
Data Strategy Briefing — December 6, 2023

EU governments have agreed their position on the European Health Data Space, a signal that boards should prepare governance for primary and secondary health data flows, invest in infrastructure implementation, and tighten DSAR and consent safeguards ahead of the final negotiations.


On 6 December 2023 the Council of the European Union adopted its general approach to the proposed European Health Data Space (EHDS) regulation, setting the stage for trilogue negotiations with the European Parliament and Commission in 2024. The EHDS aims to establish a harmonised framework for primary use of electronic health data (care delivery) and secondary use (research, innovation, policy-making). The Council's position clarifies national responsibilities for health data access bodies, the European infrastructure for cross-border data exchange (MyHealth@EU and HealthData@EU), and the safeguards expected for patient rights. Boards of healthcare providers, insurers, digital health companies, and researchers must now prepare governance structures, implementation roadmaps, and DSAR operations that align with the emerging obligations.

The Council text emphasises phased implementation. Member states must designate national digital health authorities, ensure interoperability of electronic health records (EHRs), and connect to EU infrastructures. Secondary use will require data access bodies to manage permits, enforce secure processing environments, and monitor compliance with the EHDS rules. The Council also proposes adjustments to consent opt-outs, data categories eligible for reuse, and the role of industry standardisation. Organisations should treat the general approach as the blueprint for future compliance requirements.

Governance preparations for healthcare boards

Boards should commission an EHDS readiness assessment that maps organisational roles across primary and secondary data use. For hospitals and providers, governance documentation must evaluate EHR maturity, participation in national digital health authorities, and readiness to support cross-border patient access. For research institutions and pharma companies, the focus should be on secondary data permits, data altruism participation, and compliance with secure processing facility obligations. Risk committees should integrate EHDS into enterprise risk management, noting dependencies on national implementation laws, interoperability standards, and funding mechanisms.

Boards must also designate accountable executives. Chief medical information officers, chief data officers, or digital health leads should own EHDS compliance programs, reporting progress to the board quarterly. Governance charters should outline responsibilities for aligning EHDS obligations with GDPR, Medical Device Regulation, and clinical safety requirements. Organisations operating in multiple member states should create coordination councils that track national variations in implementation timelines and supervisory expectations.

The Council's general approach highlights patient rights, including opt-out options for secondary use and transparency obligations. Boards should ensure that patient advisory councils or ethics committees are consulted when shaping consent models, opt-out experiences, and communication plans. Documenting stakeholder engagement supports accountability and demonstrates good faith if regulators scrutinise governance choices.

Implementation roadmap: infrastructure, interoperability, and security

Implementation efforts will span infrastructure investments and policy updates. Primary use obligations require providers to adopt EHDS-compliant EHR systems capable of structured data exchange using common formats and terminologies (such as HL7 FHIR, SNOMED CT, and LOINC). IT roadmaps should budget for upgrading legacy systems, integrating patient access portals, and connecting to the MyHealth@EU network for cross-border services. Organisations must also implement role-based access controls and audit trails that support patient access logs.

For secondary use, data access bodies and data holders must establish secure processing environments. These environments should provide approved researchers with controlled access to pseudonymised datasets, prohibit data downloads, and enforce output checks to prevent re-identification. Implementation teams should consider privacy-enhancing technologies, differential privacy, and statistical disclosure controls to meet the Council's expectations. Contracts with data users must clearly state permitted purposes, security requirements, retention limits, and penalties for misuse.

Interoperability requires standardisation of metadata and data quality processes. Organisations should adopt data catalogues that describe dataset provenance, quality metrics, and consent status. Data stewards must tag datasets with sensitivity levels, opt-out indicators, and applicable legal restrictions. Integration with national registries and terminologies will be essential for cross-border exchange; this may involve participating in European standardisation activities and aligning with CEN/ISO norms.

Security remains paramount. Healthcare organisations should benchmark controls against NIS2 and sector-specific frameworks, covering identity and access management, encryption, network segmentation, and incident response. Incident response plans must include notification pathways to national digital health authorities and data protection authorities in the event of EHDS-related breaches. Organisations should also test resilience of secure processing environments, including disaster recovery and business continuity.

DSAR and patient engagement enhancements

The EHDS reinforces patient rights to access their electronic health data, obtain digital copies, and control secondary use. DSAR systems must therefore provide near real-time access to EHR data, with interfaces that display provenance, access history, and sharing preferences. Organisations should integrate DSAR workflows with national patient portals where possible, ensuring consistent experiences. Identity verification should leverage eIDAS-compliant methods or national health identifiers to maintain security.

Patients will be able to restrict secondary use via opt-outs, subject to member state rules. DSAR teams must record opt-out requests, communicate them to data access bodies, and ensure that datasets released for secondary use respect these preferences. When opt-outs cannot be honoured—for example, due to public interest exemptions—responses must explain the legal basis and available recourse. Documentation of opt-out handling should be retained for audits.
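The secure processing environment controls described above (no row-level output, disclosure checks on what is released) and the requirement that released datasets respect recorded opt-outs, combined in one added example that is not part of the original briefing. The rows, the opt-out register, the `pseudonym` column and the minimum cell size of 5 are all constructed assumptions, not values from any EHDS text.

```python
from collections import Counter

# Constructed, pseudonymised sample rows of the kind an approved researcher
# might query inside a secure processing environment (not real patient data).
COLUMNS = ("pseudonym", "region", "diagnosis_code")
SAMPLE_ROWS = [
    ("p01", "NL-NH", "E11"), ("p02", "NL-NH", "E11"), ("p03", "NL-NH", "E11"),
    ("p04", "NL-NH", "E11"), ("p05", "NL-NH", "E11"), ("p06", "NL-NH", "E11"),
    ("p07", "NL-ZH", "E11"), ("p08", "NL-ZH", "E11"), ("p09", "NL-ZH", "E11"),
    ("p10", "NL-ZH", "E11"), ("p11", "NL-ZH", "E11"),
    ("p12", "NL-NH", "C50"), ("p13", "NL-ZH", "C50"),   # deliberately small cells
    ("p14", "NL-NH", "I10"), ("p15", "NL-NH", "I10"), ("p16", "NL-NH", "I10"),
    ("p17", "NL-NH", "I10"), ("p18", "NL-NH", "I10"),
]
# Constructed opt-out register as communicated by the DSAR team (pseudonyms).
OPT_OUTS = {"p06", "p18"}

MIN_CELL_SIZE = 5                    # assumed SPE policy threshold for released counts
IDENTIFYING_COLUMNS = {"pseudonym"}  # assumed: never allowed as an output dimension


def apply_opt_outs(rows, opt_outs, pseudonym_idx=0):
    """Drop records of patients who opted out before any analysis sees them."""
    return [r for r in rows if r[pseudonym_idx] not in opt_outs]


def aggregate(rows, columns, group_by):
    """Frequency table over the group_by columns (the only output form allowed)."""
    idx = [columns.index(c) for c in group_by]
    return dict(Counter(tuple(r[i] for i in idx) for r in rows))


def output_check(table, min_cell=MIN_CELL_SIZE):
    """Primary suppression: cells below min_cell become None.
    No marginal totals are emitted, so a suppressed cell cannot be recovered by
    subtraction; releasing totals would also require secondary suppression.
    Returns (checked_table, set of suppressed cell keys)."""
    checked, suppressed = {}, set()
    for key, count in table.items():
        checked[key] = count if count >= min_cell else None
        if count < min_cell:
            suppressed.add(key)
    return checked, suppressed


def release(rows, columns, group_by, opt_outs=OPT_OUTS, min_cell=MIN_CELL_SIZE):
    """Gatekeeper for what leaves the SPE: honour opt-outs, refuse row-level output, apply SDC."""
    if IDENTIFYING_COLUMNS & set(group_by):
        raise ValueError("row-level output is not permitted to leave the environment")
    usable = apply_opt_outs(rows, opt_outs, columns.index("pseudonym"))
    return output_check(aggregate(usable, columns, group_by), min_cell)
```

Note that honouring an opt-out can push a cell under the threshold (the `NL-NH`/`I10` cell here), which is why the disclosure check must run after the opt-out filter, not before.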

Transparency obligations include informing patients about data categories processed, access logs, and permissions granted to professionals. Organisations should provide dashboards summarising recent access events, research projects using their data, and mechanisms to lodge complaints. DSAR teams should coordinate with data protection officers to respond to complex requests involving multiple data holders or cross-border processing. Training should equip staff to explain EHDS rights in accessible language and to guide patients through opt-out mechanisms.

Vendor and partner coordination

The EHDS will reshape vendor relationships. Procurement teams should update contracts with EHR vendors, cloud providers, and analytics partners to include EHDS compliance obligations, interoperability standards, and data localisation requirements where applicable. Vendors must support secure processing environments, audit logging, and integration with national infrastructures. Organisations should develop vendor assessment frameworks that evaluate EHDS readiness, including API support, security certifications, and incident management capabilities.

Collaborations with research institutions and industry consortia will require governance agreements covering data sharing, intellectual property, and compliance with data access permits. Organisations should establish joint steering committees to oversee project compliance, review DSAR impacts, and coordinate communications with data access bodies. Memoranda of understanding should specify how opt-outs, withdrawal of consent, and incident response responsibilities are handled among partners.

Monitoring, training, and preparing for trilogues

Because the EHDS regulation is still under negotiation, organisations must maintain agile monitoring. Legal teams should track trilogue developments, analyse amendments, and brief governance bodies on changes affecting obligations, timelines, or penalties. Scenario planning should consider potential divergences between the Council and Parliament positions, such as data categories covered, opt-out scope, and enforcement structures.

Training programs should cover clinical staff, data scientists, IT professionals, and executives. Modules should explain EHDS objectives, governance structures, DSAR obligations, secure processing requirements, and interoperability standards. Regular refreshers will be necessary as the legal text evolves. Organisations should also participate in national pilot projects or sandbox initiatives to gain practical experience with EHDS infrastructures.

By proactively strengthening governance, investing in compliant infrastructure, and enhancing DSAR and patient engagement practices, healthcare organisations can position themselves to leverage the European Health Data Space while safeguarding patient trust and meeting forthcoming regulatory expectations.
