Everything you need to know about the NTA 7516

NTA 7516 – the essential guide for healthcare providers, government and insurers

Wondering how the NTA 7516 impacts your organization? Read on to find out what you need to know to ensure compliance with NTA 7516 and related data protection laws.

Introduction

In September 2018, the NEN was commissioned by the Dutch Ministry of Health, Welfare and Sport and the Healthcare Information Council to develop the NTA 7516. The Dutch Data Protection Authority (AP) found that the majority of data leaks occur in relation to the exchange of personal, often healthcare related, information. Although a great deal of these data leaks were related to human error, such as misdirected email, it also became clear that many organizations still used ‘regular’ email to share personal health related information. However, regular email lacks the encryption and authentication controls that are required under GDPR (General Data Protection Regulation) and other relevant laws and standards. 

There was also a need for clarity concerning how digital communication channels, such as email, could be used to securely exchange sensitive information between separate solutions, known as interoperability. 

The NTA 7516 was designed to address the above issues. The NTA 7516 standard currently applies in the Netherlands only. However, it is expected that this or similar more stringent standards will be rolled out further within the European Union (EU).

What is the NTA 7516?

The NTA 7516 is the standard for secure ad hoc communication of health information. The standard was created by the NEN, on behalf of the Ministry of Health, Welfare and Sport, the Healthcare Information Council and municipalities. 

Ad hoc communication includes email, chat, portals, messengers, and so on. In other words, all forms of communication that take place between people. 

The standard describes over 25 requirements concerning availability, integrity, confidentiality, user-friendliness, interoperability, policy and logging, which organizations and the solutions they use must meet in order to be compliant.

Changes to NTA 7516

Retraction of supplier certification

The NEN recently made the decision to withdraw the current NTA 7516 certification for all suppliers - here’s why this change has been made and what it means for your organization. 

Why NTA 7516 supplier certifications have been withdrawn

In many cases, it has become apparent that certificates have been issued to suppliers on the basis of incorrect and incomplete testing, partly due to a lack of clarity in the criteria. Therefore, the certificate did not ensure that an organization was indeed compliant with the standard. As such, supplier certification has been withdrawn.

The intended purpose of withdrawing the certifications is to remove ambiguity, effectively requiring organizations to investigate whether and to what extent a supplier can support compliance with the NTA 7516.

The situation regarding incorrect certifications was brought to the attention of the NEN by Zivver. The Ministry of Health, Welfare and Sport, the NEN and certifiers have tried to reach an agreement with suppliers regarding testing. Unfortunately, this was not possible and the NEN made the decision to withdraw the NTA 7516 certification in its entirety.

Consequences for organizations

It is important to note that the NTA 7516 remains in full force and effect. All organizations that mail personal healthcare related information (e.g. healthcare institutions, municipalities and insurance companies) must continue to comply with the NTA 7516.

The withdrawal of the certification for suppliers places greater responsibility on organizations to conduct their own investigations into whether suppliers can support compliance with the standard.

For Zivver customers, the change has no impact. Zivver provides all the technical functionality required to comply with the NTA 7516.

For organizations using alternative suppliers for secure emailing, it is important to confirm to what extent the platform supports compliance with NTA 7516. Due to incorrectly granted certifications, many organizations have been under the false impression that their supplier supports compliance.

Future expectations regarding certification

It is expected that the NEN will work towards a new certification scheme in the future, providing a more transparent and reliable framework for organizations. There is currently no estimated schedule for the delivery of this scheme.

False certifications awarded to suppliers led many organizations to continue communicating healthcare related information under the false belief that they were compliant with the NTA 7516. At Zivver, we welcome the withdrawal of supplier certifications as a much needed improvement in ensuring compliance.

We’re on hand to answer any questions you might have about your organization’s compliance responsibilities. Get in touch at customersuccess@zivver.com (Zivver customers only) or sales@zivver.com.

What are the objectives of the NTA 7516 standard?

