The European Health Data Space is in force: implications for healthcare, MedTech and life sciences

The European Health Data Space Regulation (EU) 2025/327 (the EHDS Regulation) introduces the first EU-wide legal framework governing both the primary and secondary use and exchange of electronic health data across the European Union.

The EHDS Regulation came into force on 26 March 2025 and will become applicable in stages, with the general date of application falling on 26 March 2027 and further major milestones following on 26 March 2029, 26 March 2031 and 26 March 2035.

It is an essential component of the European Health Union and the first common EU data space dedicated to a specific sector, namely the health sector, as part of the European strategy for data. Healthcare providers, MedTech businesses and life sciences organisations are now in a position to assess the impact of the Regulation and to identify which parts of the regime apply to them, when, and with what implementation consequences. The regime is nonetheless phased and will depend in part on further implementing acts.

The EHDS Regulation is a sector-specific EU regulation that strengthens individuals’ rights in relation to personal electronic health data. It creates a new legal and technical framework for the primary use and exchange of electronic health data, a new regulated regime for the secondary use of health data, and a harmonised framework for electronic health record systems. It also establishes a framework for cross-border access and exchange for healthcare purposes. It sits alongside and works with the GDPR and other horizontal EU instruments rather than displacing them.

The EHDS Regulation does not replace any existing EU data protection, product, cybersecurity or sector-specific health legislation. It overlays them. For organisations in scope, the EHDS Regulation should not be subject to a legal analysis in isolation, but should instead be read together with the GDPR, the Data Governance Act, the Data Act, the AI Act, the Medical Devices Regulation (MDR), the In Vitro Diagnostic Regulation (IVDR) and, where relevant, NIS2 and sector-specific health regulation to determine how it modifies the current compliance position.

For healthcare providers, manufacturers and suppliers of electronic health record (EHR) systems, and life sciences organisations, the EHDS Regulation is a far-reaching regulation with impact at the data, product, research, and contracting level at the same time. That cumulative effect is one of the most important legal features of the EHDS Regulation. It means that EHDS implementation is not simply a health-data exercise, but a broader regulatory-mapping exercise across multiple EU legal frameworks.

We first consider the legal obligations arising from the EHDS Regulation for healthcare providers, manufacturers and suppliers of EHR systems, and life sciences organisations (Section one), before analysing the implementation steps recommended for affected organisations during the transition period (Section two).

Section one - Legal obligations under the EHDS Regulation

Healthcare providers, manufacturers and suppliers of EHR systems, and life sciences organisations that are within scope are required to understand the timetable for implementation and the legal effect of the EHDS framework across the relevant sectors.

Implementation timetable

The European Commission’s implementation materials make clear that the Regulation entered into a transition phase in March 2025 and that implementation will be gradual and structured:

  • Key implementing acts are due to be published by 26 March 2027. 
  • Certain Chapter IV provisions also begin to apply from 26 March 2027, including provisions on templates for health data access applications, permits and requests, requirements for secure processing environments, certain HealthData@EU provisions, dataset descriptions and the data quality and utility label.
  • The first major operational milestone will take place on 26 March 2029, when key parts of the primary-use framework, the exchange of the first group of priority categories of health data (patient summaries and ePrescriptions/eDispensations) and most of the secondary-use regime are due to start applying across the EU.
  • The next major milestone is 26 March 2031, when rules for primary use, the exchange of the second group of categories of health data (medical images, laboratory results and hospital discharge reports) and additional categories relevant to secondary use, including genomic data, will become operational.
  • At a later stage on 26 March 2035, third countries and international organisations will be able to apply to join HealthData@EU for secondary use.

That timetable matters because the EHDS Regulation is not a high-level policy instrument. It is a detailed legal and technical framework that will become effective through staged institutional, operational and product-related implementation. The transition period is the period in which Member States, regulators, healthcare systems, manufacturers and health-data users are expected to build the governance, technical and contractual architecture needed for the regime to function.

The Commission’s FAQs on the EHDS make clear that preparatory work includes technical specifications, infrastructure, applications, permits and requests for access, and requirements relating to EHR systems and cross-border exchange. In legal terms, the phased timetable does more than sequence implementation. It affects the order in which organisations should prioritise scoping, product analysis, data-governance work and contracting. A business that waits for 2029 before beginning legal analysis will have left too little time for product remediation, supplier discussions, interoperability work and internal governance allocation.

For organisations affected by the regime, the practical significance is obvious. The transition period should therefore be treated as implementation time, not as a reason to defer analysis. That is particularly so because 26 March 2027 is not merely an administrative waypoint. It is also the point at which certain legally operative Chapter IV provisions begin to apply.

Legal effect of the EHDS Regulation

The substance of the EHDS Regulation falls into three strands:

  • The first is primary use: individual access to and control over personal electronic health data, together with cross-border exchange through the EU infrastructure. 
  • The second is secondary use: a structured data access regime for specified purposes such as scientific research, innovation, policy-making and regulatory activities. 
  • The third is the regulation of certain EHR systems: it includes interoperability and related compliance obligations.

