EU cybersecurity Directive NIS2 will become applicable in October, but Luxembourg companies are behind in their preparation, says Renaud Le Squeren, partner at DSM Avocats à la Cour. Meanwhile, healthtechs remain notorious targets of cyberattacks.
The Network and Information Security Directive (NIS2) is part of the block’s efforts to force businesses to invest in cybersecurity, for Le Squeren. The DSM lawyer, specialising in technology, media, and telecom law, among other fields, says companies in Luxembourg are late in gearing up for NIS2. A national law is set to transpose the directive by 17 October 2024, and the Institut Luxembourgeois de Régulation (IRL) will be tasked with supervising and, if necessary, imposing sanctions in line with it. Le Squeren speculates that businesses are waiting for the transposition of the directive into Luxembourg law and hoping that the date when it will become applicable is pushed back.
Healthcare needs cybersecurity
Multifactor authentication as well as video and text tools to verify the identity of those sharing information will be part of the game for the healthtechs that will need to comply with NIS2. The directive will also impact the energy, transport, water, food, space, information and communication technologies, banking, and financial sector. But the latter is much more experienced with reporting to supervisory authorities, especially in Luxembourg.
“The European healthcare sector is relatively weak in terms of cybersecurity and is regularly in the press for data breaches and cyber-attacks. There is a big need for investment in training, hardware, and software to reach a decent level of cyber security in the health sector, particularly in the public sector,” tells Renaud Le Squeren, partner at DSM Avocats à la Cour.
“One thing that must be clearly stated is the difference between data that you can change and data that you cannot change as an individual.”
Renaud Le Squeren, partner at DSM Avocats à la Cour.
Healthtechs are quickly becoming notorious for being a preferred target for hackers. In January 2024, over 33 million French residents’ data was compromised, as revealed by the Commission Nationale Informatique et Libertés (CNIL). That is nearly half of the country’s population. The healthcare sector’s vulnerability comes from the fact that it is driven by both public and private influence. Governments tend to subcontract to businesses tasks previously done by structures under their supervision. Setting up a doctor’s appointment through an app run by a private company is the simplest example of businesses becoming part of the healthcare sector. Private laboratories conducting tests is another one.
“One thing that must be clearly stated is the difference between data that you can change and data that you cannot change as an individual. If someone steals your password, you can change it. If someone steals your social security number, your fingerprints or the print of your eye, you will not be able to change them,” concludes Renaud Le Squeren, partner at DSM Avocats à la Cour.
Healthtechs will be able to showcase their trustworthiness to clients by complying with NIS2. But as time goes on, the law will become a necessity rather than a feature for companies. Le Squeren highlights that businesses not in line with the law will likely not be able to participate in public tenders and will not have access to funding. A healthtech startup not complying with NIS2 will, in theory, also not be eligible for financing by an ESG fund due to a perceived lack of safety. Of course, how each country applies the law will play a major role, so in the first months of NIS2 being fully into effect, the ball will be in the legislator’s court, meaning the IRL.
