Biotechnology is central to modern medicine and Europe’s long-term
competitiveness. From cancer and cardiovascular disease to rare conditions, it
is driving transformative advances for patients across Europe and beyond.1
Yet innovation in Europe is increasingly shaped by regulatory fragmentation,
procedural complexity and uneven implementation across member states. As
scientific progress accelerates, policy frameworks must evolve in parallel,
supporting the full lifecycle of innovation from research and clinical
development to manufacturing and patient access.
The proposed EU Biotech Act seeks to address these challenges. By streamlining
regulatory procedures, strengthening coordination and supporting scale-up and
manufacturing, it aims to reinforce Europe’s position in a highly competitive
global biotechnology landscape.2
Its success, however, will depend less on ambition than on delivery. Consistent
implementation, proportionate oversight and continued global openness
will determine whether the act translates into faster patient access,
sustained investment and long-term resilience.
Q: Why is biotechnology increasingly seen as a strategic pillar for Europe’s
competitiveness, resilience and long-term growth?
Gilles Marrache, SVP and regional general manager, Europe, Latin America, Middle
East, Africa and Canada, Amgen: Biotechnology sits at the intersection of
health, industrial policy and economic competitiveness. The sector is one of
Europe’s strongest strategic assets and a leading contributor to research and
development growth.3
At the same time, Europe’s position is under increasing pressure. Over the past
two decades, the EU has lost approximately 25 percent of its global share of
pharmaceutical investment to other regions, such as the United States and
China.
The choices made today will shape Europe’s long-term strength in the sector,
influencing not only competitiveness and growth, but also how quickly patients
can benefit from new treatments.
> “Europe stands at a pivotal moment in biotechnology. Our life sciences legacy
> is strong, but maintaining global competitiveness requires evolution.”4
>
> Gilles Marrache, SVP and regional general manager, Europe, Latin America,
> Middle East, Africa and Canada, Amgen.
Q: What does the EU Biotech Act aim to do and why is it considered an
important step forward for patients and Europe’s innovation ecosystem?
Marrache: The EU Biotech Act represents a timely opportunity to better support
biotechnology products from the laboratory to the market.
By streamlining medicines’ pathways and improving conditions for scale-up and
investment, it can help strengthen Europe’s innovation ecosystem and accelerate
patient access to breakthrough therapies. These measures will help anchor
biotechnology as a strategic priority for Europe’s future — and one that can
deliver earlier patient benefit — so long as we can make it work in practice.
Q: How does the EU Biotech Act address regulatory fragmentation, and where will
effective delivery and coordination be most decisive?
Marrache: Regulatory fragmentation has long challenged biotechnology development
in Europe, particularly for multinational clinical trials and innovative
products. The Biotech Act introduces faster, more coordinated trials, expanded
regulatory sandboxes and new investment and industrial capacity instruments.
The proposed EU Health Biotechnology Support Network and a union-level
regulatory status repository would strengthen transparency and
predictability. Together, these measures would support earlier regulatory
dialogue, help de-risk development and promote more consistent implementation
across member states.
They also create an opportunity to address complexities surrounding combination
products — spanning medicines, devices and diagnostics — where overlapping
requirements and parallel assessments have added delays.5 This builds on related
efforts, such as the COMBINE programme,6 which seeks to streamline the
navigation of the In Vitro Diagnostic Regulation,7 Clinical Trials Regulation8
and the Medical Device Regulation9 through a single, coordinated assessment
process.
Continued clarity and coordination will be essential to reduce duplication and
accelerate development timelines.10
Q: What conditions will be most critical to support biotech
scale-up, manufacturing and long-term investment in Europe?
Marrache: Europe must strike the right balance between strategic autonomy and
openness to global collaboration. Any new instruments under the Biotech Act
mechanisms should remain open and supportive of all types of biotech
investments, recognizing that biotech manufacturing operates through globally
integrated and highly specialized value chains.
Q: How can Europe ensure faster and more predictable pathways from scientific
discovery to patient access, while maintaining high standards of safety and
quality?
