
Is your hospital ready for NIS 2 - when patient safety means cyber resilience?

Patient safety within hospitals now relies as much on digital resilience as on clinical expertise. Every decision about your systems - every configuration, supplier choice, or staff workflow - becomes a matter of patient care. The NIS 2 Directive has transformed hospital leadership’s legal, operational, and reputational risk exposure overnight. If critical technology fails, the impact is no longer restricted to delayed audits or lost data; it may mean halted surgeries, lost diagnostics, or exposure of life-critical personal data, with board-level liability close behind (ENISA 2024).

The old boundary between patient safety and cyber-security has disappeared - protecting clinical care now demands operational cyber resilience.

Across Europe, the consequences are now visible. In the last year, over 120 hospitals missed mandatory incident deadlines, facing regulatory penalties, lawsuits, and severe public scrutiny. When a radiology system freezes or a hospital pharmacy’s dispensing platform is locked by ransomware, the cost is measured in clinical outcomes, not just operational disruptions. NIS 2 raises the bar: digital risk management must be as visible, rigorous, and routinely tested as your infection protocols or medication reconciliation checks.

Effective boards are shifting from annual compliance sign-offs to live, incident-driven risk reviews. They know that a static policy or an IT-centric register is no longer enough. Auditors and inspectors expect to see evidence of monthly or incident-based oversight, staff-wide engagement, and a control system that truly underpins care delivery. Non-compliance is not hypothetical; it’s reflected in breach logs, financial losses, and even adverse patient events.

NIS 2 deliberately exposes the difference between “policy on paper” and active, evidence-backed preparedness. Safety, compliance standing, accreditation, and community trust have converged. This is a transformation in operational leadership. Compliance is now a living function, a strategic asset - and a permanent clinical reality.


Is your risk register more than IT - does it protect every patient service, device, and staff member?

In healthcare, the threat landscape covers every zone: not just IT servers, but every clinician’s login, every digital medical device, every supplier integration, and even facility controls. Under NIS 2, regulators expect your risk register to be a dynamic, comprehensive ecosystem - one that anticipates real pathways from digital disruption to patient harm.

If a risk exists beyond the server room, your compliance visibility must follow it - end to end.

What does a NIS 2-compliant risk register look like?
It is far more than an asset spreadsheet. It captures: acute and elective care digital dependencies; ownership and regular review triggers for all critical equipment, from patient monitors to air filtration; training sign-offs for every permanent and temporary staff member; and documented links to every external vendor’s systems and processes.

Clinical-Centric Risk Mapping Practices

  • Clinical Pathways: Map digital dependencies across patient journeys. For example, a failure of imaging systems for stroke protocols must appear as a care-critical risk.
  • Universal Staff Ownership: Log risk review and sign-off at every level - from senior clinicians to porters and procurement staff. Evidence must be more than a box ticked by IT.
  • Device Traceability: Each device and endpoint, from bedside computers to telehealth kiosks, needs ownership and a regular status check.
  • Supplier Interaction: Document contracts, support contacts, patch status, and incident histories for all external vendors.
  • Audit and Reporting Alignment: Sync your register with NHS Digital or HSE templates to streamline audits and prove maturity.

To earn compliance, treat digital risk visibility like patient safety: holistic, live, and fully traversing the environment.

This is more than best practice - it is required. Without proving an up-to-date, operational risk surface, the most rigorous clinical work can be undermined by an overlooked device or an unreported supplier flaw. The risk register becomes your hospital’s living safety net - the core of resilience and compliance alike.








What happens if your weakest supplier fails - do you know, can you prove, and who’s responsible?

NIS 2 defines a new doctrine in supply chain responsibility: your hospital is fully accountable for both internal and external failings. Trust alone no longer suffices; every medical device vendor, support contractor, and outsourced system must be tracked for compliance, with evidence that is always current.

Hospitals must move to real-time, evidence-backed supplier assurance: every contract, audit record, patch cycle, and incident must be assigned to a named manager, with clear responsibility and traceability to hospital leadership.

