EHDS: EU Moves Ahead with Ambitious Digital Health Transformation

Introduction

On 5 March 2025, the European Union published the European Health Data Space Regulation (EHDS), marking a significant advancement of digital health across the European Union (EU). The regulation will enter into force on 26 March 2025, with its provisions phased in gradually over the coming years. The EHDS is designed to reshape the framework for accessing, exchanging, and utilising health data across the EU, fostering greater interoperability, transparency, and efficiency in health data governance.

What is the goal of EHDS?

The EHDS is designed to improve access to and more effective utilisation of health data across the EU. It strengthens patients’ rights by granting them greater control over their electronic health data and providing additional rights to easily access and share their data when receiving healthcare in other Member States (referred to as primary use of health data).

In addition, the EHDS establishes a framework for the secure use of high-quality health data in research, innovation, policymaking, and regulatory activities (referred to as the secondary use of health data). EU legislators anticipate that by improving interoperability and facilitating data sharing, the EHDS will support better healthcare delivery, accelerate medical research, and lead to the development of innovative healthcare solutions

Who will be affected by EHDS?

The EHDS will primarily impact stakeholders across the healthcare sector in the broadest sense, particularly affecting:

• patients,
• healthcare providers, such as hospitals, doctors, public and private medical centres
• researchers in life-science sector
• med-tech and pharma industries
• wellness and lifestyle application providers
• providers of electronic health records systems.

What will EHDS change for the patients?

Patients will benefit from additional rights, including an enhanced ability to access, control, and share specific categories of their electronic health data—extending beyond the protections already provided by the GDPR. More concretely, through secure electronic services, patients will be able to review their health records at any time, identify who has accessed their data, and restrict future access if they wish. Patients will also be empowered to export their data in a standardized electronic format (EEHRxF), making it readily available for healthcare providers across EU Member States. Consequently, medical professionals will have access to more comprehensive patient medical histories, even if the patients have previously received care at another facility. It is important to emphasize, however, that the EHDS does not involve the creation of a central EU repository of electronic health data. Instead, the infrastructure established under the EHDS will facilitate secure, point-to-point exchanges of data.

How can the healthcare sector prepare for EHDS?

The relevance of specific EHDS provisions will vary depending on the type of entity concerned.

For example:

• Developers of software systems intended for healthcare providers: Manufacturers and distributors of electronic health record (EHR) systems, intended for use by hospitals and other healthcare providers in delivering patient care, must implement harmonised interoperability and logging components. These systems will be required to undergo testing within an automated testing environment and obtain a CE marking prior to being placed on the EU market. The aim is to ensure that software designed for capturing doctors’ notes, storing test results, or managing patient records is fully capable of exchanging patient data seamlessly and securely.
• Wellness app manufacturers: Manufacturers of wellness applications (e.g., fitness trackers or weight-loss apps) claiming their apps can integrate or transmit information into electronic health record (EHR) systems must ensure compliance with the common specifications and essential requirements applicable to EHR systems under the EHDS framework.
• Health data holders: Entities within the healthcare sector – including medical centres, pharmaceutical or medical device companies, and private healthcare research institutions – will be required to comprehensively map their datasets and submit detailed descriptions of electronic health datasets and other covered datasets to the designated authorities (health data access bodies). In addition, they will be obligated to make these datasets available to authorised researchers or competent authorities upon request.
• Researchers and innovators, including companies developing healthcare products or services: Researchers, industry actors, and public institutions will be able to access catalogues of available health datasets and request permission to use such data for scientific research, including the training of artificial intelligence models for healthcare purposes. However, any data access request must first be approved by the designated health data access body and will be strictly limited to pseudonymized or anonymized data. Furthermore, data will be provided exclusively through secure processing environments and will remain subject to rigorous privacy safeguards in accordance with EHDS requirements.

When does EHDS take effect?

The general application of the EHDS will commence in 2027. Provisions governing the secondary use of health data will become applicable in 2029, while specific rules relating to clinical trials and genetic data will enter into force in 2031. Although the timeline may appear extended, substantial preparatory work will be required from Member States and the European Commission, with the participation healthcare sector—including developing technical specifics within implementing acts. Compliance and oversight will be assured by digital health authorities established in each Member State, as well as dedicated bodies responsible for managing data access requests. These authorities will operate with support from the newly established European Health Data Space Board.

Key takeaways:

1. The EU just introduced EHDS – new rules on the use and re-use of electronic health data. These changes will impact a wide range of stakeholders across the entire data life cycle—from individual patients and doctors, healthcare providers, to their suppliers, as well as the research and life sciences sectors.
2. Patients will gain significant new rights and practical control over their health data under EHDS, enabling secure, cross-border access to their medical records. Healthcare providers must anticipate and prepare for these patient-centric changes.
3. Developers of EHR systems and wellness app manufacturers who explicitly market integration with electronic health records need to align their products with EHDS interoperability and compliance standards to remain competitive in the EU market.
4. Health data holders—including hospitals, medical research institutions, pharmaceutical companies, medical device manufacturers, and healthcare-related businesses—must proactively catalogue their datasets and establish clear procedures for data sharing in compliance with EHDS requirements.
5. Researchers, innovators, and companies developing healthcare solutions will benefit from regulated access to extensive EU health datasets. However, organizations must be prepared to navigate strict privacy safeguards, secure processing environments, and mandatory authorization processes.
6. Despite the phased implementation timeline for EHDS implementation, organizations should initiate impact assessments and compliance preparations. Proactive planning will ease compliance burdens and position stakeholders strategically ahead of EHDS deadlines.

Author

Magdalena Kogut-Czarkowska, counsel, attorney-at-law, Timelex