The European Health Data Space (EHDS) is an EU initiative aimed at making health data accessible across borders. This will open up new opportunities for patients, healthcare providers, and researchers alike. The EHDS Regulation, which came into force on 26 March 2025, establishes the necessary legal framework for this. We explain the new requirements for companies in the healthcare sector.
What is the European Health Data Space?
The EHDS represents a digital infrastructure designed to standardise and exchange health data across national borders.
The aim is to improve medical care, promote scientific research, and increase efficiency in the healthcare system. For example, in emergencies, doctors will be able to access complete and up-to-date information even if the patient comes from another EU member state. This is intended to ensure better patient care.
At the same time, researchers will benefit from structured and straightforward access to anonymised data, supporting the development of innovative digital health solutions and advancing scientific progress.
Primary and secondary use of data in the EHDS
A distinction is made between the primary and secondary use of data:
On the one hand, the EHDS enables individuals to digitally access and use their health data across borders (primary use), as healthcare providers (e.g. hospitals or clinics) are obliged to record relevant data for immediate medical care. To support this, the EU has created an interoperable framework through the EHDS, allowing national systems such as the electronic patient record (ePA) in Germany to be connected via standardised interfaces. The specific implementation, such as the development of access portals, is the responsibility of the individual member states.
On the other hand, in the context of secondary data use, the EHDS ensures that health data can be used in a trustworthy manner for scientific research and health policy purposes. The responsibility for providing the data lies with the holders of the health data.
Individuals should be able to access their data via digital access services, the provision of which must be ensured by the member states. In Germany, the ePA can serve as a key point of access for both patients and healthcare providers within the framework of the EHDS.
The EHDS Regulation allows EU member states some flexibility to introduce national provisions that give individuals the right to object to access to their health data for both primary and secondary use.
With regard to data collection for primary purposes, the opt-out options provided under the Digital Act (DigiG) in Germany can remain in place. This means that patients can decide for themselves whether and how their data is shared and used.
For secondary use – i.e. the use of data for research and innovation purposes – the EHDS stipulates a mandatory right to object. In principle, secondary use is permitted unless an explicit objection has been made (opt-out principle). However, member states may define specific, clearly outlined cases in which this right to object may be waived.
EHDS Regulation as a new legal framework
The EHDS Regulation not only provides the legal basis for the exchange of health data across Europe but also establishes new data processing authorisations.
It defines the conditions and purposes under which health data may be processed and who is permitted to access such data under which circumstances. As a result, data controllers (e.g. healthcare providers, data holders) are given clear and binding guidance that goes beyond previously vague regulations.
In addition, the EHDS Regulation sets out clear criteria to ensure data quality and interoperability between national systems.
The provisions are embedded within existing data protection laws, such as the General Data Protection Regulation (GDPR), as well as national legislation. The EHDS Regulation supplements and specifies the requirements of the GDPR. It does not close any substantive gaps but instead creates an additional, specialised framework for health data. The existing GDPR rules, especially those concerning the processing of sensitive personal data (Art. 9 GDPR), remain in force and are complemented by sector-specific provisions. This ensures that personal data can be comprehensively protected while also enabling efficient data exchange.
In addition, national regulations may be enacted to address specific national details such as those relating to the right to object. However, this national implementation must be compatible with the overarching EU framework.
Data protection and information security in the EHDS
The primary goal of the EHDS is to harness the benefits of cross-border data exchange while complying with data protection and information security requirements.
The regulation obliges all participating actors to provide open and transparent information about how and for what purposes health data is processed. This ensures that individuals retain control over their personal data and can fully exercise their rights, such as the right to access information about who has accessed their data (Art. 9 EHDS Regulation). This applies not only to primary healthcare institutions but also to secondary data processors, such as research institutions and other authorised users.
Moreover, the EHDS Regulation stipulates high technical and organisational security standards to ensure data protection. These include measures such as data encryption, strict access controls, and regular security audits in accordance with Art. 32 of the GDPR.
However, due to the particularly sensitive and cross-border nature of health data, the EHDS Regulation demands significantly higher and, in some cases, additional security requirements. These stringent standards are intended to ensure the integrity and confidentiality of data even within complex international networks.
In light of the increasing digitalisation of the healthcare sector, robust risk management and the early prevention of potential cyberattacks are essential. Accordingly, Art. 73(5) of the Regulation states that the European Commission has until 26 March 2027 to define specific requirements for a high level of security.
Cooperation at the European level plays a central role in this regard, as the exchange of best practices and coordinated responses to security incidents can help build public trust in the secure handling of their health data.
Requirements for EHR systems
Additional requirements apply to EHR systems (Electronic Health Record systems, such as the electronic patient record):
- Until now, healthcare providers were generally required to record health data. In future, they will also be obliged to document certain information within EHR systems (cf. Art. 13 EHDS Regulation).
- Furthermore, EHR systems must include two standardised components: an interoperability component and a logging component that records data access (cf. Art. 25 EHDS Regulation).
- Manufacturers are required to:
  - provide up-to-date technical documentation for their systems (Art. 37 EHDS Regulation),
  - issue an EU-wide declaration of conformity (Art. 39 EHDS Regulation),
  - affix the CE marking (Art. 41 EHDS Regulation), and
  - register in the EU database (Art. 49 EHDS Regulation).
