European Health Data Space Regulation: Digital Revolution In Healthcare

Introduction and regulatory context

The COVID-19 pandemic revealed major limitations in the efficient use and exchange of health data in Europe. In response to these challenges, the European Union adopted Regulation (EU) 2025/327¹ of 11 February 2025 ("Regulation"), which creates the European Health Data Space ("EHDS"). The Regulation introduces ambitious rules for cross-border access, use and exchange of personal electronic health data.

The EHDS reinforces the fundamental rights under the GDPR and introduces new obligations for economic operators. It also creates a robust European infrastructure for health data exchange, aiming at greater efficiency, interoperability and innovation in the sector.

Main pillars and impact of the Regulation

The EHDS is based on three main pillars:

• Improving citizens' access to and control over their health data:
  1. Right to free and immediate electronic access to priority data (e.g. electronic prescriptions, clinical reports)².
  2. The right to enter and correct information in their own electronic record.
  3. The right to restrict certain access by healthcare professionals and to see who has accessed their data.

• Ensuring cross-border interoperability³ between health systems in the EU:
  1. Obligation to use common European formats for the exchange of data.
  2. Mandatory certification (CE marking) of the electronic health record systems (EHR systems)⁴.

• Facilitating the digital single market in health, promoting innovation, research and secondary use of data:
  1. Regulated access to health data for research, innovation and policy making.
  2. Possibility of secondary use of data with specific authorisation.

Implementation timetable: phased application of obligations

The EHDS will enter into force on 26 March 2025, with a gradual application of its rules due to the technical and operational complexity of its implementation.

Thus:

The EHDS establishes a legal framework for the processing of health data⁵ in an electronic format that facilitates the exchange of such data between healthcare providers in different EU Member States (European electronic health record exchange format - EHR⁶).

Through the EHDS, the EU intends to:

• Create the cross-border infrastructure – MyHealth@EU – governing primary use, i.e. use related to the provision of healthcare.
• Create the cross-border infrastructure – HealthData@EU – that governs secondary use, i.e. the processing of electronic health data for purposes other than those for which it was originally collected.
• Specify and complement some of the rights of natural persons set out in Regulation (EU) 2016/679 (General Data Protection Regulation – GDPR), with the aim of enshrining sufficient safeguards to protect the security, confidentiality and ethical use of personal electronic health data.

Governance structure: New bodies responsible for implementation and surveillance

In order to implement and monitor the obligations arising from the EHDS, the Regulation introduces new institutional bodies that will be important for operators in the sector:

• National Digital Health Authorities: responsible for oversight, implementation of the EHDS and ensuring patients' rights. Member States must notify the Commission of the identity of the digital health authorities by 26 March 2027⁷
  
• National Health Data Access Bodies: authorise and monitor requests for secondary re-use of health data.
• The European EHDS Board: coordinates the consistent application of the Regulation at EU level, in particular with regard to cross-border interoperability⁸.
• National Market Surveillance Authorities: verify technical and legal compliance of EHR systems placed on the European market.

Main obligations for companies and economic operators

Penalties and risks of non-compliance

Failure to comply with the obligations imposed by the EHDS could result in administrative fines of up to €20 million or 4% of annual global turnover (whichever is greater), similar to the GDPR.

Rigorous and timely implementation of the new obligations must therefore be seen as a strategic priority, requiring rigorous management and effective operational coordination.

Strategic opportunities: Innovation, growth and competitiveness

In addition to legal obligations, the EHDS presents important business opportunities:

• Simplified and regulated access to large European datasets can accelerate innovation, clinical research and new product development.
• European harmonisation facilitates cross-border deployment of technological and digital health solutions.
• New digital infrastructures offer markets for services, applications and health technology platforms with pan-European reach.

How to prepare for implementation: Next steps

To ensure compliance and seize opportunities, stakeholders are advised to:

• Evaluate existing systems and identify investments needed for technological adequacy.
• Establish clear internal policies on data processing, sharing and re-use.
• Train internal teams on the new rules and appoint EHDS compliance officers.
• Actively monitor implementing legislation and additional guidance from the European Commission, National Digital Authorities and the EHDS Board.

Conclusion: A new digital landscape in European healthcare

Regulation (EU) 2025/327 represents an unprecedented digital transformation in the EU healthcare sector. In addition to compliance requirements, it represents a significant strategic opportunity for healthcare organisations to invest in digital innovation and benefit from a harmonised and highly competitive European market.

Successful implementation of the EHDS requires a proactive, informed and strategic approach to address challenges, capitalise on opportunities and ensure full compliance.

In order to assess the effectiveness, relevance and added value of the Regulation, the Commission will carry out specific evaluations after eight years and global evaluations after ten years of its entry into force. The Commission will then report its findings to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions.

Footnotes

1. Regulation (EU) 2025/327

2. Article 14 of the Regulation states that the priority categories are: (i) patient summaries; (ii) electronic prescriptions; (iii) electronic dispensations; (iv) medical imaging studies and related imaging reports; (v) medical test results, including laboratory results and other diagnostic results and related reports; and (vi) discharge reports.

3. Article 2(2)(f) of the Regulation states that interoperability is the "ability of organisations, as well as of software applications or devices from the same manufacturer or different manufacturers, to interact through the processes they support, involving the exchange of information and knowledge, without changing the content of the data, between those organisations, software applications or devices".

4. Article 2(2)(k) of the Regulation states that an EHR system is "any system whereby the software, or a combination of the hardware and the software of that system, allows personal electronic health data that belong to the priority categories of personal electronic health data established under this Regulation to be stored, intermediated, exported, imported, converted, edited or viewed, and intended by the manufacturer to be used by healthcare providers when providing patient care or by patients when accessing their electronic health data".

5. Electronic health data includes personal and genetic health data, as well as non-personal health data that has been anonymised or has never been linked to a data subject, but which has an impact on health.

6. Article 2(2)(j) of the Regulation states that the EHR is "a collection of electronic health data related to a natural person and collected in the health system, processed for the purpose of the provision of healthcare".

7. The digital health authorities designated under Article 19 of the Regulation must publish an activity report every two years containing a comprehensive description of their activities. The activity report will follow a structure agreed at EHDS Board level.

8. The Regulation states that, "The EHDS Board should be able to issue written contributions related to the consistent application of this Regulation throughout the Union, including by helping Member States to coordinate the use of electronic health data for healthcare and certification, but also concerning secondary use, and the funding for those activities".