Keeping Data Private
04/17/2026

Microsoft licences for the healthcare sector: compliance, privacy, and cost savings

Healthcare institutions in the Netherlands process large amounts of sensitive patient data and therefore fall under the strictest privacy and security requirements in Dutch business. The combination of the GDPR, the NEN 7510 standard, and the upcoming Cybersecurity Act, the Dutch implementation of the EU NIS2 Directive, imposes concrete requirements on the software your organisation uses. In this article, we discuss which compliance requirements are relevant for Microsoft software in healthcare, why data sovereignty plays a role in the choice between cloud and on-premise, and how pre-owned licences help your organisation meet all requirements without exceeding the IT budget.

The regulatory landscape for IT in healthcare

Healthcare institutions must deal with three overlapping regulatory frameworks that directly affect the choice and management of Microsoft software.

| Regulation | What it requires | Impact on Microsoft software |
| --- | --- | --- |
| GDPR | Appropriate technical and organisational measures to protect personal data. Fines of up to €20 million or 4% of annual turnover. | Software must be current and secure. Processing patient data requires a data processing agreement with Microsoft (if cloud is used) or full internal control (if on-premise is used). |
| NEN 7510 | The Dutch standard for information security in healthcare. Revised in December 2024. Mandatory for hospitals, indirectly mandatory for other healthcare providers. | Requires an ISMS with encryption, access management, logging, and risk analysis. Software without security updates (End of Life) is treated as a deviation during an audit. |
| Cybersecurity Act (NIS2) | The Dutch implementation of the EU NIS2 Directive. Expected to enter into force in Q2 2026. Applies to healthcare institutions with 50 or more FTE or annual turnover above €10 million. | Imposes a duty of care, incident reporting obligations (incidents within 24 hours), and management accountability. The use of unsupported software is a risk factor. |

The three frameworks reinforce each other. NEN 7510 provides the concrete security framework, the GDPR sets the legal requirements for the processing of personal data, and the Cybersecurity Act adds a reporting obligation and management liability. In practice, for the choice of Microsoft software, this means your organisation must be able to demonstrate that the software in use is current, secure, and properly documented.

End of Life software: a compliance risk in healthcare

The use of Microsoft software whose support period has expired (End of Life, EoL) constitutes a direct compliance risk under all three regulatory frameworks. After the EoL date, Microsoft no longer provides security updates, which means known vulnerabilities are no longer patched. The Dutch Health and Youth Care Inspectorate (IGJ) considers the absence of current security updates to be a deviation during NEN 7510 audits.

This is especially relevant in 2026. Several widely used Microsoft products reach the end of their support this year: SQL Server 2016 (14 July 2026), SharePoint Server 2019 (14 July 2026), and Office 2021 (13 October 2026). Healthcare institutions still using these products must upgrade before those dates in order to remain compliant. The good news is that upgrading does not have to be expensive. Pre-owned licences for the latest versions provide the same software at a fraction of the new price.

Data sovereignty: on-premise vs cloud in healthcare

The choice between Microsoft 365 (cloud) and on-premise Microsoft software is not a purely technical consideration in the healthcare sector. It is about the question of who controls patient data and where that data is stored.

With Microsoft 365, your data is stored on Microsoft servers. Although Microsoft states that European customer data is stored within the EU (the EU Data Boundary initiative), legal questions remain around the Schrems II ruling of the European Court of Justice. The core issue is that US legislation, such as the CLOUD Act, may compel Microsoft to hand over data even if it is stored in European data centres. For organisations processing special categories of personal data, such as health information, this is a real point of concern.

With on-premise software, the software runs on your own servers, within your own network. The data does not leave your organisation. You are responsible for security, backups, and updates, but you also retain full control. For healthcare institutions with their own IT department and strict requirements regarding data location, on-premise is therefore often the preferred choice. You can read more about the trade-off between cloud and on-premise in the disadvantages of Microsoft 365.

In practice, many healthcare institutions work with a hybrid model: on-premise servers for patient data and critical applications, combined with cloud services for less sensitive work processes. The choice depends on your specific situation, your risk analysis, and the policy you have laid down within your ISMS.

Would you like to know what pre-owned Microsoft licences would cost for your healthcare institution? Softtrader supplies hospitals, mental healthcare institutions, and healthcare regions across the Netherlands. Request a no-obligation quote and receive a tailored offer within 24 hours. Or call us directly on +31 24 202 21 03.

Which Microsoft products are relevant to the healthcare sector?

Most healthcare institutions use a combination of the following Microsoft products. All of these products are available as pre-owned volume licences from Softtrader.

| Product | Use in healthcare | Supported until |
| --- | --- | --- |
| Office 2024 LTSC | Administration, correspondence, reporting. The LTSC version is RDS-compatible for terminal server environments. | 9 October 2029 |
| Windows Server 2025 | Server infrastructure, Active Directory, file servers, application servers for EHR systems. | 10 October 2034 (extended) |
| SQL Server 2025 | Databases for EHR, laboratory systems, and financial administration. TDE for data encryption. | 6 January 2036 (extended) |
| RDS CALs | Remote Desktop access for staff on wards, outpatient clinics, and home workstations. | Same as the Windows Server version |
| Windows 11 Enterprise | Workstations for administrative staff. LTSC version for medical equipment and kiosk systems. | 10 November 2034 (LTSC 2024) |
| Exchange Server 2019 | On-premise email for institutions that do not want to place email data in the cloud. | Expired (14 October 2025). Successor: Exchange Server SE. |

For healthcare institutions that use medical equipment (MRI, CT, laboratory systems), the LTSC version of Windows and Office is particularly relevant. LTSC software does not receive feature updates, only security patches. This prevents a software update from disrupting the operation of connected medical equipment. This is exactly what Microsoft designed the Long-Term Servicing Channel for.

