Health software publishers: reinforced security and new obligations!

The health sector is one of the priority targets of cybercrime. The sensitivity of the data processed, the multiplicity of digital actors involved and an underinvestment in cybersecurity make it a structurally vulnerable field.

‍

The CNIL had also heavily sanctioned a software publisher in the health sector at the end of 2025 in the amount of 1.7 million euros (read our review).

‍

The numbers speak for themselves: during the RGPD “Health Data and Research” day which took place in Paris on 26 March, the CNIL specified that it recorded more than 6,000 notifications of data breaches in 2025, 8% of which were in the health sector — and in the last few months of 2025 alone, this percentage increased to 53% for the health sector. So the threat is massive and concentrated!

‍

Faced with this observation, legislators and regulators have accelerated the construction of a strengthened regulatory framework. We will examine recent incidents to measure the extent of the threat (1) in order to understand the continuing desire of French and European legislators to reinforce security obligations in this sector (2). We have also prepared a checklist of the obligations incumbent on health software publishers.

‍

I. Overview of the latest health data breaches in France: all actors are concerned

‍

November 2024 : the Mediboard hospital software was compromised, resulting in the sale of the data of 750,000 patients located in France — identity, prescriptions, attending physician, mutual history — on BreachForums, the forum on cybercrime. According to the software publisher, the origin of the violation is an account usurpation with one of its customers (L'Usine Digitale, November 20, 2024, A health institution victim of a data leak, 750,000 French files stolen, Y. BOURGIN).

‍

August 2025 : the Inovie Labosudn laboratory group detects an intrusion carried out via the compromised identifiers of an external service provider. Result: 3.2 million patients exposed — administrative data, contact details, social and mutual security information, but also medical data relating to the analyses carried out (L'Usine Digitale, September 26, 2025, Medical data exposed after a security incident at Inovie Labosud, A. VITARD).

‍

September 2025 : the GIP Inéa Santé Numérique Hauts-de-France — a public administration — reports a cyberattack targeting the identity data of patients in public hospitals. Fortunately, no medical records were compromised, but the incident reminds us that public authorities are also concerned by these threats (ARS Hauts-de-France, October 8, 2025, Cyberattack against the identity data of patients in public hospitals in the region).

‍

October 2025 : the patient management software - MonLogicielMedical by Cegedim Santé - is undergoing a cyberattack involving up to 15 million patients in France. It is the largest health data leak ever occurred in France (Digital century, March 2, 2026, Massive cyberattack against medical software: up to 15 million French people concerned, F. OLIVIERI).

November 2025 : the first SaaS medical software intended for liberals in France — published by Weda — has suffered a cyberattack depriving 23,000 health professionals of access to the tool for several days, with a risk of exfiltration of patient data (Le Monde, November 18, 2025, A cyberattack against Weda, software used by thousands of doctors, causes system paralysis and data leaks, MR. SZADKOWSKI).

‍

End of November 2025 : the MédecinDirect teleconsultation platform is the victim of an intrusion that has led to the compromise of the data of 320,000 patients — reasons for consultation, exchanges with doctors and social security numbers (L'Usine Digitale, December 8, 2025, Cyberattack: The MédecinDirect teleconsultation platform victim of a data leak, 285,000 people affected, THE STAINED GLASS).

‍

These incidents have one thing in common: in each case, a digital service provider — software publisher, host, outsourcer, subcontractor — is at the heart of the violation, whether it was directly responsible or whether it did not react quickly enough.

‍

The usual reflex of passing responsibility back and forth between publisher and client has become a dead end. Each incident, regardless of the immediate cause, must question the entire chain of actors: how could it have been avoided?

‍

We propose to draw up an overview of legislative and regulatory provisions and recommendations applicable to health software publishers.

‍

II. The framework applicable to health software publishers: obligations and new requirements

‍

The last two years and the beginning of 2026 mark a significant densification of the normative framework applicable to providers in digital health. Below we distinguish between binding texts and soft law, in chronological order.

2.1. Binding texts

‍

NIS 2 guideline: Adopted in 2022, the NIS 2 directive (Directive No. 2022/2555 of the European Parliament and of the Council of 14 December 2022 concerning measures to ensure a high common level of cybersecurity across the Union) significantly extends the scope of NIS 1 and introduces substantial obligations for the health sector.

‍

From now on, healthcare institutions, laboratories, medical device manufacturers and some digital providers are now qualified of essential or important entities. This qualification requires reinforced obligations, which impact providers and more specifically health software publishers offering their services to these actors.

‍

Two major security contributions of NIS 2 deserve to be highlighted:

the obligations to report incidents are strengthened: initial alert within 24 hours, full notification within 72 hours.

the security of the subcontracting chain is becoming a formal obligation: service providers and suppliers must be evaluated and their services contractually supervised.

‍

Sanctions can reach up to 10 million euros or 2% of global turnover.

‍

The transposition of the NIS 2 directive into French law is in progress: the “Resilience” bill is currently before the National Assembly.

‍

To note: ANSSI launches the “RECYF” reference system to help organizations prepare for the requirements of the NIS 2 directive. This tool offers best practices for strengthening cybersecurity, especially in terms of risk management and resilience in order to anticipate the “Resilience” law.

