ctipilot.ch


Healthcare

From CTI Weekly Summary — 2026-W20 (May 11 – May 17, 2026) · published 2026-05-17

Two distinct healthcare-sector signals this week. The Dutch IGJ ruling on Clinical Diagnostics / NMDL (2026-05-14) formally found the laboratory provider non-conformant with NEN 7510 (the Dutch information-security-management standard for healthcare) at the time of the July 2025 ransomware breach; the daily 2026-05-14 (citing Computable) records approximately 941,000 patients affected, including cervical-cancer screening records. This is the first IGJ NEN 7510 non-conformity finding against a third-party diagnostics provider, and it sets a regulatory precedent that maps directly onto NIS2 essential-entity supplier-due-diligence obligations. Dutch hospitals using the same supplier face open questions about whether their own NIS2 essential-entity status now creates downstream cyber-due-diligence liability for the supplier's controls (IGJ inspection report; Computable; daily 2026-05-14).

West Pharmaceutical Services SEC Form 8-K Item 1.05 (2026-05-12 [SINGLE-SOURCE-OTHER]): data exfiltrated, systems encrypted, global operations partially restarted. This is a pharmaceutical-manufacturing-sector incident with potential EU drug-supply-chain implications. The pattern across the two incidents is that healthcare-adjacent third-party suppliers (diagnostic labs, pharmaceutical-component manufacturers) are operationally critical to NIS2-scope hospital and public-health-service consumers but typically sit one tier away from the regulator's direct view; the IGJ-NMDL ruling provides the legal template for closing that gap (daily 2026-05-12).