European Health Data Space Regulation Published in the EU Official Journal

On March 5, 2025, Regulation 2025/327 (EHDS Regulation), creating a European Health Data Space (EHDS), was published in the European Union Official Journal (EU Official Journal), marking the end of the legislative process of the EHDS Regulation.

Background

The EHDS Regulation is based on the European Commission proposal for a regulation creating a European Health Data Space, published in May 2022. (See our previous Blog for details on the European Commission proposal.) The European Commission proposal underwent substantial amendments by the European Parliament and Council of the European Union (EU legislators) as a result of intense debates. The debates touched upon, among other things, the possibility for EU citizens to object (opt-out) to the collection and use of their health data and to consent (opt-in) in specific cases. Another sensitive topic was the ability of the EU Member States to opt-out from the EHDS and to introduce additional restrictions to the use of health data.

The EU legislators reached an agreement on the text of the EHDS Regulation on March 15, 2024. (See more details on the agreement in our previous Blog.) It was then formally adopted by each of the EU legislators separately on April 24, 2024 and January 21, 2025.

The EHDS Regulation establishes rules for the:

• Access to electronic health data (health data) for healthcare purposes (i.e., primary use)
• Sharing and access of specific electronic health data for purposes other than the initial purposes for which the data was initially collected or produced (i.e., secondary use)

Life Sciences companies can apply for access to health data (health data applicant) for secondary use, but primary use is restricted to patients and healthcare professionals. At the same time, Life Sciences companies are required to share certain health data they hold when acting as data holders (health data holder).

This Advisory analyzes the final text of the EHDS Regulation, focusing on the key elements relevant to the secondary use of health data for Life Sciences companies.

Key Elements of the EHDS Regulation and Its Relevance for Companies

The EHDS Regulation officially establishes HealthData@EU, a cross-border infrastructure enabling the secondary use of health data, which has been operational as a pilot since 2022. This platform will maintain a publicly available EU dataset catalogue, listing the health data that may be requested for secondary use.

1. Obligations for Health Data Holders

The EHDS Regulation introduces the concept of “health data holder,” which can include any legal person operating in the healthcare sector, developing health products or services, or conducting health-related research, as well as public authorities, agencies, and bodies, including reimbursement services that either:

• Have the right or obligation to process personal health data, or
• Have the ability to make non-personal health data available

Life Sciences companies handling health data may qualify as health data holders. Natural persons and microenterprises (i.e., enterprises employing fewer than 10 people and with an annual turnover or balance sheet of less than €2 million) are excluded from qualifying as health data holders. However, EU Member States may extend the obligations for health data holders to natural persons and microenterprises.

Key obligations for health data holders include:

• Obligation to share health data: When access to health data is granted by the health data access body (HDAB, a national body responsible for assessing health data access requests and applications), health data holders must share the requested health data, unless the patients concerned have opted out of sharing. The data must be shared with the HDAB of the health data holder’s country of establishment within three months. The HDAB will then provide access to the health data applicant who has been granted access, who will only be able to download non-personal health data.
• Obligation to communicate the dataset: Health data holders must inform the HDAB of their country of establishment about the datasets they hold and ensure that the dataset descriptions in the national dataset catalogue are accurate and up to date, at least annually.

2. Possibility to Access Health Data for Secondary Use

The EHDS Regulation introduces the concept of a “health data applicant,” which can include any natural or legal person established in the EU (or, under certain criteria, in a non-EU country). Health data applicants are eligible to request access to health data, but access is only granted if deemed lawful by a HDAB. The HDAB evaluates requests based on criteria such as: intended use, purpose, safeguards against data misuse, compliance with the General Data Protection Regulation, or justification for relying on a national exception to the opt-out right (if applicable).

2.1 Access Routes

Access requests must be submitted to the relevant HDAB (i.e., the one where the health data holder holding the data intended to be accessed is registered). The EHDS offers different access routes, which vary in terms of the data access format (i.e., anonymized/pseudonymized format or statistical format) and processing time.

• Health data request:
  • Access format: Access to data is granted in anonymized statistical format.
  • Timeframe: Six months.
  • Outcome: If successful, HDAB grants an approval.
• Health data application:
  • Access format: Access to data is granted in anonymized or pseudonymized format (the latter when justified only).
  • Timeframe: Three to six months.
  • Outcome: If successful, the HDAB issues a data permit valid for up to 10 years (extendable for an additional 10 years).
• Simplified procedure: When health data is held by a designated trusted health data holder (i.e., designated by an EU Member State when meeting certain conditions such as having a secure processing environment or expertise in handling data access applications/requests), health data applicants may follow the simplified route. The trusted health data holder conducts an initial assessment and sends a recommendation to the HDAB.
  • Access format: Dependent on whether it is a request or an application (i.e., anonymized statistical format, or anonymized or pseudonymized format).
  • Timeframe: Four months.
  • Outcome: If successful, the outcome depends on whether it is a request or an application (i.e., an approval or a data permit).

For data held by health data holders across multiple EU Member States, health data applicants can submit a single data application, either:

• Through the HDAB of the health data applicant’s EU Member State of its main establishment
• Through the European Commission’s HealthData@EU services

Data permits issued by one HDAB may also be recognized by other HDABs.

