On March 5, 2025, the European Health Data Space (EHDS) was officially published, marking a significant milestone in EU health data regulation. Set to enter into force on March 25, 2025, the EHDS introduces a transformative framework that will reshape how health data is accessed, shared, and utilized across the European Union. While the regulation formally enters into force this year, its obligations will only become fully applicable in March 2027, allowing stakeholders a two-year transition period for compliance. While it aims to unlock the potential of health data for better patient care and medical innovation, it also imposes new compliance requirements on healthcare providers, businesses, and policymakers.
From data protection to data activation
To understand the EHDS, we need to understand the EU’s data strategy, which has evolved significantly these last years. After prioritizing data protection through the implementation and enforcement of the GDPR, the EU’s focus has shifted to unlocking the large reserves of underutilized, yet (largely) GDPR-compliant, data. This reflects the EU’s broader ambition to encourage data-driven innovation while maintaining GDPR-level data protection. The EHDS emerges as a cornerstone of this effort, standing alongside other recent legislative initiatives such as the Data Act and the Data Governance Act. Together, these regulations establish a structured framework for secure and responsible data sharing, with a particular emphasis on health data as a key enabler of cross-border healthcare and research.
Primary v. secondary use of health data
A key distinction in the EHDS is the difference between the primary and secondary use of health data. Primary use refers to the utilization of electronic health data for providing medical care. This includes patient records, prescriptions, and imaging data that healthcare providers access to diagnose and treat individuals. The EHDS mandates interoperability for these records across EU member states, making cross-border healthcare much easier.
Secondary use, on the other hand, pertains to the processing of health data for purposes beyond direct patient care, such as scientific research, policy development, and AI model training. The EHDS creates a structured framework for researchers and businesses to access anonymized or pseudonymized health data under strict governance. This includes ethical review processes, security requirements, and predefined purposes for which the data can be used, such as public health research and healthcare system improvements. Commercial exploitation, such as targeted advertising, is explicitly prohibited.
MyHealth@EU – The backbone of the EU’s digital health infrastructure
To support this cross-border exchange of health data, the EHDS builds upon MyHealth@EU, an EU-wide digital infrastructure aimed at facilitating the secure exchange of electronic health records. This platform enables patients to access their medical data across EU Member States and ensures that authorized healthcare providers can retrieve relevant health information when needed. The EHDS expands the functionalities of MyHealth@EU, making it the backbone of the EU’s efforts to establish a truly EU-wide interoperable health data space.
The opt-out system
One of the most debated aspects of the EHDS is its opt-out mechanism. Unlike current systems where explicit patient consent (opt-in) is often required to share health data, the EHDS adopts an opt-out approach. This means that, by default, patients’ health data will be made available for both primary and secondary use unless they actively choose to opt out. While this streamlines data sharing and enhances research opportunities, it can raise some concerns about patient autonomy and awareness. Member states retain some flexibility, such as imposing stricter requirements for certain sensitive data categories like genetic information, which may still require explicit consent.
Compliance and market regulation
For healthcare providers and digital health companies, the EHDS presents both opportunities and compliance challenges. A core aspect of the regulation is the requirement for enhanced interoperability, meaning that healthcare systems across the EU must adopt standardized formats for electronic health data. In some cases, this will necessitate significant IT investments and compliance efforts, particularly for hospitals, clinics, and digital service providers that handle patient data.
Beyond compliance for healthcare providers, the EHDS also introduces new market regulations for digital health tools. Developers of electronic health record systems and wellness apps will need to meet specific interoperability and security standards. The EHDS establishes a self-certification framework that requires manufacturers of electronic health record systems to ensure their products comply with technical and cybersecurity requirements. National authorities will oversee compliance.
Conclusion
The EHDS should revolutionize digital health, data privacy, and medical research in Europe. Organizations should take proactive steps to ensure compliance while leveraging the new opportunities it presents. Conducting a review of existing data governance frameworks, investing in interoperable systems, and closely monitoring updates will be crucial in navigating the EHDS. Businesses that act early can position themselves at the forefront of the next era in European health data innovation.
Olivier Van Raemdonck, Managing Partner
Ward Verwaeren, Managing Associate
Axel Desmet, Associate
