Unlocking Health Data: The European Health Data Space

In 2020, the European Commission announced plans to create a common market for the free movement of data within the European Union (EU) in recognition of its value in our increasingly digital society.

This proposal entails the creation of common data spaces in several key sectors. On 26 March 2025, the regulation for the first such space, the European Health Data Space (EHDS), took effect, signifying the dawn of a major shift in how we access and use health data.

What is the EHDS?

The EHDS is a recognition of the digital world we live in, but also of the under-utilisation of data within the health sector. It aims to reduce legal and technical barriers to enable the exchange of electronic health data (EHD) across the EU, facilitating both:

  1. Primary use: use of EHD for the provision of healthcare and patient access to EHD; and
  2. Secondary use: re-use of EHD for research, innovation, policy-making, and regulatory activities.

To create the digital space for EHD, the EHDS Regulation provides for the establishment of a central interoperability platform on which EHD can be shared. To safeguard this data, the EHDS Regulation complements and builds on the General Data Protection Regulation (GDPR), creating further rights and obligations specifically for EHD.

The EHDS Regulation presents both opportunities and challenges for life sciences companies, including those in the pharmaceutical, biotechnology, and medical technology sectors. While the EHDS will provide life sciences companies with access to a potentially vast pool of health data for secondary use in research and innovation, many will qualify as ‘health data holders’ and ‘health data users’ under the EHDS Regulation and accordingly must comply with the secondary-use obligations attributable to each.

Impact on Life Sciences and MedTech Companies: Health Data Holders and Health Data Users

1. Health Data Holders

The concept of a ‘health data holder’ under the EHDS Regulation is broad. Health data holders are entities that are involved in healthcare or related sectors, including those who develop health products or services, or wellness apps, conduct health research, or manage mortality registries, and either:

  • have the legal right or duty to process personal EHD for healthcare, public health, research, policy making, patient safety, or regulatory purposes; or
  • manage non-personal EHD through the design and control of related products and services.

Health data holders must communicate a description of their datasets to the national body responsible for coordinating and managing the EHDS Regulation (known as the Health Data Access Body or HDAB) and ensure this information is accurate and up-to-date annually. On the request of the HDAB, health data holders are required to provide it with relevant EHD, which may include personal EHD automatically generated through medical devices, clinical trial data, data from wellness applications and aggregated data on healthcare needs, among others. While the EHDS Regulation recognises that some of this data will be protected by intellectual property rights and trade secrets, the onus is on the health data holder to identify such data and justify its specific protection in how it is made available for secondary use. Additionally, health data holders must ensure that any non-personal EHD is accessible through trusted open databases with robust governance and transparent user access models.

2. Health Data Users

An organisation will be a ‘health data user’ where it is legally permitted to access and use EHD for secondary purposes. The EHDS Regulation specifies that health data users can only access and process EHD for secondary use with proper authorisation. They must use secure environments, avoid sharing data with unauthorised parties, and ensure that results protect the anonymity of data. Results of secondary use must be published within 18 months, acknowledging data sources and the EHDS framework. The EHDS Regulation also calls out specific prohibited uses, which include the processing of health data for marketing and advertising.

European Health Record Systems

The EHDS Regulation establishes a harmonised framework for electronic health record (EHR) systems, aiming to ensure interoperability, security, and seamless data exchange across the EU. EHR systems are broadly defined to include any appliance or software used to store, process, or exchange personal EHD. Importantly, depending on their functionality and intended use, these systems may also fall within the scope of other EU regulatory regimes, such as the Medical Devices Regulation or the AI Act, if they qualify as medical devices or high-risk AI systems. This layered regulatory approach means that manufacturers must not only meet EHDS-specific requirements, including interoperability and logging, but also ensure compliance with applicable product safety and conformity obligations under these parallel frameworks.

Supervision and Enforcement

Member States must establish an HDAB to monitor and supervise secondary use of EHD and a Digital Health Authority to manage primary use of EHD. HDABs will supervise and enforce compliance of health data holders and users. Fines are structured similarly to those under GDPR, with administrative penalties reaching up to €20m or 4% of a company’s total worldwide annual turnover, whichever is higher, for the most serious breaches. Lesser infringements may incur fines of up to €10m or 2% of global turnover. In addition, HDABs may impose non-monetary sanctions, such as exclusion from access to health data for up to five years.

Timelines

Due to the technical nature of the EHDS Regulation, its implementation will be phased. The EHDS Regulation will apply across Member States from March 2027. Key milestones include the phased rollout of data exchanges for primary use: patient summaries and e-prescriptions by March 2029, followed by medical imaging, test results, and discharge reports by March 2031. EHR system manufacturers must ensure compliance in line with these dates. For secondary use of health data, core provisions will take effect by late March 2029, with additional provisions coming into effect by 2031. The European Commission is also required to adopt key implementing acts by 26 March 2027.

Conclusion

While the EHDS Regulation’s applicability is staggered, it represents a significant change in how EHD will be used in the EU. To navigate the opportunities and challenges of the EHDS, life sciences companies should prepare for compliance in advance. For advice on initial steps to take, please contact Rachel Hayes, Leo Moore, or your usual William Fry contact.

Contributed by Louisa Muldowney and Caoimhe Neill.