European Health Data Space regulation: cross-border access to health data

 April 28, 2025 | Blog

As mentioned in our previous European Health Data Space (EHDS) blogpost back in March 2024, consensus was reached between the European Parliament and the Council of the EU concerning the EHDS. This regulation lays the foundation for a unified EU framework, enabling the secure exchange and use of electronic health data across Member States of the EU.

In March 2025, the EHDS regulation was formally adopted, marking a major milestone in the digital transformation of healthcare across the EU. The regulation aims to enable the secure exchange and use of health data within the EU while upholding strong data protection and cybersecurity safeguards.

Yet, while the regulation has now been published, its full implementation will be a phased process over the coming years. The EHDS is an ambitious, long-term initiative that promises substantial benefits for healthcare innovation, research and patient outcomes across Europe.

Let's delve deeper into the regulation below.

1. How the EHDS will transform healthcare

The EHDS regulation is structured around three core components that will reshape the way health data is accessed and used in the EU:

i. Primary use of health data

The primary use of health data refers to its use within healthcare for direct patient care. The EHDS empowers individuals to access, control and share their electronic health data for primary use across borders, for instance to improve healthcare delivery. Among other things, this entails (immediate) access to electronic health data, the ability to restrict access by certain healthcare providers, as well as the ability to insert information in their own electronic health records.

Additionally, health professionals must be able to access certain categories of personal electronic health data, for instance in cases of cross-border care. This means that electronic health record systems must be made interoperable throughout the EU. In that regard, the European Commission is working on a health record exchange format to smooth cross-border cooperation.

ii. Secondary use of health data

Beyond direct patient care, the EHDS facilitates the reuse of health data for broader purposes, such as medical research, public health monitoring, policymaking and healthcare innovation. To make this happen, data holders are required to make available several categories of electronic health data.

It should be noted that a data holder is not only a health professional. The term also covers natural or legal persons, public authorities, agencies or other bodies in the healthcare or the care sectors, including reimbursement services where necessary. Data holders also include any natural or legal persons developing products or services intended for the health, healthcare or care sectors, developing or manufacturing wellness applications, performing research in relation to the healthcare or care sectors or acting as a mortality registry.

One can also be considered a data holder if one has the ability to make available non-personal electronic health data through the control of the technical design of a product and related services, including by registering, providing, restricting access to or exchanging such data.

iii. Regulation of Electronic Health Record (EHR) systems and wellness applications

The EHDS aims to establish harmonised software standards for EHR systems and wellness applications, ensuring interoperability and security. This standardisation supports both the primary use of health data and the secondary use.

  • EHR systems:

To achieve interoperability, EHR systems should include certain harmonised software components. These systems cannot be put on the market if they do not meet the relevant requirements. Obligations relating to EHR systems are imposed not only on manufacturers, but also, where applicable, on importers and distributors.

  • Wellness applications:

In addition to EHR systems, so-called wellness applications are also subject to the EHDS. A wellness application is defined as “any software, or any combination of hardware and software, intended by the manufacturer to be used by a natural person, for the processing of electronic health data, specifically for providing information on the health of natural persons, or the delivery of care for purposes other than the provision of healthcare”.

Specifically, wellness applications may only be declared as interoperable and may thus only be connected with an EHR system if certain essential requirements following from the EHDS are met.

2. Health Data Access Bodies

One of the key players in the successful implementation of the EHDS is the Health Data Access Body (HDAB). HDABs will act as facilitators, ensuring that organisations can securely access and share health data for specific purposes, as outlined in the regulation. Their primary role is to uphold strict privacy and security standards for sensitive health information.

Every EU Member State must establish an HDAB, with designation required within two years (by March 2027) and full operational status within four years (by March 2029).

We will closely monitor the latest Benelux developments on EHDS implementation.

  • Belgium

In Belgium, the Health Data Agency (HDA) is expected to serve as the HDAB, facilitating regulated access to health data for hospitals, universities, companies and research institutions.

  • The Netherlands

Since December 2023, the Netherlands has been developing the HDAB-NL program to establish its Health Data Access Body. Organisations seeking to use health data for medical research, healthcare innovation or policy development must obtain authorisation. Access to patient data will be strictly regulated, with information only available in a secure environment and in an anonymised or pseudonymised form to ensure privacy and security.

  • Luxembourg

The Luxembourg National Data Service was nominated by the Ministry of Health and Social Security to apply and coordinate a Direct Grant project from the European Commission. This funded four-year project aims to prepare and lay the technical foundations for the future HDAB in Luxembourg. Kicked off in January 2024, the project will develop the digital business capacities for the future HDABs, including Data Access Application Systems, Health Datasets Metadata Cataloguing, Secure Processing Environments, and Cross-Border Gateways.

Luxembourg is working on new legislation, processes and tools to align with the EHDS. Stakeholders affected by the regulation will require training, and implementation efforts have already begun at the Ministry of Health and Social Security and the Ministry of Digitalisation.

3. Connection with other privacy regulations

Ensuring data protection and security is crucial for the success of the EHDS. The regulation builds upon existing legal frameworks that already safeguard these principles, providing a trusted environment for the secure access and processing of diverse health data. The EHDS is designed to align with and expand upon the GDPR, the Data Governance Act, the Data Act and the NIS2 Directive. However, the EHDS also introduces sector-specific rules tailored to the sensitive nature of health data, ensuring its responsible and secure use.

For example, the EHDS has a few opt-out provisions in place. It allows Member States to offer a full opt-out from the data-sharing infrastructure established under the regulation. It also allows opt-out provisions for secondary use of data, which offer flexibility while maintaining a balance between respecting patient preferences and ensuring that essential health data remains available for public interest purposes.

To further strengthen security, the EHDS mandates secure processing environments that comply with strict privacy and cybersecurity safeguards. These measures are essential to protecting individuals’ sensitive health data while enabling innovation and efficiency in healthcare.

4. Key takeaways

  • As discussed, this regulation is a long-term endeavour, meaning its implementation will take place in phases.
  • Healthcare professionals will have access to more comprehensive patient records, possibly leading to better-informed decisions, faster diagnoses, and more effective treatments. This is particularly valuable for patients traveling or relocating across EU countries.
  • Researchers will have secure access to health data from multiple countries, accelerating disease research and treatment development. This could lead to faster discoveries, new medications and better prevention strategies, potentially reducing the number of patients in the future. On the other hand, this requires organisations to be ready to process large amounts of (sensitive) data, meaning that security and strategy are key.
  • By improving data-sharing efficiency, healthcare systems can reduce waste and prevent costly errors. This could lead to financial savings for hospitals and governments, which can be reinvested in patient care, prevention programs and healthcare innovation.
  • Companies in healthcare, pharmaceuticals and digital technology can leverage EHDS data to enhance their products and services. This could foster the creation of advanced medical technologies and should ensure strong safeguards for personal data protection.

5. Next

The EHDS will significantly impact companies operating in healthcare, pharmaceuticals, digital health and AI. If you’d like to understand how this regulation affects your business, our experts are here to help. Don’t hesitate to reach out to one of our experts for further guidance.

 
