The European Union Cybersecurity Legislation for the Health Sector: A Croatian Experience Report

Cybersecurity aims to protect digital assets from being compromised. Cybersecurity is a shared responsibility and should be built within the organizational culture, set up as a priority business function, as well as properly implemented into technological solutions in place. Some sectors are more essential than others, like the health sector, dealing with sensitive user information and data about the health status, medical procedures applied, medicinal products and medical devices used, etc. A regulated approach to cybersecurity necessarily requires a certain level of organizational centralization, both at the EU level, as well as at the level of EU Member States, where there is no uniform solution. The difference in approaches is mostly the result of the different national developments of cyber resources in the previous years. When the EU has adopted the NIS Directive to strengthen cybersecurity at the EU level, transposition and implementation of this legal act presented a challenge to the EU Member States. This paper presents an experience report for Croatia in implementing EU legislation for cybersecurity in the health sector. Established processes and guidelines are showcased and specific challenges given within the health system.