The EHDS Regulation establishes the common European Health Data Space by laying down obligations upon public and private sector bodies for the facilitation of the primary and secondary use of electronic health data, either personal or non-personal. The provisions of the Regulation are expected to have a disruptive impact on the health sector, giving rise to new business models and opening unprecedented opportunities for digitalization, innovation, big data and AI related to healthcare.
On 26 May 2025, Regulation (EU) 2025/327 on the European Health Data Space (“EHDS”) comes into force (“Regulation”).
The Regulation establishes an EU-wide framework for accessing, managing, and sharing electronic health data across the EU, labelled as the European Health Data Space (“EHDS”).
The aim of the Regulation is to:
- Improve natural persons’ access to and control over their personal electronic health data in the context of healthcare; as well as
- Promote public interest purposes through the use of electronic health data in relation to R&D, policymaking, regulation, statistics, health threats preparedness and response, patient safety and personalized medicine.
For this purpose, the Regulation lays down common rules for:
i. the rights of data subjects in relation to the primary use and secondary use of their personal electronic health data;
ii. the access to and use of electronic health record systems (‘EHR systems’);
iii. the primary and secondary use of electronic health data and the establishment of the relevant cross-border infrastructure;
iv. the governance and coordination mechanisms of the EHDS at Union and national level.
1. Scope & Definitions
The Regulation establishes duties and obligations on the following public and private sector bodies:
- Health data holders, i.e. any natural or legal person, public authority, agency or other body in the healthcare or the care sectors, including reimbursement services where necessary, as well as any natural or legal person developing products or services intended for the health, healthcare or care sectors, developing or manufacturing wellness applications, performing research in relation to the healthcare or care sectors or acting as a mortality registry, as well as any Union institution, body, office or agency that processes personal electronic health data.
- Health data users, i.e. any natural or legal person, including Union institutions, bodies, offices or agencies, which has been granted lawful access to electronic health data for secondary use pursuant to a data permit, a health data request approval or an access approval by an authorized participant in HealthData@EU.
The Regulation also establishes significant rights of patients to access and control their health data.
2. Primary Use of Health Data
According to the Regulation, “primary use” means the processing of electronic health data for the provision of healthcare.
The following categories of health data shall be subject to primary use: (a) patient summaries; (b) electronic prescriptions; (c) electronic dispensations; (d) medical imaging studies and related imaging reports; (e) medical test results, including laboratory and other diagnostic results and related reports; and (f) discharge reports.
Where electronic health data are processed for the provision of healthcare, healthcare providers shall be obliged to register personal electronic health data in an electronic format in an EHR system.
All EHR systems in the EU shall interoperate, by including a European interoperability software component for EHR systems and a European logging software component for EHR systems.
In each member state, one or more electronic health data access services shall be established at national, regional or local level to enable natural persons to access their personal electronic health data and exercise their rights under the Regulation.
A central interoperability platform for digital health under the title MyHealth@EU, administered by the Commission, shall act as the main cross-border infrastructure for the primary use of personal electronic health data across the Union.
3. Secondary Use of Health Data
According to the Regulation, “secondary use” means the processing of electronic health data for the purposes of:
- public or occupational health, patient safety and medicinal products or medical devices;
- statistics, policy-making and regulatory activities;
- scientific research, education and training;
- improvement of the delivery of care, of the optimization of treatment and of the provision of healthcare, based on the electronic health data of other natural persons.
The Regulation establishes the duty of health data holders to make extensive categories of electronic health data available to health data access bodies for secondary use.
Access to health data for secondary use shall only be granted by health data access bodies to health data users, subject to the issuance of permits, within three (3) months from the receipt of the respective application. Health data access bodies may also charge relevant fees.
Access shall only be provided (i) to electronic health data that are adequate, relevant and limited to what is necessary in relation to the purpose of processing, (ii) in an anonymized format, where the purpose of processing by the health data user can be achieved with such data.
In relation to electronic health data containing content or information protected by intellectual property rights, trade secrets or covered by the regulatory data protection right laid down in Article 10(1) of Directive 2001/83/EC or Article 14(11) of Regulation (EC) No 726/2004, health data access bodies shall take all specific appropriate and proportionate measures of protection or may even refuse access.
Health data holders shall put the requested electronic health data at the disposal of the health data access body no later than three months from the receipt of its request.
In respect of non-personal electronic health data, health data holders shall provide access through trusted open databases to ensure unrestricted access for all users and data storage and preservation.
On the other hand, health data users shall make public the results or output of secondary use within 18 months of the completion of their processing. The results or output of secondary use shall contain only anonymous data.
A central interoperability platform for digital health under the title HealthData@EU, administered by the Commission, shall act as the main cross-border infrastructure for the primary use of personal electronic health data across the Union.
4. Rights of Data Subjects
Data subjects shall have the following rights under the Regulation:
- The right to identify themselves electronically in order to access and use electronic health data access services, by using any electronic identification means which are recognized pursuant to Article 6 of Regulation (EU) No 910/2014.
- The right to obtain information, including through automatic notifications, on any access to their personal electronic health data through the health professional access service obtained in the context of healthcare.
- The right to access and download copies of personal electronic health data relating to them that belong to priority categories and are processed for the provision of healthcare through the electronic health data access services.
