Executive Summary
- On 26 March 2025, the European Health Data Space (EHDS) Regulation entered into force. The regulation establishes a comprehensive framework for health-data sharing and access in the EU, with the dual aim of supporting the use and exchange of electronic health data across the EU and facilitating secondary use of this data for research and innovation.
- The EHDS Regulation significantly strengthens patients’ rights to access and manage their health data and imposes mandatory interoperability standards for electronic health records (EHR).
- The EHDS Regulation applies to a broad range of stakeholders: health care providers, EHR system manufacturers, digital health companies, researchers and any entities processing health data within the EU. Notably, only health data holders established within the EU are directly subject to the EHDS Regulation. Non-EU-based health data users and holders are generally excluded unless their country of establishment is recognized as providing reciprocal access to EU-based applicants. At the time of writing, there are no countries with reciprocity established.
- Noncompliance exposes businesses to substantial risks, including significant financial penalties and potential restrictions on market access.
- The regulation also creates new opportunities for research and innovation by providing a transparent and organized system for accessing health data, but it introduces complex compliance challenges, particularly related to data cataloguing, intellectual property protection and patient opt-out management.
Background and Implementation Status
The EHDS Regulation is a flagship initiative under the EU strategy for data and represents the first sector-specific EU data space. The regulation’s phased implementation is as follows:
- March 2025: The EHDS Regulation entered into force, but is not fully implemented.
- 2025-2027: Secondary legislation phase, during which the European Commission will draft implementing and delegating acts.
- 2027-2029: Member state preparation phase, during which EU countries will create data hubs and integrate them with EU-wide infrastructure.
- March 2029: Most secondary use provisions become applicable, including the exchange of the first set of priority health-data categories for primary use and the majority of data categories for secondary use.
- March 2031: Provisions related to clinical trial and human genetic data will apply, and the second group of priority health data categories will be exchanged for primary use.
- March 2034: International organizations and third countries may apply to join HealthData@EU for secondary use.
Key Points
Who Is Affected
- Health care providers established in the EU, including hospitals, clinics and private practices, must comply with EHDS requirements for data sharing, interoperability and patient access.
- EHR system manufacturers and digital health companies must ensure their systems are certified and interoperable according to EHDS standards before entering the EU market.
- Researchers and health data users can access health data for secondary use, but only if established in the EU or in a country with reciprocal access arrangements.
- Pharmaceutical and medtech companies are particularly affected due to obligations to disclose data for secondary use, manage intellectual property and trade secrets, and handle patient opt-out requests.
- Entities processing health data — meaning any organization established in the EU that processes health data, including clinical trial sponsors and sites — are subject to the EHDS Regulation.
Primary Use of Health Data
The EHDS will enable individuals to access, control and share their electronic health data across borders for purposes of health care delivery. A cross-border digital infrastructure that connects member states will make patient data sharing for primary use possible. For instance, access to electronic health records will be available to medical and health professionals, who should update the electronic health information of the patients they treat.
Secondary Use of Health Data
The EHDS establishes a secure, consistent and trustworthy framework for the secondary use of health data, enabling its reuse for research, innovation, policymaking and regulatory activities. Central to this framework is the creation of HealthData@EU, a decentralized EU-wide infrastructure that connects “health data access bodies” (HDABs) established in each member state. EU health data holders are required to make relevant datasets available for secondary use within secure processing environments, but only after obtaining the necessary permits from the HDABs. As part of this process, EU data holders must catalogue and provide detailed descriptions of all in-scope datasets to the HDAB, and must verify and update this information annually to ensure accuracy and transparency.
This secondary use of health data represents a significant opportunity for companies, particularly in the pharmaceutical, medtech and research sectors, to lawfully access and utilize health data from EU citizens in a transparent and regulated manner. For instance, a pharmaceutical company developing a new treatment for rare diseases could request access to specific datasets through the HealthData@EU infrastructure, enabling the company to analyze large-scale, real-world data and thereby accelerate the development and validation of new therapies. By providing a clear legal pathway and secure environment for such data access, the EHDS not only supports scientific advancement and public health objectives but also fosters innovation and competitiveness within the EU health sector. These opportunities are paired with strict compliance requirements, including duties to respect patient opt-out preferences, protect intellectual property and ensure data security throughout the process.
Interoperability and Standards for EHR Systems
The EHDS Regulation imposes stringent technical obligations to ensure the secure and efficient sharing of health data across the EU. All EHR systems must comply with requirements for interoperability, security, safety and privacy. Before being placed on the market, EHR systems are required to undergo a certification process that demonstrates their conformity with these standards, including self-certification for interoperability and security. These measures are designed to facilitate seamless data exchange among health care providers, supporting both primary and secondary uses of health data while safeguarding patient information.