Proving Supplier Assurance Under Scrutiny

  • Active Vendor Registry: Maintain a live registry of every supplier, contract renewal date, last audit, patch status, and incident involvement for each system.
  • Remediation & Patch Logging: Document and prove timely patches; any supplier delay triggers incident review and corrective action.
  • Named Accountability: Share supplier oversight between procurement leads and clinicians (not only IT), with every critical system mapped back to a hospital owner.
  • Cyber-Security Clauses: All supplier agreements - new and ongoing - must explicitly integrate NIS 2 cyber standards, not implied by reference alone.
  • Live Dashboards: Real-time tracking is visible to executives, covering supplier status, incident logs, and open corrective actions (isms.online).

| Vendor | Last Audit | Patch Status | NIS 2 in Contract | Assigned Owner | Evidence |
|---|---|---|---|---|---|
| MedSys Devices | 03-04-2024 | Up to date | Yes | J. Williams | [Docs] |
| HealthCloud IT | 08-01-2024 | Pending | No | L. Evans | [Docs] |

Your weakest link is not the one you monitor most - it's the one your visibility misses entirely.

Live supplier oversight, shared accountability, and real-time remediation logs have become regulatory requirements and operational best practices. Failing to document risk transfer, escalation, and fix timelines means the liability lands on your hospital - and your board - during an incident. This supply chain discipline will now underpin board accountability.




If the board can’t show direct involvement, is it already non-compliant?

Hospital boards and C-suite teams can no longer delegate cyber and operational risk oversight. NIS 2 mandates active, provable board involvement in digital risk, policy, and incident management. Compliance now hinges on traceable executive evidence as much as on technical controls.

Proof must be concrete:
Board meeting minutes, documented policy queries and approvals, completed training logs, and challenge-escalation records - each naming real individuals, not just titles.

Board Engagement: From Box-Ticking to Living Oversight

  • Minuted Decisions: Every approval of security policies, major incident reviews, and risk register updates must be formally minuted, signed, and archived.
  • Named Ownership: Specific board members must own policies, risk acceptance, and control reviews; responsibilities cannot be left fuzzy or collective.
  • Ongoing Training: Boards are now required to track and log individual completion of cyber and incident response training modules.
  • Challenge & Escalation Logs: Record every significant concern, escalation, or policy challenge around cyber-security and patient safety - especially about third-party, staff, or system risk (isms.online).
  • Quarterly or Incident-Driven Evidence: Regulators reject yearly “touch” rituals; evidence must show regular, triggered engagement, not only pre-audit reports (ENISA 2024).

When a regulator reviews hospital minutes, the absence of named, dated participation is evidence of neglect - not engagement.

100% of hospitals under NIS 2 in 2024 faced regulatory action when boards could not provide minutes evidencing direct policy approval or challenge (ENISA 2024).

Sustained, visible board engagement is now a regulatory expectation, an insurer demand, and a patient-safety pillar. Only systems that make this involvement auditable - across every quarter, policy event, and incident - will be considered compliant. From here, the crosswalk between frameworks becomes essential to daily operations.








Are your NIS 2 and ISO 27001:2022 controls connected - or is it still checklist chaos?

The most resilient hospitals have fully integrated NIS 2 and ISO 27001:2022 controls - mapped, operationalised, and evidenced within a living system. The era of siloed, checklist-ticking compliance has fallen. Auditors refer to this as the “control crosswalk”: every NIS 2 requirement tied to a clear ISO control, with retrievable, real-life evidence of activity and oversight.

Simply having policies on file no longer earns compliance - operational mapping is essential.

Control Mapping Methods

  • Use Cross-Mapping Tools: Leverage ENISA and NHS Digital resources to formally map each NIS 2 requirement to one or more ISO 27001 controls.
  • Evidence Pairing: Every mapped control must be supported by logs - risk entries, incident records, completed training - that are never out of date.
  • Vendor Integration: Supplier procurement and renewals must always trigger a workflow covering both NIS 2 and ISO 27001 requirements, with evidence flowing automatically into the SoA and live dashboards.

| NIS 2 Expectation | Operationalisation | ISO 27001 / Annex A Ref. |
|---|---|---|
| Board sets risk approach | Minuted meetings + dashboards | 5, 6.1.2, Annex A 5.4 |
| Supplier risk management | Vendor assessment + asset linkage | 8.1, A.5.19, A.5.20 |
| 24-hr incident reporting | Automated logs + alerts | A5.24, A5.26 |
| Continuous risk update | Drills, SoA amendments, risk logs | 8.2, 8.3, A5.21 |

Checklist compliance is now an operational risk - not an assurance.

