Data Strategy Briefing — May 3, 2022
The European Commission’s May 2022 proposal for a European Health Data Space introduces mandatory patient access, cross-border interoperability, EHR certification, and regulated secondary-use permits, requiring healthcare stakeholders to overhaul governance, infrastructure, and vendor contracts.
Executive briefing: On 3 May 2022 the European Commission proposed a Regulation establishing a European Health Data Space (EHDS). The draft law creates a mandatory framework for primary use of electronic health data—ensuring patient access, interoperability, and digital health services across the EU—and a regulated secondary-use regime under which authorised bodies can process health datasets for research, innovation, policy, and regulatory oversight. The proposal supplements the GDPR and Data Governance Act, introduces certification requirements for electronic health record (EHR) systems, and sets up cross-border infrastructure (MyHealth@EU and HealthData@EU) governed by new national authorities.
Operational priorities for healthcare providers
Hospitals, clinics, and insurers operating in the EU must first assess how the EHDS will reshape patient data access obligations. Article 3 requires Member States to ensure that individuals can access their electronic health data free of charge, immediately, and in an easily readable, consolidated format. Providers must integrate with the MyHealth@EU infrastructure to exchange core datasets—patient summaries, ePrescriptions, eDispensations, lab reports, imaging, discharge letters, and more—using EU-wide standards. Operational teams should map current electronic medical record workflows, identify data quality gaps, and budget for integration with national contact points that will relay data cross-border.
The proposal also mandates that healthcare professionals treating a patient have access to that patient's data generated in other Member States. The legal basis is the regulation itself rather than consent, but patients keep a right to restrict which professionals may see which data, so organisations should update preference and consent management systems to capture patient restrictions, language requirements, and revocation mechanisms in structured formats. Given that EHDS emphasises interoperability via the European Electronic Health Record Exchange Format, IT departments must align data models, coding systems (SNOMED CT, ICD, LOINC), and terminologies. This may necessitate upgrades to middleware, data warehouses, and interface engines to translate local codes into EU-mandated vocabularies.
Chapter III of the proposal (Article 14 onwards) brings EHR systems under a mandatory conformity regime: only systems that meet the essential requirements on interoperability and security set out in the annex, including the ability to export patient data in the European exchange format, and that carry an EU declaration of conformity and CE marking may be placed on the EU market. The proposal relies on manufacturer self-assessment rather than third-party certification, so the burden of checking a vendor's claims falls partly on the buyer. Healthcare organisations should inventory EHR modules, confirm vendor conformity roadmaps, and prepare procurement plans for upgrades or replacements. The detailed requirements may build on existing structures (e.g., EU cybersecurity certification schemes), and will call for secure-by-design engineering, audit logging of access to patient data, and incident reporting. Ensure that contracts oblige vendors to achieve and maintain EHDS conformity once the delegated and implementing acts are finalised, and to supply the evidence behind their declaration of conformity.
Secondary-use governance
For secondary use, the EHDS proposal creates Health Data Access Bodies (HDABs) in each Member State. These authorities will process data permit applications, mediate secure data processing environments, and enforce purpose limitations. Research institutions, pharmaceutical companies, medtech vendors, and public bodies seeking to use electronic health data beyond direct care must obtain permits specifying data categories, processing duration, and security measures. The regulation prohibits use for certain purposes, including advertising or marketing, decisions detrimental to individuals (for example in insurance or credit), and making the data available to third parties not named in the permit.
Organisations planning to leverage secondary-use datasets should establish compliance programmes mirroring data altruism and GDPR accountability principles. Develop standard operating procedures for drafting data permit applications, including research protocols, privacy impact assessments, and security controls. HDABs will require use of secure processing environments; teams should budget for infrastructure capable of pseudonymisation, differential privacy, access logging, and output vetting. Align secondary-use initiatives with ethics committees and institutional review boards to validate lawful bases under both GDPR and EHDS.
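Two of the controls listed above, keyed pseudonymisation and output vetting, are shown below as an added example. This is illustrative code written for this briefing, not part of the EHDS proposal or any HDAB's tooling. The per-permit secret key, the column names, the sample rows and the minimum cell count of three are all assumptions; a real secure processing environment would hold the key in an HSM and apply a threshold set by the HDAB.

```python
"""Added example (not from the briefing or the EHDS proposal): two controls a secure
processing environment would run before results reach a permit holder.

Assumptions (hypothetical): the HDAB holds a per-permit secret key, so one patient
maps to one pseudonym within a permit but cannot be linked across permits; output
vetting suppresses any aggregate cell below a minimum count before release.
"""
import csv
import hashlib
import hmac
import io

# Constructed sample extract of a notional discharge dataset (not real data).
# AT-0001 appears twice to show that counts are per patient, not per row.
SAMPLE_EXTRACT = """national_id,diagnosis,region
AT-0001,E11,Wien
AT-0002,E11,Wien
AT-0003,I10,Wien
AT-0001,E11,Wien
AT-0004,C50,Graz
AT-0005,I10,Graz
AT-0006,I10,Graz
AT-0007,E11,Wien
"""

MIN_CELL_COUNT = 3  # hypothetical HDAB threshold below which a cell is not released


def pseudonymise(national_id: str, permit_key: bytes) -> str:
    """Keyed, deterministic pseudonym. HMAC rather than a plain SHA-256 so that
    someone who knows the identifier format (here a small AT-nnnn space) cannot
    rebuild the mapping by hashing every candidate; the key never leaves the HDAB."""
    return hmac.new(permit_key, national_id.encode(), hashlib.sha256).hexdigest()[:16]


def load_pseudonymised(extract: str, permit_key: bytes) -> list[dict]:
    """Parse the extract and replace the direct identifier with a pseudonym."""
    rows = []
    for row in csv.DictReader(io.StringIO(extract)):
        row = dict(row)
        row["pseudonym"] = pseudonymise(row.pop("national_id"), permit_key)
        rows.append(row)
    return rows


def count_patients(rows: list[dict], by=("diagnosis", "region")) -> dict[tuple, int]:
    """Distinct patients per cell; repeated admissions of one patient count once."""
    seen: dict[tuple, set] = {}
    for r in rows:
        seen.setdefault(tuple(r[k] for k in by), set()).add(r["pseudonym"])
    return {cell: len(p) for cell, p in seen.items()}


def vet_output(counts: dict[tuple, int], min_count: int = MIN_CELL_COUNT):
    """Output vetting: cells under the threshold are withheld, not rounded.
    Returns (released, suppressed) so the release decision can be logged."""
    released = {c: n for c, n in counts.items() if n >= min_count}
    suppressed = sorted(c for c, n in counts.items() if n < min_count)
    return released, suppressed


if __name__ == "__main__":
    rows = load_pseudonymised(SAMPLE_EXTRACT, b"permit-2022-0001-key")
    released, suppressed = vet_output(count_patients(rows))
    print("released:", released)
    print("suppressed (below threshold):", suppressed)
```

Using a fresh key per permit is what makes the pseudonyms unlinkable between two data users; reusing one key across permits would let them join their extracts on the pseudonym. The vetting step returns the suppressed cells explicitly so the environment can record why a result was withheld, which is the audit trail an HDAB inspection would ask for.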
Interaction with existing data protection regimes
The EHDS proposal explicitly states that GDPR remains the baseline for personal data processing. However, it introduces sector-specific rules: data subjects cannot object to primary use processing necessary for healthcare delivery, but must be able to restrict cross-border sharing in certain scenarios. Controllers must inform patients about secondary-use permits involving their data, and HDABs must publish registers of data requests. Compliance teams should update privacy notices, consent forms, and data protection impact assessments to reflect EHDS rights and obligations. They must also revisit lawful bases for processing (Articles 6 and 9 GDPR) when leveraging data for innovation, ensuring alignment with EHDS-permitted purposes.
Data transfers outside the EU gain a new layer on top of the GDPR Chapter V rules, which continue to apply: the proposal expects data released for secondary use to be processed within secure processing environments meeting Union standards, allows Member States to attach further conditions to international access to personal health data, and leaves the conditions for third-country access to HealthData@EU to be set at Union level. Organisations relying on global research networks must evaluate cross-border data sharing agreements and determine whether alternative strategies, such as federated analytics, are needed to keep processing within EU borders.
Operational roadmap
Near term (2022–2023): Launch EHDS readiness assessments covering infrastructure, data governance, and patient engagement. Track the legislative process in the Council and Parliament, including potential amendments relating to data altruism, interoperability timelines, or penalties (the proposal leaves the level of fines to Member States, so any harmonised GDPR-scale amounts would have to be added during negotiations). Engage with national digital health authorities to understand plans for establishing HDABs and national contact points.
Medium term (2024–2026): Assuming adoption with transitional periods, prepare projects to integrate with MyHealth@EU. This includes adopting reference implementation guides, deploying APIs for patient access, and aligning identity verification with EU eIDAS schemes. Hospitals should plan change management initiatives to train clinicians on accessing foreign records, documenting consent, and resolving discrepancies. Data management teams must invest in mastering patient identities across disparate systems to prevent mismatches during cross-border exchange.
Long term (post-2026): As secondary-use frameworks mature, explore partnerships with research consortia and innovation ecosystems that leverage HealthData@EU. Develop internal governance boards to evaluate secondary-use opportunities, balancing societal benefit with privacy obligations. Integrate EHDS compliance metrics into environmental, social, and governance (ESG) reporting, demonstrating contributions to European public health objectives.
Sourcing and ecosystem impacts
EHR vendors, telehealth providers, and health data platforms will face increased scrutiny. Procurement teams should request EHDS compliance roadmaps, including timelines for certification, interoperability support, and secure data export capabilities. Evaluate vendors’ ability to integrate with national digital health infrastructures, support multilingual interfaces, and manage consent granularity. Cloud providers hosting health data must demonstrate compliance with EU data localisation expectations, robust security certifications (ISO/IEC 27001, HDS in France), and capabilities for secure data processing environments required by HDABs.
Startups developing digital therapeutics, remote monitoring solutions, or AI diagnostics should prepare for stricter data access conditions. The EHDS may require them to process data within secure processing environments under a permit, and where their products are medical devices or AI systems the proposal expects the EHDS requirements to apply alongside the medical device rules and the transparency obligations of the proposed AI Act. Investors should factor compliance costs and conformity timelines into due diligence. Collaboration with academic medical centres may offer avenues to access secondary-use data under HDAB oversight while sharing compliance responsibilities.
Risk management and controls
Key risks include data interoperability failures, insufficient capture of patient preferences, cybersecurity exposures, and delays in securing secondary-use permits. Implement data quality programmes that monitor completeness, accuracy, and standardised coding. Deploy consent management platforms capable of capturing granular patient preferences, including restrictions on specific datasets or on access by particular professionals. Enhance cybersecurity controls (multi-factor authentication for clinicians, zero-trust network segmentation, encryption in transit and at rest, and audit logging of every access to patient records) to meet the EHDS security requirements and align with the forthcoming NIS2 Directive, under which healthcare providers are essential entities.
Audit and compliance teams should prepare for supervisory scrutiny. The EHDS empowers national digital health authorities, HDABs, and market surveillance authorities to conduct inspections, require remediation plans, revoke data permits, and impose penalties; the proposal itself leaves the amounts to national law, so penalty exposure will depend on how Member States and the co-legislators settle that point. Maintain documentation of interoperability testing, staff training records, security certifications, and incident response exercises. Establish metrics tracking patient access requests, cross-border data exchanges, permit approvals, and breach notifications.
Stakeholder engagement
Success depends on coordinated stakeholder management. Engage patient advocacy groups early to design transparent communication materials explaining new access rights and data reuse safeguards. Work with clinicians to incorporate EHDS-compliant workflows into electronic charting systems, minimising disruption during consultations. Collaborate with national health ministries, standardisation bodies (CEN, ISO), and industry associations to shape delegated acts on certification criteria and data formats.
Universities and research organisations should align grant proposals and ethics submissions with EHDS requirements, demonstrating secure data handling and societal benefit. Pharmaceutical companies can explore pre-competitive collaborations via HealthData@EU to accelerate clinical research, pharmacovigilance, and health technology assessment, while ensuring that commercial objectives do not breach permitted purposes.
Monitoring legislative developments
The EHDS proposal will undergo co-legislative negotiations; expect debates over the scope of permitted secondary-use purposes, obligations for private insurers, and financing of national infrastructures. Parliament committees (ENVI, LIBE, IMCO) and the Council’s working parties may propose amendments affecting timelines, certification costs, or enforcement. Organisations should maintain a policy watch function, possibly leveraging Brussels-based associations, to anticipate changes and adjust project plans. Once adopted, delegated and implementing acts will flesh out technical details—data sets, interoperability standards, security requirements—necessitating agile programme management to keep pace.
The European Health Data Space aims to unlock cross-border healthcare and innovation while safeguarding fundamental rights. Healthcare and life sciences organisations that invest early in interoperability, governance, and secure data reuse will be best positioned to comply with the regulation and leverage new data-driven opportunities across the Union.