Glossary · EU Health Data EHDS (European Health Data Space (Regulation EU 2025/327))
EU regulation, adopted March 2025, creating the European Health Data Space. Establishes harmonised rules for primary use (healthcare delivery) and secondary use (research, policy, innovation) of electronic health data across the EU. The first operational sectoral data space delivered under the Data Governance Act framework.
## What the European Health Data Space actually is
The European Health Data Space (EHDS, Regulation EU 2025/327) is the first operational sectoral data space under the [Data Governance Act](/en/glossary/data-governance-act/) framework. Adopted in March 2025 after several years of legislative work, the EHDS regulates two distinct uses of electronic health data:
1. **Primary use** — using your health data for *your own healthcare* across the EU
2. **Secondary use** — using anonymised or pseudonymised health data for *research, policy, and innovation*
Both use cases are subject to comprehensive new rules that override or supplement national health-data law.
## Primary use: cross-border healthcare data
The primary-use provisions establish citizen rights and provider obligations:
### Citizen rights
- **Access to your own electronic health data** across Member States
- **Free electronic copies** in interoperable formats
- **Transmission to providers in other Member States** for cross-border care
- **Restriction rights** — you can limit which categories of data are shared
- **Audit logs** — you can see who accessed your data
### Provider obligations
- **MyHealth@EU integration** — Member State infrastructure for cross-border data exchange
- **Mandatory categories**: patient summaries, ePrescriptions, electronic dispensations, lab results, medical images, hospital discharge reports
- **Interoperability standards**: defined HL7/FHIR-based exchange formats
- **Cybersecurity requirements** aligned with NIS2
By 2030, all Member States must have operational MyHealth@EU connections for the mandatory data categories.
## Secondary use: research and policy
The more transformative provisions cover *secondary use* of health data:
### Data permit process
Researchers, public-interest organisations, regulators, and innovators can apply for permits to access EU health data for legitimate secondary purposes:
- **Public-interest research** (academic, clinical)
- **Public-health policy** and surveillance
- **Regulatory activities** (medicines, devices, healthcare quality)
- **Educational and training** activities
- **Innovation activities** under specific conditions
Permits are issued by national **Health Data Access Bodies (HDABs)** — one per Member State, coordinated EU-wide.
### Prohibited secondary uses
The regulation explicitly prohibits secondary use for:
- **Advertising and marketing**
- **Increasing insurance premiums** for individuals
- **Pricing or excluding people** from products
- **Decisions detrimental to natural persons**
### Data sources
Health Data Access Bodies aggregate from:
- Electronic health records
- Patient registries
- Medical-device data
- Public-health surveillance data
- Wellness/wellbeing-app data (where consented)
- Clinical trial data
- Health insurance claims data
- Genomic data (under additional safeguards)
## How EHDS implements Data Governance Act principles
The DGA established the framework for data intermediation, public-sector data re-use, and data altruism. The EHDS operationalises these principles for health:
| DGA principle | EHDS implementation |
|---------------|---------------------|
| Trustworthy data sharing | Health Data Access Bodies |
| Sovereignty | EU-only secure processing environments |
| Neutrality | HDABs cannot use data for own purposes |
| Consent and altruism | Citizen restriction rights + altruism provisions |
| Cross-border | MyHealth@EU + cross-Member-State coordination |
## Why EHDS matters
### For European citizens
The primary-use rights are concrete. By 2030, a French citizen receiving care in Germany should have automatic access to her electronic health record. A Spanish citizen on holiday in Italy with an emergency should have her allergies and current medications available to the treating physician. These are real improvements over the current fragmented state.
### For European researchers
Access to harmonised cross-border health data at population scale is unprecedented globally. The data permit process is slower than commercial data brokerage — by design — but the scale and quality of data accessible through HDABs will become competitive with major US health-data sources for many research questions.
### For health-tech innovation
The regulation creates new procurement categories — secure processing environments, data quality services, anonymisation services, health-data intermediation. European health-tech companies are positioning around these.
### For US-headquartered health-tech vendors
The EHDS imposes strict sovereignty requirements on secondary-use infrastructure. Secure processing environments must be EU-located, EU-operated, and structurally outside non-EU legal reach. This is a structural barrier for US-headquartered health-cloud providers.
## Implementation timeline
- **March 2025**: Regulation adopted
- **2026**: Implementing acts on technical specifications (in progress)
- **2027-2028**: Member State Health Data Access Bodies operational
- **2028-2030**: Mandatory MyHealth@EU categories phased in
- **2030**: Full applicability deadline
As of 2026, several Member States have designated their HDABs and are building the secure processing infrastructure. France (Health Data Hub, expanded under EHDS), Germany (Forschungsdatenzentrum Gesundheit), Finland (Findata), and Estonia (Tehik) are most advanced.
## EHDS vs other EU health-data regimes
| Aspect | EHDS | National health-data law | GDPR |
|--------|------|--------------------------|------|
| Scope | EU-wide health-data uses | National variations | Personal data generally |
| Cross-border | Core feature | Limited | Required by GDPR |
| Secondary use | Permit framework | Often unclear | Article 9(2)(j) basis |
| Health-specific rules | Yes | Yes | No (general) |
| EU sovereignty requirements | Yes | National | None |
EHDS does not replace national health-data law or GDPR — it adds a coordination layer above both.
## EHDS and data sovereignty
The EHDS is structurally interesting because it represents the EU's most aggressive implementation of data-sovereignty principles in a sectoral context to date:
- **EU-only secure processing environments** required for secondary use
- **No transfer of identifiable data outside EU** under EHDS workflows
- **Strict supply-chain provenance** for technology providers
- **Audit and transparency** obligations far exceeding GDPR baseline
This is the template for future sectoral data spaces (mobility, energy, financial). Expect similar sovereignty patterns to emerge across the sectoral data space portfolio.
## Practical implications
- **For European healthcare providers**: prepare for MyHealth@EU integration; this is a procurement and IT-systems agenda for the rest of the decade
- **For health-research organisations**: HDAB engagement becomes the primary route for European health-data access
- **For EU health-tech vendors**: significant new procurement category opening up around secure processing environments and data quality services
- **For US health-tech vendors**: structural sovereignty requirements limit direct participation; JV models likely required
- **For citizens**: meaningful new rights to your own health data starting from 2028-2030 onward
The EHDS is the first major operationalisation of the Data Governance Act framework. Its implementation experience will significantly shape how subsequent sectoral data spaces are built.
Was this helpful?
Thanks for your feedback!