There are two primary objectives of the NTA 7516:

  1. To provide clear conditions around the use of email, chat, and messaging (e.g. a portal) solutions. This ensures the secure and reliable exchange of personal health information.
  2. To ensure that messages can be exchanged between compliant solutions available to organizations, regardless of supplier. This is known as interoperability or multichannel communication.

Who does the NTA 7516 apply to?

The NTA 7516 applies to all organizations which use ad hoc communication processes and platforms to share health information; for example, emailing appointment confirmations or examination results to patients, chatting with colleagues, or sharing medical data via email for insurance purposes. 

This means that the NTA 7516 applies not only to hospitals, mental health institutions, elderly care organizations, general practitioners and other organizations or professionals directly involved in the delivery of healthcare services, but to any organization which handles sensitive healthcare related data, such as the Public Prosecution Service (OM), legal firms, or insurers.

Compliance with the NTA 7516 requires the organization to use NTA 7516 compliant solutions. This means that suppliers of communications solutions which wish to be compliant must meet NTA 7516 requirements.

While the NTA 7516 is currently a Dutch standard, the NEN has shared their intention to make it a European CEN standard. The Netherlands is the first country to have drawn up such a standard for secure ad hoc communication. These types of standards are often adopted centrally or decentrally by other CEN member countries, including all 28 European member states.

What is interoperability under the NTA 7516?

Compliant NTA 7516 providers must be interoperable. This means that neither the sending nor the receiving party is affected if each party is using a different solution for their digital communications.

For example, just like you don't know whether a caller’s provider is KPN, EE, or Vodafone, an organization’s preferred communications provider will function seamlessly with an alternative provider.

What is user-friendliness under the NTA 7516?

User-friendliness plays a central role in the NTA 7516 and carries the most requirements. Security and user-friendliness go hand in hand; if a security solution isn’t user-friendly, people won't use it and will instead choose an alternative method of communication, putting data at risk.

The standard outlines requirements for things such as securely replying to messages, secure message forwarding, security as standard (security by default), not having to create an account or install separate software, and the ability to download messages for your own use/archive. In short, secure communication should be easy to manage.

NTA 7516 FAQs

Does the NTA 7516 apply to me?

Does your organization communicate personal health information via email, chat, messaging or a portal to other organizations or patients/clients/insured persons/customers/citizens? If the answer is yes, then your organization must comply with the NTA 7516!

Does my communication system need to be interoperable to be compliant?

Yes - your solution must be NTA 7516 compliant. The solutions used by stakeholders with whom you share sensitive healthcare data must also be NTA 7516 certified. 

What is interoperability?

Interoperability, also referred to as multi-channel communication, is a requirement in the NTA 7516. It requires manufacturers to ensure that their product can 'talk' to other products. This means that the provider of the solution is inconsequential: two organizations may use different systems, and each party can receive secure messages in its own NTA 7516-compliant application of choice.

What makes a solution interoperable?

Interoperability requires that products can speak 'the same language'. The Ministry of Health, Welfare and Sport, in collaboration with the suppliers involved, has drawn up a ‘Technical Handbook’ in which this coupling language is described. Suppliers must adapt their products to the requirements in this technical guide, or they cannot be NTA 7516 certified.

How do I know if I am NTA 7516 compliant?

Our NTA 7516 checklist describes the steps you need to take towards NTA 7516 compliance.

To comply with the NTA 7516, you must meet all requirements in the standard regarding availability, integrity, confidentiality, user-friendliness, interoperability, policy and logging. At the moment, VWS and umbrella organizations are working on checklists and guidelines to help organizations with this. 

Is compliance with the NTA 7516 mandatory?

The NTA 7516 standard remains in force, meaning any organization communicating healthcare related information by email or chat must comply. The recent change to the standard places greater importance on the organization to ensure its suppliers can support compliance.

Does the NTA 7516 also apply to my organization?

The NTA 7516 applies to any organization that exchanges personal health information through 'ad-hoc' channels, such as email and portals. This could be healthcare providers, insurers, municipalities, occupational health services etc.

