What will be the impact of the European Health Data Space Regulation on life sciences companies?
Published on 6th Feb 2025
The EHDS is in its final stages, creating a common data space for the first time

The European Health Data Space (EHDS) will form the first common EU data space and is one of the cornerstones of the European Health Union. For the first time, a European ecosystem for health data will be created, providing new opportunities for secondary use, including the development and training of AI.
The underlying regulation was adopted by the Council of the European Union on 21 January 2025 (official text). Twenty days after its publication in the Official Journal of the European Union, it will enter into force. Large parts of the EHDS Regulation will be applicable at the beginning of 2027. However, the EHDS Regulation will only fully apply up to ten years after its entry into force.
Key objectives of the EHDS Regulation
The regulation aims to:
- give natural persons more control over their electronic health data, for example through specific rights of information, access, rectification, and restriction, as well as certain opt-out rights;
- provide healthcare professionals (especially doctors, nurses, dentists, midwives, pharmacists) with EU-wide access to the electronic health data of EU citizens for primary purposes (providing healthcare services) via specially protected infrastructure;
- require health data holders, such as healthcare professionals or other natural or legal persons processing health data (for example, life sciences companies or research institutions), to make certain health data they process accessible for purposes other than the provision of healthcare services (so-called secondary purposes) via a prescribed infrastructure; and
- enable natural and legal persons (possibly also from third countries) to access electronic health data under certain conditions so that they can process the data for conclusively defined secondary purposes as health data users in a legally secure manner.
Newly created health data access bodies will review applications from natural and legal persons for access to health data for secondary purposes, manage access to electronic health data, monitor the enforcement of the EHDS Regulation, and act as an interface between health data holders, health data users and the public.
Rights and obligations for actors in the health care system
To achieve these objectives, the EHDS Regulation will establish rights and obligations, particularly for the following:
- data collection obligations for healthcare providers (healthcare professionals, but also clinics or medical practices) in the EU for primary purposes;
- extensive transmission obligations for health data holders for secondary purposes;
- access rights for healthcare professionals for primary purposes, as well as access and usage rights for health data users, such as research institutions and life sciences companies, for secondary purposes;
- testing, standardisation and documentation obligations for manufacturers, importers and distributors of software and devices for electronic health records, so-called EHR systems.
EU-wide use of health data for the provision of healthcare
Among other things, the EHDS Regulation will create a uniform digital infrastructure for the processing and transmission of electronic health data for the provision of healthcare services.
Cross-border access to electronic health data will be significantly facilitated, enabling doctors to easily access the electronic health data of patients residing in another EU member state. For example, the administrative burden for medical treatments abroad will be significantly reduced, and the quality of medical care will be improved.
Member states can grant natural persons the right to opt out from access to their electronic health data for primary purposes (the provision of healthcare services) at the national level.
Legal certainty for the secondary use of health data
The EHDS Regulation creates a European infrastructure for the data protection-compliant secondary use of health data, which is strictly protected as special categories of personal data and therefore may only be processed under special conditions (Article 9 GDPR).
So far, the secondary use of health data has been associated with significant legal uncertainties due to the lack of a clear legal basis under data protection law. Innovative research on and with health data has thus been hampered – particularly with regard to the possibilities of artificial intelligence.
The EHDS Regulation aims to reduce these uncertainties by creating an explicit legal basis for the secondary use of health data. Permissible secondary purposes are conclusively defined by the regulation and include, for example:
- scientific research;
- development and innovation activities for products or services in the healthcare sector;
- training, testing, and evaluating algorithms in medical devices, AI systems, and digital health applications; or
- improving care, optimising treatment and healthcare.
In contrast, health data may not be used for prohibited purposes, such as advertising or marketing activities or the development of products or services that could harm individuals, public health, or society as a whole, such as illicit drugs, alcoholic beverages, or tobacco and nicotine products.
Obligation to provide health data
The EHDS Regulation obliges health data holders to provide certain health data for secondary purposes to the health data access bodies.
Health data holders are not only healthcare professionals but may also include, in particular:
- companies developing products or services for healthcare, the health sector, or the care sector;
- developers and manufacturers of wellness applications; or
- research companies in the health or care sector.
The health data access bodies will then provide this data to health data users upon request via the new infrastructure. Health data users can generally be any natural or legal persons, including public authorities in the EU, who are authorised to use it for secondary purposes.
Affected individuals can opt out from the processing of their health data for secondary purposes at any time and without giving reasons. As long as such an opt-out is not declared, the health data may generally be processed.
The specific health data that may need to be made available is defined in the EHDS Regulation. It includes, for example, data on factors affecting health, personal electronic health data automatically generated by medical devices, as well as other data from medical devices, data from wellness applications, data from clinical trials and studies, but also health data from biobanks and associated databases.
The privacy of natural persons whose electronic health data is processed for secondary purposes is protected, among other things, by providing health data users with anonymised data only (as a general rule) and ensuring that it is processed only in secure environments where technical and organisational measures minimise the risk of unauthorised access. Pseudonymised data is only made available on special request.
In detail, health data that may be protected by intellectual property rights or trade secrets or subject to special legal protections under the Community Code for Human Medicines or the Regulation on the European Medicines Agency may also need to be made available. However, the EHDS Regulation provides for specific measures to protect such data, such as contractual agreements based on official templates. If serious risks to the protection of such confidential data remain, the health data access point may also deny access to it.
Further obligations for economic operators
In addition to the regulations on the processing of health data, the EHDS Regulation also includes product-specific obligations for manufacturers, importers and distributors of so-called EHR systems. These are systems where the software or a combination of hardware and software allows the processing of health data covered by the regulation and is intended by the manufacturer for use by healthcare providers in patient care or by patients for access to their health data.
These economic operators are subject to graduated obligations based on their respective roles in the value chain. For example, manufacturers are required to ensure that their EHR systems comply with the specifications of the EHDS Regulation and to affix a CE marking, while importers are only allowed to place EHR systems on the market that comply with the specifications of the EHDS Regulation and have the appropriate CE marking. Distributors are then required to verify whether the manufacturer has issued an EU declaration of conformity or whether the importer has complied with certain legal requirements.
If the EHR systems are also products with digital elements, manufacturers, importers and distributors must also comply with the provisions of the Cyber Resilience Act, whose requirements the EHDS Regulation is intended to complement in terms of electronic health records.
Osborne Clarke comment
The EHDS Regulation will bring a multitude of new obligations for life sciences companies and other players in the life sciences and healthcare sector. In return, life sciences companies, in particular, will benefit from new opportunities to use health data for secondary purposes such as research and development, including training and improving AI.
Manufacturers, importers and distributors of EHR systems will also be subject to numerous new obligations. Without the associated standardisation and the secure environment for processing highly sensitive health data created by such regulatory requirements, the EHDS would be almost unachievable. For any digitised healthcare system, trust in the secure processing of health data is critical.