The European Health Data Space (EHDS)



What is the European Health Data Space (EHDS)?

The European Health Data Space is a health specific ecosystem comprised of rules, common standards and practices, infrastructures and a governance framework that aims at:

1. Empowering individuals through increased digital access to and control of their electronic personal health data, at national level and EU-wide.

2. Fostering a single market for electronic health record systems, relevant medical devices and high risk AI systems.

3. Providing a trustworthy and efficient set-up for the use of health data for research, innovation, policy-making and regulatory activities (secondary use of data).

The European Health Data Space is a key pillar of the European Health Union. It builds further on the General Data Protection Regulation (GDPR), and the NIS 2 Directive.

The European Union is building a strong European Health Union, in which all EU countries prepare and respond to health crises, have available, affordable, innovative and adequate medical supplies, and member countries work together to improve prevention, treatment and aftercare for diseases.

The COVID-19 pandemic shows the importance of coordination among European countries to protect health, both during a crisis and in normal times. The European Health Union improves EU-level protection, prevention, preparedness and response against human health hazards.


24 April 2024 - The Members of the European Parliament (MEPs) approved the creation of the European Health Data Space (EHDS)

MEPs voted with 445 in favour and 142 against (39 abstentions) to approve the inter-institutional agreement on establishing a European Health Data Space. It will empower patients to access their health data in an electronic format, including from a different member state to the one in which they live, and allow health professionals to consult their patients’ files with their consent (so-called primary use), also from other EU countries. These electronic health records (EHR) would include patient summaries, electronic prescriptions, medical imagery and laboratory results.

The law will make it possible to transfer health data safely to health professionals in other EU countries (based on MyHealth@EU infrastructure), for example when citizens move to another state. It will be possible to download the health record free of charge.

Additionally, the Health Data Space would unleash the research potential of health data in an anonymised or pseudonymised format. Data including health records, clinical trials, pathogens, health claims and reimbursements, genetic data, public health registry information, wellness data and information on healthcare resources, expenditure and financing, could be processed for public interest purposes, including research, statistics and policy-making (so-called secondary use). Data could, for example, be used to find treatments for rare diseases, where small datasets and fragmentation currently prevent advances in treatments.

Secondary use will not be allowed for commercial purposes including advertising, assessing insurance requests or lending conditions or making job market decisions. Access decisions will be made by national data access bodies.

Next steps

The provisional agreement still needs to be formally approved by the Council. Once published in the EU’s Official Journal, it will enter into force twenty days later. It will be applied two years after, with certain exceptions, including primary and secondary use of data categories, which will apply four to six years later, depending on the category.


15 March 2024 - political agreement reached between the European Parliament and the Council of the EU on the European Health Data Space (EHDS), one of the central building blocks of a strong European Health Union.

Next step: The European Parliament and the Council will formally adopt the new Regulation.


European Health Data Space (EHDS)

The agreement reached by the co-legislators establishes clear rules for the use of health data for better healthcare delivery, research, innovation, and policymaking.

The new rules will harness the potential offered by the safe and secure exchange, use, and re-use of health data, while ensuring full compliance with the EU's high data protection standards.

Under the new rules, citizens will have immediate and easy access to their digital health data wherever they are in the EU. Health professionals will be able to access the medical records of a patient when required for treatment in a different Member State, allowing for evidence-based decision making, in full compliance with EU data protection rules.

The EHDS also creates a strong legal framework for the re-use of health data for research, innovation, and public health purposes. The data will help develop life-saving treatments and personalised medicines, but also improve crisis preparedness, under strict data security and access conditions, and respecting fundamental rights.


6 December 2023 - Agreement on the Council’s proposal for the European Health Data Space (EHDS)

After this agreement, the EU Council presidency begins negotiations with the European Parliament, with a view to reaching a provisional agreement on the proposed regulation.

The Council’s mandate provides clarity on issues such as the scope of the regulation, alignment with the General Data Protection Regulation (GDPR) and the criteria for providing access to electronic health data.