- The right to insert information and rectify their EHRs through electronic health data access services or applications.
- The right to give access to, or to request a healthcare provider to transmit, all or part of their personal electronic health data to another healthcare provider of their choice immediately, free of charge and without hindrance.
- The right to restrict the access of health professionals and healthcare providers to all or parts of their personal electronic health data.
- The right to opt out at any time, and without providing any reason, from the processing of personal electronic health data for primary or secondary use under the Regulation. The exercise of that right shall be reversible.
- The right to mandate a not-for-profit body, organization or association, constituted in accordance with national law, having statutory public interest objectives and active in the field of the protection of personal data, to lodge a complaint on his or her behalf or to exercise his or her rights under the Regulation.
- The right to receive compensation for material or non-material damage as a result of an infringement of the Regulation.
5. Supervision & Enforcement
National digital health authorities shall supervise and enforce the rules of the Regulation in respect of primary use, including the power to examine complaints of natural or legal persons, whose rights or interests are negatively affected by acts or omissions resulting in non-compliance.
National market surveillance authorities shall supervise and enforce the rules of the Regulation upon manufacturers or other economic operators in respect of the EHR systems placed on the market or put into service.
In addition, health data access bodies shall have the following monitoring and supervisory powers upon health data users and health data holders:
- The power to request and receive all the necessary information to verify compliance with the Regulation.
- The revocation of data permits and the termination without undue delay of the affected electronic health data processing operations.
- The exclusion of health data users from any access to electronic health data in the context of secondary use for a period of up to five years.
- The examination of complaints of natural or legal persons, whose rights or interests are negatively affected by acts or omissions resulting in non-compliance.
- The imposition of periodic penalty payments upon health data holders for each day of delaying access to health data for secondary use.
- The imposition of administrative fines in case of violations of the Regulation, amounting up to EUR 20m or 4 % of the total worldwide annual turnover, whichever is higher.
A European Health Data Space Board shall also be established at EU level to facilitate cooperation and the exchange of information among Member States and the Commission.
Finally, the Commission shall develop, maintain, host and operate the infrastructures and central services required to support the functioning of the EHDS.
6. Entry into Force and Application
The Regulation shall apply from 26 March 2027.
However, most provisions of the Regulation concerning primary use shall come into application gradually up to March 2031.
7. Compliance Challenges & Business Impact:
A. Impact on Businesses & Organizations
- Healthcare providers must adapt their IT infrastructure to comply with the EHDS framework.
- Tech companies & startups offering health-related services need to ensure interoperability and compliance.
- Research institutions will gain greater access to high-quality health data while adhering to strict security measures.
B. Compliance Challenges for Organizations
- Technical Upgrades – Healthcare providers and tech vendors must update or replace non-compliant EHR systems to meet EHDS standards.
- Data Governance Complexity – New rules require stronger internal policies on data processing, patient rights, and security monitoring.
- Cross-Border Operations – Organizations processing health data in multiple EU countries must comply with varying national interpretations of EHDS rules.
C. Business & Industry Impact
- Healthcare Providers – Must invest in secure digital infrastructure and staff training for EHDS compliance.
- Tech & EHR Vendors – Need to align software with EHDS certification to remain market-eligible in the EU.
- Pharmaceutical & Research Companies – Gain broader access to high-quality health datasets for clinical trials, innovation, and AI-driven healthcare.
8. Compliance Deadlines & Next Steps:
- By June 2025 – Each EU Member State must appoint a National Digital Health Authority to oversee EHDS implementation.
- By January 2026 – All healthcare providers & EHR vendors must certify their systems for interoperability & security compliance.
- By 2027 – Full EHDS enforcement across the EU, with penalties for non-compliant organizations.
- March 2029: Key parts of the EHDS Regulation will enter into application, including, for primary use, the exchange of the first group of priority categories of health data (Patient Summaries, ePrescriptions/eDispensations) in all EU Member States. Rules on secondary use will also start to apply for most data categories (e.g. data from electronic health records).
- March 2031: For primary use, the exchange of the second group of priority categories of health data (medical images, lab results, and hospital discharge reports) should be operational in all EU Member States. Rules on secondary use will also start to apply for the remaining data categories (e.g. genomic data).
- March 2034: Third countries and international organizations will be able to apply to join HealthData@EU, for the secondary use.
9. Expectations from the EHDS:
EHDS optimizes the use of health data to improve healthcare, foster innovation, and support evidence-based policymaking. It is expected to:
- generate €11 billion in savings over the next decade by enhancing data accessibility;
- enhance healthcare service efficiency across EU member states;
- drive 20-30% expansion in the digital health sector;
- strengthen policy development and scientific research;
- lead to better health outcomes for European citizens.
10. What Organizations Should Do Next
Organizations required to follow and implement the EHDS Regulation must conduct an EHDS Readiness Audit. Simultaneously, it is crucial that organizations assess their existing data governance policies, IT systems, and compliance gaps.
On that basis, they must upgrade EHR and cybersecurity systems to ensure interoperability, encryption, and access control compliance. Lastly, it is of the utmost importance that organizations train their legal and IT teams and educate employees on EHDS regulations, data privacy, and cybersecurity best practices to ensure regulatory compliance.
The Regulation is available here.