.
Business continuity: Hospitals must maintain downtime procedures for all clinical IT systems. Paper-based emergency processes for HIS failure must be tested and documented.
Supply chain security: HIS vendors, laboratory software providers, and medical device service companies must be reviewed for security standards. § 30 Para. 2 No. 4 BSIG-new requires contractual clauses.
Access control and MFA: Access to HIS, PACS, and administrative systems must be secured by MFA. Clinical staff and IT administration need separate access concepts.
Encryption: Patient data in transit and at rest must be encrypted. This also applies to mobile devices (tablets on wards, on-call doctor smartphones).
Training and awareness: Physicians, nursing staff, and administrative personnel must receive regular phishing and IT security training.

Deadlines and reporting obligations

BSI registration under § 33 BSIG-new within three months. For security incidents under § 32 BSIG-new: initial report within 24 hours, full report within 72 hours, final report within 30 days.

A ransomware attack on the HIS must be reported to the BSI within 24 hours. This applies even if clinical operations can continue through fallback procedures. The report must include the scope of the incident, affected systems, and measures taken.

Fines and personal liability

Essential Entity (Annex I): up to EUR 10 million or 2% of global annual turnover. For hospitals without international revenue: 2% of total hospital group revenue.

§ 38 BSIG-new: personal liability of the hospital managing director and the senior IT manager for negligently missed NIS2 obligations. Combined with data protection liability (GDPR Art. 82) and professional code consequences, this represents significant personal risk.

Hospital Modernization Act funding and NIS2 obligations: when subsidies and compliance align

The German Hospital Modernization Act (KHZG) provides funding under §§ 21-21c KHZG for digitalization, including IT security (funding category 10). This funding overlaps significantly with NIS2 requirements.

Specifically: KHZG funding category 10 finances measures for "improving IT security." This includes network segmentation, identity and access management, SIEM systems, and emergency plans - all NIS2 obligations under § 30 BSIG-new.

Hospitals can therefore co-finance NIS2 compliance measures using KHZG funding. The condition: the hospital must justify in its application how the measures improve IT security. NIS2 compliance as a framework provides a clear line of argument for this. Unused KHZG funding potential for IT security is a missed opportunity.

First steps

Determine whether your hospital must be classified as an Essential Entity (virtually all hospitals: yes).
Inventory all clinical IT systems: HIS, PACS/RIS, laboratory, pharmacy, intensive care monitoring.
Ensure that downtime procedures exist for all critical systems and are regularly practiced.
Identify all remote maintenance access points from HIS vendors and medical device service teams.
Conduct a risk analysis for complete HIS failure: how long can clinical operations continue without HIS?
Review open KHZG application options for IT security measures.
Register with the BSI.

Common pitfalls

Medical devices excluded from IT security review: Ventilators, infusion pumps, and patient monitors with network connections are IT systems in the NIS2 sense.

HIS treated as a "closed system": Modern HIS systems connect via interfaces to laboratory systems, radiology, and external services. Each interface is a potential attack path.

Emergency plans only address hardware failure, not cyberattacks: Classic BCP plans assume hardware failure. A cyberattack requires different responses: network isolation, forensics, regulatory reporting.

KHZG funding not used for IT security: Many hospitals have applied for KHZG funds for process digitalization, not for IT security. This is a missed financing opportunity for NIS2 measures.

Use the industry-specific NIS2 calculator for hospitals to verify your obligations in a few minutes.

Authored by

Julian Köhn

Founder & CEO, Kopexa

Julian Köhn is Founder and CEO of Kopexa. He has been building security and compliance solutions for European mid-market companies for over 10 years. Focus areas: NIS2, ISO 27001, GDPR, TISAX. Kopexa was founded to make GRC transparent and self-service for SMEs.

LinkedIn View profile

Reviewed by

Kopexa GRC Team

Subject Matter Experts — NIS2, ISO 27001, KRITIS

The Kopexa GRC Team consists of security and compliance experts certified in ISO 27001, CISA, CRISC. The team develops framework mappings and validates content on NIS2, KRITIS, and industry-specific requirements.

Last updated: 2026-04-17

Frequently asked questions

Industry-specific answers on NIS2 obligations, thresholds, and sanctions.

Is my hospital affected by NIS2?

Hospital: The Complete NIS2 Guide

Who is affected?

Obligations under § 30 BSIG-new

Deadlines and reporting obligations

Fines and personal liability

Hospital Modernization Act funding and NIS2 obligations: when subsidies and compliance align

First steps

Common pitfalls

Frequently asked questions

01When is a hospital subject to NIS2?

02What is the difference between NIS2 and KRITIS for hospitals?

03What fines do hospitals face for NIS2 violations?

04What must hospitals observe regarding medical devices and IT under NIS2?

05When must hospitals report security incidents to the BSI?

06What do NIS2 supply-chain obligations mean for hospitals?

07Are hospital managing directors personally liable for NIS2 compliance?