European Health Data Space: Regulation (EU) 2025/327 and the new European health data framework

The European Health Data Space Regulation was published on 5 March 2025 and has been in force since 26 March 2025. This article covers primary use, secondary use, Health Data Access Bodies, MyHealth@EU, HealthData@EU and the application calendar.

A European framework for healthcare data

Regulation (EU) 2025/327 of the European Parliament and of the Council of 11 February 2025, “on the European Health Data Space”, was published in the Official Journal of the European Union on 5 March 2025 and entered into force on 26 March 2025. This is the regulation that establishes the European Health Data Space (EHDS): the European regulatory, infrastructural and governance framework for the circulation of healthcare data.

The legislative path was long. The Commission’s proposal, COM(2022) 197 final, was presented on 3 May 2022. After almost two years of negotiations between the co-legislators, a provisional political trilogue agreement was reached on 24 April 2024. The European Parliament voted on the final text on 15 January 2025 and the Council on 21 January 2025, with signature on 11 February 2025. The Regulation is the first sectoral “Data Space” adopted by the EU after the 2020 European Strategy for Data.

The two pillars: primary use and secondary use

EHDS regulates two distinct but coordinated areas:

  • Primary use — use of healthcare data to deliver care to the individual patient. EHDS strengthens patient rights over electronic access to their own data, harmonises the requirements of EHR systems (systems used by healthcare providers), makes the MyHealth@EU infrastructure mandatory for cross-border clinical document exchange
  • Secondary use — use of healthcare data for scientific research, innovation, official statistics, public health policy, regulatory activities. EHDS establishes a Health Data Access Body (HDAB) in each Member State, defines the data permit procedure for data access, and builds the European HealthData@EU infrastructure for cross-border access

The two pillars have distinct regimes, timelines and infrastructures but fit into the same regulatory architecture: Chapters II, III and V of the Regulation for primary use and governance; Chapter IV for secondary use.

Primary use: citizens’ rights and providers’ obligations

Chapter II of the Regulation governs the rights of data subjects over their electronic healthcare data:

  • Right of immediate and free electronic access to healthcare data held in their providers’ systems and by public bodies
  • Right of portability of data towards other Member States, at no cost
  • Right of rectification with a simplified procedure
  • Right of masking of specific documents, analogous to the one already provided by the Italian FSE
  • Right to enter information by the patient (the equivalent of the Italian personal notebook)
  • Right to the access log with detail on who consulted, when, for what purpose

Chapter III places obligations on healthcare providers and EHR system manufacturers:

  • Providers must populate national systems (regional EHRs, FSE) with the prescribed contents, in interoperable formats, with no further exceptions or deferrals
  • EHR system manufacturers must submit products to conformity assessment against the essential requirements set by the Regulation, with a harmonised European certification
  • Wellness apps that handle health data are subject to a labelling and voluntary opt-in regime

The mandatory infrastructure for cross-border interoperability is MyHealth@EU, which thus moves from a voluntary European project to mandatory participation for all Member States, with the service perimeter progressively broadened: patient summary, ePrescription, medical imaging, laboratory results, discharge reports.

Exchange formats: the role of FHIR

The Regulation does not prescribe specific technical standards but refers to European harmonised standards and to Commission implementing acts. The reference standards already widely used in EHDS preparatory work and in eHDSI/MyHealth@EU activities are:

  • HL7 FHIR R4 as exchange standard
  • IPS (International Patient Summary) as base content of the European patient summary
  • HL7 IPS Implementation Guide FHIR as reference profile
  • eIDAS for citizen identification in cross-border services
  • SNOMED CT, LOINC, ATC, ICD-10, UCUM as reference terminologies

Specific implementing acts will be adopted in the months following entry into force, with public consultation of stakeholders and involvement of the EHDS Board.