Marrache: Faster and more predictable patient access depends on strengthening
end-to-end pathways across the lifecycle. The Biotech Act will help ensure
continuity of scientific and regulatory expertise, from clinical development
through post-authorization. It will also support stronger alignment with
downstream processes, such as health technology assessments, which are
critical to success.
Moreover, reducing unnecessary delays or duplication in approval processes can
set clearer expectations, more predictable development timelines and earlier
planning for scale-up.
Finally, embedding a limited number of practical tools (procedural, digital or
governance-based) and ensuring they are integrated within existing European
Medicines Agency and EU regulatory structures can help achieve faster
patient access.11
Q: What role can stronger regulatory coordination, data use and public-private
collaboration play in strengthening Europe’s global position in biotechnology?
Marrache: To unlock biotechnology’s full potential, consistent implementation is
essential. Fragmented approaches to secondary data use, divergent member
state interpretations and uncertainty for data holders still limit access to
high-quality datasets at scale. The Biotech Act introduces key building blocks
to address this.
These include Biotechnology Data Quality Accelerators to improve
interoperability, trusted testing environments for advanced innovation, and
alignment with the EU AI Act,12 European Health Data Space13 and wider EU data
initiatives. It also foresees AI-specific provisions and clinical trial guidance
to provide greater operational clarity.
Crucially, these structures must simplify rather than add further layers of
complexity.
Addressing remaining barriers will reduce legal uncertainty for AI deployment,
support innovation and strengthen Europe’s competitiveness.
> “These reforms will create a modernized biotech ecosystem, healthier
> societies, sustainable healthcare systems and faster patient access to the
> latest breakthroughs in Europe.”14
>
> Gilles Marrache, SVP and regional general manager, Europe, Latin America,
> Middle East, Africa and Canada, Amgen.
Q: As technologies evolve and global competition intensifies, how can
policymakers ensure the Biotech Act remains flexible and future-proof?
Marrache: To remain future-proof, the Biotech Act must be designed to evolve
alongside scientific progress, market dynamics and patient needs. Clear
objectives, risk-based requirements, regular review mechanisms and timely
updates to guidance will enhance regulatory agility without creating unnecessary
rigidity or administrative burden.
Continuous stakeholder dialogue combined with horizon scanning will be essential
to sustaining innovation, resilience and timely patient access over the long
term. Preserving regulatory openness and international cooperation will be
critical in avoiding fragmentation and maintaining Europe’s credibility as a
global biotech hub.
Q: Looking ahead, what two or three priorities should policymakers focus on to
ensure the EU Biotech Act delivers meaningful impact in practice?
Marrache: Looking ahead, policymakers should focus on three priorities for the
Biotech Act:
First, implementation must deliver real regulatory efficiency, predictability
and coordination in practice.
Second, Europe must sustain an open and investment-friendly framework that
reflects the global nature of biotechnology.
And third, policymakers should ensure a clear and coherent legal framework
across the lifecycle of innovative medicines, providing certainty for the use
of artificial intelligence — as a key driver of innovation in health
biotechnology.
In practical terms, the EU Biotech Act will be judged not by the number of new
instruments it creates, but by whether it reduces complexity, increases
predictability and shortens the path from scientific discovery to patient
benefit.
An open, innovation-friendly framework that is competitive at the global level
will help sustain investment, strengthen resilient supply chains and deliver
better outcomes for patients across Europe and beyond.
--------------------------------------------------------------------------------
References
1. Amgen Europe, The EU Biotech Act Unlocking Europe’s Potential, May 2025.
Retrieved from
https://www.amgen.eu/media/press-releases/2025/05/The_EU_Biotech_Act_Unlocking_Europes_Potential
2. European Commission, Proposal for a Regulation to establish measures to
strengthen the Union’s biotechnology and biomanufacturing sectors, December
2025. Retrieved from
https://health.ec.europa.eu/publications/proposal-regulation-establish-measures-strengthen-unions-biotechnology-and-biomanufacturing-sectors_en
3. EFPIA, The pharmaceutical sector: A catalyst to foster Europe’s
competitiveness, February 2026. Retrieved from
https://www.efpia.eu/media/zkhfr3kp/10-actions-for-competitiveness-growth-and-security.pdf
4. The Parliament, Investing in healthy societies by boosting biotech
competitiveness, November 2024. Retrieved from
https://www.theparliamentmagazine.eu/partner/article/investing-in-healthy-societies-by-boosting-biotech-competitiveness#_ftn4