Health care providers, in turn, must ensure that their digital infrastructure is fully updated to meet the EHDS requirements. Compliance with these technical standards is essential not only for legal conformity but also for enabling participation in the evolving European health data ecosystem.
Intellectual Property and Trade Secrets
EU health data holders are entitled to inform an HDAB if any datasets made available for secondary use contain intellectual property rights or trade secrets. In such cases, the HDAB is responsible for taking all specific, appropriate and proportionate measures to protect these interests, which may include contractual safeguards such as nondisclosure agreements with data users. If access to the data would pose a serious risk of infringement that cannot be satisfactorily mitigated, the HDAB is required to refuse access to the relevant data. However, the ultimate decision on whether the proposed protective measures are sufficient rests with the HDAB rather than the data holder, and the EHDS Regulation does not provide any mechanism for compensation or licensing fees to the data holder for the use or benefits derived from their valuable data.
Compensation for EU Health Data Holders
- No compensation for primary use: If health care providers share patient data for treatment purposes, neither the transferring nor the receiving party can demand financial compensation.[1]
- Secondary use fees: EU data holders may charge proportionate, transparent fees for providing data, but these must not restrict competition and are subject to oversight by the HDAB.[2]
Fines for Noncompliance
Businesses should take compliance seriously to avoid financial and reputational risks. The EHDS Regulation includes GDPR-like fines for noncompliance, namely up to:
- €10 million or 2% of global annual turnover (whichever is higher) for minor infringements,[3] for example, if the data holder does not provide the health data upon request.
- €20 million or 4% of global turnover (whichever is higher) for severe violations,[4] for example, in the case of a prohibited secondary use, such as where the health data holder obtained health data via an issued data permit in order to process the data and make decisions to the detriment of an individual or a group of individuals based on their electronic health data.
Implications for Businesses
The EHDS Regulation introduces a comprehensive set of operational and compliance obligations for businesses handling health data within the EU. Organizations in this space must ensure all electronic health data is collected and maintained in structured, interoperable formats. This is essential not only for facilitating seamless data exchange for primary use (such as patient care) but also for enabling lawful secondary use, including research and innovation. For secondary use, data must be properly anonymized or pseudonymized and handled in accordance with strict data security requirements. Access to such data is only permitted within secure processing environments and is subject to prior authorization by the relevant HDAB, which assesses applications based on established criteria.
Businesses seeking to use health data must implement robust internal controls to ensure that data is processed exclusively for authorized purposes, such as scientific research or the development of artificial intelligence in health care. The EHDS Regulation explicitly prohibits the use of health data for commercial marketing or for the creation of products that could be detrimental to health. Additionally, organizations must establish and maintain secure processing environments to prevent unauthorized access or misuse of sensitive health information. For EHR system developers and distributors, the obligations (i) to ensure that their products are fully compatible with EHDS interoperability and security standards and (ii) to complete the required certification processes before bringing systems to market will demand ongoing vigilance and adaptation, as compliance will be subject to both EU-wide and member state-specific rules and oversight.
Next Steps and To-Do List
To ensure compliance and minimize legal and financial risks, businesses should consider the following steps:
- Map and catalogue datasets. Begin a comprehensive mapping and cataloguing of all health data held, identifying which datasets are in scope, where they are stored, their format and any restrictions (including intellectual property or trade secrets).
- Assess technical capabilities. Evaluate and upgrade technical systems to ensure the ability to scan, label, anonymize and purge data, including managing patient opt-out selections.
- Review and update EHR systems. Ensure all EHR systems are compliant with EU interoperability and certification standards.
- Prepare for secondary use requests. Establish internal policies, teams and systems to handle requests for secondary use, including processes to catalogue, anonymize and secure data sharing.
- Engage with legal, privacy and IP experts. Involve multidisciplinary teams to address ongoing compliance, particularly regarding intellectual property, trade secrets and patient rights.
- Monitor member state implementation. Track national developments regarding opt-out mechanisms, data localization and additional data categories to ensure compliance with both EU and member state requirements.
- Maintain ongoing compliance. Implement dynamic compliance processes to ensure that new datasets are properly analyzed, labeled and anonymized as they are acquired.
Conclusion
The EHDS Regulation introduces significant new obligations for a wide range of stakeholders in the health sector. Early and thorough preparation is essential to manage compliance risks, protect valuable data and take advantage of new opportunities for research and innovation. Entities should act now to map their data, upgrade systems and establish robust compliance frameworks in anticipation of the phased implementation of the EHDS.
_______________
[1] Art. 18 EHDS Regulation.
[2] Art. 62 EHDS Regulation.
[3] Art. 64 §4 EHDS Regulation.
[4] Art. 64 §5 EHDS Regulation.
This memorandum is provided by Skadden, Arps, Slate, Meagher & Flom LLP and its affiliates for educational and informational purposes only and is not intended and should not be construed as legal advice. This memorandum is considered advertising under applicable state laws.