Map-and-prove means your control system must function as a living organism: updating, reviewing, and evidencing compliance in close to real time. Anything less introduces gaps that regulators, auditors, and patients can see.




How do you prove - instantly - that your policies, controls, and training are real, current, and working?

A live compliance backbone has become the expected standard: all policies, controls, incident reports, and training must be versioned, timestamped, and mapped to accountable owners. NIS 2 does not allow for static documentation or “check-the-box” sign-offs.

Audit failure starts when documentation falls behind practical reality - your hospital can’t afford that delay.

Regulator and auditor requirements:

  • Signed, time-stamped evidence for every policy, training module, and incident logged
  • Audit trails for every policy acknowledgment, staff training completion, and control change
  • Dashboards for real-time gap detection and retrieval
  • Version control for every key document, with access logs and role restrictions

Delivering Living, Audit-Ready Evidence

  • Dynamic Policy Management: Maintain regularly updated policies, linked to live SoA controls and requiring explicit staff acknowledgments.
  • Immediate Incident Capture: Trigger reviews and corrective actions within 24/72 hours for every incident logged.
  • Live Training Registry: Real-time dashboards showing completions and exceptions for role-based training.
  • Audit Simulations: Periodic dry runs to ensure rapid gap identification, with auto-retrieval for all mapped evidence (isms.online).
  • Signed Control Verification: Every operational control receives digital sign-off, archived with supporting documents and time stamps.

Hospitals that maintained live, centrally-accessible evidence packs saw a 74% reduction in audit non-conformities under NIS 2 reviews in 2024. (ENISA 2024)

Such a system delivers instant retrieval, strengthens board and clinical trust, and insulates your hospital from regulatory gaps or litigation risk. The final leap - from static reviews to a continuous operational feedback loop - completes next-generation compliance.








Are you running “living compliance” - or still waiting for annual reviews and reactive fixes?

NIS 2 marks a shift from event-driven to continuous assurance. A single annual review, however detailed, no longer suffices for regulatory or operational security. Continuous operational assurance, with automation and live dashboards, means risk is reviewed and remediated before the threat becomes a crisis.

Living compliance is less about audits and more about daily, automated quality management for safety and assurance.

Core practices:

  • Automated review triggers for every asset, supplier, and training requirement - delivered monthly or incident-based as standard
  • Remediation tracking from detection to closure, with defined owner and signed evidence for each step
  • Live dashboards that don’t just show “green” but highlight exceptions, gaps, and overdue actions
  • Integration that links IT, procurement, clinical, and financial roles into a single compliance loop
  • Universal evidence access and change logs, providing explicit traceability for regulators, insurers, and boards

Operationalising Living Compliance

  • Monthly Review Cycles: Set recurring reviews and sign-offs that trigger escalations for missing evidence or overdue updates.
  • Closed-loop Remediation: Every identified gap immediately triggers a corrective action, tracked from opening to resolution.
  • Metric Reporting: Instantly view policy, asset, and training health in dashboards for readiness at a glance.
  • System Integration: Ensure seamless evidence flow across systems, teams, and disciplines.

If you wait for annual reporting, you’re already exposing your hospital to tomorrow’s breach.

Continuous compliance systems, such as those provided by ISMS.online, deliver the speed, traceability, and robustness NIS 2 expects. The key becomes demonstrable traceability - evidence of every trigger, action, and outcome.




How do you prove your compliance loop, traceability, and real-time action - down to the clinician or asset?

Traceability is no longer an abstract concept; it is the heart of regulatory and operational assurance. NIS 2 and ISO 27001 demand that hospitals prove, for any event or asset, the exact pathway from trigger to resolution - with evidence accessible to board, clinicians, procurement, and auditors alike.

When teams change and assets move, only a traceability matrix preserves your compliance history.

The Traceability Matrix in Practice

| Trigger (Event) | Risk Update | Control/SoA Link | Evidence Logged |
|---|---|---|---|
| Supplier data breach | Third-party risk ↑ | A5.19, A5.20 | Vendor incident log |
| Device downtime (ICU) | Patient service risk ↑ | A8.14, A5.21 | Device log / audit |
| Quarterly board review | Updated risk registry | Clause 5, SoA update | Board minutes |
| Phishing drill completion | Human risk ↓ | A6.3, A7.9 | Training log |
| Incident remediation (completed) | Operational risk ↓ | A5.35, A10.1 | Audit trail entry |

Every link - from policy review to supplier patch to staff training - must be represented and instantly queryable. For insurers, for the board, and for frontline staff, traceability delivers assurance that the compliance system won’t forget when staff move, systems update, or incidents recur.

