We work in healthcare, how heavy is NEN 7510 in practice?
NEN 7510 is the Dutch information-security standard for healthcare. It follows the ISO 27001 structure and adds care-specific measures around access, traceability and patient safety.
Try this first
1. Decide whether you are a care provider under the Wkkgz or Wabvpz, or a supplier to one. Care institutions usually must apply NEN 7510; suppliers are bound to it by contract.
2. Start with a gap analysis against NEN 7510-1 and NEN 7510-2. Most SMB care providers fall short on patient-record logging and formal access reviews.
3. Restrict access to patient data to need-to-know, with logging that is traceable to the individual employee. Generic accounts and shared passwords are audit findings.
4. Get data processing agreements (DPAs) in place with your EHR vendor, hosting provider and any external ICT administrator. They process special-category data.
5. Plan an internal audit and, where chain partners ask for it, external certification. Care institutions vary in what they want to see; ask the customer.
When to bring us in
Connections via VECOZO, LSP or regional infrastructures often add chain-level requirements. Align with the connecting party before you build.
See also
- Does NIS2 apply to my company? Two questions decide it: are you in a listed sector, and do you meet the threshold from Recommendation 2003/361/EC (more than 50 FTE and more than EUR 10M turnover or balance sheet)? Below that you are only indirectly in scope, via your customers. The threshold determines whether you are an important or essential entity, depending on sector.
- What changes with the Dutch Cyber Security Act? The Cyberbeveiligingswet is the Dutch implementation of NIS2. Track the NCSC for the exact effective date and the lower regulations.
- Am I personally liable as a director under NIS2? Yes. The board is accountable for approving and overseeing the cyber measures. Severe negligence can become personal liability.
None of the above fits?
Describe your situation below. We pass your input plus the steps you already saw to our AI and return tailored next-step advice. If it's too risky to DIY, we'll say so.
Or skip the DIY entirely
Our Managed IT clients do not look these things up. One point of contact, a fixed monthly price, resolved within working hours.