5. Amgen Europe, The EU Biotech Act Unlocking Europe’s Potential, May 2025.
Retrieved from
https://www.amgen.eu/docs/BiotechPP_final_digital_version_May_2025.pdf
6. European Commission, COMBINE programme, June 2023. Retrieved from
https://health.ec.europa.eu/medical-devices-topics-interest/combine-programme_en
7. European Commission, Medical Devices – In Vitro Diagnostics, March 2026.
Retrieved from
https://health.ec.europa.eu/medical-devices-vitro-diagnostics_en
8. European Commission, Clinical trials – Regulation EU No 536/2014, January
2022. Retrieved from
https://health.ec.europa.eu/medicinal-products/clinical-trials/clinical-trials-regulation-eu-no-5362014_en
9. European Commission, Simpler and more effective rules for medical devices –
Commission proposal for a targeted revision of the medical devices
regulations, December 2025. Retrieved from
https://health.ec.europa.eu/medical-devices-sector/new-regulations_en#mdr
10. Amgen Europe, The EU Biotech Act Unlocking Europe’s Potential, May 2025.
Retrieved from
https://www.amgen.eu/docs/BiotechPP_final_digital_version_May_2025.pdf
11. AmCham, EU position on the Commission Proposal for an EU Biotech Act
12. European Commission, AI Act | Shaping Europe’s digital future, June 2024.
Retrieved from
https://digital-strategy.ec.europa.eu/en/policies/regulatory-framework-ai
13. European Commission, European Health Data Space, March 2025. Retrieved from
https://health.ec.europa.eu/ehealth-digital-health-and-care/european-health-data-space-regulation-ehds_en
14. The Parliament, Why Europe needs a Biotech Act, October 2025. Retrieved
from
https://www.theparliamentmagazine.eu/partner/article/why-europe-needs-a-biotech-act
--------------------------------------------------------------------------------
Disclaimer
POLITICAL ADVERTISEMENT
* The sponsor is Amgen Inc
* The ultimate controlling entity is Amgen Inc
* The political advertisement is linked to advocacy on the EU Biotech Act.
Europe’s ambition to become climate neutral by 2050 cannot succeed in healthcare
unless we fix a basic problem: we do not measure sustainability in the same way
across the single market.
Currently, measuring Product Carbon Footprints (PCF) and Life Cycle Assessments
(LCA) throughout the European Union consists of a patchwork of national
methodologies and/or competing frameworks. This fragmentation is not just a
technical inconvenience, it actively undermines fair procurement, increases
costs, and risks unequal patient access across Europe.[1] Without a single,
harmonized methodology or framework, this EU sustainability and competitiveness
goal will remain challenging to achieve.
Though the lack of harmonization may seem technical, its consequences are
tangible. PCF and LCA outputs can differ widely depending on the standards and
methodologies defined and endorsed by policymakers, the way they are applied by
industry, or how existing international standards are interpreted and
implemented across member states.[2] The result is that national authorities are
effectively speaking different languages. A treatment considered more
environmentally responsible in one country may be evaluated entirely differently
just across the border. And without harmonized sustainability assessments for
medicines, there is a risk that sustainability is given disproportionate weight
compared with safety and quality, undermining high-quality medicine development.
In short, fragmentation slows progress, weakens trust and, importantly,
prevents comparability.[1]
In practice, the absence of a harmonized standard allows 27 different
interpretations of ‘sustainability’ to coexist, which is incompatible with a
functioning single market.