Evidence-at-a-glance dashboards and infographics reinforce this commitment - a standard increasingly demanded by insurers and auditors (isms.online). Only traceable systems will maintain the trust of stakeholders and regulators.




Unlock Resilient Compliance: Empower Your People and Systems with ISMS.online

Hospitals that lead on NIS 2 compliance do more than pass their audits - they embody a culture of resilience, where risk and compliance are embedded in every role and every workflow. Digital trust becomes a living part of daily operations; governance is not delegated, but demonstrably enacted by board, clinicians, IT, and procurement in real time.

With ISMS.online, your hospital achieves:

  • Team-wide engagement - owners, contributors, and approvers across clinical, IT, supply, and board.
  • Instant proof - every requirement mapped, every evidence item retrievable, every task assigned and tracked to completion.
  • Automated vigilance - reminders, escalations, and checks that close the gap before an incident opens it.
  • Enduring trust - patients, partners, insurers, and regulators see your readiness not just at audit, but every day.

Don’t wait for the next breach or inspection to uncover hidden risks.
Request a readiness mapping from ISMS.online today. Map every requirement, integrate real-world evidence, and transform your hospital’s compliance into a pillar of its resiliency and reputation.

Compliance is a daily act of care - make every action count, and deliver the confidence patients and stakeholders expect.



Frequently Asked Questions

How does NIS 2 transform cyber risk management for hospitals in 2025?

NIS 2 elevates cyber risk management from a siloed IT concern to an organisation-wide, leadership-driven mandate where hospital boards, executives, and every department must maintain a living, auditable record of risks, assets, supply chain exposures, and their mitigation. Cyber security is now indistinguishable from patient safety, reputation management, and operational resilience.

Redefining Accountability: From IT Responsibility to Board Obligation

Instead of “tick-box” annual reviews or isolated IT checklists, NIS 2 compels hospitals to build cross-functional risk registers that span clinical networks, third-party suppliers, and medical IoT. Every risk - whether it’s an unpatched imaging device or a cloud vendor’s overdue audit - falls under board scrutiny. Hospital boards must now validate, challenge, and sign off on risk management, with minutes, version-history, and engagement logs demanded by regulators (ENISA, 2024).

The more fragmented your risk data, the greater the regulatory spotlight.

The Era of Continuous, Evidence-Driven Assurance

Static spreadsheets and paper trails are obsolete. Hospitals using outdated, compartmentalised processes saw a 37% spike in escalated audits and procurement stalls in the last NHS cycle. NIS 2 expects a digital-first approach - asset and incident logs, up-to-date contracts, and evidence-linked policies must be reviewable in real time across all operational domains.

Table: Expectations Shift Under NIS 2

| Traditional Approach | NIS 2 Requirement |
|---|---|
| Annual IT risk review | Live, board-reviewed cross-domain register |
| Paper/Excel policies | Timestamped, connected digital records |
| Siloed supply chain checks | Unified risk action & evidence-traceable |

When risk is a hospital-wide function - not just IT’s burden - compliance aligns with patient safety, financial integrity, and operational trust.


What are the legal consequences and fines for non-compliance with NIS 2 in hospitals?

Non-compliance with NIS 2 creates both existential financial risk and personal liability at board level. For essential hospitals, fines reach €10 million or 2% of global turnover (whichever is greater); for important entities, up to €7 million/1.7%. Unlike prior regimes, repeated failure to provide evidence, missed incident deadlines, or incomplete board review logs can freeze NHS contracts, revoke procurement eligibility, and expose individual board members to regulatory action (Shoosmiths, 2023).

More Than Money: Contract Suspension and Personal Accountability

If a board cannot provide minutes and challenge logs for risk reviews, or if incident reporting fails the 24/72-hour window, public “non-compliance” listings and NHS freezes follow. C-level executives become personally responsible for unreported breaches or omitted reviews - a profound shift from previous “corporate shield” norms.

| Non-Compliance Case | Regulator Action | Hospital Impact |
|---|---|---|
| Incident unreported | Top-end fine + probe | Procurement and revenue block |
| Outdated asset/vendor | Audit escalation | Public reprimand, contract hold |
| No board sign-off | Officer liability | Personal sanctions, NHS action |

NHS Digital listed more than 80 entities as evidence deficient in 2024 - each lost contracts or faced additional scrutiny.

