NEN 7510 for healthcare sector information security updated
The NEN 7510 standard for information security in the healthcare sector has been revised. The new NEN 7510-1:2024 was published on 16 December 2024 and replaces the previous version, NEN 7510:2017+A1:2020. The old version of the standard can still be used for certification under accreditation until 20 February 2027.
The updated NEN 7510 includes important revisions and aligns with the latest versions of ISO/IEC 27001, ISO/IEC 27002 and the international draft standard ISO/IEC DIS 27799, incorporating additional requirements specific to the healthcare sector. Furthermore, the standard addresses (new) legislation. NEN 7510 supports organizations in complying with laws such as the Dutch Wet aanvullende bepalingen verwerking persoonsgegevens in de zorg (Wabvpz, Supplementary Provisions for Processing Personal Data in Healthcare Act), the Wet elektronische gegevensuitwisseling in de zorg (Wegiz, Electronic Data Exchange in Healthcare Act) and the European NIS2 Directive, which will take effect in 2025.
What are the key changes?
One of the most significant changes is the integration of the latest ISO/IEC 27001 and ISO/IEC 27002 standards, ensuring better alignment with international frameworks. Fourteen general ISO control measures have been adapted for use within healthcare organizations, along with eight additional measures specifically targeting the healthcare sector. These updates help mitigate the ever-evolving cybersecurity risks and serve as a foundation for the requirements set by the NIS2 Directive.
How can NEN 7510 serve as a foundation for NIS2?
The Network and Information Security 2 (NIS2) Directive aims to enhance the digital resilience of organizations, including those in the healthcare sector. In the Netherlands, NIS2 will be implemented through the Cyberbeveiligingswet (Cbw, Cybersecurity Act). Compliance with NEN 7510 already partially meets the Cbw requirements, such as emergency communication, external incident reporting, management training and Zero Trust principles. Even if your organization does not fall under the Cbw’s scope, adherence to NEN 7510 remains mandatory for healthcare providers.
Do not delay implementation
Healthcare organizations are strongly advised not to postpone the implementation of NEN 7510:2024. The updated standard contains numerous improvements that better address current cybersecurity challenges in the healthcare sector. If your organization is already NEN 7510 certified, we recommend starting the transition to the new standard as soon as possible. The updated version is freely available on the NEN website. The audit duration will increase: for single NEN transition audits, an additional half-day of audit time will be required. For initial audits, the new standard will be applied directly.
Transition period
A two-year transition period applies to NEN 7510. This means that certified organizations must complete the transition to NEN 7510:2024 by 20 February 2027. Kiwa has started the accreditation process and the implementation of NCS 7510:2025 is underway. We will keep you informed about the progress and the steps you need to take.
Download the timeline NEN 7510:2024 (version 02 April 2025).
More Information
You can order the revised version of NEN 7510 via the NEN website. Would you like to learn more about the revision of NEN 7510 and its impact on your organization? Contact us, and we’ll be happy to assist you.