Fortunately, PAS 2090:2025 offers what the EU has been missing: a single,
science-based methodology that allows regulators, procurers, and industry to
finally speak the same language. Developed with stakeholders across the
healthcare and life sciences sector, PAS 2090:2025 specifies the appropriate
methodology for medicines under ISO standards, aligning the playing field for
everyone involved. Published by the British Standards Institution in November
2025, it reflects broad technical consensus and strong credibility. PAS
2090:2025 provides the first practical methodology for measuring the
environmental performance of pharmaceuticals, establishing a common framework to
support comparable environmental reporting, reduce regulatory duplication and
provide policymakers with a credible basis to demonstrate progress toward
climate neutrality. It also gives industry the predictability needed to invest
in sustainable innovation, while ensuring that patients receive consistent
assessments of a treatment’s environmental profile, regardless of where it is
evaluated.
Importantly, this approach reflects principles already embedded in EU
policymaking. The European Health Data Space, for example, demonstrates how
interoperability and standardized frameworks are essential in making
cross-border data meaningful and actionable.[3] Meanwhile, the European
Commission has been equally clear: harmonized technical standards and coherent
sustainability rules are critical to the effective functioning of the Single
Market and ensuring the free movement of goods.[4]
This is a shared concern across stakeholder groups. Both the Federation of
European Academies of Medicine and European Academies’ Science Advisory Council,
representing Europe’s leading academies of medicine and science, have similarly
highlighted the fact that common standards are essential for transparent
procurement and fair competition across therapeutic categories.[5] And the
innovative pharmaceutical industry, via the European Federation of
Pharmaceutical Industries and Associations, has outlined both the challenges
caused by the absence of harmonized standards and called for policymakers,
regulators and healthcare stakeholders to endorse PAS 2090:2025 as the one,
internationally accepted standard for measuring PCF and LCA in the
pharmaceutical industry.[6] Europe’s leading academies of medicine and science,
the European Commission, and the innovative pharmaceutical sector all point to
the same conclusion: without harmonized standards, sustainability policy cannot
work.
> At Chiesi, we support PAS 2090:2025 not because it is convenient, but because
> it makes our environmental performance directly comparable and therefore
> accountable.[2]
That is why our teams have laid out ambitious, yet reachable, targets regarding
the reduction of Scope 1, 2 and 3 greenhouse gas emissions. We also know that in
order to reach these targets, we need to measure our actions and emissions.
Measuring what matters is the foundation to making a meaningful difference.[3]
Our support for PAS 2090:2025 reflects a commitment to transparency,
science-based decision-making and long-term sustainability; we use it ourselves
because we believe it is the way forward — making it simple to compare products
fairly, design transparent tenders, and procure with clarity. Further, industry
members will be able to innovate with confidence, knowing that the life-changing
efforts will be assessed with science and clear understandings. That said, no
single actor can deliver alignment alone. Real progress depends on collaboration
between regulators, policymakers, scientific bodies, and industry around a
shared approach to measuring and comparing environmental impact.
Chiesi stands ready to work with policymakers and partners across the healthcare
ecosystem in favor of the adoption of PAS 2090:2025, understanding that
achieving true regulatory harmonization is essential for ensuring patient
access, maintaining high safety and quality standards, and fostering a globally
competitive pharmaceutical industry in Europe.
At the end of the day, the EU does not need another pilot program, framework, or
national workaround. It needs a decision. It needs action. Europe must agree on
how sustainability in healthcare is measured consistently and credibly across
the single market. Measuring what matters, in the same way across Europe, is the
only path to a climate-neutral, competitive, and fair European health system.
Endorsing PAS 2090:2025 as the reference methodology would turn that principle
into practice.
Andrea Bonetti
Andrea Bonetti is head of the EU office at Chiesi Farmaceutici, where he
oversees the company’s public affairs strategy at European level across
healthcare, sustainability and planetary health. Since opening Chiesi’s Brussels
office in 2020, he has strengthened the company’s engagement with EU
institutions, contributed to key policy discussions and supported initiatives to
advance awareness on climate and environmental priorities in line with Chiesi’s
values. He collaborates closely with cross-functional teams on the development
and implementation of Chiesi’s sustainability strategy and represents the
company within European and international trade associations. With more than 15
years of experience in health and environmental policy, he supports Chiesi’s
external positioning and contributes to sector-wide work on environmental and
sustainability frameworks.
