🧾 Summary: EU Regulation 2025/327 on the European Health Data Space (EHDS)

📘 Legal Basis and Scope

Regulation (EU) 2025/327 of the European Parliament and of the Council of 11 February 2025 on the European Health Data Space :

• Amends: Directive 2011/24/EU and Regulation (EU) 2024/2847

• Entry into Force: March 26, 2025

• Application Timeline:

  • Primary Use Provisions: Apply from March 26, 2027

  • Secondary Use Provisions: Apply from March 26, 2029

  • Extended Secondary Use (e.g., genomic data): Apply from March 26, 2031

It is part of the European Strategy for Data (ESD). The ESD is a cornerstone of the European Union’s digital transformation, aiming to create a single market for data that enhances Europe’s global competitiveness, strengthens digital sovereignty, and supports responsible data governance. This strategic vision builds upon the European Commission’s 2020 report, which presents recommendations aimed at facilitating the scaling, responsible, and sustainable implementation of Business-to-Government (B2G) data sharing in the public interest within the EU.

Related legislative instruments include the Data Act (Regulation (EU) 2023/2854), which entered into force on 11 January 2024, and its Corrigendum of 9 December 2024 (2024/90790). This regulation reinforces the principles of fair access and user rights. Complementing this, the Data Governance Act (Regulation (EU) 2022/868) establishes a trust-based framework for voluntary data sharing. It promotes the use of data intermediaries, supports the development of data altruism mechanisms, and sets the conditions for secure data re-use by public sector bodies, all with the aim of fostering innovation and delivering tangible benefits to businesses, researchers, and EU citizens.

A fundamental component of the ESD is the creation of Common European Data Spaces to enable secure, interoperable, and lawful data sharing across the EU. These data spaces will increase the availability and accessibility of data for use in the economy and society, while ensuring that data governance principles and data protection standards are rigorously upheld. The ESD also ensures that individuals and businesses retain control over the data they generate, thereby fostering trust in the European data economy and supporting compliance with the General Data Protection Regulation (GDPR).

🎯 🔑 Objectives &  Key Provisions

• Free movement of health data : Optimise the exchange of and access to health information within the EU.

• Patient Rights: Enhance Data subjects' rights over personal electronic health data for effective care.

  • Right to immediate, free, secured and controlled access to their electronic health data

  • Right to opt out in primary use

  • Right to control, revoke and restrict access to health data or by specific persons

  • Right to view access logs

  • Right to insert information in their own EHR

  • Right to portability, transmission and rectification

  • Data presented in a standardized European format

• Create European infrastructures : Promote the secondary use of data for research, health technology assessment and the adoption of health policies.

• Optimise Primary Use of Health Data in Healthcare : Facilitate healthcare delivery by enabling the secure and interoperable cross-border exchange of and access to personal electronic health data. This will help them make better-informed and more targeted decisions, particularly in cases involving cross-border treatment, travel, or emergency care. Through the EHDS framework, medical professionals across the EU will have timely access to relevant patient health information. Priority categories of personal electronic health data for primary use include electronic dispensations, electronic prescriptions, medical imaging studies and related imaging reports, medical test results, including laboratory and other diagnostic results and related reports, patient summaries and laboratory results.

• Promote Secondary Use of Health Data: Allow secure, anonymized or pseudonymized reuse of health data for scientific research, innovation in health sectors, monitoring public health and policy development, whilst safeguarding intellectual property and trade secrets.

• Establish Governance Framework: Create structures for the management and oversight of health data use. Health data must be findable, accessible, interoperable and reusable (FAIR).

• Obligations for Health Data Holders : Exemptions for microenterprises and natural persons (including individual researchers), unless extended by Member States.

• Penalties and Sanctions : Member States should take all measures necessary to ensure that the provisions of this Regulation are implemented, including by laying down effective, proportionate and dissuasive penalties for their infringement.

  
  

🏛️ Governance and Infrastructure

• Digital Health Authorities (DHA) designated by each Member State

• Health Data Access Bodies (HDAB)

• Market Surveillance Authorities

• European Health Data Space Board (EHDS) Board : facilitate cooperation and the exchange of information among Member States and the Commission

• Stakeholder forum : facilitating the exchange of information and promoting cooperation among stakeholders in relation to the implementation of this Regulation.

• Digital Health Authorities

• Steering groups for MyHealth@EU and HealthData@EU: Established for the cross-border infrastructures

🏥 Key Implications for Public and Private Hospitals

Access and Sharing of Electronic Health Data (Primary Use)

• Ensure patients’ electronic health data is accessible in a standardized format (European Electronic Health Record Exchange Format).

• Ensure secure cross-border data access by implementing data interoperability standards and secure IT infrastructure.

• Appoint responsible roles for EHDS compliance and data management.

• Cooperate with health data access bodies (Digital Health Authorities and HDABs) for monitoring, audits, and access procedures. Non-compliance can result in periodic penalty payments or even exclusion from EHDS secondary data access (up to 5 years).

• Watch out for the European Commission's technical specifications for the priority categories of personal electronic health data.

✅In France, the Digital Health Agency (Agence du numérique en santé - ANS) is this contact and therefore the entry point for the MyHealth@EU services. To this end, the ANS is implementing the Sesali.fr service and its API for healthcare software.

Electronic Health Record (EHR) and Hospital Information System (HIS) software solutions used in major French hospitals include leading platforms such as Orbis, DxCare, and Care4U, all developed by Dedalus, among others. These systems play a critical role in the digital management of patient data, supporting clinical workflows and administrative processes.

⚠️ Commercial use of data must be transparent and justified (e.g., development of AI diagnostic tools), and hospitals must guard against misuse or re-identification.