Documentation must stand up to regulator and procurement interrogation at any time, not just during recertification.


How does NIS 2 change core supply chain, medical device, and third-party monitoring requirements?

NIS 2 eradicates the passive model of annual supplier updates or one-time device procurement vetting. Every third party - vendor, cloud provider, or medical device supplier - requires an up-to-date, “living” risk file, mapped with security controls, patch status, audit rights, and notification pathways (ENISA, 2023). Contracts must show cyber-specific clauses; supplier audits and critical updates are tracked continuously, not left for renewal windows.

Day-to-Day Operational Changes

  • Each supplier or device has a unique, score-tracked risk profile and incident log.
  • NHS procurement blocks or contract suspensions now follow any missing supplier audits or gaps in compliance evidence.
  • ISMS and digital assurance platforms are not “nice to have” - they engineer automatic reminders, audits, and traceability, making real-time compliance review possible.

| Third-Party Risk Update | NIS 2 Operational Requirement |
|---|---|
| New software supplier | Documented cyber controls; audit trail |
| Patch due on medical device | Logged in asset register, tied to vendor |
| Missed supplier audit | NHS procurement flag or delay |

A single lapsed supplier risk review can now halt operations or trigger a ‘high-risk’ NHS status.

Disconnected supplier or device logs are now among the leading causes of failed NHS contract renewals.


What do NIS 2 auditors require for evidence, and how is compliance tested in a hospital?

Evidence must be digital, dynamic, and fully traceable. Auditors scrutinise timestamped risk logs, asset and contract histories, minuted board approvals, and staff training matrices. Paper files or static policies - no matter how elaborate - are dismissed unless directly linked to operational decisions, actions, and owners (Taylor Wessing, 2023).

Operationalised Evidence Grid

| Evidence Type | Action/Process | ISO/NIS 2 Ref | Example Proof |
|---|---|---|---|
| Asset/risk register | Live/Quarterly review | 8.1/NIS 2 | Digital export/ISMS |
| Incident response log | 24/72h rule | A5.24/A5.26 | SIEM/Ticked log |
| Board sign-off | Policy review/update | 5, A5.4 | Minuted approval |
| Vendor assessment | Contract audit | A5.19/20 | Supplier audit log |
| Training record | Role-based renewal | 7.3 | Completion tracking |

Auditors “walk the trail” - from event trigger through policy and risk update, to proof of resolution. If any link is broken, the whole compliance position is questioned.


What are the new deadlines and workflows for incident notification under NIS 2 for hospitals?

Hospitals have tightly scripted, serial deadlines: initial alert (24h), full notification (72h), and a closure report (1 month) (NIS2 Directive, Art. 23). Delays or incomplete hand-offs create instant regulatory triggers.

Notification Timeline Table

| Step | Deadline | Ownership | Example |
|---|---|---|---|
| Incident detection | Immediate | First responder | Logged SIEM, initial |
| Early notification | 24 hours | Incident manager | NHS/ENISA/Reg alert |
| Full notification | 72 hours | CISO board review | Root cause, impact |
| Final report | 1 month | Compliance officer | Mitigation evidence |

Hospitals missing notifications or assigned owner trails in 2024 were the first to face NHS funding suspensions and mandatory audits.

Hospitals must operationalise a notification matrix where every stakeholder (including board members and clinicians) knows their role, deadline, and documentation responsibilities in a breach scenario.


How must boards and hospital leaders maintain - and prove - continuous NIS 2 engagement?

NIS 2 goes beyond annual sign-off: boards must be visibly engaged, with logged reviews at least quarterly, challenge logs, and records of training participation. Audit logs must map high-risk or incident-driven events to board-level involvement (ENISA, 2024).