Why pre-owned licences for the healthcare sector?

The healthcare sector is under constant financial pressure. IT budgets compete with investments in care capacity, staff, and medical equipment. Pre-owned Microsoft licences give healthcare institutions a way to meet all compliance requirements without exceeding the IT budget.

Pre-owned licences are previously issued Microsoft volume licences whose origin has been verified and which have been legally resold in accordance with the UsedSoft ruling of the European Court of Justice (case C-128/11, 2012). The software is identical to a new licence: the same applications, the same features, the same security updates. The only difference is the price: pre-owned licences are up to 70% cheaper than the original new price.

In practical terms, this means for your healthcare institution: you buy current, supported software (Office 2024, Windows Server 2025, SQL Server 2025) at a substantially lower price. With every purchase, Softtrader provides all documentation required for a Microsoft audit, a NEN 7510 audit, or an IGJ inspection. Softtrader has been supplying healthcare institutions, government organisations, and IT resellers across Europe for more than 10 years. Also read how municipalities and public authorities save with pre-owned licences.

NEN 7510 and software: what should you pay attention to?

The revised NEN 7510:2024 sets requirements for the software your organisation uses as part of the Information Security Management System (ISMS). The standard does not prescribe specific software products, but it does require that the software you deploy meets the security requirements arising from your risk analysis. In practice, this means the following for your Microsoft environment.

All software must fall within the support period so that security updates remain available. Access management must be configured in accordance with the least-privilege principle, with multi-factor authentication (MFA) wherever possible. Encryption of data at rest and in transit is required for systems processing patient data; SQL Server offers Transparent Data Encryption for this purpose. Logging and monitoring must be enabled so that access to patient data is traceable (NEN 7513). And licence documentation must be available as part of the ISMS file, so that during an audit it can be demonstrated that the software is legally licensed and properly documented in use.

Pre-owned licences from Softtrader meet all these requirements. The software is identical to a new licence, the origin has been verified, and upon delivery you receive all documentation required for a NEN 7510 audit or Microsoft audit.

The Cybersecurity Act (NIS2): what changes for your healthcare institution?

The Cybersecurity Act (Cbw), the Dutch implementation of the EU NIS2 Directive, is expected to enter into force in the second quarter of 2026. The healthcare sector falls under the category of “essential entities”, which means healthcare institutions must meet the strictest requirements. The law applies to healthcare providers, according to the Wkkgz definition, with at least 50 FTE, or with annual turnover and balance sheet total above €10 million.

The Cybersecurity Act adds three obligations that directly affect your software choices. The duty of care requires you to carry out a risk analysis and implement appropriate technical measures. Software without security updates is a risk factor that must be addressed. The reporting obligation requires you to report serious cyber incidents within 24 hours. A security breach in unsupported software leading to a data breach is such an incident. And management responsibility makes directors personally liable for failure to comply with the duty of care. The message is clear: the use of End of Life software in a healthcare environment will soon not only be a technical risk, but also a governance risk.

How does purchasing pre-owned licences from Softtrader work?

The process is simple and transparent. You select the desired products on the Softtrader website and request a no-obligation quote via the quote form. Our team prepares a tailored quotation within 24 hours (on working days), aligned with the size of your healthcare institution. After approval, you usually receive the licences, product keys, and all associated documentation (invoice, licence agreement, proof of origin) within 3 working days.

Softtrader was founded in 2013, is registered with the Dutch Chamber of Commerce (77307739), and is based in Nijmegen. Over the past 10-plus years, we have served more than 2,400 organisations and more than 1,100 IT resellers across Europe, including healthcare institutions, municipalities, and government bodies. For healthcare institutions that purchase through an IT reseller, Softtrader offers a reseller programme with white-label delivery.

Frequently asked questions

Are pre-owned licences compliant with NEN 7510?

Yes. NEN 7510 sets requirements for the security of your information systems, not for the origin of the licence. As long as the software is current (within the support period) and correctly configured, and the licence documentation is available, a pre-owned licence meets the same requirements as a new licence.

Does my healthcare institution fall under the Cybersecurity Act?

Most likely yes, if you are a healthcare provider, according to the Wkkgz definition, with at least 50 FTE, or with annual turnover and balance sheet total above €10 million. The law applies to hospitals, mental healthcare institutions, rehabilitation centres, home care organisations, laboratories, and other healthcare providers that meet these criteria.

Why is LTSC software relevant for medical equipment?

LTSC (Long-Term Servicing Channel) versions of Windows and Office receive only security updates, not feature updates. The interface and operation remain unchanged throughout the full support period. This is essential for medical equipment (MRI, CT, laboratory systems) whose software has been certified and must not be altered by unexpected updates.

Can my healthcare institution also purchase from Softtrader through an IT reseller?

Yes. Softtrader works with more than 1,100 IT resellers across Europe. Your IT partner can purchase from us under reseller terms and supply the licences to you. Softtrader acts as a distributor in the background: white-label delivery, no direct contact with your organisation. More information can be found on the Become a reseller page.

How much can my healthcare institution save with pre-owned licences?

Pre-owned licences are up to 70% cheaper than the original new price. The exact saving varies by product and number of licences. Request a no-obligation quote and you will know within 24 hours how much you can save.

Do you have another question? View our full FAQ or contact our team by phone (+31 24 202 21 03) or email (info@softtrader.nl).

Looking for compliant and affordable Microsoft licences for your healthcare institution? View the full range of pre-owned Microsoft licences at Softtrader. Receive your tailored quote within 24 hours, or call us directly on +31 24 202 21 03.
