Request for Proposals: Dedicated Action to Reinforcing Hospitals and Healthcare Providers

Objectives

• This action aims to strengthen the cybersecurity of hospitals and healthcare providers.
• The goal is to ensure that hospitals and healthcare providers, which are crucial operators in the health sector, can effectively detect, monitor, and respond to cyber threats, particularly ransomware, which pose significant risks, thereby enhancing the resilience of the European healthcare system.
• The action will contribute to the EU action plan on cybersecurity in hospitals and
  healthcare, adopted by the Commission in January 2025.

Scope

• This action addresses the growing need for continuous cybersecurity monitoring, threat intelligence, and incident response in hospitals and healthcare providers, which often lack dedicated cybersecurity resources to adequately protect themselves from cyber threats.
• The action will support pilot projects, which will bring together stakeholders such as regional and/or national clusters associations of hospitals and healthcare providers (such as national healthcare systems, hospitals or associations of hospitals, healthcare providers and/or professional associations of healthcare practitioners), as well as cybersecurity service providers
• The pilot projects will define the state of preparedness of clusters of hospitals and healthcare providers in the European Union, to be able to assess their needs. Based on this analysis, they will prepare an overview of the state-of-the-art cybersecurity solutions and resources needed (technologies, services, tools, human resources, training needs, etc.) for hospitals and healthcare providers to meet the scope of the action. These may include, for example: Security Operation Centres offering real-time monitoring, threat detection, and rapid incident response, and advanced cybersecurity tools, such as Security Information and Event Management (SIEM) platforms, threat intelligence, and automated response capabilities, among others.
• The pilots will develop technical plans, tailored to the needs of representative hospitals and healthcare providers (e.g. small or large hospitals, private healthcare providers, etc.) which will also need to include best implementation recommendations and cost estimates for effective deployment.
• The pilot projects will conduct a demo implementation of these technical plans to demonstrate their effectiveness in operations at the stakeholders’ sites, showcasing different use cases for different user groups at small, medium and large hospitals and healthcare providers, at least in two different Member States.
• The pilot projects will serve as demonstration projects and will also provide cybersecurity education and training to the staff of their partner hospitals and healthcare providers, enhancing awareness and ensuring best practices in safeguarding sensitive healthcare information.
• The pilot projects will support healthcare institutions complying with the NIS 2 Directive.

Funding Information

• Budget (EUR) – Year 2025: 30 000 000

Expected Outcomes

• Mapping of common cybersecurity needs of hospitals and healthcare providers.
• Guidelines for healthcare providers to assess their current state of cybersecurity protection and relevant needs.
• Technical cybersecurity plans to enhance preparedness and cyber resilience: improved detection and response capabilities for healthcare institutions minimising the impact of cyberattacks, particularly for ransomware. This also includes dedicated training courses to staff.
• Pilot cybersecurity demo installations at partner hospitals and healthcare provider sites to ensure hospitals and healthcare providers can maintain operational continuity in the face of cybersecurity incidents. This should be monitored through specific KPIs.
• Wide dissemination campaigns to help scale up preparedness of hospitals and healthcare providers in Europe.

Eligibility Criteria

• Applications will only be considered eligible if their content corresponds wholly (or at least in part) to the topic description for which they are submitted.
• Eligible participants (eligible countries):
  • In order to be eligible, the applicants (beneficiaries and affiliated entities) must:
    • be legal entities (public or private bodies)
    • be established in one of the eligible countries, i.e.:
      • EU Member States (including overseas countries and territories (OCTs))
      • EEA countries (Norway, Iceland, Liechtenstein)

For more information, visit EC.