Disclaimer:
POLITICAL ADVERTISEMENT
* The sponsor is Chiesi Farmaceutici
* The political advertisement is linked to advocacy on EU sustainability and
Single Market policy.
--------------------------------------------------------------------------------
[1] European Commission. (2023). Annual Single Market Report 2023.
https://single-market-economy.ec.europa.eu/system/files/2023-01/ASMR%202023.pdf
[2] Healthcare Without Harm. (2022). Report: Procuring for greener pharma.
https://europe.noharm.org/media/4639/download?inline=1
[3] European Union. (2025). Regulation (EU) 2025/327 of the European Parliament
and of the Council of 11 February 2025 on the European Health Data Space and
amending Directive 2011/24/EU and Regulation (EU) 2024/2847.
https://eur-lex.europa.eu/eli/reg/2025/327
[4] European Commission. (2026). Public procurement.
https://single-market-economy.ec.europa.eu/single-market/public-procurement_en
[5] European Academies’ Science Advisory Council (EASAC) & Federation of
European Academies of Medicine (FEAM). (2021). Decarbonisation of the health
sector: A commentary by EASAC and FEAM.
https://easac.eu/fileadmin/PDF_s/reports_statements/Health_Decarb/EASAC_Decarbonisation_of_Health_Sector_Web_9_July_2021.pdf.pdf
[6] European Federation of Pharmaceutical Industries and Associations (EFPIA).
(2025). Advancing environmental sustainability assessment of pharmaceuticals
through standardisation and harmonisation of product carbon footprint
assessment.
https://www.efpia.eu/news-events/the-efpia-view/efpia-news/advancing-environmental-sustainability-assessment-of-pharmaceuticals-through-standardisation-and-harmonisation-of-product-carbon-footprint-assessment/
--------------------------------------------------------------------------------
Publishing the name of a professional athlete online because they have broken
anti-doping rules is against the EU’s privacy laws, a top EU lawyer has said.
The fresh opinion from Advocate General Dean Spielmann weighs a case taking
place in Austria, where four professional athletes who have broken anti-doping
rules are arguing that publication of their details online would breach the EU’s
General Data Protection Regulation.
Austrian law requires details including the athletes’ names, sporting
discipline, duration of their exclusion and the reasons for that exclusion to be
published on the websites of the Austrian anti-doping agency and an associated
legal committee.
Spielmann said he had “serious doubts” about the need to publish all those
details online, according to a court press release, on the basis that any
national laws that require personal data to be published have to be
proportionate.
He said publishing pseudonymized details on the internet would still deter
athletes from doping and prevent offenders from circumventing doping rules,
while also protecting the individual’s privacy.
The opinion is not binding but will inform the final decision at the Court of
Justice of the EU.
Simon Meier, a trauma and orthopedic surgeon, was off duty when a colleague
called one evening. University Hospital Frankfurt was the target of a massive
cyberattack which required an urgent response.
The next morning, Meier, who was also the hospital’s emergency planner, sat in a
crisis meeting with hospital leadership. IT teams had worked through the night
without success, and now, a critical decision loomed.
“We had to cut off the whole hospital network from the internet,” Meier
recalled. “We didn’t want to give anyone the chance to tamper with the IT
systems anymore.”
Internet access was severed, databases were frozen and hospital staff had to
switch to pen and paper, as well as phone calls, to deliver care.
“It severely impaired the communication between our electronic systems,” Meier
said. Accessing lab results or data from mobile X-ray machines became a
headache, with systems unable to report to the hospital database.
“We had to reschedule appointments just to be able to have a look into the
patient’s files and postpone some planned surgeries,” he said.
Now, over one-and-a-half years later, the system is not yet back to “normal,”
Meier said. Internet and database access remain restricted, and a costly
infrastructure rebuild is underway to plug long-exploited vulnerabilities.
This attack is just one of 309 cybersecurity incidents targeting the health care
sector in the EU in 2023 alone — more than any other critical sector. The cost
of a major incident typically reaches some €300,000.
