The European Health Data Space (EHDS) is on its way. These rules stem from European ambitions for a digital health space and aim to improve data exchange, safeguard security and give citizens greater control over their data. But what do these obligations mean in practice for ICT service providers in the Netherlands? In this blog, we take a closer look at the five key obligations and explain what you need to know to remain compliant.
The EHDS covers both primary use (healthcare delivery) and secondary use (for example research and policymaking). For ICT service providers that develop and supply systems, such as electronic patient records (EPRs) or wellness apps, this translates into five concrete obligations.
One of the pillars of the new rules is that systems must comply with the European Electronic Health Record Exchange Format (EEHRxF). This means that health data must be exchangeable not only between systems within the Netherlands, but across Europe as a whole. For ICT service providers, this requires adapting their systems to these standards. In the Netherlands, where existing standards such as NEN standards are already in use, this may present additional challenges. How do you ensure that your system is compliant at both national and European level?
Cybersecurity remains a top priority in healthcare. ICT systems must comply with the General Data Protection Regulation (GDPR) and with additional frameworks such as the Network and Information Security Directive 2 (NIS2). As an ICT service provider, this means implementing robust measures. Examples include end-to-end encryption of data, detailed logging of who has access to which data, and protection against data breaches and cyber-attacks.
The NIS2 Directive further tightens requirements for organisations classified as important or essential. For example, you must draw up a risk management plan and report incidents within 24 hours. This requires not only technical adjustments, but also organisational processes, such as staff training and the establishment of an incident response team (IRT).
Patients are gaining increasing control over their own medical data, and ICT service providers play a key role in this. They must ensure that citizens can access their data through Personal Health Environments (PHEs) or comparable tools. This means that, as a service provider, you must not only make data available but also ensure that this is done in a user-friendly and secure manner.
In the Netherlands, PHEs are already gaining traction, partly due to the MedMij programme. The European obligation builds on this but also sets requirements for the accessibility and standardisation of the data made available.
A notable difference from the Dutch approach is the requirement for self-certification. Systems must obtain a conformity label, based on a self-assessment of whether the system meets the European requirements. This label may be reviewed retrospectively by supervisory authorities.
Finally, ICT systems must make data from priority categories available for secondary use, such as scientific research and policymaking. Examples include patient summaries, laboratory results and prescriptions. This takes place under strict conditions, such as anonymisation and a new consent regime.
This means that systems must not only support primary use but also be able to generate structured datasets for external parties.
These obligations may sound abstract, but how do you translate them into practice? The EHDS will be implemented in phases over six years, from its entry into force to full applicability in 2031.
2025: Preparation. Analyse your systems, draw up a project plan and start initial technical adjustments. The EHDS enters into force, but immediate obligations are still limited.
2026–2027: Ensure that priority categories (patient summaries, prescriptions) comply with the EEHRxF. Start self-certification.
2028–2029: Implement full interoperability for all categories (imaging, laboratory results, discharge letters) and introduce access via PHEs.
2030–2031: Systems must be fully interoperable, certified and ready for secondary use. Enforcement is expected to increase by this stage.
You may be thinking: mandatory standards already apply, do they not? That is correct. The Electronic Data Exchange in Healthcare Act (Wet elektronische gegevensuitwisseling in de zorg, Wegiz), in force in the Netherlands since July 2023, requires healthcare providers and ICT suppliers to standardise specific electronic data exchanges. But how does this relate to the EHDS? There is overlap, but also divergence.
At first glance, the Wegiz and the EHDS appear to serve the same purpose. Both aim to improve the electronic exchange of health data. However, there are significant differences that make compliance complex. The Wegiz focuses primarily on the primary process, data sharing between healthcare providers. The EHDS goes a step further by also regulating access to data by citizens and secondary use. There is also a difference in implementation. The Wegiz requires third-party certification based on Dutch standards such as NEN. The EHDS relies solely on self-certification.
In the meantime, the multi-year agenda under the Wegiz continues as planned. Through this agenda and the related Orders in Council (AMvBs), deadlines are set for the electronic standards that must be used for data exchange, the so-called tracks. Electronic prescribing has been mandatory since 1 January 2024 under NEN 7503. The Basic Healthcare Data Set (BgZ) must become mandatory by Q3 2025 in accordance with NEN 754, and medication transfer will follow in 2026. All of this is based on Dutch NEN standards. The EHDS, however, introduces its own standard. How these standards will be aligned remains unclear. The Ministry of Health, Welfare and Sport recognises this tension and is working on an impact assessment to provide clarity. Until that assessment is available, ICT service providers are caught in a dilemma. Do you fully commit to the Wegiz, with the risk that the EHDS may override it, or do you wait to see how Europe and the Netherlands will align their approaches?
In the short term, the Wegiz cannot be ignored. The BgZ deadline is approaching. In the long term, however, the challenge becomes more complex. Your systems must comply not only with the Wegiz, but also with the EHDS. The EHDS does not override the Wegiz, but national rules must not conflict with European requirements. This makes compliance a complex puzzle.
The EHDS will have a significant impact on ICT service providers in healthcare. By taking steps now, providers can ensure timely compliance with the new obligations. Start with an internal analysis and develop a roadmap to ensure a smooth transition to EHDS compliance.
We are happy to help you answer these questions. Whether you need support with implementation, legal compliance or defining and developing a strategy, together we ensure that you are ready for the future of digital healthcare.