
EU data spaces

The European Commission’s May 2022 proposal for a European Health Data Space introduces mandatory patient access, cross-border interoperability, EHR certification, and regulated secondary-use permits, requiring healthcare teams to overhaul governance, infrastructure, and vendor contracts.

Reviewed for accuracy by Kodi C.


On 3 May 2022 the European Commission proposed a Regulation establishing a European Health Data Space (EHDS). The draft law creates a mandatory framework for primary use of electronic health data—ensuring patient access, interoperability, and digital health services across the EU—and a regulated secondary-use regime under which authorized bodies can process health datasets for research, innovation, policy, and regulatory oversight. The proposal supplements the GDPR and Data Governance Act, introduces certification requirements for electronic health record (EHR) systems, and sets up cross-border infrastructure (MyHealth@EU and HealthData@EU) governed by new national authorities.

Operational priorities for healthcare providers

Hospitals, clinics, and insurers operating in the EU must first assess how the EHDS will reshape patient data access obligations. Article 3 requires Member States to ensure that individuals can access their electronic health data free of charge, immediately, and in an easily readable, consolidated format.

Providers must integrate with the MyHealth@EU infrastructure to exchange core datasets—patient summaries, ePrescriptions, eDispensations, lab reports, imaging, discharge letters, and more—using EU-wide standards. Operational teams should map current electronic medical record workflows, identify data quality gaps, and budget for integration with national contact points that will relay data cross-border.

The proposal also requires that healthcare professionals have access to patient data generated in other Member States, subject to patient consent. Teams should update consent management systems, ensuring that patient preferences, language requirements, and revocation mechanisms are captured in structured formats. Since EHDS emphasizes interoperability via the European Electronic Health Record Exchange Format, IT departments must align data models, coding systems (SNOMED CT, ICD, LOINC), and terminologies. This may require upgrades to middleware, data warehouses, and interface engines to translate local codes into EU-mandated vocabularies.

Article 14 introduces new obligations for manufacturers of EHR systems: only certified products conforming to European standards (covering security, interoperability, and export functionality) may be placed on the EU market. Healthcare teams should inventory EHR modules, confirm vendor certification roadmaps, and prepare procurement plans for upgrades or replacements. Certification will probably build on existing structures (for example, EU cybersecurity certification frameworks), requiring secure-by-design engineering, logging, and incident reporting. Ensure that contracts include clauses obligating vendors to obtain and maintain EHDS certification once the delegated acts are finalized.

Secondary-use governance

For secondary use, the EHDS proposal creates Health Data Access Bodies (HDABs) in each Member State. These authorities will process data permit applications, mediate secure data processing environments, and enforce purpose limitations. Research institutions, pharmaceutical companies, medtech vendors, and public bodies seeking to use electronic health data beyond direct care must obtain permits specifying data categories, processing duration, and security measures. The regulation prohibits use for certain purposes, including advertising, decisions detrimental to individuals, and sharing with third countries lacking adequate safeguards without Commission approval.

Teams planning to use secondary-use datasets should establish compliance programs mirroring data altruism and GDPR accountability principles. Develop standard operating procedures for drafting data permit applications, including research protocols, privacy impact assessments, and security controls. HDABs will require use of secure processing environments; teams should budget for infrastructure capable of pseudonymization, differential privacy, access logging, and output vetting. Align secondary-use initiatives with ethics committees and institutional review boards to validate lawful bases under both GDPR and EHDS.

Interaction with existing data protection regimes

The EHDS proposal explicitly states that GDPR remains the baseline for personal data processing. However, it introduces sector-specific rules: data subjects cannot object to primary use processing necessary for healthcare delivery, but must be able to restrict cross-border sharing in certain scenarios.

Controllers must inform patients about secondary-use permits involving their data, and HDABs must publish registers of data requests. Your compliance team should update privacy notices, consent forms, and data protection impact assessments to reflect EHDS rights and obligations. They must also revisit lawful bases for processing (Articles 6 and 9 GDPR) when using data for innovation, ensuring alignment with EHDS-permitted purposes.

Data transfers outside the EU gain a new layer: secondary-use data may only be shared with third-country recipients if they adhere to Commission-approved requirements, adopt binding contracts, and process data within secure environments that meet Union standards. Teams relying on global research networks must evaluate cross-border data sharing agreements and determine whether alternative strategies, such as federated analytics, are needed to keep processing within EU borders.

