If you build software that touches Dutch patient data, "GDPR-compliant" isn't the whole story. In the Netherlands, healthcare information security is governed by a specific standard — NEN 7510 — that sits on top of GDPR and is, in practice, obligatory. This guide explains what NEN 7510 is, how it interacts with GDPR and the UAVG, and how to bake it into a build instead of retrofitting it under audit pressure.

Not legal advice. This is an engineering-oriented overview. Confirm your specific obligations with a qualified data-protection or NEN 7510 specialist.

What NEN 7510 is

NEN 7510 is the Dutch standard for information security in healthcare. It is closely related to ISO 27001 but tailored to the healthcare sector, setting out a framework focused on the availability, integrity, and confidentiality of health information. It comes with two companions: NEN 7512 (trust in electronic data exchange between parties) and NEN 7513 (logging access to electronic patient records).

Is it actually mandatory?

NEN 7510 is not a law by itself — but through Dutch legislation and regulatory oversight it becomes effectively mandatory for virtually every organisation that handles medical personal data. The Decree on electronic data processing by healthcare providers requires providers using a health information system and electronic exchange to follow NEN 7510, 7512 and 7513. The data-protection regulator, the Autoriteit Persoonsgegevens (AP), supervises compliance. Translation: if your software processes Dutch health data, you are expected to meet the standard.

How it fits with GDPR and the UAVG

Think of it as layers. GDPR sets the EU-wide obligation to protect personal data and imposes extra duties on special-category data like health. The UAVG is the Dutch national implementation. NEN 7510 provides the concrete, healthcare-specific control set that shows how you meet the security duty in practice. Dutch healthcare organisations must satisfy all three (GDPR, UAVG, and NEN 7510) simultaneously, under AP oversight.

What it means for how you build

NEN 7510 translates into concrete architecture decisions. At minimum, plan for:

Why suppliers should care

NEN 7510 is explicitly relevant to suppliers, not just providers. When a Dutch clinic or hospital procures software, alignment to NEN 7510 is a gating question. Building to the standard — and being able to show it — turns compliance from a cost into a competitive advantage that shortens security reviews and unlocks deals that non-compliant vendors can't reach.

Wider context: the arrival of the European Health Data Space pushes systems toward open, API-exposed architectures — which raises the security bar further. Designing to NEN 7510 now positions you well for what's coming.

Frequently asked questions

Is NEN 7510 mandatory? Not as a standalone law, but Dutch legislation and regulatory oversight make it effectively mandatory for organisations handling medical personal data.

How does it relate to GDPR? GDPR sets the duty to secure personal data; NEN 7510 is the healthcare-specific control framework that demonstrates how you meet it, alongside the national UAVG.

Does it apply to software vendors? Yes — it applies to any organisation working with healthcare information in the Netherlands, including suppliers and processors.

Neurova AI is based in Eindhoven and builds healthcare software to Dutch and EU security expectations — encryption, RBAC, access logging, and EU hosting designed in from the start. Explore our guides to SaMD under the MDR, the EU AI Act, and what custom medical software costs.