NEN 7510: more than a box-ticking exercise

In healthcare, everything revolves around trust. Patients must be able to trust that their medical data are safe. NEN 7510 is the leading standard for information security in healthcare and provides a framework for this purpose. Yet many organisations still see NEN 7510 as little more than a compliance tick, an administrative box to be checked. With the 2024 revision, the introduction of NIS2 and the Cybersecurity Act, and stricter supervision by the Health and Youth Care Inspectorate, that approach is no longer sufficient. Having information security in order on paper is not enough; it must also be implemented in practice throughout the organisation.

In this blog, we explain why NEN 7510 is more than a checklist, what lessons can be learned from recent incidents, and how the standard can be used as a foundation for safe and reliable healthcare.

What is NEN 7510:2024?

NEN 7510 is the Dutch standard for information security in healthcare. The latest version aligns with ISO 27001:2022 and places strong emphasis on the protection of medical personal data. What makes the standard distinctive is that it is:

  • healthcare-specific: focused on risks such as interoperability, medical devices and chain cooperation;
  • embedded in legislation: explicitly included in the Act on Additional Provisions for the Processing of Personal Data in Healthcare; and
  • subject to supervision: with the Health and Youth Care Inspectorate actively and more strictly monitoring compliance.

The 2024 version introduces several new elements:

  • Greater emphasis on current threats, such as ransomware;
  • Stricter requirements for suppliers and cloud and Software-as-a-Service services;
  • Strengthened requirements around continuity and recovery; and
  • Alignment with NIS2.

Why a box-ticking approach falls short

In many organisations, NEN 7510 is still treated as an administrative obligation. But paper compliance offers no real protection. Two recent incidents illustrate this clearly.

1. NHS ransomware attack, United Kingdom (2024)

A ransomware attack on a software supplier caused emergency care systems to fail, resulting in severe delays or the inability to provide care. At least one death was linked to the outage. The lesson is clear: resilience must extend across the entire chain.

2. Clinical Diagnostics (July 2025)

An attack led to the leakage of data relating to almost 500,000 women participating in a population screening programme. The societal impact was enormous. The incident raised serious questions about technical resilience, supply chain security and, in particular, crisis communication. Here too, it became clear that compliance without proper implementation is insufficient.

A box-ticking mindset carries several risks:

  • it creates a false sense of security for boards;
  • ownership remains confined to the IT department; and
  • there is no learning capability after incidents.

From ticks to resilience

Those who use NEN 7510 as a strategic framework build resilience. The standard requires a risk-based approach, involving the following steps:

  1. Identify the risks your organisation faces.
  2. Apply measures that are genuinely relevant.
  3. Prioritise improvements based on impact and likelihood.

The focus is on continuity of care, medical devices, cooperation within chains, and the availability of records.

Behaviour and awareness

Technology alone is not enough. Many incidents arise from human behaviour: weak passwords, phishing or unsafe applications. NEN 7510 therefore requires structural attention to awareness and training, such as e-learning, crisis exercises and phishing simulations.

NEN 7510 is based on the Plan-Do-Check-Act cycle. This cycle forces organisations to continuously evaluate and adapt to new threats and technologies.

From compliance to trust

Information security is not just an IT issue. Boards must demonstrably take ownership of information security, responsibilities must be clearly allocated, and suppliers must be actively managed. In this way, NEN 7510 aligns with broader objectives around digital resilience.

The purpose of NEN 7510 is to provide healthcare organisations with a framework for information security so that medical and other personal data are processed, stored and shared securely. Patients must know that their data are safe, healthcare professionals must be able to rely on trustworthy systems, and organisations must be able to ensure continuity in the event of incidents.

Compliance is therefore not an end in itself, but a prerequisite for safe care and effective cooperation within networks.

Practical tips

A mature implementation of NEN 7510 does not have to be complex or burdensome. It starts with awareness, prioritisation and a solid first step. Some practical tips:

  1. Carry out a baseline assessment or maturity scan. For example, a maturity scan by Z-CERT can provide insight into strengths and weaknesses.
  2. Involve employees and the board: make security a recurring topic in meetings and training.
  3. Integrate processes: align NEN 7510 with existing processes, such as the Harmonisation of Quality Assessments in Healthcare.
  4. Learn from incidents: record and analyse every incident and translate lessons learned into improvement measures.

NEN 7510 is not a compliance tick, but a foundation for safe and reliable healthcare. By approaching the standard as a strategic framework rather than a checklist, you not only increase digital resilience, but also strengthen the trust of patients and professionals. That turns information security from a burden into a strategic advantage.

How we can help

NEN 7510 provides a strong basis for safe healthcare, but its implementation requires time, expertise and organisational support, which can be challenging.

We support healthcare organisations at every stage:

  • NEN 7510 maturity scans;
  • risk analyses;
  • guidance on implementing or redesigning NEN 7510;
  • training and awareness programmes for employees and boards; and
  • internal audits and support during external audits.

Would you like to know where your organisation currently stands, or are you looking for support in taking information security to the next level? Please feel free to contact us for an informal discussion. Together, we ensure that information security in healthcare becomes more than a box-ticking exercise.
