Around the Globe: Europe
The European Health Data Space (EHDS): Breakthrough Moment in Sharing Health Data
Are We Ready for Implementation?
Tom Brookland, Pascal Hofer, Didier Pomeranc
Roche
What is the European Health Data Space (EHDS) and Why Does It Matter?
The EHDS is a new piece of European law, forming part of a growing regulatory and policy ecosystem for digital and data, including artificial intelligence (AI) (see figure 1 below), and was established in line with the European Commission’s 2020 Strategy for Data. The EHDS ultimately aims to establish a common framework for the use and exchange of electronic health data across the EU and aims to address specific bottlenecks currently observed with data sharing in Europe: the lack of citizen access, power, and rights over their health data; lowered quality of care in primary settings due to the insufficient capacity for sharing and portability of patient data across borders; and the fact that health data is currently trapped in silos across Europe, with various legal and technical challenges prohibiting efficient secondary use.

Diagram of EU digital legislation: EHDS highlighted under Data Strategy, alongside AI Act, NIS-2, and GDPR categories.
Figure 1
More specifically, the EHDS can be viewed as an “EU wide health specific ecosystem comprised of rules, common standards and practices, infrastructures and a governance framework.” This speaks to the setup of a harmonized, secure ecosystem for health data made up of both the technical specifications and the expected data governance rules for operators within the system.

The framework includes both primary and secondary uses of health data defined in the EHDS:

Primary use of health data: Processing personal electronic health data for the provision of health services and patient care. This includes the sharing of health data (such as Electronic Health Record [EHR] data, prescriptions, medical test results, etc.) across EU borders to support better individual patient care. For example, if a doctor in France accesses the records of a German patient visiting France on holiday, the doctor will be able to see the patient’s medical history and relevant health data to enable emergency or ongoing treatment and care.

Secondary use of health data: Processing electronic health data for secondary purposes such as scientific research, but which are distinct from the initial reason for collecting the data. This will include the sharing of 17 types of health data defined in the law such as registry data, EHR data, medical device data, and data from clinical trials. Each EU member state will have to designate or establish a health data access body (HDAB) which will govern access to all the health data in scope within their country. These HDABs will work closely with the data holders (the entity legally controlling the data) and together be part of the broader secondary data use node-based network. The HDABs will also be responsible for ensuring the technical setup of secure processing environments (SPE) within which data can be shared and accessed in compliance with existing EU laws concerning privacy and cybersecurity. The overarching idea is that the data is, unless necessary, not further transferred but processed within these SPEs (the concept of “Bring your questions to the data instead of moving the data”).

Each of these types of data-sharing uses will have their own technical framework and data-governance rules.

The Commission clearly understands that these data will play an ever-increasing role in healthcare innovation in cutting-edge medicinal products and medical technologies, and positions this regulation as a key enabler of future innovation and competitiveness in Europe; for example, the EHDS was specifically mentioned in recent competitiveness reports (such as Mario Draghi’s report on EU competitiveness and Enrico Letta’s report Much more than a market). However, it is also clear from multiple panel discussions across numerous events that some consider the EHDS to be the most ambitious overhaul of health data policy in the world so far, largely due to the technical and legal complexity which lies ahead in its implementation.

To ensure a fully functioning EHDS which brings value to patients, businesses, and society, without negatively disrupting the current ecosystems, there will need to be significant effort, time, and resources invested across all stakeholder groups in the public and private sector to implement the law in a compliant way, including researchers and academics, hospitals and healthcare professionals, the pharmaceutical industry, and policy makers and regulators.

The clock has started ticking since the EHDS officially entered into force in March 2025, and the various legal requirements will become applicable in a phased approach. Most of the secondary data use requirements, for example, will be applicable as of March 2029. This may presently seem a long time from now, but the pressure is on those involved in the deeper technicalities of health data sharing and compliance with European law to meet its requirements in time.

What compliance with the EHDS means for Pharma

What compliance with the EHDS means for the pharmaceutical sector should not be underestimated. Focusing only on the framework for secondary use of health data, this sector will play two important legally defined roles:

1) As a data user: This role enables a pharmaceutical company (like all other stakeholders) to search EU data catalogues hosted by the HDABs and request a permit to conduct research on any identified data sets of interest. The HDAB holds the legal remit to review and approve or reject permit applications. If a permit is granted, access to data is provided and research can be conducted. Such research on data sets holds the potential for the pharmaceutical sector to advance discovery and development of new medicines and other healthcare technologies.

2) As a data holder: This role requires covered entities to enable access to health data sets they collect and host across a range of different data types. This will likely involve, at the time of this writing, data curation, cataloguing, anonymization, and security measures in alignment with the HDABs to enable appropriate access to data users with a valid permit to access the data.

Reflecting more closely on these two roles, clear opportunities emerge, but some significant challenges will need to be overcome.

For example, accessing novel sources of healthcare data within the EHDS could advance further scientific research and the development of new medicines. This will inevitably be done by harnessing the power of AI not only to train, test, and validate new models (e.g., for better diagnostics solutions), but also to generate new insights on diseases and unmet medical needs. There could even be opportunities, in the self-reflection that EHDS compliance will provoke on our own data sets, for triggering innovation from our internal proprietary data reuse.

However, at the same time, there will be significant impact in particular regarding compliance as a data holder due to the fact that many major multinational pharmaceutical companies with a large portfolio of innovative products across two major divisions naturally invest significantly in the collection and hosting of a high number of health data sets across different therapeutic areas, many of which will fall in the scope of the EHDS for sharing. This raises a number of implementation and compliance challenges:

  • Data holders will have to map, catalogue, and describe every single data set they host, and create mechanisms to curate, anonymize, and share these data sets in secure and privacy-compliant ways. This will be new discourse for the majority of data sets listed in the EHDS, and as such these compliance requirements will likely impact numerous processes and infrastructures (and, possibly, employees and roles).
  • Some ambiguity in the text remains; for example, the complex definition of data holder, which could potentially lead to legal uncertainties about which data is or is not in scope in some cases.
  • The law does not specify measures for the protection of data holders’ intellectual property (IP) and trade secrets. Health Data Access Bodies will be the ultimate judge of the appropriateness of such measures. Without reasonable safeguards, the EHDS risks expropriation of data holders’ rights over their data and weakening the EU’s attractiveness for healthcare research, innovation, and even clinical trials.
  • There is the issue of how compatible the EHDS requirements and definitions are with other relevant EU laws such as the General Data Protection Regulation (GDPR), EU Data Act, and Clinical Trials Regulation (CTR).
  • The HDABs’ readiness across the EU will be a key issue, directly followed by the question of process consistency and harmonization, both from the perspective of data user (data access) and data holder (data sharing). This concern stems from the fact that data ecosystem maturity varies across EU member states, which means that compliance and setup will be harder for some countries than for others.

While these challenges are specific to the secondary use of health data, pharmaceutical companies developing and using medical device technologies will also face a range of compliance requirements for EHR systems: for example, conformity assessments and interoperability requirements for IVD/MDs that claim interoperability with EHR systems, or for solutions that are EHR systems themselves.

One sticking point is the need for a clearer definition of what actually constitutes an EHR system. The current definition is very broad, and there has been to date no agreed definition of the EHR at the international level and very few formal EHR definitions even at a national level. But vagueness on the EHR system definition invites local interpretation. Each EU Member State has its own legacy digital infrastructure. Without a precise definition, Germany might define an EHR one way, while France defines it in another. The potential result: Instead of a “Single Market” for health data, we risk ending up with 27 more or less different versions of the rules, defeating the purpose of the EHDS. (Multiply this by different industry players’ definitions, too.)

One Approach to Implementation and Compliance

A holistic and structured strategy relies on the following key components:

  • Ensuring alignment, buy-in, and sponsorship of the proposed strategy at the highest organizational levels (such as the Corporate Executive Committee).
  • Identification and appointment of clear, accountable implementation leads, representing key functions impacted by the law.
  • Creation of an internal, cross-divisional, cross-functional implementation team with key SMEs representing all major parts of the organization impacted by the compliance requirements.
  • Categorization of specific subteams within this overarching team, dedicated to the implementation and oversight of the two chapters of the EHDS (the primary and the secondary data use requirements).
  • A robust project plan mapping key milestones and timelines relative to the legal requirements and timelines specified in the law.