The Council proposes the creation of two steering groups, made up of member-state representatives, to manage MyHealth@EU and HealthData@EU; other stakeholders may be invited as observers to discuss relevant issues.

The Council’s mandate expands the role of EU member states in the proposed EHDS governing board, and requires national digital health authorities to publish an activity report every two years.

Under the Council’s mandate, member states will have the discretion to allow patients to opt out of the new data-sharing system.


3 May 2022 - The European Commission launched the European Health Data Space (EHDS)

1. Thanks to the EHDS, people will have immediate, and easy access to the data in electronic form, free of charge. They can easily share these data with other health professionals in and across Member States to improve health care delivery. Citizens will be in full control of their data and will be able to add information, rectify wrong data, restrict access to others and obtain information on how their data are used and for which purpose.

2. Member States will ensure that patient summaries, ePrescriptions, images and image reports, laboratory results, discharge reports are issued and accepted in a common European format.

3. Interoperability and security will become mandatory requirements. Manufacturers of electronic health record systems will need to certify compliance with these standards.

4. To ensure that citizens' rights are safeguarded, all Member States have to appoint digital health authorities. These authorities will participate in the cross-border digital infrastructure (MyHealth@EU) that will support patients to share their data across borders.

5. The EHDS creates a strong legal framework for the use of health data for research, innovation, public health, policy-making and regulatory purposes. Under strict conditions, researchers, innovators, public institutions or industry will have access to large amounts of high-quality health data, crucial to develop life-saving treatments, vaccines or medical devices and ensuring better access to healthcare and more resilient health systems.

6. The access to such data by researchers, companies or institutions will require a permit from a health data access body, to be set up in all Member States. Access will only be granted if the requested data is used for specific purposes, in closed, secure environments and without revealing the identity of the individual. It is also strictly prohibited to use the data for decisions, which are detrimental to citizens such as designing harmful products or services or increasing an insurance premium.

7. The health data access bodies will be connected to the new decentralised EU-infrastructure for secondary use (HealthData@EU) which will be set up to support cross-border projects.


Understanding the European Health Data Space (EHDS)

Digitalisation is essential for the future of healthcare. The digital transformation is crucial to provide better healthcare to citizens, to build stronger and more resilient health systems, to support long-term competitiveness and innovation in the EU’s medical industry, and to help the EU recover from the pandemic.

Data is an indispensable part of today’s world. When used responsibly and in full respect of fundamental rights, it can bring incredible benefits to every aspect of our everyday lives, including our health. Member States’ health systems already generate, process and store a vast amount of data. Yet it often remains difficult for citizens to access their health data electronically and for researchers to use it to improve diagnosis and treatments.

A vast amount of health data is generated every second, providing healthcare services and researchers with potential valuable insights. Health data reuse is estimated to be worth around EUR 25-30 billion annually. That figure is expected to reach around EUR 50 billion within 10 years.

However, the complexity and divergence of rules, structures and processes within and across Member States makes it difficult to easily access and share health data. This creates barriers to healthcare delivery and innovation, leaving patients unable to benefit from its potential.

Moreover, health systems are becoming the target of cyberattacks. Therefore, the healthcare sector and relevant cyber security authorities need to consider cybersecurity as a key factor for ensuring the resilience and availability of key healthcare services.

In essence, the EU health sector is rich in data, but poor in making it work for people and science. The EU needs to tap into this huge potential to turn the wealth of health data across Europe into knowledge at the service of citizens, and to better prevent, diagnose and treat diseases.

Health data can help achieve more efficient, higher-quality, safer and more personalised care, and help improve healthcare delivery. Health data3 and data science could dramatically transform public health and revolutionise healthcare systems, enabling lifesaving healthcare improvements. Health data can also play a crucial role in speeding up the development of new medical products and treatments for patients who need them most.