Secondary use: Chapter IV

Chapter IV is the most innovative part of the Regulation and was also the most debated in trilogue. It introduces:

  • Categories of reusable healthcare data (art. 51): EHR data, registries (disease, mortality, rare disease), clinical research data, cohort data, insurance claims, biobank data, genomic and omic data, medical device data, wellness app data, population study data
  • Data holders obliged to make data available: public and private healthcare providers (with derogations for micro entities), national agencies, IRCCS and research bodies, public biobanks, registry managers. Private data holders (insurers, pharma) are subject to the regime with some specificities
  • Health Data Access Body (HDAB) in each Member State — public authority responsible for assessing access requests, issuing data permits, providing data in secure processing environments, managing fees and audit
  • Data permit — structured request procedure specifying purpose, requested data, security measures; reasoned and appealable HDAB decision
  • Secure processing environments — analysis infrastructures in which the requester accesses data without extraction capability, only aggregate outputs
  • HealthData@EU — European federated infrastructure connecting national HDABs, operated by the Commission with Member State support
  • Data source catalogue — public dataset dictionary at European level

Permitted purposes for secondary use (art. 53) include: scientific research of public interest, healthcare innovation, health technology assessment (HTA), regulatory activities, public statistics, quality of care improvement. Prohibited uses (art. 54) cover use against subjects’ interest (discrimination, insurance exclusion, marketing, pricing patterns).

Relationship with GDPR

EHDS does not replace GDPR — it complements it. Legal bases for processing remain those of the GDPR (art. 6 and art. 9), with EHDS specifying operational obligations and rights for the healthcare domain. The relationship:

  • Primary use is anchored to Art. 9(2)(h) GDPR (care purposes) — the Regulation strengthens access and portability rights without changing the legal basis
  • Secondary use rests on Art. 9(2)(i) — public interest in the healthcare area — and 9(2)(j) — scientific research. The Regulation specifies operational procedures
  • Data protection authorities (Garante in Italy, EDPB at European level) cooperate with HDABs

The Regulation expressly provides that a data permit requester does not become controller of the data under GDPR — it operates in an environment controlled by the HDAB, with pseudonymised data.

Application calendar

The Regulation has a progressive application calendar. Key dates:

  • 26 March 2025 — entry into force
  • 26 March 2027 — application of most Chapter II and III provisions (primary use): patient rights, provider obligations for priority document categories (patient summary, ePrescription), mandatory MyHealth@EU
  • 26 March 2028 — extension to EHR systems (manufacturer conformity obligations)
  • 26 March 2029 — application of Chapter IV (secondary use): operational HDABs, HealthData@EU operational, data permits available
  • Later dates for specific categories (genomic data, some registry types) up to 2031

The Regulation provides for periodic review and the possibility of adjustment through implementing and delegated acts.

Impact on the Italian system

For Italy, EHDS builds on the ongoing FSE 2.0 path — in part anticipating European obligations, in part requiring adjustments:

  • Primary use — FSE 2.0 with the Sogei FSE Gateway is structurally compatible with EHDS. MyHealth@EU adherence — already under way under Directive 2011/24 — becomes a full obligation. Regional EDSs will have to expose contents in FHIR IT, in conformity with harmonised European profiles
  • Secondary use — here the work is heavier. Italy will have to establish a national Health Data Access Body (or a federated structure with regional articulations), define data permit procedures, build secure processing environments, align existing governance (Garante, Ethics Committees, Agenas, ISS, AIFA) with the new regime
  • EHR system manufacturers — Italian clinical record and healthcare management system vendors will have to submit products to conformity assessment against EU standards, with effects on tenders and supply chains
  • National legislation — Legislative Decree 196/2003 (Privacy Code) and FSE implementing decrees will require alignment; the Garante will have to update its guidelines

What to do now

The twenty-four months separating us from the first major deadline (26 March 2027) are a dense work period for every actor in the Italian healthcare system:

  • Regions — completing EDSs, adopting FHIR IT profiles, integrating with the FSE Gateway, preparing for full MyHealth@EU participation
  • Healthcare providers — verifying conformity of clinical records in use, adapting data-population processes, training staff
  • EHR system vendors — launching EU conformity paths, updating product roadmaps
  • Researchers and research centres — preparing data permit requests, familiarising themselves with HDAB procedures, structuring existing datasets towards the harmonised European format
  • Public administration — designing the Italian HDAB, updating the national regulatory framework, engaging in dialogue with European counterparts

The EHDS framework, read together with FSE 2.0, MDR, GDPR and the EU AI Act, composes a regulatory ecosystem that shapes the European healthcare data infrastructure for the next decade.


Legislative references: Regulation (EU) 2025/327 of the European Parliament and of the Council, 11 February 2025, published in OJ EU L 2025/327 of 5 March 2025, in force 26 March 2025. Proposal COM(2022) 197 final, 3 May 2022. Regulation (EU) 2016/679 (GDPR). Directive 2011/24/EU. Regulation (EU) 2017/745 (MDR). Regulation (EU) 2024/1689 (EU AI Act).