New obligations for companies in the healthcare sector
To achieve the intended standard, the EHDS Regulation has established a comprehensive set of rules outlining the respective rights and obligations of the relevant actors.
Obligation to collect data
Healthcare providers in the EU, including not only individual professionals but also hospital groups and directly operating institutions, are required to collect data for the immediate provision of medical care (primary purposes).
Transmission obligations
Holders of health data must transmit their data via the EHDS infrastructure to authorised access points. These points ensure controlled access for authorised users such as research institutions and companies. The specific implementation is governed by the interaction between the EHDS Regulation, the GDPR, and national regulations.
Access regulations
Healthcare professionals are granted specific rights to access data for primary purposes. Access and usage permissions for data used for research or development purposes (secondary purposes) are extended to other authorised users such as research institutions and companies. This includes scientific research and development projects in the healthcare sector and explicitly excludes general monetisation (e.g. for advertising).
Regulations for EHR systems
Manufacturers, importers, and providers of software solutions and devices for electronic health records (EHR systems) must comply with strict testing, standardisation, and documentation requirements. In Germany, the ePA, as a national tool for digital health records, falls under the requirements of the EHDS Regulation.
Additionally, Art. 14 of the Regulation sets out precisely which types of health data must be made available. Privacy is safeguarded by the principle that only anonymised data is generally shared. The processing of pseudonymised data is permitted only in exceptional cases and with special justification in accordance with Art. 67(2)(e) EHDS Regulation, for instance, if full anonymisation would significantly impair scientific findings.
Who can apply for secondary use?
Under certain conditions, both natural and legal persons may apply to the national contact points for access to personal electronic data for secondary purposes (Art. 53(1) and Art. 67 EHDS Regulation). Access is granted only if the relevant data protection requirements are met and the requested purpose aligns with the permitted uses defined in the Regulation (Art. 68 EHDS Regulation).
Alternatively, a “health data request” may be submitted if only anonymised statistical analyses are required (Art. 69 EHDS Regulation).
Deadlines to observe
The Regulation entered into force on 26 March 2025 and is now being implemented in stages:
- According to the European Commission’s website, EU member states must establish digital health authorities and set up national contact points by 26 March 2027.
- From 26 March 2029, the provisions for primary use – such as electronic prescriptions and patient summaries – will apply, allowing patients to directly benefit from their new rights.
- For EHR system manufacturers, 26 March 2029 is also a key date, as from then on they must ensure that their systems comply with the requirements outlined above.
- Additional categories, such as medical imaging and test results, must be integrated into the EHR system from 26 March 2031.
- A similar timeline applies to secondary use: while most data can be used from 2029 onwards, genetic information will only be accessible from 2031.
Fines for violations
To ensure compliance with the new provisions, Art. 64 EHDS Regulation provides for sanctions in cases of infringement. Authorities are empowered to impose penalties on those who misuse or improperly store health data.
Depending on the nature of the violation, fines may amount to up to EUR 10 million or 2% of a company’s global annual turnover. In particularly serious cases, penalties can reach as high as EUR 20 million or 4% of global annual turnover.
Data protection assessment
The EHDS Regulation establishes a Europe-wide legal framework that enables the data protection-compliant use of health data for secondary purposes. These are particularly sensitive personal data, which, under Art. 9 of the GDPR, may only be processed under specific conditions.
Until now, the use of health data for research and development purposes was fraught with legal uncertainties. Although Art. 89 of the GDPR regulates the processing of personal data for scientific research purposes, the EHDS Regulation creates a specific framework tailored to the healthcare sector. Unlike the previous research exemption, the EHDS Regulation explicitly obliges health data holders to make data available for secondary use.
With the EHDS Regulation, a clear legal basis has now been established, defining both the category of electronic health data and the purposes for secondary use in Art. 51 and 53. These include, among others, scientific research projects, the promotion of innovation in the healthcare sector, and the training and testing of algorithms in digital health applications.
At the same time, Art. 54 EHDS Regulation explicitly prohibits the use of health data for purposes such as advertising, marketing, or harmful products.
Conclusion
The European Health Data Space represents a step towards a more connected healthcare system. At the same time, the EHDS Regulation provides the necessary legal framework to enable the secure and data protection-compliant exchange of health data.
However, there is uncertainty as to whether differences in national implementation, delays in building the necessary infrastructure, and challenges in harmonising security standards may lead to implementation and enforcement deficits. Therefore, the successful implementation of the EHDS Regulation requires close coordination between EU-level requirements and national legislation.
Stakeholders in the healthcare sector are facing new obligations under the EHDS. They are encouraged to familiarise themselves with the new provisions at an early stage in order to implement the required changes in a timely manner.
In particular, the specific security requirements, which are yet to be defined by 2027, pose the risk that, in practice, the ideal balance between data access and data protection may not always be achieved. Moreover, the debate in early 2025 surrounding security concerns related to Germany’s ePA highlights that trust in the protection of health data is a fundamental prerequisite for the digitalisation of healthcare.
It therefore remains to be seen to what extent the ambitious goals of the EHDS will truly revolutionise everyday medical practice and what tangible outcomes will ultimately result from secondary data use.