Data Strategy · 6 min read · Credibility 73/100

EU data strategy

EU governments have agreed their European Health Data Space stance, signaling boards to prepare governance for primary and secondary health data flows, invest in infrastructure setup, and tighten DSAR and consent safeguards ahead of final negotiations.

Reviewed for accuracy by Kodi C.


On 6 December 2023 the Council of the European Union adopted its general approach to the proposed European Health Data Space (EHDS) regulation, setting the stage for trilogue negotiations with the European Parliament and Commission in 2024. The EHDS aims to set up a harmonized framework for primary use of electronic health data (care delivery) and secondary use (research, innovation, policy-making).

The Council's position clarifies national responsibilities for health data access bodies, the European infrastructure for cross-border data exchange (MyHealth@EU and HealthData@EU), and the safeguards expected for patient rights. Boards of healthcare providers, insurers, digital health companies, and researchers must now prepare governance structures, implementation roadmaps, and DSAR operations that align with the emerging obligations.

The Council text emphasizes phased implementation. Member states must designate national digital health authorities, ensure interoperability of electronic health records (EHRs), and connect to EU infrastructures. Secondary use will require data access bodies to manage permits, enforce secure processing environments, and monitor compliance with the EHDS rules. The Council also proposes adjustments to consent opt-outs, data categories eligible for reuse, and the role of industry standardization. Teams should treat the general approach as the blueprint for future compliance requirements.

Governance preparations for healthcare boards

Boards should commission an EHDS readiness assessment that maps organizational roles across primary and secondary data use. For hospitals and providers, governance documentation must evaluate EHR maturity, participation in national digital health authorities, and readiness to support cross-border patient access. For research institutions and pharma companies, the focus should be on secondary data permits, data altruism participation, and compliance with secure processing facility obligations. Risk committees should integrate EHDS into enterprise risk management, noting dependencies on national implementing laws, interoperability standards, and funding mechanisms.

Boards must also designate accountable executives. Chief medical information officers, chief data officers, or digital health leads should own EHDS compliance programs, reporting progress to the board quarterly. Governance charters should outline responsibilities for aligning EHDS obligations with GDPR, the Medical Device Regulation, and clinical safety requirements. Teams operating in multiple member states should create coordination councils that track national variations in implementation timelines and supervisory expectations.

The Council's general approach highlights patient rights, including opt-out options for secondary use and transparency obligations. Boards should ensure that patient advisory councils or ethics committees are consulted when shaping consent models, opt-out experiences, and communication plans. Documenting stakeholder engagement supports accountability and shows good faith if regulators scrutinise governance choices.

Implementation roadmap: infrastructure, interoperability, and security

Implementation efforts will span infrastructure investments and policy updates. Primary use obligations require providers to adopt EHDS-compliant EHR systems capable of structured data exchange using common formats and terminologies (such as HL7 FHIR, SNOMED CT, and LOINC). IT roadmaps should budget for upgrading legacy systems, integrating patient access portals, and connecting to the MyHealth@EU network for cross-border services. Teams must also implement role-based access controls and audit trails that support patient access logs.

For secondary use, data access bodies and data holders must establish secure processing environments. These environments should provide approved researchers with controlled access to pseudonymised datasets, prohibit data downloads, and enforce output checks to prevent re-identification. Implementation teams should consider privacy-enhancing technologies, differential privacy, and statistical disclosure controls to meet the Council's expectations. Contracts with data users must clearly state permitted purposes, security requirements, retention limits, and penalties for misuse.

Interoperability requires standardization of metadata and data quality processes. Teams should adopt data catalogs that describe dataset provenance, quality metrics, and consent status. Data stewards must tag datasets with sensitivity levels, opt-out indicators, and applicable legal restrictions. Integration with national registries and terminologies will be essential for cross-border exchange; this may involve participating in European standardization activities and aligning with CEN/ISO norms.

Security remains essential. Healthcare teams should benchmark controls against NIS2 and sector-specific frameworks, covering identity and access management, encryption, network segmentation, and incident response. Incident response plans must include notification pathways to national digital health authorities and data protection authorities in the event of EHDS-related breaches. Teams should also test the resilience of secure processing environments, including disaster recovery and business continuity.

DSAR and patient engagement improvements

The EHDS reinforces patient rights to access their electronic health data, obtain digital copies, and control secondary use. DSAR systems must therefore provide near real-time access to EHR data, with interfaces that display provenance, access history, and sharing preferences. Teams should integrate DSAR workflows with national patient portals where possible, ensuring consistent experiences. Identity verification should use eIDAS-compliant methods or national health identifiers to maintain security.

Patients will be able to restrict secondary use via opt-outs, subject to member state rules. DSAR teams must record opt-out requests, communicate them to data access bodies, and ensure that datasets released for secondary use respect these preferences. When opt-outs cannot be honored—for example, due to public interest exemptions—responses must explain the legal basis and available recourse. Documentation of opt-out handling should be retained for audits.
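As an added illustration (not from the briefing, the Council text, or any EHDS implementation), the following Python sketch shows a release check that a secure processing environment could run before aggregate outputs leave the environment: records of opted-out patients are removed first, then a minimum cell-size rule, a basic statistical disclosure control of the kind the implementation section mentions, suppresses small cells and records an audit summary. The records, the opt-out register and the threshold are constructed sample values.

```python
"""Illustrative release check for a secure processing environment:
drop opted-out patients, aggregate, then suppress small cells."""
from collections import Counter

# Constructed sample: pseudonymised records as (pseudonym, region, diagnosis code).
RECORDS = [
    ("p01", "BE-BRU", "E11"), ("p02", "BE-BRU", "E11"), ("p03", "BE-BRU", "E11"),
    ("p04", "BE-BRU", "E11"), ("p05", "BE-BRU", "E11"), ("p06", "BE-BRU", "I10"),
    ("p07", "BE-BRU", "I10"), ("p08", "NL-NH", "E11"), ("p09", "NL-NH", "I10"),
    ("p10", "NL-NH", "I10"), ("p11", "NL-NH", "I10"), ("p12", "NL-NH", "I10"),
]
# Constructed opt-out register, keyed by pseudonym, as recorded by the DSAR team.
OPT_OUTS = {"p02", "p12"}
# Minimum cell size: assumed value; in practice set by the data access body.
MIN_CELL = 3

def apply_opt_outs(records, opt_outs):
    """Remove every record whose pseudonym appears in the opt-out register."""
    return [r for r in records if r[0] not in opt_outs]

def aggregate(records):
    """Count records per (region, diagnosis) cell."""
    return dict(Counter((region, dx) for _, region, dx in records))

def output_check(counts, min_cell=MIN_CELL):
    """Primary suppression: withhold every cell with fewer than min_cell
    records. Returns (released cells, keys of suppressed cells)."""
    # Caveat: if marginal totals are also published, a suppressed cell can be
    # recovered by subtraction; real SDC adds secondary suppression for that.
    released, suppressed = {}, []
    for cell, n in sorted(counts.items()):
        if n >= min_cell:
            released[cell] = n
        else:
            suppressed.append(cell)
    return released, suppressed

def prepare_release(records, opt_outs, min_cell=MIN_CELL):
    """Run the pipeline and produce an audit summary for the access body."""
    kept = apply_opt_outs(records, opt_outs)
    released, suppressed = output_check(aggregate(kept), min_cell)
    audit = {"input_records": len(records), "opt_out_removed": len(records) - len(kept),
             "cells_released": len(released), "cells_suppressed": len(suppressed)}
    return released, suppressed, audit

if __name__ == "__main__":
    print(prepare_release(RECORDS, OPT_OUTS))
```

Note that honoring the two opt-outs changes the counts themselves (the BE-BRU/E11 cell drops from 5 to 4), which is why the opt-out step must run before, not after, the disclosure check.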

Transparency obligations include informing patients about data categories processed, access logs, and permissions granted to professionals. Teams should provide dashboards summarizing recent access events, research projects using their data, and mechanisms to lodge complaints. DSAR teams should coordinate with data protection officers to respond to complex requests involving multiple data holders or cross-border processing. Training should equip staff to explain EHDS rights in accessible language and to guide patients through opt-out mechanisms.

Vendor and partner coordination

The EHDS will reshape vendor relationships. Procurement teams should update contracts with EHR vendors, cloud providers, and analytics partners to include EHDS compliance obligations, interoperability standards, and data localization requirements where applicable. Vendors must support secure processing environments, audit logging, and integration with national infrastructures. Teams should develop vendor assessment frameworks that evaluate EHDS readiness, including API support, security certifications, and incident management capabilities.

Collaborations with research institutions and industry consortia will require governance agreements covering data sharing, intellectual property, and compliance with data access permits. Teams should establish joint steering committees to oversee project compliance, review DSAR impacts, and coordinate communications with data access bodies. Memoranda of understanding should specify how opt-outs, withdrawal of consent, and incident response responsibilities are handled among partners.

Monitoring, training, and preparing for trilogues

Because the EHDS regulation is still under negotiation, teams must maintain agile monitoring. Legal teams should track trilogue developments, analyze amendments, and brief governance bodies on changes affecting obligations, timelines, or penalties. Scenario planning should consider potential divergences between the Council and Parliament positions, such as data categories covered, opt-out scope, and enforcement structures.

Training programs should cover clinical staff, data scientists, IT professionals, and executives. Modules should explain EHDS objectives, governance structures, DSAR obligations, secure processing requirements, and interoperability standards. Regular refreshers will be necessary as the legal text evolves. Teams should also participate in national pilot projects or sandbox initiatives to gain practical experience with EHDS infrastructures.

By strengthening governance early, investing in compliant infrastructure, and enhancing DSAR and patient engagement practices, healthcare teams can position themselves to use the European Health Data Space while safeguarding patient trust and meeting forthcoming regulatory expectations.