Beyond the financial impact, cyberattacks pose a threat to patients’ lives. The
stakes became clear in a recent case in the U.K., where the death of a patient
was linked — among other contributing factors — to a delayed blood test result
caused by a cyberattack that disrupted pathology services last summer.
World Health Organization (WHO) chief Tedros Adhanom Ghebreyesus called
cyberattacks on health care “issues of life and death.”
While health care has become the primary target for cybercriminals in recent
years, putting lives at risk, the sector paradoxically invests less in
cybersecurity than any other industry, leaving high-value data vulnerable to
attack.
PERFECT TARGET
For cybercriminals, targeting health data “is a perfect business plan,” said
Christos Xenakis, professor at the department of digital systems at the
University of Piraeus, Greece. “It’s easy to steal data, and what you steal, you
can sell it at a high price.”
Ransomware attacks — where hackers lock data and demand a ransom — dominate the
sector, an EU Agency for Cybersecurity (ENISA) report showed. “They achieve two
targets: One is to get the data and sell (it), and the other is to encrypt the
whole system, disrupt the whole system, and ask for money,” Xenakis said.
Stolen data can be sold on the dark web to criminals who use it to commit
identity theft, insurance fraud or blackmail. To restore disrupted systems,
criminals can demand millions of euros — hackers, for instance, wanted $4.5
million for the return of the stolen data after a cyberattack on Hospital Clínic
in Barcelona. The hospital refused to pay.
However, other types of cyberattacks are also on the rise, including those by
pro-Russian hacktivists aiming to disrupt health care operations, rather than
for profit.
Despite the risks, only 27 percent of health care organizations have a dedicated
ransomware defense program, and 40 percent don’t offer any security awareness
training for non-IT staff, a separate ENISA report found.
CREATING CYBERSECURITY CULTURE
Xenakis believes that the health care sector sees cybersecurity as “out of their
business” scope and as a “luxury” rather than an essential. Health care staff
are unaware of the risks, he believes, resulting in poor “cyber hygiene.”
He recalls being left alone in a doctor’s office with unsecured computers — an
easy target for hackers. “If I wanted to do something, it [would have been] easy
for me,” he said.
At the same time, he doubts that he would have been left in a room with critical
medicines. Hospitals understand the risks if medicines got into the wrong hands,
he said, “but they cannot understand cybersecurity.”
The task is to create a culture of good cybersecurity practices to protect data
and the systems, Xenakis said. “Technology awareness education is … extremely
low.”
Findings from the Finnish Innovation Fund Sitra back this up. While many health
care organizations have cybersecurity policies in place, they are often not
“clearly communicated or consistently understood by their staff.” High personnel
turnover — not just among medics but also cybersecurity officers — further
“exacerbates training gaps and the ability to enforce cybersecurity policies.”
Sabina Magalini, a former professor of surgery at the Catholic University of the
Sacred Heart in Rome, who coordinated an EU-funded project PANACEA to improve
hospital cybersecurity, believes that current laws overlook hospital-specific
challenges. “Hospitals have different problems,” she said, listing high staff
turnover, lack of training and overwork.
“The hospital is not a nuclear power plant … It’s like a port … with a harbor:
people coming in, going out, and everything is open,” Magalini said.
She argued that hospitals need continuous cybersecurity drills and streamlined
systems that don’t slow down care. Health care staff “don’t want to pass half of
the day logging in and logging out,” she said.
BLAME THE SYSTEM, NOT THE STAFF
However, training hospital personnel, while beneficial, is insufficient to
address security threats.
“If you have a hospital with 2,000 people working, the probability for someone
to click the button (for a phishing link)” is unavoidable, Xenakis said.
Especially as artificial intelligence is increasingly used by cybercriminals for
automating attacks, such as phishing and deepfake-driven fraud, making the
attacks “very sophisticated, very targeted,” Xenakis said.
“You cannot blame the people,” Xenakis said. There must be intelligent detection
tools “to eliminate the damage … or counteract the attack,” he said.
