Image by NASA

NIS 2 and the Pharmaceutical Industry: The urgency of Cybersecurity in the sector

  • Writer: Nana Guerreiro
  • May 6
  • 2 min read


Cybersecurity is a key concern for all industries today, and the pharmaceutical sector is no exception. With the implementation of the European Union’s NIS 2 Directive, the requirement to strengthen the security of critical infrastructures has increased substantially. Failure to comply with the new rules can have severe consequences for companies in the sector, ranging from high fines to direct impacts on business continuity.

The NIS 2 (Network and Information Security) Directive is an evolution of the original NIS, expanding the list of sectors covered and imposing stricter security measures. Among the sectors now included as critical infrastructure is the pharmaceutical industry, which plays a vital role in public health and the global economy.

NIS 2 requirements include:
  • Mandatory cybersecurity risk management measures;
  • Continuous monitoring and immediate reporting of incidents;
  • Accountability of top management;
  • Strengthening security in the supply chain;
  • Regular audits to ensure compliance.

The Impact on the Pharmaceutical Industry
The pharmaceutical industry is worth billions of euros annually and handles highly sensitive data, from personal patient information to the intellectual property of new medicines. Companies that fail to invest in a robust cybersecurity strategy could face devastating consequences.

Cyberattacks on the pharmaceutical industry have been on the rise, with recent examples including ransomware, data theft and industrial espionage. The 2020 attack on the European Medicines Agency (EMA) highlighted the sector's vulnerabilities, with documents on COVID-19 vaccines being compromised.

Other significant attacks include:
  • The Industrial Spy ransomware attack on Novartis in 2022;
  • The NotPetya attack in 2017, which impacted Merck & Co. and caused global losses exceeding $10 billion;
  • Cyber espionage on pharmaceutical companies during the COVID-19 pandemic, affecting major industry players.


The Consequences of Non-Compliance
Non-compliance with NIS 2 will not be taken lightly. Penalties may include:
  • Heavy fines: amounts that can reach 10 million euros or 2% of the company's global turnover;
  • Management accountability: managers can be held personally liable for cybersecurity failures;
  • Suspension of activities: in extreme cases, regulatory authorities may require the suspension of operations until the requirements are met;
  • Irreparable reputational damage: consumer, investor and regulatory confidence can be severely damaged.

How should companies prepare?
To mitigate risks and ensure compliance with NIS 2, pharmaceutical companies should adopt a strategic cybersecurity plan that includes:

  • Risk assessment and implementation of protective measures;
  • Continuous monitoring and rapid incident response;
  • Employee training and awareness raising;
  • Supply chain security management;
  • Regular vulnerability testing and internal audits.


NIS 2 is not just a new regulatory requirement – it is a wake-up call to the importance of cybersecurity in the pharmaceutical industry. Failure to comply can result in severe financial impacts, loss of credibility and even operational downtime. Companies must act now to ensure they are prepared to meet the new requirements and protect their critical assets from increasingly sophisticated threats.

Security cannot be an afterthought – it is a strategic imperative for the future of the pharmaceutical industry.

Is your company ready for NIS 2?
Take our quick NIS 2 Readiness Test and find out how prepared your organization really is.
© Copyright Linkcom 2000-2025