‍

SREN law : Adopted in 2024, the SREN law⁹ transposes into French law, in particular the European DSA and DMA regulations of 2022. The aim of this law is to restore citizens' trust in digital technology and to regulate the practices of major platforms.

‍

Specifically concerning health, digital health actors, the law added these two notable obligations:

Health data must be stored on the territory of a member state of the European Union or the European Economic Area;

Remote access to health data from third countries remains possible but must be contractually supervised and transparent to customers and persons concerned.

‍

These requirements are included in the decree of 24 March 2026 and in the new HDS V2 standard.

‍

Note: the SREN law does not prohibit the use of non-European providers for hosting health data — it adds contractual and practical conditions in such a case.

‍

Decree of 3 March 2026: This decree¹⁰ specifies the sanctions regime applicable to providers of digital health services in the event of non-compliance with national standards of interoperability, security and ethics, as well as in the absence of conformity certification when this is required for their activities.

‍

The decree entrusts the Digital Health Agency (ANS) with a central role in identifying breaches and punishing the providers concerned. The amount of the penalty can range from 1% of the turnover excluding taxes made in France and up to 1 million euros.

‍

Note: in addition to the service providers directly concerned, users may also be sanctioned for non-compliance with the standards by these service providers.

‍

Decree of 24 March 2026 : The decree¹¹ amends the Public Health Code to incorporate the requirements already included in the HDS v2 framework (see the SREN law above). It imposes on health data hosts three obligations — already included in the HDS v2 framework: to base any remote access from a third country on a solid RGPD legal basis, to explicitly mention extra-European transfers and access risks in the hosting contract, and to maintain an up-to-date map of remote data accesses.

‍

2.2. Soft Law

‍

Circular No. 6519/SG of the Prime Minister, dated 5 February 2026: The circular¹² sets the priority goals of government digital procurement. It is aimed in particular at healthcare and health institutions and ARS, excluding private actors.

‍

Among its priorities, digital sovereignty occupies a central place. The circular affirms the requirement to use SecNumCloud certified providers — and not only HDS V2- for hosting health data. The objective is to maximize” immunity to extra-European legislation with extraterritorial scope ” particularly threatened by the American Cloud Act and FISA.

‍

It should be remembered that, in the hierarchy of norms, the circular constitutes a lower-ranking administrative act, placed below laws and decrees.

‍

The Digital Health Doctrine 2026: Published on March 13, 2026 by the Digital Health Delegation (DNS), the new Digital Health Doctrine¹³ constitutes the reference framework for all actors in the health sector: health institutions, medico-social structures, health professionals, digital health companies and public institutions.

‍

It integrates recent regulatory developments, in particular requirements from NIS 2, and translates expectations in terms of interoperability, security and ethics into practical obligations.

‍

The Digital Health Doctrine devotes a sheet dedicated to security, structured around two axes: European and national SSI regulation, including PGSSI-S and HDS V2 certification as well as the security requirements applicable to major digital health programs, including the CAre program aimed at strengthening the resilience of institutions in the face of cyberattacks.

‍

CNIL — RGPD Day (March 26, Paris): Faced with the multiplication of health data breaches, the CNIL recommends that subcontractors notify it directly of personal data breaches. This approach would make it possible to centralize notifications, simplify the procedures of data controllers and improve the reliability of data relating to breaches.

‍

2.3. Coming soon

‍

In the coming months we expect:

the adoption of the “Resilience” law transposing the NIS 2 Directive and the Cyber Resilience Act into French law;

the decree implementing article 31 of the SREN law, which will specify the concrete methods of implementing the “sovereign cloud” requirement for public administrations and operators using private cloud providers.

the draft recommendation on the security of electronic patient records prepared by the CNIL following checks carried out at several health institutions — it includes 15 fact sheets, including several devoted to safety¹⁴

We have put together in a checklist the main reflexes and obligations applicable to software publishers in the health sector, according to the texts concerned:

‍

RGPD — processing of health data

Implement appropriate security measures

Audit its subsequent subcontractors and ensure their guarantees

Make notifications to the CNIL in the event of a data breach and provide information to the data controller — (for example, provide them with notification templates to the CNIL and to the persons concerned)

‍

Decree of 3 March 2026 — standards

Verify whether its activity is subject to an interoperability, security or ethical framework (to date: medical devices and teleconsultation)

Comply with the applicable standard and proactively demonstrate compliance to customers

‍

SREN law & HDS v2 repository — health data hosting

Maintain/or ensure that the subcontractor in charge of hosting health data maintains its HDS v2 certification for any health data hosting or outsourcing activity

Control your subcontracting chain and include security obligations in the contract

Ensuring transparency towards customers and persons concerned about subcontractors and data transfers outside the EEA

Update the warranty representation table published on the site

‍

NIS 2 Directive —Essential and Important Entities

If the publisher offers its services to customers qualified as EE or EI:

Implement appropriate technical and organizational measures, such as PSSI, incident management, access management

Managing and auditing the entire subcontracting chain — contracting security requirements

Respect the deadlines for reporting data breaches to ANSSI (24 hours for the alert, 72 hours for the complete notification and the final report within one month)

‍

Digital health doctrine — safety and interoperability