NEN 7510 Certification
Noordbeek Certification has been conducting NEN 7510 audits for years as a certification body accredited by the Dutch Council for Accreditation. A NEN 7510 certification process with us means an audit by an accredited institution, not by an intermediary. What does that mean in practice? Our certificate is recognised by hospitals, mental healthcare institutions, health insurers and everyone who requires proof during tendering procedures.
Call us for no-obligation information or request a quote
This is not going away
NEN 7510 has been legally required for healthcare providers since 2008 through the Wabvpz, and since 2023 all hospitals must demonstrably comply with the standard. Healthcare institutions, hospitals and health insurers increasingly require a NEN 7510 certificate as proof during tender procedures. No certificate? Then you often do not make it past the first selection round.
There is more. In December 2024, NEN 7510-1:2024 was published. This is the latest version of the standard, which aligns more closely with ISO 27001:2022. Do you still hold a certificate based on the 2017 version? Then you have until 20 February 2027 to make the transition. That sounds like plenty of time. It is not.
And then there is NIS2. This European directive is being transposed into Dutch law through the Cybersecurity Act and affects a large part of the healthcare sector. NEN 7510:2024 is structurally aligned with the NIS2 requirements. Annex E of the standard contains a mapping table. Organisations working according to NEN 7510 already meet a significant portion of what NIS2 requires, but not everything automatically. NIS2 sets additional requirements around incident reporting (an early warning to the authorities within 24 hours of becoming aware of a significant incident, followed by a fuller notification within 72 hours), board-level accountability and supply chain responsibility.
Does this sound familiar?
A client calls. A tender is on the table. They require NEN 7510. Deadline: six weeks. At that point you are already too late.
You already have ISO 27001. But the healthcare institution specifically wants NEN 7510. What exactly is the difference? And do you have to start all over again?
You supply EPD software. You process healthcare data every day. You know certification is coming, but where do you begin?
We answer those questions directly. No vague stories. Just honest answers.
What is NEN 7510?
NEN 7510 is the Dutch standard for information security in healthcare, based on ISO 27001 and supplemented with healthcare-specific requirements.
In practice: it is ISO 27001, but specifically tailored to the healthcare sector, and supplemented with requirements that follow from Dutch and European legislation, including the Wabvpz and the GDPR.
The standard consists of two parts. NEN 7510-1:2024 describes the requirements for your information security management system, also known as an ISMS. NEN 7510-2:2024 contains the specific security measures that go with it. Together they form the framework through which you demonstrably get information security in healthcare in order.
Concretely this means: additional requirements around logging of access to patient data in line with NEN 7513, access management for electronic patient records and chain agreements with suppliers. Things that are not covered, or are handled differently, in ISO 27001.
Already have ISO 27001? Then the step towards NEN 7510 is smaller than you think. We handle that through a combined audit process. That saves you time and costs.
Who is it for?
Not just large hospitals. The standard applies to every organisation that processes, stores or manages patient data. Think of:
General practices and health centres
Mental healthcare institutions
Nursing homes and home care organisations
Suppliers of EPD systems and healthcare apps
Hosting providers with healthcare data
Medical laboratories
Administrative service providers in healthcare
Not sure whether your organisation falls under the standard? Just ask. We will check it with you free of charge.
What does it get you?
Access to tenders is the most direct benefit. But there is more.
A large part of what the GDPR requires from you is already covered by NEN 7510. Two birds with one stone. A working ISMS according to NEN 7510 requires you to systematically map risks, take measures and periodically test them. That reduces the chance of data breaches and incidents, limits recovery costs and downtime, and cyber insurers often reward demonstrable security with better conditions.
The certificate gives patients, clients and chain partners confidence. Not because you say so, but because an independent party has verified it.
How does it work?
We work in five steps. No surprises. No unexpected invoices afterwards.
Step 1 - Intake A free, no-obligation conversation of one hour. We look at your organisation together: your scope and your current situation. You receive a tailored quote afterwards. No standard price, because that does not exist.
Step 2 - Document review An auditor reviews your policies, procedures, risk analysis and your statement of applicability. You receive a report detailing what still needs to be adjusted before the on-site audit.
Step 3 - On-site audit The auditor visits your organisation, interviews your people and reviews your systems. The question is always the same: does what is written on paper match what actually happens in practice?
Step 4 - Certification committee Three senior auditors review the file independently of one another. No single person ever decides alone. That is what keeps the value of our certificate high.
Step 5 - The certificate Valid for three years. Followed by recertification. In between, a lighter annual surveillance audit to check whether the ISMS is still functioning as it should.
Schedule a NEN 7510 certification intake - free and no obligation
What does it cost?
Honest answer: it depends on the size of your organisation, your scope and how far along you already are. There is no standard price. A tailored quote gives you a clear picture of what the audit and the full process will cost in your specific situation.
Want a concrete figure for your situation? Request a quote. No sales pitch. No obligations.
Why Noordbeek?
We are not a large international firm. You will not see a different person at the table every year. No audits conducted through a foreign hub.
Our accreditation has been granted by the Dutch Council for Accreditation, known as the RvA. The RvA is a signatory of the IAF MLA and the ILAC MRA; for management system certification such as NEN 7510 it is the IAF MLA that ensures certificates issued under accreditation are recognised internationally. Our auditors genuinely know the healthcare sector. The healthcare auditor knows NEN 7510 inside and out and understands what is happening in practice at a mental healthcare institution or an EPD supplier.
You speak to a real person. No call centre, no ticket system. And before you start, you know what it costs.
Frequently asked questions
How long does a NEN 7510 process take?
If you already have a reasonable foundation in place, expect three to six months. If little is in order, preparation will take closer to six to nine months. A thorough gap analysis at the start saves a lot of time later on. We carry that out together during the intake.
Is it mandatory?
Demonstrably complying with the standard is legally required under the Wabvpz. A certificate is the most common way to prove that. In practice, hospitals, mental healthcare institutions and health insurers actively request it from suppliers. Without a certificate you miss out on contracts.
Can I combine NEN 7510 with ISO 27001?
Yes, and we recommend it. We conduct the audits as a combined process. The overlap between the two standards is substantial. You do not pay for two separate processes.
What changes with NEN 7510-1:2024?
The standard now aligns more closely with ISO 27001:2022. There is greater emphasis on demonstrability: you must be able to show that your ISMS is current and actually working. NCS 7510:2025 has also been published, which is the certification scheme that certification bodies must comply with. The transition deadline for organisations is 20 February 2027.
Can I switch from another certification body?
You do not go back to square one. You keep your certificate and your audit cycle. From that point forward, the certificate simply carries our name and accreditation.
What if we do not pass the first audit?
You receive a list of the points that do not comply. You are given time to resolve them. After that, a follow-up check takes place on exactly those points. You only pay for the additional hours required.
Ready for the first step?
The intake is free and comes with no obligations. No sales pitch. Just an honest hour about where you stand and what it takes to get certified.