NIS2 important entity · from 50 employees / €10 million revenue
Cybersecurity for private clinics
Private specialist clinics have been subject to regulation since the NIS2UmsuCG — without their own 24/7 security teams or a CISO position. We provide pragmatic awareness, phishing simulation, vulnerability management, and a managed SOC — exactly at the level of depth required by NIS2 and § 391 SGB V, without enterprise overhead.
Regulatory context
NIS2 affects private clinics as an important entity — with a little less pressure, but the same substance.
Private specialist clinics generally fall into the category of important entities (§ 28 BSIG), not particularly important entities. This reduces supervisory intensity and fines, but not the substantive obligations: the ten risk management measures from § 30 BSIG and the reporting requirements under § 32 BSIG apply equally to both categories.
NIS2 · Section 30 BSIG
Risk management measures
Risk analysis, incident response, business continuity, supply chain security, security in development and maintenance including vulnerability management, effectiveness testing, cyber hygiene and training, cryptography, access control and asset management, multi-factor authentication — ten measures that NIS2 requires of every affected organization, regardless of size. When implementing them, proportionality applies: they may be scaled down, but not omitted.
Section 391 of SGB V
IT security in hospital operations
For facilities with hospital authorization under Section 108 of the German Social Code Book V (SGB V), Section 391 SGB V applies in parallel with NIS2—regardless of case volume, or whether they are an affiliated hospital or a rehabilitation clinic. The obligation: appropriate organizational and technical safeguards in line with the state of the art; the DKG’s B3S Hospitals serves as the reference. For purely outpatient practices or rehabilitation clinics without Section 108 authorization, however, Section 391 does not apply.
Legal sources: NIS2UmsuCG of 6 Dec 2025 · Sections 28, 30, 32, 38, 65 BSIG · Sections 391, 108 SGB V · B3S Hospitals (DKG) · GDPR Articles 9, 32, 33, 34, 83.
TYPICAL ATTACK SCENARIOS
The attacks that hit private clinics particularly hard.
Attackers calculate that private clinics have patients with a high ability to pay, often high-profile treatment cases, and frequently less security maturity than public hospitals. The attack patterns are correspondingly opportunistic — and the consequences can quickly become existentially threatening.
OUR SOLUTIONS
NIS2-ready without enterprise overhead.
You don’t need your own CISO or security department to meet the requirements of NIS2 and Section 391 of the German Social Code Book V (SGB V). Our four services form a lean but complete security program — each component produces evidence that can be used directly.
Continuous training
Phishing Simulation as a Service
Monthly, realistic campaigns — job applications, lab results, supplier invoices. Click rate and report rate are measured by department. Direct NIS2 evidence of compliance under Article 21(2)(g).
Employee Resilience
Security Awareness Training
Annual core course ~20 minutes, quarterly spotlights 1–2 minutes. Equally suitable for nursing, physicians, administration, and reception — without an enterprise LMS, distributable by email, with progress automatically documented.
Know the attack surface
Vulnerability Management
Continuous asset discovery, clinically prioritized remediation, passive detection of medical devices (no active scanning on IoMT). Active scans run exclusively on IT infrastructure. Focus on the truly critical vulnerabilities — no 300-page reports to sort through yourself.
24/7 Managed SOC
Incident Detection & Response
24/7 monitoring of your endpoints, firewalls, email, and Active Directory — without having to build your own SOC team. Clear escalation paths into your IT, with prepared reporting documents in accordance with Section 32 of the BSIG.
WHY ENTROPY CS
The right partner for medium-sized healthcare facilities.
Large security consultancies aren't interested in 100-person companies. Generic IT service providers are overwhelmed by healthcare regulations. We are built precisely for the gap in between.
Appropriately sized
NIS2 requires appropriate measures — not maximum ones. We size the scope, frequency, and depth of our services to your actual risk situation, not to the highest level in the industry.
One point of contact, not three tools
Awareness, phishing, VM, and SOC from a single source — with a shared report structure. No parallel contract negotiations with three vendors, no integration hassles between dashboards.
Audit-ready evidence from day 1
Every one of our services produces structured documentation—not just at the next audit, but continuously. When the BSI, auditors, or the executive board ask, the evidence package is one export click away.
The questions we regularly hear from owners, management, and IT managers of private specialty clinics.