Oct 21, 2022

Healthcare Regulations in Germany: What to Expect

Many German healthcare institutions and organizations are about to implement numerous tough regulations and standards to protect the critical infrastructure from the malicious security threats. Learn about the BSI Act, PDSG, SGB V, and many others to know what the healthcare sector should expect in 2022.

The healthcare sector in Germany has been facing regulatory strengthening since the pandemic, and authorities are pushing to ensure that all assets are maximum secured. Critical infrastructures are susceptible to malicious cyberattacks that pose absolute security and data protection threats. The European Union continues to harden multiple regulations, policies, and standards that companies and institutions are obliged to implement and follow. 

Which Healthcare Facilities are Considered Critical Infrastructures?

By the end of 2021, all hospitals in Germany were obliged to upgrade their IT security to meet the requirements of the BSI and the authorities. 

The healthcare sector in Germany provides four critical medical care services to the general public: 

  • Inpatient medical care: admission, diagnosis, therapy, accommodation in hospitals
  • Supply of life-sustaining medical devices: production, and distribution
  • Supply of medicines and blood/plasma: production, distribution, and distribution of prescription medicines, blood and plasma concentrates
  • Laboratory diagnostics: transport and analysis in laboratories

If operators provide these critical services in their facilities and exceed the threshold of approximately 500 thousand supplied persons, they become KRITIS operators.

What is B3S Standard in Healthcare?

With the onset of the coronavirus pandemic, hospitals have seen quite a few cyberattacks across Europe. Being one of the vital KRITIS sectors, a disruption in healthcare caused by any cyber threat can seriously endanger human lives and jeopardize society. That’s why by the end of 2021, each hospital and health facility in Germany if they treat more than 30,000 cases per year, were required to update their IT security. 

To successfully meet this objective, in 2019, the Federal Office for Information Security BSI recognized the new industry-specific standard — B3S, the methodology by which healthcare facilities must improve their information technology to strengthen security.  

The B3S includes 168 standards that must be implemented, and every two years, hospitals have to prove to the BSI that they have taken all the necessary measures to strengthen their IT security.

Other Regulatory Changes for Critical Infrastructures: Healthcare  

Here are the main regulations that the healthcare industry in Germany must comply with. 


The BSI Act has become a must for a broader range of healthcare institutions. According to it, large hospitals with 30,000+ full inpatient cases per year are obliged to implement corresponding legal requirements, such as industry-specific security standards (B3S). These hospitals also must provide the Federal Office for Information Security (BSI) with evidence of the prescribed security level.


After the Patient Data Protection Act or PDSG came into force in Germany in October 2020, it introduced several innovative digital applications and requirements for protecting patient information stored in an electronic format.


According to §75c of the Social Code (SGB V), information security in hospitals is now newly regulated. The BSI law and the sector-specific security standards are established as the standard for all hospitals in Germany. It is mandatory for all clinics, regardless of their size, to implement appropriate state-of-the-art IT security measures starting from the 1st of January, 2022. All hospitals are affected by the regulation unless they already have the status of KRITIS operator with over 30 thousand cases per year.

To ensure full compliance with the data protection laws and regulations, beginning from the 1st of January, 2022, all hospitals must implement appropriate organizational and technical measures to enhance IT security and processes relevant to hospital and patient information from being compromised.

The affected IT must be adapted to the standards every two years. Hospitals can fall back on a B3S industry standard approved by the BSI. As for small hospitals, starting from January 2022, they must introduce the electronic patient record (ePA), digital referrals, e-prescriptions, etc. All of this poses challenges, above all, to the storage and management of patient’s personal data, which is often the very target of cyberattacks. Hospitals are under an obligation to provide the appropriate systems for data processing on the one hand, and to precisely implement data protection guidelines on the other.

IT Security Act 2.0

Following the changes in the IT Security Act 2.0, KRITIS Regulation 2021 has now two changes related to the investments and new thresholds values in the sector:

Supply of medicines: The system collection and further processing of blood donations is replaced by blood or plasma donation control, and the threshold remains.

Laboratories: The new plant Laboratory Information Association replaces the transport system and communication system for orders and findings — the network controls sample transport, communication, and the laboratory information system (LIS) with IT services.

What to Expect for Critical Infrastructures in Other Sectors?

In April 2021, the Bundestag passed the IT Security Act 2.0 (also known as IT-SIG 2.0), which went into effect in May 2021. The Act introduces the new CI sector — municipal waste management, responsible for collecting, disposal, and recycling of hazardous materials, chemicals, arms, etc.

It also adds 270 more critical operators to the 1600 existing ones, specifically in healthcare, transport, IT, telecom, and finance. 

What’s more, IT-SIG 2.0 places a number of new responsibilities on critical infrastructures. They must:

  • follow security requirements for critical components;
  • follow information obligations and reporting requirements with regard to the BSI;
  • comply with minimum security standards for CI; 
  • adhere to new rules such as cyber-attacks detection with mandatory systems and processes for attack identification and report incidents to BSI;
  • identify critical components in critical infrastructures, 
  • immediate registration is required at BSI as an operator.

In addition, the EU NIS2 and EU RCE directives will substitute the EU NIS and ECI.


EU RCE is the directive on the resilience of critical entities, meaning that organizations providing critical services in the European Union will be regulated for resilience and risk and supervised by national governance. 

10 critical sectors included in the directive and operators are identified by the national government’s entities and reported to the European Union. 

What’s more, EU RCE states a few measures that must be taken for critical services such as prevention, physical security, crisis management, BCM and suppliers, personnel security, and awareness.

In addition, operators must provide incident reporting and implement risk analysis, and planning.


EU NIS2 is the directive on a high level of cybersecurity in the EU. It means that organizations that provide critical services in the Union will be governed for cybersecurity and supervised.

The detective now comprises 10 essential, and 6 important sectors, and operators are medium and large enterprises. The measures that these operators must take for network and IT systems include policies, incident management,  BCM and crisis management, supply chain security, test and audit, and cryptography.

How Critical Infrastructures in Germany Can Address the Regulatory Challenges

Implementation of multiple standards is a cumbersome, challenging, and time-consuming process. Having a Governance, Risk, and Compliance solution at hand is a real game-changer for critical infrastructures. Compliance software will help CIs to manage their operations processes and comply with multiple standards, laws, and regulations. 

Compliance Aspekte is a GRC tool that was specifically created to meet the needs and objectives of Critical Infrastructure operators. The solution is an all-in-one platform that was created to support integration with any regulatory or custom standard, policy, procedure, or process.

Compliance Aspekte already has in-build standards, including BS3, BSI IT-Grundschutz, GDPR, and many others. It is also possible for Critical Infrastructures operators to add custom standards and regulations upon request to be able to manage multiple standards in one place.  

Try Compliance Aspekte For Free

Book a 1-2-1 Live Demo and Obtain a 3-months Non-binding Trial

    What Standards are you interested in?

    I have read the privacy policy and agree.