Regulatory context · 2026-03-31 · Read time: ~8 min.

EHDS - What the European Health Data Space technically requires from hospitals and research organisations

The European Health Data Space (EHDS) has been in force since March 2025 and is one of the largest EU health-data initiatives. This article explains technical implications without providing legal advice.

What EHDS is

EHDS aims to structure both primary and secondary use of health data across the EU. Primary use concerns care delivery and information exchange; secondary use concerns research, innovation, policy, and other specifically defined purposes.

Hospitals, research organisations, pharma, insurers, and public bodies may all be in scope depending on role. Governance is central: Health Data Access Bodies (HDABs) in each member state mediate and supervise secondary-use access.

Timeline

  • March 2025: EHDS enters into force.
  • 2026: Certification obligations for EHR systems begin.
  • 2027: Implementing acts with technical details gain force.
  • 2029: Main obligations on secondary use, EHR exchange, and sanctions apply broadly.
  • 2031: Additional domains such as genomics and imaging follow under extended milestones.

Four core technical duties

  • HealthDCAT-AP dataset catalogs: data holders provide machine-readable metadata to competent bodies.
  • Pseudonymisation at the data holder: identifying attributes must be handled before handover into controlled environments.
  • Secure Processing Environment (SPE): analysis runs in approved isolated environments; raw exports are restricted.
  • Opt-out management: secondary-use objections must propagate quickly and completely across relevant pipelines.

What EHDS is not

  • Not a mandatory GA4GH implementation act.
  • Not a replacement for GDPR; both frameworks operate in parallel.
  • Not only a data format exercise; HDAB governance remains central.

Infrastructure implications

Teams need robust interoperability layers (including FHIR-oriented models), export capabilities for semantic metadata, and reproducible audit logs. Role models, approval workflows, and controlled compute become first-class architecture concerns.

For operating models (on-premise vs cloud), technical and organisational control over access, pseudonymisation, and traceability becomes a core design decision, not an afterthought.

Sources

This article reflects the current understanding of EHDS requirements (last updated: 2026-03-31). Some implementing acts are still evolving. For binding legal interpretation, consult specialised legal counsel.

Last updated: 2026-03-31

Related context

GDPR and health data - Special categories, processor roles, and implications for bioinformatics pipelines · NIS2 - What the Network and Information Security Directive means for healthcare organisations

Relevance for Synaptic Four

Ferrum targets technical building blocks relevant to dataset catalogs, controlled execution environments, and provenance-oriented traceability.

BioResearch Assistant supports on-premise pseudonymisation. It does not replace legal assessment, but can support technical execution of data-holder duties.

For a structured gap scan, we offer the EHDS Technical Readiness Review (core pillars; optional add-ons for secondary-use intake and MII/FDPG readiness). For implementation projects, Ferrum EHDS Edition is the practical path.

EHDS Technical Readiness Review · Clinical AI compliance review · EHDS implementation with Ferrum