Regulation (EU) 2025/327, on the European Health Data Space, has been in force since 26 March 2025, twenty days after its publication in the Official Journal of the European Union on 5 March 2025. Adopted on 11 February 2025 on the legal basis of Articles 16 and 114 TFEU, it is the first sectoral data space the Union has carried from the 2020 data strategy to a directly applicable regulation, and it amends Directive 2011/24/EU and Regulation (EU) 2024/2847.
Context
The process starts with proposal COM(2022) 197 of 3 May 2022 and closes almost three years later. The text addresses a concrete problem: across Europe a citizen’s health data stays confined to the system that generated it. Someone admitted to hospital outside their own Member State has no guarantee that the report reaches whoever is treating them; a research group studying a condition at continental scale must negotiate access dataset by dataset, authority by authority. The European Health Data Space (EHDS) gives both scenarios a single frame, but keeps the two uses under distinct regimes.
That distinction is the way to read the Regulation. Primary use is the use of data to treat the individual; secondary use is reuse for research, innovation, statistics, public policy and regulatory activity. Chapters, infrastructures and deadlines change from one to the other, and keeping the two uses apart clears away most of the confusion stirred up in the debate around the text.
Primary use
On primary use the Regulation acts on two fronts. Towards the citizen it grants a right of immediate, free electronic access to one’s own health data, a right of portability to different providers and Member States, and the rights of rectification, of masking specific documents, and of consulting the access log. Some of these exist already — Italy’s electronic health record provides masking and a personal notebook — but here they become a harmonised obligation, enforceable across the Union.
Towards providers and manufacturers the text introduces technical obligations. Providers must populate national systems with the required content in an interoperable format. Manufacturers of EHR (Electronic Health Record) systems must put their products through a conformity assessment against the essential requirements set out in the Regulation, on a scheme that follows the logic of European marking already familiar to anyone working with medical devices. Wellness apps that handle health data fall under a voluntary labelling regime.
The cross-border exchange infrastructure is MyHealth@EU, born as a voluntary project under Directive 2011/24/EU and now a participation obligation for every Member State. The scope starts from the priority categories — patient summary and electronic prescription — and widens step by step to imaging, laboratory results and discharge letters.
Secondary-use architecture
Chapter IV, on secondary use, is the technically densest part and the one that generated most tension in negotiation. The mechanism turns on four elements.
The first is the Health Data Access Body (HDAB), the authority each Member State must establish. It receives requests, assesses them, grants or refuses the data permit with a reasoned, appealable decision, and makes the data available. It does not hand over copies: it works through the second element, secure processing environments, infrastructures where the applicant analyses the data without being able to extract it and takes away only aggregated results. It is an architectural choice that shifts the model from moving the data to computing at the data, with direct consequences for how analysis pipelines must be designed.
The third element is scope. The Regulation lists the reusable data categories — EHR data, disease and mortality registries, clinical research data, biobanks, genomic and omics data, device data, wellness-app data — and the permitted purposes, which include public-interest research, health technology assessment and regulatory activity. Symmetrically it sets the prohibited uses: decisions that harm the data subject, exclusion from insurance cover, marketing, pricing schemes to the patient’s detriment.
The fourth is HealthData@EU, the federated infrastructure that connects the national HDABs and holds a European dataset catalogue. Federated, not centralised: the data stays at the national nodes and interoperability is provided by the connecting layer, not by a single repository.
The critical point
The relationship with Regulation (EU) 2016/679 (GDPR) is where the design is really tested. The EHDS neither replaces the GDPR nor creates new legal bases: primary use stays anchored to Article 9(2)(h) GDPR for care purposes, secondary use rests on Articles 9(2)(i) and 9(2)(j). What the EHDS adds is the operational procedure — who decides, in what time, in which environment.
The technical hinge is the HDAB’s role. Whoever applies for a data permit does not become a controller in the GDPR sense: they operate in an environment controlled by the authority, on pseudonymised data, without the ability to re-identify subjects. From this follows a precise design constraint. If the analysis needs identifiable data, the EHDS is not the route; if it can live on pseudonymised data in a confined environment, then the secure processing environment must be treated as a system requirement from the outset, not as a later adaptation. The quality of pseudonymisation and the robustness of extraction controls become the ground on which compliance is decided, and that is exactly where a national authority grants or refuses the permit.
Implications
The timeline is staggered and should be read as a sequence of technical deadlines, not a single date. Entry into force is 26 March 2025; most provisions apply from 26 March 2027; Chapter IV on secondary use, with HDABs and HealthData@EU operational, applies from 26 March 2029; for certain categories — medical imaging, test results, discharge letters on the secondary-use side — the data holders’ obligation slips to 26 March 2031.
In Italy the work grafts onto the FSE 2.0 programme, already partly aligned on primary use through the FSE Gateway and through MyHealth@EU participation started under Directive 2011/24/EU. The heavier work is on secondary use: establishing a national HDAB or a federated structure with regional branches, building the secure processing environments, aligning the existing governance. Clinical-record and management-software vendors will face EHR-system conformity assessment, with knock-on effects on procurement specifications and product roadmaps.
Limits
The Regulation is a frame, not a technical specification. The details that matter to implementers — the exchange profiles, the mandatory terminologies, the precise requirements of secure processing environments, the essential requirements of EHR systems — are deferred to Commission implementing and delegated acts, not yet adopted at the time of writing. The candidate standards that surfaced in the preparatory work and the MyHealth@EU activities — FHIR, the International Patient Summary, terminologies such as SNOMED CT and LOINC — indicate a direction, they are not obligations crystallised in the text. Until the implementing acts fix the profiles, anyone planning does so against a provisional perimeter, and that is the main unknown of the next two years.
https://eur-lex.europa.eu/eli/reg/2025/327/oj/eng https://eur-lex.europa.eu/legal-content/EN/HIS/?uri=CELEX:32025R0327 https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:52022PC0197 https://eur-lex.europa.eu/eli/reg/2016/679/oj/eng https://eur-lex.europa.eu/eli/dir/2011/24/oj/eng https://www.noze.it/en/insights/ehds-regulation-2025-327/
Cover image: The Berlaymont building in Brussels, headquarters of the European Commission, with the European Union flag on its glass facade — photo by Euro Pictures, CC BY 2.0 — https://commons.wikimedia.org/wiki/File:Berlaymont_building_2022.jpg