NEN 7510 β information security in healthcare
NEN 7510 is the Dutch information security standard specifically for the healthcare sector. Itβs based on ISO 27001, supplemented with requirements specific to handling medical and personal health data. The current version is NEN 7510:2024; organisations must transition to this version by 20 February 2027 at the latest (including re-certification where applicable). IT-Checklist explains the basics here.
π‘οΈ NEN 7510 and NIS2 overlap
Healthcare also falls under the Cybersecurity Act (NIS2). If you already work according to NEN 7510, youβll already have much of the risk management NIS2 requires in place.
Who does NEN 7510 apply to?
The standard applies to any organisation processing personal health information: GP practices, mental health and public health institutions, hospitals, physiotherapy practices, healthcare IT suppliers and other chain partners. Even as a small healthcare practice or sole trader, you may encounter it as soon as you work with a health insurer or hospital.
Practical first steps
- Map out which patient data you process and where.
- Do a risk analysis: what could go wrong, and whatβs the impact?
- Draft an information security policy and assign responsibilities.
- Arrange baseline measures: access control, backups, updates and an incident procedure.
Start with our free IT check to see which baseline measures you already have in place.
Is NEN 7510 certification mandatory?
Healthcare providers that electronically exchange personal health data are legally required to demonstrably comply with NEN 7510 (set out in the Dutch Wabvpz/Wegiz data-exchange laws and the Healthcare Quality, Complaints and Disputes Act). A formal certificate isn't always a strict legal requirement, but health insurers and chain partners increasingly demand it as a condition for contracts.
What does NEN 7510 certification cost for a GP or physiotherapy practice?
For a small healthcare practice (GP, physiotherapist, mental health practice), costs are typically around β¬5,000ββ¬8,000 in the first year (guidance plus the certification audit), then around β¬2,000ββ¬3,000 per year for the annual surveillance audit. Larger healthcare institutions invest considerably more. Start with a baseline assessment for a realistic estimate for your practice.
How long does a NEN 7510 certification process take?
For a small practice, the process usually takes two to six months, from the initial risk analysis to the certification audit. Larger healthcare organisations with multiple locations or systems may take longer.
How does NEN 7510 relate to the GDPR?
The GDPR (privacy legislation) sets general requirements for handling personal data, while NEN 7510 describes a concrete management system to demonstrably get information security in healthcare in order. Complying with NEN 7510 therefore also helps you meet key GDPR obligations (such as 'appropriate technical and organisational measures'), but it doesn't replace the GDPR.