Magalini also pointed out another shortcoming: cybersecurity consultancies that
assist hospitals often originate from outside Europe. “They are either from the
United States or Canada … also from Russia,” she said, adding that there should
be a “European way of doing cybersecurity.”
INVESTMENT GAPS
While the risks are clear, national governments are skimping on prevention,
Xenakis believes, saying that he has no good example of a country “that has
invested a lot in cybersecurity in the health sector.”
In Germany, for example, “they are used to just putting new regulations in
place, but invest nothing in the cybersecurity of hospitals,” Meier said.
He believes his Frankfurt hospital would have found the attack earlier if it had
an intrusion detection system. They were “very lucky” to discover the attack
before it destroyed the entire database, Meier said. “It could have resulted in
a complete shutdown of the hospital.”
“Cybersecurity threats pose enormous challenges for the health care sector by
endangering the availability of essential health care services,” a spokesperson
from the German health ministry told POLITICO in a written response. Germany is
backing sector-specific cybersecurity standards and also requires hospitals to
invest at least 15 percent of cybersecurity funding received through a program
on future-proofing hospitals under its recovery and resilience plan.
Europe’s Health Commissioner Olivér Várhelyi has also made it clear that
investment must come from national governments. “If you go to a hospital, you
always see a guard in the door. There is money for that, so there should be
money for protecting the data as well,” he said in January.
But with the health sector often suffering from underinvestment, how much
governments can spend on cybersecurity “is a question,” Magalini said. “There
are so many other (health care) problems which are not cybersecurity … so I
don’t know how they can make the investments.”
The cost of inaction can be hundreds of millions of euros, as it was with an
attack on Ireland’s Health Service Executive in May 2021 that shut down IT
systems of the country’s publicly funded health care system. The attack’s cost
was estimated to be at least €101 million, with a further €657 million to be spent
safeguarding against future attacks.
“Why did it cost so much? Not because of the damage but [because] then someone
intelligent thought, ‘no, we have to rebuild the system in a secure way,’”
Magalini said.
Ray Walley, general practitioner from Ireland, saw firsthand how the attack
severed ties with the hospital system. “We couldn’t refer stuff in. It affected
outflow from the hospital system. We weren’t getting the results of blood tests.
We weren’t getting the results of X-rays and scans,” he said.
Walley believes that “cybersecurity is just another form of health care.” “We
need to invest in this,” he said. “We need to be proactive. We need to spend the
money.”
EU’S ACTION: GOOD, BUT COULD BE BETTER
The increasing number of cyberattacks on health care systems triggered a
response from the EU this year. The European Commission unveiled in January an
“action plan” on cybersecurity for hospitals and the health care sector.
The plan proposes setting up a European Cybersecurity Support Center for the
health care sector within ENISA and a specific rapid response service. The plan
also introduces “cybersecurity vouchers,” which will enable EU countries to
provide financial support to smaller health care providers for enhancing their
cyber resilience.
“It’s good,” said Markus Kalliola, Sitra’s program director. But it “could be
stronger.”
He is one of the authors of the Commission’s evaluation report by Sitra, which
points to murky EU governance, a lack of clear targets or budgets and a missed
opportunity to build a functioning single market for cybersecurity solutions.
Sitra calls for going beyond the EU’s plan by considering cybersecurity as a
matter of national security; setting up mandatory cybersecurity readiness for
health care organizations; incorporating cybersecurity skills into health
professionals’ basic training; and organizing more pan-European cybersecurity
exercises.
With the changing geopolitical situation, “it’s also a matter of national
security,” Kalliola said. “EU member states should focus on … what is the
national strategy in securing these critical health care services,” he added.
Whether or not Europe’s security will feature in the Commission’s final hospital
cybersecurity plan remains to be seen; the EU executive has just concluded a
consultation and promised to put forward a refined plan by the end of the year.
Other pieces of EU legislation — including the NIS2 Directive, Cyber Resilience
Act, AI Act and medical devices rules — also raise the bar for cybersecurity
across different sectors, including health care.
However, “despite advancements in regulatory efforts and technical solutions,
implementation remains inconsistent. There is no time to lose in turning
regulations into reality,” Kalliola said.