The COVID-19 pandemic has revealed limitations in the exchange and efficient use of healthcare data in Europe. In response to these challenges, the European Union has adopted a Regulation creating the European Health Data Space (EHSD).
Introduction and regulatory context
The COVID-19 pandemic revealed major limitations in the efficient use and exchange of health data in Europe. In response to these challenges, the European Union adopted Regulation (EU) 2025/327[1] of 11 February 2025 (“Regulation”), which creates the European Health Data Space (“EHDS”). The Regulation introduces ambitious rules for cross-border access, use and exchange of personal electronic health data.
The EHDS reinforces the fundamental rights under the GDPR and introduces new obligations for economic operators. It also creates a robust European infrastructure for health data exchange, aiming at greater efficiency, interoperability and innovation in the sector.
Main pillars and impact of the Regulation
The EHDS is based on three main pillars:
- Improving citizens’ access to and control over their health data:
- Right to free and immediate electronic access to priority data (e.g. electronic prescriptions, clinical reports)[2].
- The right to enter and correct information in their own electronic record.
- The right to restrict certain access by healthcare professionals and to see who has accessed their data.
- Ensuring cross-border interoperability[3] between health systems in the EU:
- Obligation to use common European formats for the exchange of data.
- Mandatory certification (CE marking) of the electronic health record systems (EHR systems)[4].
- Facilitating the digital single market in health, promoting innovation, research and secondary use of data:
- Regulated access to health data for research, innovation and policy making.
- Possibility of secondary use of data with specific authorisation.
Implementation timetable: phased application of obligations
The EHDS will enter into force on 26 March 2025, with a gradual application of its rules due to the technical and operational complexity of its implementation.
Thus:
The EHDS establishes a legal framework for the processing of health data[5] in an electronic format that facilitates the exchange of such data between healthcare providers in different EU Member States (European electronic health record exchange format - EHR[6]).
Through the EHDS, the EU intends to:
- Create the cross-border infrastructure – MyHealth@EU – governing primary use, i.e. use related to the provision of healthcare.
- Create the cross-border infrastructure – HealthData@EU – that governs secondary use, i.e. the processing of electronic health data for purposes other than those for which it was originally collected.
- Specify and complement some of the rights of natural persons set out in Regulation (EU) 2016/679 (General Data Protection Regulation – GDPR), with the aim of enshrining sufficient safeguards to protect the security, confidentiality and ethical use of personal electronic health data.
Governance structure: New bodies responsible for implementation and surveillance
In order to implement and monitor the obligations arising from the EHDS, the Regulation introduces new institutional bodies that will be important for operators in the sector:
- National Digital Health Authorities: responsible for oversight, implementation of the EHDS and ensuring patients’ rights. Member States must notify the Commission of the identity of the digital health authorities by 26 March 2027[7]
- National Health Data Access Bodies: authorise and monitor requests for secondary re-use of health data.
- The European EHDS Board: coordinates the consistent application of the Regulation at EU level, in particular with regard to cross-border interoperability[8].
- National Market Surveillance Authorities: verify technical and legal compliance of EHR systems placed on the European market.
Main obligations for companies and economic operators
Penalties and risks of non-compliance
Failure to comply with the obligations imposed by the EHDS could result in administrative fines of up to €20 million or 4% of annual global turnover (whichever is greater), similar to the GDPR.
Rigorous and timely implementation of the new obligations must therefore be seen as a strategic priority, requiring rigorous management and effective operational coordination.
Strategic opportunities: Innovation, growth and competitiveness
In addition to legal obligations, the EHDS presents important business opportunities:
- Simplified and regulated access to large European datasets can accelerate innovation, clinical research and new product development.
- European harmonisation facilitates cross-border deployment of technological and digital health solutions.
- New digital infrastructures offer markets for services, applications and health technology platforms with pan-European reach.
How to prepare for implementation: Next steps
To ensure compliance and seize opportunities, stakeholders are advised to:
- Evaluate existing systems and identify investments needed for technological adequacy.
- Establish clear internal policies on data processing, sharing and re-use.
- Train internal teams on the new rules and appoint EHDS compliance officers.
- Actively monitor implementing legislation and additional guidance from the European Commission, National Digital Authorities and the EHDS Board.
Conclusion: A new digital landscape in European healthcare
Regulation (EU) 2025/327 represents an unprecedented digital transformation in the EU healthcare sector. In addition to compliance requirements, it represents a significant strategic opportunity for healthcare organisations to invest in digital innovation and benefit from a harmonised and highly competitive European market.
Successful implementation of the EHDS requires a proactive, informed and strategic approach to address challenges, capitalise on opportunities and ensure full compliance.
In order to assess the effectiveness, relevance and added value of the Regulation, the Commission will carry out specific evaluations after eight years and global evaluations after ten years of its entry into force. The Commission will then report its findings to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions.