NIS2 in the health sector

Affected entities and demarcation issues

Entities that fall under the German BSI Act (BSIG), the German implementation of the NIS2 Directive (Directive (EU) 2022/2555), had to register on the portal of the Federal Office for Information Security (BSI) by March 6, 2026. However, only an estimated 5,000 to 6,000 entities had registered by that deadline, far fewer than the number of entities expected to be in scope. Many entities have run into uncertainties and demarcation issues when assessing whether and how they are affected, which has led to delays. This is particularly the case in the health sector.

Although Annexes 1 and 2 of the BSIG list the types of entities covered, uncertainty often arises in practice. This is primarily due to vague wording, a lack of definitions for key terms and numerous references to other European and national legal acts. In the health sector, entities frequently have to consult several sets of rules to determine whether they are subject to the BSIG.

Healthcare providers

Annex 1 No. 4 BSIG, sector “Health”, covers healthcare providers. For the definition, the law refers to the Patient Mobility Directive (Directive 2011/24/EU). According to Article 3(g) of that Directive, a healthcare provider is any natural or legal person or any other entity legally providing healthcare [...]. Healthcare means health services provided by health professionals to patients to assess, maintain or restore their state of health, including the prescription, dispensation and provision of medicinal products and medical devices (Art. 3(a)).

The term is broadly defined and covers far more than hospitals and doctors’ offices. It is precisely this broad wording, together with the BSIG’s reference to the Patient Mobility Directive, that gives rise to demarcation questions in practice, for example for emergency services and care services.

Emergency services

There has recently been intense debate in practice as to whether emergency services count as healthcare providers. The debate was triggered by information from the BSI, which initially did not classify emergency services as such. The BSI has since revised this assessment and now classifies emergency services as healthcare providers within the meaning of the BSIG.

In view of the purpose of the BSIG and the broad definition of healthcare, the outcome may seem understandable. However, as Stefan Hessel explains, the legal basis for it remains unclear. In a public procurement case decided in 2019, the Court of Justice of the European Union (CJEU) already held that emergency services and qualified patient transport are to be classified as danger prevention and thus as public security (CJEU, judgment of March 21, 2019 – C‑465/17, Falck Rettungsdienste). Art. 2(7) of the NIS2 Directive, in turn, explicitly exempts public administration entities carrying out their activities in the area of public security from the Directive’s scope. Against this background, it still needs to be explained why the BSI now classifies emergency services as part of the health sector and thus brings them within the scope of the BSIG.

Care services

For care services, it is important to distinguish between short-term and long-term care. Long-term care is excluded from the scope of the BSIG. The Patient Mobility Directive contains a corresponding exemption for long-term care services whose purpose is to support people in need of assistance in carrying out routine, everyday tasks (Art. 1(3)(a)). The explanatory memorandum to the BSIG likewise states that long-term care facilities are not healthcare providers within the meaning of the law.

This exception has been questioned on doctrinal grounds, since the NIS2 Directive itself contains no exception for long-term care and does not refer to the exception in the Patient Mobility Directive. However, the European Commission’s current proposal to amend the NIS2 Directive, which explicitly excludes long-term care, supports this interpretation.

In practice, this raises the question of how to distinguish long-term from short-term care. The distinction is functional: long-term care primarily involves assistance with daily activities, whereas medical treatment falls under health services. EU law sets no binding time threshold for the term “long-term care”. In practice, however, it may be appropriate to draw on Section 14(1) of the Eleventh Book of the German Social Code (SGB XI) and Section 2(1) of the Ninth Book (SGB IX), both of which use a six-month threshold.

Manufacturers of medical devices and IVDs

In the sector “Manufacturing”, demarcation questions arise in practice particularly for manufacturers of medical devices and in vitro diagnostic medical devices (IVDs) (Annex 2 No. 5 BSIG). This applies especially to companies that do not manufacture products themselves but have them manufactured and then repackage and distribute them under their own name.

Neither the BSIG nor the NIS2 Directive contains its own definition of “manufacturer”. Like the Directive, the BSIG refers to the Medical Devices Regulation (MDR) and the In Vitro Diagnostic Medical Devices Regulation (IVDR). Under these product laws, a manufacturer is a natural or legal person who manufactures or fully refurbishes a device, or has a device designed, manufactured or fully refurbished, and markets that device under its name or trademark. The focus is therefore on market responsibility for the product rather than on the operational production process itself. This definition is consistent with the principles of product (safety) law.

The NIS2 Directive, however, aims to ensure the cybersecurity of critical entities, so the criticality of the entity and of its operational processes is what matters. In addition, NIS2 refers to various European legal acts that use different definitions of “manufacturer”; the REACH Regulation and the NACE classification system, for instance, tie the term to the manufacturing process itself. The literature (including Hessel/Schneider, MMR 2025, 243) therefore argues that the European legislator did not intend an inconsistent definition of “manufacturer” and that a cybersecurity-related definition should be applied instead. On this reading, the manufacturer under NIS2 and the BSIG is the party that carries out the operational manufacturing process.

Conclusion

Assessing whether an entity is affected by NIS2 / the BSIG remains complex, particularly in the health sector. Vague terminology, numerous references to other EU legal acts and conflicting regulatory objectives mean that individual institutions often cannot be classified at first glance.

In practice, this means that entities should not base their assessment solely on formal categories but also on their specific activities and functional role in the health sector. A differentiated classification is especially important in borderline areas. The classification is complex, and the implementation process is challenging and time-critical. If you have any questions or require assistance with implementing NIS2, please do not hesitate to contact us.