Those three strands do not affect the same actors in the same way, which is why early scoping is critical. They also do not create the same type of legal exposure.

For healthcare providers, the immediate significance lies mainly in the primary-use framework. The EHDS Regulation is designed to give individuals stronger rights to access, control and share their personal electronic health data, including across borders.

 The first priority categories include patient summaries, ePrescriptions and eDispensations. The second priority categories include medical images, laboratory results and hospital discharge reports. Providers therefore need to think now about whether existing systems, data structures and supplier arrangements are likely to support those obligations when the milestones arrive. The key legal and operational issues include: readiness for exchange, interoperability, access controls, correction mechanisms, auditability and the allocation of responsibility across internal systems and external suppliers.

Providers will need to examine whether existing governance around confidentiality, patient access rights, supplier dependency, data quality and cross-border exchange is sufficiently mature to support EHDS-driven rights and infrastructure obligations once they become applicable. The legal significance extends to governance over who within the provider organisation is responsible for data quality, correction workflows, patient-facing rights processes and dependencies on third-party technology providers.

For MedTech and digital-health businesses, the position is different because the EHDS Regulation is also a product-facing regime. The Commission’s FAQs make clear that where a product is an EHR system and also a medical device, both the EHDS and the MDR frameworks may apply. The Commission’s FAQs also confirm that the EHDS and the AI Act may apply cumulatively where an EHR system incorporates AI functionality. In other words, for software and device businesses, the EHDS Regulation should not be treated as a free-standing data law. It may sit alongside MDR and AI Act compliance and will need to be built into product scoping and product lifecycle work.

The EHDS Regulation therefore has significance well beyond health-data flows. It also affects product design, technical documentation, conformity-related obligations, post-market responsibilities and, where relevant, overlap with adjacent frameworks such as the MDR and IVDR. That cumulative application is one of the most important legal features of the EHDS Regulation for Medtech businesses.

The relevant legal question is not simply whether a product processes health data, but whether it falls within the EHDS concept of an EHR system, whether it is also regulated as a medical device or in vitro diagnostic medical device, whether AI functionality triggers the AI Act, and how conformity, registration and technical documentation obligations will need to be coordinated across those regimes. That analysis is likely to be particularly acute for software suppliers whose products sit close to the boundary between healthcare IT, regulated devices and AI-enabled functionality.

For life sciences organisations, the main strategic significance lies in the secondary-use framework. The EHDS Regulation creates a structured legal route through which defined categories of electronic health data may be accessed for specified purposes, including scientific research, innovation and regulatory activities. That route is, however, tightly controlled. Access is mediated through health data access bodies, subject to the conditions and procedures laid down in the EHDS Regulation, and is constrained by rules on secure processing environments, outputs, re-identification and prohibited uses. The opt-out framework is also legally significant. The Commission’s FAQs make clear that the right to opt out of secondary use applies where personal electronic health data relating to the data subject can be identified in a dataset, subject to the structure and limits set out in the EHDS Regulation and the logic reflected in Article 11 GDPR where the holder cannot identify the data subject.

For life sciences organisations, that may create significant opportunity, but it also means that existing assumptions about data access, collaboration structures, research governance and contractual rights need to be tested against the EHDS model rather than carried forward unquestioned. From a legal standpoint, it is not simply that access may become easier in some contexts, but that it becomes more formalised, more conditional and more dependent on regulatory process, including health data access applications, permits or requests, health data access body procedures, secure processing environment rules and output controls.

For organisations whose R&D strategies depend on large-scale access to health datasets, that changes both legal planning and execution risk. It also has implications for exclusivity assumptions, control over downstream outputs and the extent to which contractual mechanisms can still deliver strategic access advantages once EHDS processes become the relevant route to access.

The EHDS Regulation does not simply make health data more available. It places access, exchange and reuse within a more formal EU regulatory architecture, with differentiated obligations for different actors and a greater dependence on institutional mechanisms than many organisations currently assume. That is the central legal effect of the EHDS Regulation. It is not deregulation. It is a new allocation of rights, access routes, institutional controls and product obligations within a harmonised EU framework.

Section two - EHDS implementation recommendations

Organisations in scope in the health sector must ensure that they understand, map and prepare for a regime that will apply in stages and will affect different sectors in different ways, before analysing the contract remediation and implementation consequences.

The compliance preparation matrix

Compliance planning is critical for EHDS implementation, particularly in relation to scoping, legal mapping and governance.

The first priority is scope. Healthcare groups should identify which entities, systems and data flows are likely to fall within the primary-use framework, particularly in relation to the priority categories and the cross-border exchange model. MedTech and software businesses should assess whether any products fall within the EHDS framework for EHR systems or related software, and whether existing product-development and regulatory pathways adequately account for the EHDS Regulation overlay. Life sciences organisations should identify which current or planned research, innovation or regulatory programmes depend on access to electronic health data that may in future be channelled through the EHDS secondary-use mechanisms. That scoping exercise is a threshold legal exercise, because it determines whether the organisation is acting as a healthcare provider, manufacturer, health data holder, health data user, or in several capacities at once. For some organisations, particularly diversified groups, the answer may be several of those at the same time.