Operational roadmap

Near term (2022–2023): Launch EHDS readiness assessments covering infrastructure, data governance, and patient engagement. Track the legislative process in the Council and Parliament, including potential amendments about data altruism, interoperability timelines, or penalties (currently envisaged at GDPR-equivalent levels). Engage with national digital health authorities to understand plans for establishing HDABs and national contact points.

Medium term (2024–2026): Assuming adoption with transitional periods, prepare projects to integrate with MyHealth@EU. This includes adopting reference setup guides, deploying APIs for patient access, and aligning identity verification with EU eIDAS schemes. Hospitals should plan change management initiatives to train clinicians on accessing foreign records, documenting consent, and resolving discrepancies. Data management teams must invest in mastering patient identities across disparate systems to prevent mismatches during cross-border exchange.

Long term (post-2026): As secondary-use frameworks mature, explore partnerships with research consortia and innovation ecosystems that use HealthData@EU. Develop internal governance boards to evaluate secondary-use opportunities, balancing societal benefit with privacy obligations. Integrate EHDS compliance metrics into environmental, social, and governance (ESG) reporting, demonstrating contributions to European public health objectives.

Sourcing and ecosystem impacts

EHR vendors, telehealth providers, and health data platforms will face increased scrutiny. Procurement teams should request EHDS compliance roadmaps, including timelines for certification, interoperability support, and secure data export capabilities. Evaluate vendors’ ability to integrate with national digital health infrastructures, support multilingual interfaces, and manage consent granularity. Cloud providers hosting health data must show compliance with EU data localization expectations, strong security certifications (ISO/IEC 27001, HDS in France), and capabilities for secure data processing environments required by HDABs.

Startups developing digital therapeutics, remote monitoring solutions, or AI diagnostics should prepare for stricter data access conditions. The EHDS may require them to process data within accredited secure environments, submit algorithms for assessment, and adhere to transparency obligations under the proposed AI Act. Investors should factor compliance costs and certification timelines into due diligence. Collaboration with academic medical centers may offer avenues to access secondary-use data under HDAB oversight while sharing compliance responsibilities.

Risk management and controls

Key risks include data interoperability failures, insufficient consent capture, cybersecurity exposures, and delays in securing secondary-use permits. Implement data quality programs that monitor completeness, accuracy, and standardized coding. Deploy consent management platforms capable of capturing granular patient preferences, including opt-outs for specific datasets or research purposes. Enhance cybersecurity controls—multi-factor authentication for clinicians, zero-trust network segmentation, encryption in transit and at rest—to meet EHDS security expectations and align with NIS2 obligations for healthcare operators.

Audit and compliance teams should prepare for supervisory scrutiny. The EHDS enables national authorities to conduct inspections, require remediation plans, and impose penalties aligned with GDPR (up to €20 million or 4% of global turnover). Maintain documentation of interoperability testing, staff training records, security certifications, and incident response exercises. Establish metrics tracking patient access requests, cross-border data exchanges, permit approvals, and breach notifications.

Working with stakeholders

Success depends on coordinated stakeholder management. Engage patient advocacy groups early to design transparent communication materials explaining new access rights and data reuse safeguards. Work with clinicians to incorporate EHDS-compliant workflows into electronic charting systems, minimising disruption during consultations. Collaborate with national health ministries, standardization bodies (CEN, ISO), and industry associations to shape delegated acts on certification criteria and data formats.

Universities and research teams should align grant proposals and ethics submissions with EHDS requirements, demonstrating secure data handling and societal benefit. Pharmaceutical companies can explore pre-competitive collaborations via HealthData@EU to accelerate clinical research, pharmacovigilance, and health technology assessment, while ensuring that commercial objectives do not breach permitted purposes.

Monitoring legislative developments

The EHDS proposal will undergo co-legislative negotiations; expect debates over the scope of permitted secondary-use purposes, obligations for private insurers, and financing of national infrastructures. Parliament committees (ENVI, LIBE, IMCO) and the Council’s working parties may propose amendments affecting timelines, certification costs, or enforcement. Teams should maintain a policy watch function, possibly using Brussels-based associations, to anticipate changes and adjust project plans. Once adopted, delegated and implementing acts will flesh out technical details—data sets, interoperability standards, security requirements—requiring agile program management to keep pace.

The European Health Data Space aims to enable cross-border healthcare and innovation while safeguarding fundamental rights. Healthcare and life sciences teams that invest early in interoperability, governance, and secure data reuse will be best positioned to comply with the regulation and take advantage of new data-driven opportunities across the Union.