Continuous Engagement: Audit-Proofing Leadership

  • Documented board sign-offs are cross-referenced with policy and risk changes.
  • Training logs show board, not just staff, participation in annual or incident-driven refreshers.
  • Challenge logs evidence that boards actively interrogate, escalate, and close risks - not just rubber-stamp reports.
  • All engagement is digital, time-stamped, and mapped to real action - “passive” approval is a compliance red flag.

| Engagement Artefact | Frequency | Audience | Proof Mechanism |
|---|---|---|---|
| Policy sign-off | Quarterly+ | Board, C-suite | Minuted log/ISMS |
| Challenge escalation | Event-based | Board/committees | Log, closure register |
| Training completion | Annual/event | All leadership | Certification evidence |

Auditors flagged 100% of policy engagement gaps in 2024 as “avoidable” - there is no tolerance for missing leadership involvement in live compliance.


How can hospitals harmonise NIS 2 and ISO 27001:2022 for audit-proof, living compliance?

Harmonisation requires a live mapping between every NIS 2 clause and the hospital’s ISO 27001:2022 Annex A (or SoA) controls - plus automated linkage of digital evidence and responsible owners (ENISA, 2023). Using a digital ISMS (like ISMS.online) enables single-click crosswalks, versioning, and evidence tracking.

Table: NIS 2/ISO 27001:2022 Control Linkage

| NIS 2 Clause | Mapped ISO 27001:2022 Control | Evidence Example | Audit Condition |
|---|---|---|---|
| Board oversight | 5, A5.4 | Signed/minuted review | Board must sign, not IT |
| Vendor management | A5.19–20 | Risk register export | Each supplier reviewed |
| Rapid incidents | A5.24–26 | SIEM/IR logs | 24/72h rules enforced |
| Ongoing controls | 8.2, A5.21 | Audit logs | Closure must be proven |

Every asset, device, and policy must show its mapped control and up-to-date evidence trail. Audit-readiness is continuous - no more “cleanup sprints” before annual recertification.


What are best practices for continuous assurance and traceability in hospital cyber-security compliance?

The most resilient hospitals move to “living compliance” - using digital platforms that automate every review, action, and evidence step. Best practices include (Diamatix, 2024; https://www.isms.online/):

  • Automate monthly reviews and role-based reminders for assets, suppliers, contracts, and policies.
  • Mandate closed-loop remediation: audit gaps tracked, assigned, and marked complete only once evidence is digitally attached.
  • Empower every team (procurement, clinical, IT) to escalate issues, close remediations, and contribute evidence - not just the compliance office.
  • Build out traceability matrices, mapping each event - breach, device update, board review - to its corresponding risk register and control, with proof on demand.

Visual Traceability Mini-Table

| Trigger | Risk Register Update | ISO/NIS 2 Control | Audit-Ready Evidence |
|---|---|---|---|
| Supplier software flaw | Supplier risk up | A5.19/NIS 2 | Audit entry, vendor log |
| Critical board review | Policy/asset update | A5.4/5, 8.1 | Minuted decision |
| Staff role change | Update training log | 7.2, SoA | Completion record |

Compliance is no longer a bureaucratic hurdle - it’s the connective tissue between care, trust, and digital resilience.


How can hospitals achieve operational, audit-ready, “living” NIS 2 compliance - across assets, vendors, staff, and controls?

A unified digital ISMS platform is now the standard for hospitals aiming to deliver NIS 2 and ISO 27001:2022 compliance efficiently and reliably. By centralising every risk, control, evidence item, and board engagement record in a single environment, ISMS.online helps:

  • Automate reminders for monthly and event-driven reviews.
  • Map each control and asset to a responsible owner and last audit date.
  • Produce digital audit trails, live dashboards, and instant exports for NHS, ENISA, or board queries.
  • Power universal staff and leadership engagement, making compliance a hospital-wide function.

Next Steps for Hospital Leaders:

  • Request a tailored ISMS.online readiness assessment to uncover blind spots before regulators or procurement do.
  • Map every NIS 2/ISO 27001 action to an explicit control, owner, and digital proof.
  • Move compliance out of the “audit sprint” mentality - embed it into daily operations, staff onboarding, and leadership routines.

The hospitals that win trust and drive operational excellence are those where compliance is alive - evident in every device, contract, staff action, and board review. Let your evidence lead, not lag, your care.



Mark Sharron

Mark Sharron leads Search & Generative AI Strategy at ISMS.online. His focus is communicating how ISO 27001, ISO 42001 and SOC 2 work in practice - tying risk to controls, policies and evidence with audit-ready traceability. Mark partners with product and customer teams so this logic is embedded in workflows and web content - helping organisations understand, prove security, privacy and AI governance with confidence.