The COVID-19 pandemic has clearly demonstrated the importance of digital services in the health domain. It has shown that up-to-date, reliable and FAIR health data is key in providing an efficient public health response to crisis and in developing effective treatments and vaccines. It has also significantly accelerated the uptake of digital tools, such as electronic health records (personal medical records or similar documents in digital form), e-prescriptions and digital health applications, as well as the sharing of research data. Digital health products and services, including telehealth, are no longer novelties. They are becoming a part of everyday care delivery.

Harnessing the power of health data through the digital transformation is especially relevant when patients move within or to other EU countries; and when researchers, innovators, policy-makers or regulators need critical data that can enable the power of science to help patients. Similarly, sharing health data in border regions where individuals access healthcare services across the border much more frequently will be far easier.


Current challenges in using health data.

People cannot always easily access their health data electronically, and if they want to consult doctors in more than one hospital or medical centre, they often cannot share the data with other health professionals. Today, a patient’s health data is often still recorded on paper, untraceable and scattered across various places (hospitals, general practitioners’ venues, medical centres, etc.).

The situation becomes even more difficult when crossing national borders. If a patient visits a doctor in another country, their medical information (including diagnostic images) is often not accessible, which can lead to delays and errors in diagnosis or treatment. In most cases, doctors cannot see the patient’s health data if they have undergone health interventions in another country. Continuity of care and rapid access to personal electronic health data is even more important for residents in border regions, crossing the border frequently to receive healthcare.

The open public consultation23 for the European Health Data Space proposal showed that 88% of respondents think it should promote citizens’ control over their own health data, including access to health data and transmission of their health data in electronic format. 84% of respondents say that citizens should have the right to transmit one’s health data in electronic format to another professional or entity of their choice and 82% feel that they should have the right to request public healthcare providers to share their health data electronically with other healthcare providers/entities of their choice. 83% of respondents say that the European Health Data Space should facilitate delivery of healthcare for citizens across borders.

Researchers and industry, along with policy-makers and innovators, face important obstacles in accessing the data they need to develop new products, to take informed decisions or to monitor the side effects of medicinal products over the long term, based on real-world evidence, with impact on patient safety. In many cases, consent is the only way to access data for research, policy-making and regulatory purposes. It is very costly and cumbersome for researchers to get consent from every patient to use the patient’s data in their research.

Even when the patient consents, data holders are sometimes reluctant to provide data for reasons other than data protection and prefer to keep the health data for their activities. The current regulatory fragmentation between Member States hampers research and innovation by small players, as well as cross-border research.


Primary use of health data.

1. Patients will have their electronic health data available via access points established by Member States. A cross-border digital infrastructure for primary use will connect Member States and allow patients to share their health data.

2. Patients will be empowered to control and share their electronic health data with a healthcare provider of their choice.

3. Member States will be required to make priority categories of data available in a common European electronic health record exchange format, such as patient summaries, e-prescriptions, e-dispensations, medical images and image reports, laboratory results and discharge reports.

4. Where personal health data has not been collected electronically prior to the application of this Regulation, Member States may decide not to convert it into an electronic format.

5. Health professionals will be able to access electronic health records and should update the electronic health data of the patients they treat.

6. To support data being shared between healthcare providers, mandatory requirements for interoperability, security, safety and privacy will be introduced, as well as mandatory self-certification of electronic health records covering interoperability and security.

7. All Member States will be required to participate in cross-border digital infrastructure for the exchange of health data for healthcare delivery (MyHealth@EU).

8. A pilot project will support patients having access to their data on a mobile device in the language of the country of destination.

9. To facilitate the implementation, transitional periods will apply for certain obligations including the registration of health data, access of health professionals to data, making data available in the European format, the participation in the cross border digital infrastructure, self-certification of electronic health record systems, as well as the voluntary label for wellness applications.

10. Member States will have to set up a digital health authority to ensure that the additional rights for individuals are properly implemented.


Secondary use of health data.