The second priority is legal mapping. The EHDS Regulation should not be analysed in isolation. The Commission expressly positions it alongside the GDPR, the Data Governance Act, the Data Act and the wider EU digital-health framework. In practice, organisations will also need to assess interaction with confidentiality duties, national health-data rules, existing information-governance arrangements, the MDR and IVDR where applicable, and sector-specific frameworks such as the Clinical Trials Regulation. The legal exercise is therefore cumulative, not siloed. The question is not only what the EHDS Regulation requires on its own terms, but how it alters the compliance position when layered onto obligations that already exist. That is particularly important where an organisation already relies on contractual arrangements, ethics approvals, scientific research frameworks or product-regulatory processes that assume access to health data can be secured through existing channels. The EHDS Regulation may not eliminate those channels, but it may significantly reshape how they operate in practice. That point is especially important for cross-border research structures and public-private collaborations that have historically relied on a patchwork of national access routes and local governance arrangements.

The third priority is governance. EHDS implementation cannot credibly sit with one function alone. Legal, privacy, regulatory, digital, product, procurement, security and data teams are all likely to have a role. The real risk during the transition period is not simply delay. It is fragmented ownership, with no coherent internal view of scope, timetable, accountability or dependencies. Organisations that do not assign clear responsibility now are likely to discover too late that the EHDS Regulation affects products, systems, access routes and contracts at the same time. For many healthcare, MedTech and life sciences businesses, that means EHDS should be treated as a cross-functional regulatory change programme rather than as an isolated privacy or product issue.

Contractual remediation requirements

The EHDS Regulation will require significant contractual remediation work for healthcare providers and manufacturers and suppliers of EHR systems, and may also require life sciences organisations to revisit data-access, collaboration and downstream-use assumptions.

For healthcare providers and MedTech suppliers, the EHDS Regulation is as much a systems and implementation issue as it is a legal one. If the EHDS Regulation will require changes to interoperability, logging, data quality, support models, security controls, product configuration, or regulatory cooperation with customers and authorities, those issues need to be identified early and reflected in procurement strategy and contracting clauses. That includes supplier due diligence, implementation statements of work, and contractual obligations in relation to compliance, changes in law/regulatory requirements, support and maintenance obligations, audit, responsibilities for standards updates and the allocation of risk if a system does not meet EHDS-related requirements when the relevant obligations begin to apply. In legal terms, this means the EHDS Regulation should now begin to inform procurement documentation, product and technology contracts, customer and supplier allocation of responsibility, change-control language, regulatory cooperation clauses and, where relevant, warranty and indemnity positions. It may also require review of existing service descriptions and implementation assumptions where current contractual language does not allocate responsibility for future EHDS-driven compliance change.

For life sciences organisations, the key practical task is secondary-use readiness. That means understanding the EHDS access model in operational terms: the role of health data access bodies, the permit and request framework, secure processing environment requirements, output restrictions, and the treatment of re-identification risk and prohibited uses. It also means reviewing whether current research and innovation strategies assume easier access, broader downstream use, or more negotiable contractual arrangements than the EHDS model will in fact permit. Businesses that expect to use EHDS-enabled access for R&D, regulatory or AI-related purposes should not wait until 2029 to decide how they will operate within that structure. They should be identifying now which datasets matter, where dependencies sit, how collaborations will need to be structured, and what technical and governance capabilities will be required to make lawful and effective use of EHDS pathways. It is also a legal strategy point: if future access to valuable datasets depends on permit-based routes, institutional interfaces and output controls, organisations need to reassess now the legal robustness of current collaboration models, data-sharing assumptions, exclusivity expectations and intellectual property strategies. They should also test whether current arrangements assume a degree of direct negotiability over data access or downstream use that may become harder to sustain once EHDS processes sit between the parties and the dataset.

Conclusion

The EHDS Regulation is now in force as enacted EU law. Its application is phased, but the compliance burden is real and sector-specific. For healthcare providers, the immediate focus is primary-use readiness and exchange capability. For MedTech, it is the overlap between health-data regulation and product regulation. For life sciences, it is preparation for a more structured route to secondary use and a more disciplined regulatory environment for access to electronic health data. The organisations that use the transition period to map scope, assign ownership, and begin systems and contract work will be in a materially stronger position than those that do not.

Related content

Report

Kennedys Foresight: The 2026 risk landscape

15/01/2026

Article

Preparing for the UK DUA Act’s new complaints handling regime: ICO guidance and practical steps for organisations (UK)

29/10/2025

Article

Managing AI in the workplace: five key legal and compliance risks and how to mitigate them (UK)

29/10/2025

Article

A Short Primer to DOJ’s Data Security Program (US)

27/10/2025

View more

Services

Sectors

Locations