The execution of the implementation strategy itself is made up of a series of phases which follow a sequential, stepwise approach (shown in figure 2). At a high level, this begins with an assessment/scoping phase, which assesses all internal data sets and systems in scope for the EHDS. In the mapping phase, a full mapping of the legal requirements of the EHDS according to roles such as data user and data holder is conducted. The development phase involves creating or adjusting processes that enable connection to the EHDS, from a technical (such as the technical infrastructure needed to connect with the secure processing environments) or legal standpoint. The implementation phase executes the changes needed in new processes, systems, and capabilities in preparing the organization for the testing phase prior to “go live” full implementation.

These steps ensure complete implementation and full compliance with the EHDS after the requirements become legally applicable.

Three-phase process diagram: Phase 1 (Assessment, Mapping), Phase 2 (Development, Implementation), and Phase 3 (Testing and Go live).
Figure 2

Where do we collectively go from here?

The European Commission initially positioned the EHDS as a “triple win” for European society: empowering individuals’ rights, improving clinical outcomes in primary care settings, and accelerating scientific discovery, research, and development.

While the authors applaud and welcome this ambition, we also believe that, under the right conditions, we could break down EU data silos to create clearer, more efficient data-sharing frameworks. We also believe that the EHDS should not put certain stakeholders at risk; for industry, the EHDS must function in a way that doesn’t stifle the EU’s competitiveness or attractiveness for the healthcare sector.

The law indeed contains significant issues and ambiguities with the potential to hinder the promise of the EHDS if not addressed. To resolve them in a collaborative and proactive way, we propose four next steps:

1) Ensure clear dialogue and constructive actions for secondary legislation: The TEHDAS2 guidances designed to help stakeholders interpret and implement the EHDS rules have so far been a one-directional process: Stakeholders have had the opportunity to comment and join certain workshops, but there have been no major opportunities for in-depth discussion on all guidances to cocreate meaningful clarity and solutions. The technicalities of data sharing will require far deeper actual discussion and action with policy makers than are currently planned.

Furthermore, the guidance published so far offers very little (if any) clarity on fundamental aspects not sufficiently addressed in the law, such as measures for the protection of intellectual property and trade secrets. The guidances as they are now written will remain unhelpful and ambiguous. We suggest a series of multistakeholder workshops or roundtable discussions, each addressing key areas identified by industry where the law presents substantial risks or lacks clarity.

2) Learn from industry’s existing data-sharing experience: Industry has significant collective experience in sharing clinical trial data, one of the 17 types of health data listed for sharing for secondary use in the EHDS, based on joint EFPIA/PhRMA principles established in 2014. We can leverage this experience when formulating approaches to share other data types; for example, industry could share and discuss use cases and experience with EU policy makers in roundtables/workshops.

3) Ensure constructive collaboration amongst all stakeholders: It is of paramount importance that all relevant stakeholders speak up and share ideas and best practices during this critical implementation phase to drive toward solutions which ensure that the system works for everyone. This article outlines considerations for industry but argues that researchers, healthcare practitioners, policy makers, and regulators must raise their voices, too.

4) EU Member States must be open and willing to think beyond national boundaries: A fully functioning EU-wide harmonized system should be the ultimate goal (shared by the Commission, we believe) if Europe is to derive any value from the EHDS. The power of a regional data space such as the EHDS lies in the ability to identify, link, and pool the many varied data sets scattered across all 27 member states, and to provide access to these data in a fair and proportionate way, based on clear and consistent rules. However, this will depend on Member States’ willingness to implement these rules in a consistent and harmonized way (in particular at the HDAB level), so that they operate consistently across the EU without complicating and increasing the regulatory burden for data users and data holders. Inconsistent implementation would run counter to the aims of the EHDS.