1. The European Health Data Space sets out a common EU framework allowing for use of health data for research, innovation, public health, policy-making, regulatory activities and personalised medicine. It will draw on the creation of a new and decentralised EUinfrastructure for secondary use of health data (HealthData@EU) that will connect health data access bodies which should be set up in all Member States.

2. Those who wish to re-use health data will need to apply for a permit from a health data access body. The data permit sets out how the data may be used and for what purpose.

3. The data can only be accessed and processed in closed secure environments to be provided by the health data access bodies with clear standards for cyber security.

4. Only anonymous data can be extracted by the user who applied for the permit from the secure processing environment. Where researchers, companies or public institutions need access to personal electronic health data they can only access it in pseudonymised form, i.e. data offering information about the disease, symptoms and medication, without revealing to the user the identity of the individual. It is forbidden for the user to attempt to re-identify the data subjects.

5. It will be forbidden to use the data to take decisions detrimental to individuals, to increase insurance premiums, to market health products towards health professionals or patients or to design harmful products or services.

6. Health data access bodies will have to ensure transparency: information will be published about data access applications. In addition, data users must make public the results of their electronic health data uses and inform the health data access bodies of any significant findings relevant for the health of individuals.

7. For simple cases, users can directly request data from a single health data provider as long as the same safeguards for privacy and security are ensured.

8. Researchers and innovators from third countries can access data for secondary use under the same conditions and requirements as those from inside the EU.

9. All Member States will be required to participate in the EU-infrastructure for secondary use (HealthData@EU) to facilitate cross-border studies. This infrastructure will be piloted in a EU4Health project starting in 2022.

EU governance mechanism.

1. A new European Health Data Space Board chaired by the Commission will be created, composed of the representatives of digital health authorities and health data access bodies from all the Member States, and observers, depending on area of work.

2. It will contribute to the consistent application of the Regulation throughout the EU, to coordinate and exchange best practices and will cooperate with other bodies at EU level.

3. Member States will cooperate at EU level to ensure the smooth functioning of the two cross-border digital infrastructures (primary and secondary).


The European Health Data Space, together with the GDPR, will give people the right to:

1. Access their health data in electronic form immediately, free of charge and in an easily readable, accessible and commonly used format. Data can be accessed using patient portals, on computers or smart phones, depending on how the Member States make available this information at national level. For people with disabilities to be able to enjoy their rights, the access must be accessible in line with the requirements of the European Accessibility Act (Directive 2019/882);

2. Share their data in electronic form with other health professionals when going to another hospital, without hindrance from previous healthcare providers or manufacturers;

3. Add data to their electronic health record for themselves or for people who trust them, such as their children;

4. Request changes to erroneous data online;

5. Restrict access to their electronic health data or part of the data; in cases of vital interest, where their life is at stake, such data may however be made available with additional restrictions;

6. Easily obtain information on which professional(s) accessed their data.

Member States are required to designate digital health authorities that will have a fundamental role in enforcing the above-mentioned rights.


Examples of how the EHDS will function

Example 1: A woman living in Portugal is going on holidays to France. Unfortunately, she gets sick in France and therefore needs to see a local general practitioner. Thanks to the EHDS and MyHealth@EU, a doctor in France will see on his/her computer the medical history of this patient in French. The doctor can prescribe the necessary medicine based on the medical history of the patient, avoiding for instance products to which the patient is allergic.

Example 2: A health tech company is developing a new AI-based medical decision support tool that assists doctors to make diagnostic and treatment decisions following a review of the patient's laboratory images. The AI compares the patient's images with those of many other previous patients. Through the EHDS, the company is able to have efficient and secure access to a large number of medical images to train the AI algorithm and optimise its accuracy and effectiveness before seeking market approval.

Example 3: A man has a medical image of his lungs, taken in the public hospital where he was brought in by the emergency team. Shortly after, he visits his regular pulmonologist in another hospital. Thanks to the EHDS, his pulmonologist can see the medical image performed in the other hospital, thus avoiding a new, unnecessary test.


Cyber Risk GmbH, some of our clients