EHDS 2025: Rights and obligations for the use of health data

The European Health Data Space (EHDS) will transform the way health data is used in Europe. The aim is to securely enable the cross-border use of medical information and remove legal and technical barriers. It is crucial for companies and organisations within the healthcare ecosystem to understand their future obligations and how to prepare efficiently from an early stage.


Purpose and objective of the EHDS

The EHDS establishes a consistent legal framework and encourages the development of sector-specific data spaces within the healthcare sector. The focus is on electronic health data.

This refers to health information that is processed electronically. This term is therefore both narrower and broader than in other legal frameworks: it is narrower because it only covers electronic data, but it is broader because it includes both personal and non-personal health data. The decisive factor is therefore electronic availability, rather than whether the data is assigned to a specific person.

The EHDS Regulation primarily provides for two areas of application:

  • Primary use: The care and treatment of patients, supported by interoperable electronic health records (EHRs).
  • Secondary use: The use of health data for research, innovation, policy-making, regulation and quality assurance.

The aim is to enable the secure flow of health data across the EU while maintaining high security, interoperability and governance standards.


Who is affected by the EHDS?

The EHDS affects stakeholders across the entire healthcare spectrum, including health data holders, healthcare providers, researchers, the new intermediary bodies and the supervisory authorities.

Health data holders

The Regulation uses the term "health data holder" for natural or legal persons that hold electronic health data and have the right or obligation to make it available. This includes, for example, healthcare facilities, research institutions and companies that hold relevant data sets. The term is not the same as the GDPR's "controller": a holder may hold non-personal data, and the obligations below attach to the holder role regardless of whether the data is personal.

Primary users

Primary users are primarily healthcare professionals and providers who access electronic health data for treatment purposes. They are required to record and continuously update electronic health records.

Secondary users

Secondary users (health data users) are companies and public institutions that wish to use health data for one of the permitted purposes. To do so, they need a data permit from a health data access body and must comply with strict protection and security requirements, in particular processing the data only within a secure processing environment.

New institutions under the EHDS

The EHDS provides for the establishment of several institutions to manage and supervise the system:

  • National contact points for digital health and the MyHealth@EU infrastructure, which facilitate secure cross-border exchange for primary use.
  • Health data access bodies, which act as the central authority for secondary use: they review applications, issue data permits, provide data in secure processing environments and define the conditions of use. Cross-border secondary use runs over the HealthData@EU infrastructure.
  • Digital health authorities, which are responsible for implementing and supervising the EHDS requirements for primary use at national level.

The EHDS establishes rights and obligations for companies and organisations

The EHDS entails various responsibilities and obligations depending on the role.

The obligations of health data holders

Health data holders must:

  • make the requested electronic health data available to the health data access body within three months of receiving the request;
  • maintain an up-to-date description of the data sets they hold, for inclusion in the national data set catalogue;
  • provide sufficient documentation of those data sets; and
  • make non-personal health data available in an open database.

Please note that health data must also be made available where it is protected by intellectual property rights or trade secrets. In such cases the holder must identify the protected content, and the health data access body decides which parts are disclosed and which protective measures (for example restricted access or contractual confidentiality obligations) apply to the user.

Obligations of health data users

Health data users must submit a comprehensive application for access to electronic health data in which they:

  • describe the intended purpose and the processing to be carried out;
  • outline the security measures they will apply;
  • state whether anonymised or pseudonymised data is needed, and justify the request for pseudonymised data where anonymised data would not suffice; and
  • demonstrate compliance with the applicable data protection rules.

Obligations of healthcare providers

Healthcare providers have extensive documentation and updating obligations. In practice, this means that patient data must be recorded in an electronic health record (EHR) system and kept up to date on an ongoing basis.

Obligations for public research institutions

Researchers are subject to the same obligations as other health data users. In addition, they must acknowledge the sources of the data used and publish their results in anonymised or aggregated form so that no individual can be re-identified.

Penalties for violations

Penalty mechanisms are in place for violations of EHDS obligations. For the secondary-use rules, the Regulation follows the GDPR model of two tiers of administrative fines: up to EUR 10 million or 2 % of total worldwide annual turnover, and, for the most serious breaches, up to EUR 20 million or 4 %, whichever amount is higher. Member States may also provide for further penalties.

EHDS deadlines

  • Entry into force: The EHDS Regulation entered into force on 26 March 2025.
  • Application: Following a transition period, it will apply throughout the EU from 26 March 2027.
  • Phased application: Obligations will be introduced gradually in certain areas, particularly with regard to primary use (EHR), secondary use and the relevant institutions; most primary- and secondary-use obligations start on 26 March 2029, with some data categories following in 2031. Companies should check which parts specifically affect them and when they will take effect.

What should affected companies do now?

  • Adapt their strategy: Align product, service and development roadmaps with EHDS specifications relating to primary and secondary use, interoperability and regulatory processes.
  • Conduct a data inventory: Identify data sets, data flows and legal bases, and close any gaps in documentation and standardisation.
  • Establish provisioning processes: Define procedures and responsibilities to ensure that requests can be handled within three months.
  • Strengthen security and governance frameworks: Implement technical and organisational measures (including anonymisation/pseudonymisation, secure environments and purpose limitation).
  • Leverage synergies: Transfer existing GDPR implementation structures (e.g. register of processing activities, TOMs, DPIA) to the EHDS.
  • Pool expertise: Network legal, technical and organisational expertise, for example through a dedicated EHDS programme or project.

Conclusion

The EHDS establishes clear guidelines for the responsible management of health data in Europe. For companies, this means establishing processes and ensuring interoperability now, so that data can flow securely, legally and beneficially in the future.

How we can help you with the EHDS

As the founders of Health & Law, with years of experience in healthcare and IT law, we are well placed to provide comprehensive advice and prepare you for the EHDS.

Whether you are an established pharmaceutical company, a dynamic life science start-up, a public research institution, a medical care centre or a hospital, our goal is to guide you through the European Health Data Space and collaborate with you to develop solutions that will stand the test of time.
