NIS2 and Healthcare in Donegal: What GP Practices, Pharmacies and Clinics Must Do Now.

NIS2 now covers Donegal GP practices, pharmacies and clinics. Learn your cybersecurity obligations, incident reporting rules, and what to do first to comply.

When a GP practice in Letterkenny found that its patient management system had been encrypted by ransomware in early 2025, staff reverted to paper for two weeks. Appointments were missed. Prescriptions could not be verified. Referral letters sat unread in an inaccessible inbox. It was not only a data breach — it was a patient safety incident. That story, repeated in different forms across Irish healthcare, is exactly the scenario that the NIS2 Directive was designed to prevent.

What NIS2 Means for Healthcare Providers

The NIS2 Directive — the EU's updated Network and Information Security framework — significantly expands the range of organisations with formal cybersecurity obligations. Healthcare is one of the explicitly named sectors. This means that GP practices, community pharmacies, specialist clinics, and allied health providers in Donegal and across Ireland are now subject to binding cybersecurity requirements, not merely good-practice recommendations.

The NCSC Ireland, the national authority responsible for overseeing NIS2 implementation, has confirmed that healthcare entities fall within scope as important entities at minimum, and may qualify as essential entities depending on size and patient population served.[^1] The distinction matters: essential entities face fines of up to €10 million or 2% of global turnover; important entities face fines of up to €7 million or 1.4% of global turnover. In both cases, directors can be held personally liable for failures in governance.

Many practice managers and pharmacy owners assume their organisation is too small to be regulated. That assumption is not safe. NIS2 applies based on sector criticality, not just company size. If you process patient records digitally, dispense medications using connected systems, or share data with the HSE or other providers, you are operating systems that fall within the directive's scope.

Does your practice or pharmacy know what cybersecurity controls NIS2 requires you to have in place? Book a free 20-minute strategy call — we will walk through your obligations in plain English and help you identify where to start.

What You Are Required to Do

NIS2 requires covered healthcare organisations to implement risk management measures across several specific areas. These are legal obligations, not suggestions.

You must carry out and document a risk assessment of your digital systems. This means identifying what data you hold, how it is stored, who can access it, and what would happen if it were lost, encrypted, or stolen. For a GP practice, that assessment needs to cover the patient management system, the email server, any connected diagnostic equipment, and the devices used by staff to access records remotely.

You need documented incident response procedures. If your systems are compromised, NIS2 requires you to notify the NCSC Ireland within 24 hours of discovery, with a full incident report following within 72 hours. Most Irish GP practices and pharmacies have no such procedure in place. Building one does not require a large budget — it requires clear thinking about who does what when something goes wrong.

Business continuity planning is mandatory. This includes tested data backups, a documented plan for operating without digital systems, and an understanding of how long critical processes can run in degraded mode. The HSE cyberattack in 2021 demonstrated that the entire national health infrastructure can be paralysed when continuity planning is absent or untested. Donegal practices cannot assume the HSE's recovery resources will be available to them.

Supply chain security is specifically required. If your patient management software is provided by a third-party vendor, if your IT support is outsourced, or if your pharmacy dispensing system connects to a central database, the security of those suppliers is your responsibility under NIS2. You must assess their cybersecurity posture and ensure contracts include appropriate security obligations.

Multi-factor authentication must be in place for any system that holds or processes patient data and is accessible remotely. A username and password alone is not compliant. An Garda Síochána's National Cyber Crime Bureau has consistently highlighted credential theft as the primary entry point for attacks on Irish healthcare organisations.[^2]

Why the Stakes Are Higher in Healthcare

A cyberattack on a manufacturing firm disrupts production. A cyberattack on a healthcare provider can directly harm patients. That is why regulators treat this sector differently. The Data Protection Commission in Ireland has also noted the particular sensitivity of health data under GDPR, meaning that a NIS2-reportable incident will almost always trigger a parallel GDPR notification obligation.[^3]

The reputational consequences are equally serious. Patients expect their most sensitive personal information to be protected. A disclosed breach — whether discovered internally or reported by a patient — can damage the trust a practice has built over decades. Given that GP practices and pharmacies operate on relationships, that trust is not easily restored.

There is also a financial reality. The cost of recovering from a ransomware attack — including system restoration, data recovery, temporary manual processes, and lost billing — typically runs to tens of thousands of euros for a small healthcare practice. NIS2 compliance investment, by comparison, is a fraction of that cost.

Every euro invested in cybersecurity before an incident costs far less than the bill that arrives after one.

Three Steps to Take Now

1. Run a basic risk assessment on your digital systems. List every system that holds patient or business data. Identify who has access, from where, and with what credentials. Mark the systems where a failure would immediately affect patient care or practice operations. This list is the foundation of your NIS2 compliance programme.

2. Enable multi-factor authentication on your email and patient management system. This is the single highest-impact action you can take right now. Most practice management platforms support MFA. Your IT provider can enable it within hours. It will stop the majority of credential-based attacks cold.

3. Draft a one-page incident response plan. Decide now: who calls the NCSC Ireland if your systems are attacked? Who calls An Garda Síochána? Who tells patients if their data is affected? Who contacts your IT provider? What is the out-of-hours contact number? Writing this down before you need it is the difference between a managed incident and a crisis.

The NCSC Ireland provides free practical guidance for healthcare organisations. Engaging with that guidance now, before an incident occurs, is the right first step.

Related Reading

[^1]: NCSC Ireland, guidance for organisations on NIS2 obligations: https://www.ncsc.gov.ie/advice-for-organisations/

[^2]: An Garda Síochána, National Cyber Crime Bureau cybercrime resources: https://www.garda.ie/en/crime/cyber-crime/

[^3]: Data Protection Commission, guidance on health data and GDPR: https://www.dataprotection.ie

Pragmatic Security — Cybersecurity advisory for Irish businesses. Based in Donegal, Ireland. CISA, CISSP, CISM certified advisors.