The European Committee of the Regions’ Interregional Group on Health and Well-being (IRGHW) convened on 14 May 2025 to address one of the most urgent and cross-cutting challenges facing public health today: cybersecurity in healthcare. Organised with the support of EUREGHA, the meeting offered a timely space to reflect on the implications of the European Commission’s Action Plan on Cybersecurity in Health, launched earlier this year.

The EU Perspective: A Call to Action

In his intervention, Juuso Järviniemi, Policy Officer at DG CNECT, outlined the rationale and ambitions behind the Action Plan. With the health sector experiencing a surge in cyber incidents, from ransomware attacks to data breaches, protecting digital health infrastructure has become a political and public health priority.

The Action Plan covers the entire cybersecurity cycle—from prevention to deterrence—while focusing on tools, coordination mechanisms, and support tailored to the needs of healthcare providers. Importantly, the plan also mentions regional implementation, with European Structural and Investment Funds (ESIF) playing a key role in supporting cybersecurity investments in hospitals and local systems.

Mr. Järviniemi also invited regional actors to contribute to the public consultation (open until 30 June) and to apply for the newly created Health Cybersecurity Advisory Board (deadline: 23 May). These mechanisms aim to gather on-the-ground expertise and ensure that national and regional actors can shape how the Action Plan is implemented.

The Regional Reality: Best practises from Scotland

Lisa Hill, Head of Cybersecurity Strategy at the Scottish Government, presented Scotland’s approach to digital cyber-resilience in healthcare. With over 20 health boards, 15,000 locations, and millions of daily data transactions, Scotland has invested heavily in cybersecurity audits and capacity-building initiatives.

One of the standout initiatives is the Cyber Centre of Excellence in Dundee—a collaboration with universities aimed at creating a skills pipeline for future cybersecurity professionals in health. This complements the Scottish Cyber Coordination Centre, which centralises functions such as threat intelligence, vulnerability management, and incident response.

Scotland’s model illustrates how multi-level governance, dedicated infrastructure, and skills development can come together to build a more cyber-resilient health system.

A Wider Conversation: Skills, Funding, and Digital Readiness

The meeting also served as a platform for broader discussion among CoR members, stakeholders, and EUREGHA representatives. Several important takeaways emerged:

• Skills development is essential—not only for cybersecurity professionals, but also for frontline healthcare workers. Participants called for the upskilling of the health workforce to navigate digital systems safely and confidently.

• The lack of dedicated funding at the national level for cybersecurity in health was noted as a barrier. The European Commission encouraged regions to explore Digital Europe and Cohesion Policy funding opportunities.

• As cyber threats evolve, so must the collaborative frameworks to address them. Many stressed the need for cross-border coordination, common standards, and a platform for sharing best practices across the EU.

Open Discussion

The discussion also emphasised the need for better access to funding, interregional cooperation, and inclusive governance. Several contributions underlined the importance of equipping the healthcare workforce with essential digital skills, especially to support older professionals during the ongoing digital transition in healthcare. 

The IRGHW will continue to follow this file closely, supporting the involvement of regional and local health authorities in shaping and implementing EU-level digital health and cybersecurity initiatives. EUREGHA remains committed to fostering collaboration and ensuring that regions are equipped to meet the challenges of tomorrow’s health threats, digital and beyond.