
Healthcare

Compliance requirements for the healthcare sector.


Sector Profile

Attribute | Value
--- | ---
AI Act impact | CRITICAL (High-Risk)
NIS2 category | Essential (Annex I — Health)
GDPR impact | CRITICAL (Special category data)
Other regulations | Health Services Act, MDR

AI Act for Healthcare

High-Risk AI Systems (Annex III)

System | Classification | Obligations
--- | --- | ---
Diagnostic AI | HIGH-RISK | Full obligations, CE marking
AI for patient triage | HIGH-RISK | DPIA, human oversight
Predictive analytics (prognosis) | HIGH-RISK | Testing, documentation
AI assistant for physicians | MEDIUM | Transparency
Administrative AI | LOW | Minimal

High-Risk AI in Healthcare — Requirements


NIS2 for Healthcare

Scope

  • Essential entity (Annex I, sector 5 — Health)
  • Hospitals, laboratories, health insurers
  • Medical device manufacturers (if >250 employees)

Specific Requirements

Area | Requirement | Priority
--- | --- | ---
System availability | RTO <4h for critical systems | Critical
Patient data protection | Encryption + access control | Critical
Network segmentation | Medical devices isolated | Critical
Incident response | 24h notification to national CSIRT | Critical
Supply chain | Audit medical device vendors | High
Business continuity | Paper backup procedures | High

Medical Device Cybersecurity


GDPR for Healthcare

Special Category Data (Art. 9)

Health data is special category data, so stricter rules apply.

Legal basis | When to use
--- | ---
Explicit consent | Research, secondary use
Necessary for healthcare | Primary care, diagnostics
Public interest in health | Epidemiology, public health
Legal obligation | Reporting of infectious diseases

Specific GDPR Requirements

Area | Requirement | Status
--- | --- | ---
Retention | Medical records min. 10 years | Legal obligation
Access control | Role-based, need-to-know | Required
Audit trail | Who accessed a patient record | Required
Patient portal | DSAR self-service recommended | Recommended
Cross-border | SCCs for transfer outside EU | If applicable

DSAR in Healthcare


Checklist for Healthcare

Immediate (Weeks 1-2)

  • Inventory of AI systems in clinical use
  • Audit of connected medical devices
  • GDPR data mapping for patient data

Short-term (Months 1-3)

  • High-risk AI classification
  • NIS2 scope confirmation
  • Incident response plan for health data breach

Medium-term (Months 3-6)

  • DPIA for diagnostic AI
  • Medical device network segmentation
  • Staff training (GDPR + AI)

Long-term (Months 6-12)

  • ISO 27001 certification
  • AI Act full compliance
  • NIS2 full implementation

Typical Costs

Item | Estimate
--- | ---
ISMS + ISO 27001 | EUR 50-80k
Medical device security audit | EUR 20-40k
AI compliance (per system) | EUR 15-30k
GDPR health data audit | EUR 15-25k
Staff training | EUR 10-20k
Total Y1 | EUR 110-195k

Resources