On 26 March 2025, the European Health Data Space (EHDS) Regulation entered into force. We therefore recommend that suppliers of electronic health record systems (EHRs) start taking the first preparatory steps now. The first obligations will apply within two years at the latest, and the impact on technical requirements, functionalities and contracts will be significant.
Together with the Data Act and the Data Governance Act, the EHDS forms part of the broader European data strategy. While the Data Act sets horizontal rules on data availability and fair data use across all sectors, the EHDS focuses on one specific sector: healthcare.
In this blog, as a follow-up to our earlier blog on the relationship between the Data Act and the EHDS, we outline the main consequences of these regulations for EHR suppliers and examine how the obligations under the two regulations complement each other in practice.
The Data Act has been formally applicable since 12 September 2025. It introduces general obligations and rights relating to the sharing of data generated or processed via devices or digital services, the so-called connected products (such as medical wearables) and related services. These rules apply to anyone offering or using such products within the EU, from manufacturers to hospitals, and even individual patients using a smart health app. In addition, the Data Act applies to providers of data processing services (for example SaaS and cloud services), which are required to make data available to users and to offer transparent terms.
The EHDS builds on this framework but is expressly focused on the handling of health data. It sets out, for example, how medical data must be shared between healthcare providers (nationally and across Europe), which interoperability standards apply, and which rights citizens have in relation to their health data.
In short: the Data Act creates the general framework for data access and data sharing; the EHDS translates this framework into concrete rules for health data. Compliance with the EHDS does not automatically mean compliance with the Data Act. There is overlap, but also important differences in scope and obligations.
The EHDS harmonises the rules on product safety, security and interoperability for EHR systems and interoperable wellness apps. This means, among other things, that every EHR system must include an interoperability component and a logging component. Responsibility for compliance rests with the manufacturer. Manufacturers must self-certify their systems through a European testing environment in which these components are assessed. They must also prepare and maintain technical documentation and establish a complaints procedure. Member States may impose additional national requirements for EHR systems.
Manufacturers must adapt their systems to the European technical specifications that the Commission will establish in the coming years. This includes standards for data exchange formats, interoperability and the logging component used to track who has accessed or amended which data. For logging, greater clarity already exists: NPR 7523 helps healthcare providers and software suppliers comply with the logging obligations under NEN 7513 and the broader requirements of the EHDS. How the other standards will relate precisely to the Dutch NEN standards is still under assessment.
EHR systems fall under a new European supervisory regime based on self-certification by manufacturers. Certified EHR systems will be included in a public EU register, creating transparency on compliance. Member States must also designate a market surveillance authority that exercises risk-based supervision and can intervene in cases of non-compliance. This means that manufacturers (and, where relevant, suppliers) must be able to demonstrate that their systems comply with the European rules, particularly where updates or releases affect interoperability, the logging component or security.
Manufacturers must design their systems so that healthcare providers can access electronic health data via standardised interfaces. This includes, on the one hand, patients’ rights of access and to receive electronic copies, and, on the other hand, access by healthcare providers to data within the European infrastructure (MyHealth@EU) for primary use. The distinction is important: the right of access and the right to a copy concern access and information, whereas MyHealth@EU is intended for sharing data between healthcare providers within the European infrastructure.
Although the EHDS focuses on electronic health data, in particular priority data such as patient summaries, prescriptions, test results and medical imaging, other types of data come into scope under the Data Act once an EHR or related service also processes non-health data.
An EHR may, for example, qualify as a ‘related service’ or as a ‘data processing service’ under the Data Act. Depending on this qualification, different obligations apply towards different actors, such as healthcare institutions or, in certain circumstances, patients.
For related services, suppliers must enable users to transfer data generated via their systems to another party. For data processing services, additional obligations apply, such as facilitating switching to an alternative provider. In the context of the Data Act, this concerns virtually all data generated via the system or service, such as log files, device settings or usage statistics, rather than the medical data governed by the EHDS.
Suppliers must also be transparent about which data are collected and made available, and must ensure interoperability where a data processing service is involved. The obligations under the Data Act are therefore broader than those under the EHDS: they also cover non-health data and regulate the availability and portability of those data within the EU infrastructure.
Identify which data your EHR generates and processes, and determine for each data type and each qualification under the EHDS and the Data Act which obligations apply and towards which parties. Consider, for example, electronic health data (EHDS) versus usage data from devices or software (Data Act).
Assess which interfaces and technical documentation are required to comply with the obligations under both laws, including interoperability requirements and standardised data access.
Review and update contracts, service terms and documentation on data access and data sharing to ensure alignment with the new obligations under the EHDS and the Data Act.
Many details still need to be specified through implementing acts. Monitor these developments closely to anticipate requirements that are relevant for EHR suppliers in a timely manner.
The first obligations under the EHDS will apply from 2027. The obligations under the Data Act have been applicable since September 2025, depending on the qualification of the service or product. For EHR suppliers, this means now is the right time to start preparations and ensure that systems, documentation and processes are compliant in good time.
Would you like to know how your organisation can prepare for the EHDS and the Data Act? We would be happy to help map your legal and organisational obligations, review contractual arrangements and develop a future-proof data strategy.