European Health Data Space

Regulation (EU) 2025/327

European Union regulation
Text with EEA relevance
Title	Regulation (EU) 2025/327 of 11 February 2025 on the European Health Data Space and amending Directive 2011/24/EU and Regulation (EU) 2024/2847
Made by	European Commission
Made under	Article 16 and Article 114 of the TFEU
Journal reference	L, 2025/327, 5 March 2025
History
European Parliament vote	24 April 2024
Council Vote	21 January 2025
Date made	11 February 2025
Entry into force	26 March 2025
Preparative texts
Commission proposal	2022/197 final
EESC opinion	2022/02531
CR opinion	2022/03754
Other legislation
Amends	Directive 2011/24/EU and Regulation (EU) 2024/2847
Current legislation

The European Health Data Space (EHDS) is a European Union regulation on the use and exchange of electronic health data in the European Union.^[1][2] The EHDS was tabled as a regulatory proposal by the European Commission on 3 May 2022. It was published in the Official Journal of the European Union on 5 March 2025 and entered into force on 26 March 2025.^[1] It has two primary aims: to provide EU citizens better control over their personal health data, and to ensure that various actors such as researchers, companies, and policy-makers can apply for access to health data for secondary (i.e. not directly related to patient care) purposes.^[3][4] In order to achieve these aims, the regulation provides the Commission with the authority to set standards for electronic health records and thereby enhance interoperability.

The regulation contains general provisions and specifications relating to primary uses, secondary uses, and governance elements.

The general provisions outline the subject matter and scope. This is where definitions are provided and the scope and relation to other regulations are explained.

The primary uses are regulated through the articles in chapter II of the regulation and pertain to the clinical uses and the rights of natural persons. Natural persons gain a right to immediate access to health data (without the processing period allowed in GDPR) (Article 3[1]), and the right to download their health data from electronic health records free of charge (Article 3 [2]). These rights can be restricted by member states if the purpose is to protect the citizen, for example by ensuring that a serious diagnosis is communicated by a health professional (Article 3 [3]). The EHDS regulation also instructs member states in ensuring electronic health data access services to support these rights (Article 4[1]), and to allow citizens the option to delegate their own rights to other natural persons (Article 4[2a]). The EHDS regulation also provides citizens with the option to insert information in their own electronic health record (Article 5). Such information must be clearly marked as inserted by the patient. Citizens may submit an online request to rectify information in their electronic health record (Article 6). The regulation clarifies data portability rights so that patients can share data from one health provider with another, and across borders as well (Article 7). Furthermore, patients have the right to restrict access by health professionals to data in their electronic health record (Article 8). Patients are also entitled to know who has accessed their data (Article 9) and to opt out of data use as well as rescind an opt out (Article 10). These rights are to be exercised through an infrastructure called MyData@EU (Article 23).  

With the EHDS regulation data holders become obligated to share electronic health data for specified secondary purposes, with some exemptions for natural persons (including individual researchers) and microenterprises (50[1a and b]), or when sharing might compromise intellectual property rights (52). The data must be shared through an infrastructure called HealthData@EU (75). The regulation specifies which data must be made available for sharing (51) and. defines the purposes for which shared data can be used (53). In short, the data use must be in the public interest. Explicitly prohibited uses include making decisions that are detrimental to persons (54[a]), or in relation to job offers, leading to less favourable terms in the provision of goods or services including insurance or credit contracts or other forms of discrimination (54[b]), or to carry out marketing activities (54[c]), to develop products that can be harmful to persons, public health, or society at large, such as addictive substances (54[d]), or simply uses that are in conflict with ethical provisions laid down in national law (54[e]).

The shared data shall be anonymized (60) and users are not allowed to attempt reidentification (61[3]). Health Data Access Bodies must ensure data minimization and purpose limitation (66). Natural persons who do not wish to let their data be used for secondary purposes can at any time opt out (71[1]). The analysis of data must take place in secure processing environments under the control of an HDAB (73).

Data holders have the right to be compensated for the time spent on making data available by charging a fee (62). Data holders who do not share data can be subject to certain measures outlined in the regulation (63).

The EHDS lays out the governance structure in Chapter VI of the regulation. The EHDS regulation provides a mandate to the Commissions and to member states for various acts, and it establishes some new bodies of authority. The Commission acquires the right to establish standards that ensure interoperability^{[2]: Art. 15} and cross-border identification and authentication mechanisms for natural persons (patients and health professionals).^{[2]: Art. 16} These prohibitions are most likely only applicable for data accessed through Health Data Access Bodies. The EHDS regulation also allows data holders the right to be compensated for making health data available for secondary uses.^{[2]: Art. 18}

There will be an EHDS Board (92) with two representatives per member state (one for primary and one for secondary purposes), and representatives from the Commission. There shall also be a stakeholder forum (93), and steering groups for MyHealth@EU and HealthData@EU (95). The EHDS mandates establishment of at least one national Health Data Access Body (HDAB) in each member state through which secondary users can apply for data (55). The HDABs shall also establish and maintain a national dataset catalogue (57[1j]) and inform the public about uses (58) as well as report back to the Commission (59). The regulation also mandates member states to establish a digital health authority responsible for the implementation (19) as well as reporting (20). The Commission shall establish a central interoperability platform for digital health (called MyHealth@EU) (23). Member states shall ensure market surveillance authorities responsible for reporting harms caused by electronic health record systems (44[3]) The Commission shall establish an EU database for registration of health record systems and labelled wellness applications (49). Furthermore, the Commission is to support capacity building (82) and establish training programmes and information for health professionals (83) and patients (84)

The EHDS is scheduled to be implemented in two-year stages. Within the first two years after the entry into force date (26 March 2025), EU member states are mandated to set up their digital health authorities. Two years later, on 26 March 2029, the first set of cross-border functionalities is supposed to be available. These include access to a summary of a patient's medical history, e-prescriptions and electronic dispensations. At the same time, Health Data Access Bodies in member states will be expected to process requests for data, and data holders will be expected to comply with accepted requests. However, some categories of data, such as genomic and other -omics data, will not be included until two years later, from 26 March 2031. For patients, this is when data such as lab results or imaging data should be accessible across the EU.^[5]

This section is empty. You can help by adding to it. (May 2025)

While the regulation was positively received by many potential data users in the first public hearing, it was also obvious from the responses that many citizens were reluctant towards sharing their data.^{[citation needed]} This resonates with existing research into public attitudes that clearly illustrate general support for medical research using health data, but more limited support for cross-border sharing and sharing with commercial actors.^[6][7] The regulation has also been discussed in academic literature, and here both seen as having a potential for lifting public health if the data are used to investigate the right issues,^[8] and as being too ambitious to succeed.^[9] Other types of academic critique has focused on the regulation as having too narrow a techno-legal focus, ignoring the ways in which data sharing demand social engagement for data users to understand where data come from, what they mean, and what it takes for people to be willing to share in a manner that sustains data integrity.^[10] Previous research has shown that repurposing health data and making data standards interoperable requires substantial data work and can disrupt primary uses of data.^{[citation needed]} Ethicist Tamar Sharon has criticized the regulation for opening up European data for the purposes of Big Tech.^[11]

• Healthcare in the European Union
• Data Act
• Data Governance Act
• General Data Protection Regulation

• Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on the European Health Data Space
• European Parliament Legislative Observatory page for EHDS regulation
• European Commission European Health Data Space explainer page