European health data space regulation enters into force

After years of discussions and as part of the European strategy for data, the Regulation (EU) 2025/327 on the European Health Data Space ("EHDS Regulation") was officially published on 5th March 2025 and entered into force on 26th March 2025. This highly anticipated regulation established of a common data space (the "European Health Data Space") within the member states of the European Union (and the European Economic Area). 

The EHDS aims to both (i) strengthen the rights to the protection of personal health data by building on the possibilities of EU law for processing sensitive health data and genetic data, and (ii) improve the functioning of the internal market and the free movement of goods and services (under the same regulatory framework). 

The regulation provides for:

1. An improvement in cross-border, secure access to and control by natural persons over their personal electronic health data in the context of healthcare (primary use of electronic health data);
2. The use of data for purposes that benefit society such as research, innovation, policy-making, patient safety, personalized medicine, official statistics or regulatory activities (secondary use of electronic health data); and
3. The provision of a uniform legal framework for the development, marketing and use of electronic health record systems ("EHR systems").
    

The EHDS is not a standalone regulation and should be read and interpreted in conjunction with other regulations, mainly the General Data Protection Regulation ("GDPR"), the Data Governance Act, the Data Act, and the Network and Information Systems Directive. 

Does the EHDS Regulation Impact Norway and Norwegian Companies?

As Norway is not part of the EU, the implementation of the EHDS Regulation will not automatically apply to Norway. However, the EHDS Regulation has been considered EEA relevant, meaning it is likely that it will be implemented in Norway as well. The EHDS Regulation will first be implemented in Norway when there is a formal decision by the EEA Council. The Norwegian Health Directorate has also been tasked with analyzing the impact of the EHDS Regulation on Norway. It remains to be seen how the EHDS Regulation will affect Norwegian companies.

Norwegian companies that wish to work and provide services to the European market and intend to access or use the data should consider complying with the EHDS Regulation.

Who needs to comply with the EHDS Regulation?

As an extensive regulation for a data space, it will apply to several subjects, such as Member States, healthcare providers, manufacturers and suppliers of EHR Systems, software and system providers, controllers and processors of primary or secondary health data, and other electronic health data holders, which may be companies and individuals with access to primary or secondary health data.

What data is subject to the EHDS Regulation?

The EHDS Regulation addresses electronic health data, which is comprised of both personal electronic health data and non-personal electronic health data. 

Firstly, personal electronic health data is defined simply as "data concerning health and genetic data, processed in an electronic form."[1] In addition, the EHDS Regulation also refers to definitions in other regulations, including that:

1. Data will have the meaning defined in Article 2(1) of the Data Governance Act; and
2. Personal data will have the meaning provided in Article 4(1) of the GDPR.

As mentioned above, this EHDS Regulation will need to be reviewed and interpreted appropriately alongside other regulations.

Secondly, ‘non-personal electronic health data’ is defined as electronic health data other than personal electronic health data, including both data that have been anonymized so that they no longer relate to an identified or identifiable natural person (the ‘data subject’) and data that have never related to a data subject.

How can the data be used?

Electronic health data may be used under two formats. 

Primary Use of Data:

The primary use of data aims to ease the provision of healthcare by individuals in the EU, ensuring the free movement of persons. In this sense, the primary use of data relates to the provision of health services to assess, maintain or restore the state of health of the natural person in connection with the (i) prescription, dispensation, and/or provision of medicinal products; (ii) medical devices; and (iii) relevant social security, administrative or reimbursement services. 

The main goal of this primary use of data is to allow a resident of the EU to receive proper medical treatment in any Member State. The natural person may opt out in the case of the primary use. 

Secondary Use of Data

The secondary use of data may be the most anticipated part of this regulation for the opportunities it creates for innovators and companies. 

The secondary use of data relates to the processing of electronic health data for the purposes of: (i) activities of public interest in public and occupational health; (ii) supporting public sectors, agencies, or bodies to carry out their tasks; (iii) producing statistics related to health or care; (iv) education or teaching activities; (v) scientific research; (vi) development and innovation activities for products or services; or ensuring high levels of quality; (vii) training, testing and evaluating of algorithms, including in medical devices, AI systems and digital health applications; and (viii) providing personalized healthcare consisting of assessing, maintaining or restoring the state of health of natural persons.

The data used may include personal electronic health data initially collected in the context of primary use, but also electronic health data collected for the purpose of secondary use.

Prohibited Secondary Use of Data:

Certain uses of data are prohibited under the EHDS Regulation and access can be denied or revoked if it is established that the interested party is using the data for purposes such as to:

1. Take decisions detrimental to a natural person based on their electronic health data;
2. Take decisions in relation to a natural person or groups of natural persons in relation to job offers, less favorable terms in the provision of services and products, insurance or credit contracts;
3. Advertise or market activities; and
4. Develop products or services that may harm individuals and societies at large (e.g., illicit drugs, alcoholic beverages, tobacco products, or goods or services which are designed or modified in such a way that they contravene public order or cause risk for a human health).

Who can access data for secondary use?

Any natural or legal person may submit a data request for the above-listed purposes. The request will be assessed by a health data access body (which shall be defined by each Member State) to confirm whether the requested data is necessary for the purpose listed in the application. If the requirements of the application are fulfilled by the applicant, the health data access body shall issue a data permit.

The data may cover data processed for the provision of health or care or for public health, research, innovation, policy-making, official statistics, patient safety or regulatory purposes, collected by entities and bodies in the health or care sectors. 

How will the data be accessed?

Prior to the publication of the EHDS Regulation, the EU had established two platforms to enable accessing to the data. These platforms have been subject to pilot projects. 

MyHealth@EU

A cross-border infrastructure called MyHealth@EU was established for the primary use of electronic health data. MyHealth@EU is a platform formed by the combination of national contact points for digital health to:

1. Support and facilitate the exchange of electronic health data; and
2. Enable the exchange of the personal electronic health data, based on the European electronic health record exchange format (by the national point of contact)

Each Member State must ensure: (i) the connection of all healthcare providers; and (ii) that pharmacies can dispense electronic prescriptions. They may also provide supplementary services.

HealthData@EU 

For the secondary use of data, HealthData@EU was established. It is an infrastructure connecting national contact points for secondary use of electronic health data and the central platform, aiming to facilitate cross-border access to electronic health data for secondary use by different authorized participants. 

Relevant for companies that want to operate in this space is the fact that the EU released an open source HealthData@EU Central Platform. For additional information on this, please check: HealthData@EU Central Platform.

All the deliverables of the HealthData@EU Pilot are available here. Reviewing these deliverables may give an idea of the new possibilities empowered by the Regulation. 

Timeline for implementation:

The EU has defined a timeline for implementation of the EHDS Regulation which extends until March 2034, when countries outside the EEA and international organizations will be able to apply to join HealthData@EU, for the secondary use.

Unlocking Potential in the European Health Data Space

There is no doubt that this innovative landscape is brimming with potential for individuals and companies eager to make a mark. However, navigating these opportunities requires a keen understanding of the regulatory challenges and limitations. By properly addressing these challenges, one can capitalize on opportunities within the European Health Data Space and gain competitive advantage.