03-06-2025 | Article

Update Data Protection No. 202

EU Regulation on the European Health Data Space (EHDS) published

Regulation (EU) 2025/327 on the European Health Data Space (EHDS) was published yesterday in the Official Journal. It will therefore enter into force on 26 March 2025.

The European Health Data Space (EHDS) aims to standardise the secure exchange and use of health data in the EU in order to improve healthcare and foster innovation. For companies, this creates key obligations, especially in the areas of interoperability, data security and compliance.

Companies that develop or distribute electronic health record (EHR) systems must ensure that their systems support the European EHR exchange format. This format is defined by the European Commission by means of implementing acts and ensures the machine-readability and cross-border compatibility of data such as patient summaries, laboratory results or electronic prescriptions. Manufacturers must ensure that their EHR systems comply with EU technical specifications covering interoperability, security and the logging of access, and must issue an EU declaration of conformity. Wellness apps (e.g. fitness trackers) are subject to labelling and information requirements if the manufacturer claims that they are interoperable with EHR systems.

Data owners, including hospitals, doctors' practices or private healthcare providers, are required to collect electronic health data in structured, interoperable formats and make it available for primary and secondary use. For secondary use (e.g. research, policy-making), data must be pseudonymised or anonymised, subject to strict data security requirements. Companies wishing to access this data need authorisation from national health data access points, which assess applications on the basis of defined criteria (e.g. scientific merit, data protection).

Companies that use health data must provide transparent terms of use and ensure that the data is only used for approved purposes (e.g. medical research, AI development). Commercial use for marketing purposes or for the development of products that are harmful to health is explicitly prohibited. In addition, secure processing environments are mandatory to prevent unauthorised access. Violations of these obligations can result in high fines.

Telemedicine providers and online pharmacies face specific requirements: they must offer cross-border services and support electronic means of identification in accordance with the eIDAS Regulation. Integration into the EU-wide MyHealthEU infrastructure is mandatory so that patient records can be exchanged across borders.

Companies must also log data accesses and inform those affected about third-party access. When developing AI systems or medical devices, the ethical guidelines specified by the EHDS Committee must be taken into account. Cooperation with national digital health authorities is essential to demonstrate compliance and receive technical support.

The EHDS requires companies to make significant investments in IT infrastructure, training and compliance management. At the same time, it opens up opportunities for innovation through unified market access and improved data availability. A two-year implementation period, ending on 26 March 2027, is provided for the obligations, i.e. a timeline similar to that of the AI Regulation, although member states can set national deadlines for specific requirements. Companies should adapt their processes at an early stage in order to remain competitive and minimise regulatory risks.