In addition, since February 2022, the standard has also been used by the judiciary as a condition for safe emailing.

Does my organization need to be certified for NTA 7516 compliance?

No, as an organization you cannot yet be certified on the NTA 7516, but you can indicate compliance by means of a self-declaration. Naturally, it is a condition that the organization meets all requirements set by the NTA 7516.

What are the consequences if my organization does not comply with the NTA 7516?

If you are not yet NTA 7516 compliant, it is very important that you work to ensure compliance immediately. The obligation to do so remains in full force and effect and the benefits of interoperability (as outlined in the standard) are considerable.

The NTA 7516 is seen by the Dutch Data Protection Authority and the Healthcare and Youth Inspectorate (IGJ) as an important testing framework for the use of email and chat applications for ad hoc communication of personal healthcare related information. In practice, if your organization does not comply with the NTA 7516, you cannot send personal healthcare related information via email and chat.

What does the withdrawal of supplier certification change?

The recent withdrawal of supplier certifications serves to support organizations in ensuring they are fully compliant with the NTA 7516; it largely removes ambiguity that has arisen as a result of falsely awarded supplier certifications.

The NTA 7516 remains in effect and organizations must work to understand the functionality a supplier provides to ensure secure mailing. Zivver can help your organization with this.

Why has the NEN withdrawn the certification of suppliers?

The NEN and certifiers note that certificates have been issued to suppliers on the basis of incorrect and incomplete testing. As a result, these certificates are not guaranteed to provide the intended certainty and clarity of compliance with the NTA 7516.

Zivver brought this situation to the attention of the NEN approximately two years ago. The Ministry of Health, Welfare and Sport, the NEN and certifiers have since tried to reach agreements on better testing with suppliers. Unfortunately, this was unfeasible. 

By revoking supplier certificates, organizations are obliged to re-examine whether their ad hoc communication suppliers do indeed support compliance with the NTA 7516. In the future, the NEN will work towards a new scheme with more clarity in order to create a level playing field between all parties.

Does the withdrawal of the NTA 7516 certification apply to all suppliers?

Yes, the withdrawal of the NTA 7516 certification applies to all suppliers.

We were already NTA 7516 compliant with Zivver, will anything change for us?

No, for Zivver customers, the recent change has no impact. You can still securely email interoperably with other NTA 7516-compliant partners, and operate with confidence that your ad-hoc communication channels meet the highest level of security.

We were already NTA 7516 compliant with an alternative supplier to Zivver - will anything change for us?

This depends on the supplier. We advise you to do your own research to assess whether the chosen supplier complies with all points of the NTA 7516. Our NTA 7516 checklist can help you with this.

We are already NTA 7516 compliant. Can we still use interoperability?

Yes, if an organization complies with NTA 7516, interoperability may still be used.

How can I check whether our organization is NTA 7516 compliant?

The NTA 7516 consists of 24 technical requirements and five policy requirements. To check whether your organization is compliant, download our NTA 7516 checklist.

What can we do to become NTA 7516 compliant?

To achieve compliance, organizations must meet all technical and policy requirements of the NTA 7516. In total, the NTA 7516 consists of 24 technical requirements and five policy requirements. To check whether your organization is compliant, download our NTA 7516 checklist.

We are looking for a suitable solution for secure email. What should we pay attention to when selecting a supplier and its solution?

When seeking a solution for secure emailing, it is important to understand which points of the NTA 7516 a supplier can implement and how the solution achieves this. To check whether your organization is compliant, download our NTA 7516 checklist or get in touch to learn how Zivver can support your organization in meeting compliance at sales@zivver.com.

Can we request updates on developments concerning the NTA 7516 with the NEN?

Yes, anyone can contact the NEN to request further information. The NEN website provides clarity around the standard, as well as contact details. 

What are the expected timelines for the new certification?

A timeframe for the development of a new certification is currently unavailable.