Regulatory synergy in healthcare: Exploring the intersection of NIS 2 and GDPR compliance
2025 (English). Independent thesis, advanced level (degree of Master (Two Years)), 20 credits / 30 HE credits
Student thesis
Abstract [en]
This qualitative study explores how healthcare organizations navigate the dual regulatory demands of the General Data Protection Regulation (GDPR) and the NIS 2 Directive, focusing on the practical challenges and strategies for achieving compliance in a highly digitalized and sensitive environment. Through ten semi-structured interviews with professionals from five healthcare institutions in Greece and Germany, including DPOs, CISOs, legal advisors, and managers, this study offers insights into how organizations experience and operationalize these overlapping regulatory frameworks.
Using thematic analysis, six key themes emerged: awareness and understanding of GDPR and NIS 2, implementation practices, challenges and ambiguities, organizational culture and communication, staff engagement, and participants’ further reflections. The findings reveal varying levels of regulatory familiarity, with GDPR more embedded in practice than the newer and more technical NIS 2. Compliance efforts are shaped by organizational size, resources, internal structures, and cultural attitudes. Legal-technical overlaps, resource limitations, and communication gaps present ongoing barriers. However, strong leadership, context-sensitive training, and cross-functional collaboration were identified as key enablers of effective compliance.
The study concludes that an integrated and context-aware approach, balancing legal requirements, technological safeguards, and staff engagement, is vital for healthcare organizations. By highlighting real-world implementation dynamics, this research provides practical insights for regulators, policymakers, and healthcare professionals seeking to reconcile cybersecurity resilience with data protection imperatives in healthcare. Future research should build on these findings by incorporating broader participant groups, exploring in more depth the role of emerging technologies such as AI and the Internet of Medical Things (IoMT) in regulatory compliance, and conducting longitudinal or cross-national studies to assess how healthcare organizations adapt to the evolving demands of GDPR and NIS 2.
Place, publisher, year, edition, pages
2025, p. ii, 94
Keywords [en]
GDPR, NIS 2 Directive, Regulatory compliance in healthcare, Cyber-security, Data privacy, Information security
National Category
Information Systems, Social aspects; Law; Health Care Service and Management, Health Policy and Services and Health Economy
Identifiers
URN: urn:nbn:se:his:diva-25504
OAI: oai:DiVA.org:his-25504
DiVA, id: diva2:1984097
Subject / course
Information Technology (Informationsteknologi)
Educational program
Privacy, Information and Cyber Security - Master's Programme 120 ECTS
Available from: 2025-07-14 Created: 2025-07-14 Last updated: 2025-09-29 Bibliographically approved