2.2 Use for a Permitted Purpose

The EHDS Regulation allows health data to be used for the following secondary purposes:

• Public interest in the areas of public or occupational health
• Policy-making
• Statistics
• Education
• Scientific research
• Health treatment optimization

For Life Sciences companies, scientific research is the key permitted purpose. The EHDS Regulation provides that scientific research should be interpreted “in a broad manner, including technological development and demonstration, fundamental research, applied research and privately funded research.” (EHDS Regulation Recital 61) At the same time, scientific research must:

• Contribute to public health or health technology assessments
• Ensure high levels of quality and safety of healthcare, medicines, or medical devices, with the aim of benefitting end-users (e.g., patients, health professionals, and health administrators)

and:

• Include the development and innovation of products or services
• Train, test, and evaluate algorithms, including in medical devices, in vitro diagnostic medical devices, AI systems, and digital health applications

The EHDS provides examples of scientific research for public interest, such as “research addressing unmet medical needs, including for rare diseases, or emerging health threats.” (EHDS Regulation Recital 54)

3. Health Data Categories Concerned by the EHDS Regulation

The EHDS Regulation specifies the categories of health data that health data holders must share, and which may be requested for access, including:

• Genetic, epigenomic, genomic, proteomic, transcriptomic, metabolomic, lipidomic, and other omic data
• Data from clinical trials, clinical studies, clinical investigations, and performance studies (note that clinical trial and clinical investigations data may be shared once the trial has ended)
• Personal health data automatically generated through medical devices and “other” health data from medical devices (note that it is not specified what “other” means)
• Health data from biobanks and associated databases
• Healthcare-related administrative data, including on dispensations, reimbursement claims, and reimbursements
• Data from registries for medicinal products and medical devices
• Data from medical and mortality registries
• Data from population-based health data registries (i.e., public health registries)
• Data from health research cohorts, questionnaires, and surveys after the first publication of the results
• Data on professional status, and on the specialization and institution of health professionals involved in the treatment of a natural person
• Data from wellness applications

These are the minimum categories of health data concerned by the EHDS Regulation, though EU Member States may add additional categories of health data at the national level.

4. Protections

The EHDS Regulation acknowledges that health data may be protected by intellectual property rights (IPR), trade secrets, or regulatory data protection (RDP). Health data holders must inform the HDAB about these protections and justify their necessity.

For clinical trial and clinical investigations data, the EHDS Regulation adopts a more cautious approach, stating that such data “should be made available to the extent possible, while taking all necessary measures to protect intellectual property rights and trade secrets.”

The HDAB ultimately determines whether the health data requires protection measures before being shared, and specifies the applicable measures (i.e., legal, organizational, and technical measures, or contractual arrangements between health data holders and health data applicants). If the HDAB concludes that sharing the health data poses a serious risk to IPR, trade secrets, or RDP, it may reject the data application/request.

5. International Health Data Transfers

The EHDS Regulation allows health data applicants established in non-EU countries to request access to health data if their country:

• Complies with the EHDS Regulation
• Provides health data applicants established in the EU access on terms and conditions equivalent to those of the EHDS Regulation
• Has confirmation from the European Commission that the two criteria are met

For international transfers of non-personal health data (as referred to in Article 88 of the EHDS Regulation) from the EU to a non-EU country, the EHDS Regulation classifies data as highly sensitive if there is “a risk of re-identification through means going beyond those reasonably likely to be used, in particular in view of the limited number of natural persons to whom those data relate, the fact that they are geographically scattered or the technological developments expected in the near future.” (EHDS Regulation Article 88.1) Specific conditions for such international transfers of highly sensitive data will be set out in a future delegated act under the EU Data Governance Act, which has not yet been adopted.

6. Other Elements

Other elements that may be relevant for Life Sciences companies include:

• Stricter national measures: EU Member States may impose stricter measures and safeguards for sensitive data categories (e.g., genetic data and health data from biobanks).
• Obligation to publish results of data use: When health data is used for secondary purposes, the results of the use must be published within 18 months in an anonymized format.
• Penalties: Health data holders and users of health data for secondary use who fail to comply with the EHDS Regulation may face penalties from HDABs, such as exclusion from accessing health data for up to five years or penalty payments.
• Gradual application of the EHDS Regulation:
  • Primary use and general provisions: The EHDS Regulation will apply two years after it becomes law (i.e., March 25, 2027). This includes provisions on primary use, and other provisions such as regarding international health data transfers and non-personal health data requests.
  • Secondary use: Provisions on the secondary use of the data (except for specific data such as human genetic, molecular, or clinical trials data) will apply four years after the EHDS Regulation becomes law (i.e., March 25, 2029).
  • Previously excluded data: Provisions on secondary use of previously excluded data types (e.g., genetic, molecular, or clinical trials data) will apply six years after the EHDS Regulation becomes law (i.e., March 25, 2031).

How Companies Can Prepare

The implementation of the EHDS Regulation is likely to raise unresolved questions, which future European Commission implementing regulations or guidelines may clarify. Some uncertainties include: whether the obligations of the EHDS Regulation will apply to datasets produced before the EHDS comes into effect, the criteria that HDABs will use to decide on the protection of sensitive and confidential information, or how the opt-out mechanism for patients will be handled.

Companies that may qualify as health data holders should prepare ahead of the application of the EHDS Regulation by adapting and setting up internal procedures and policies (e.g., with data redaction procedures and identifying the data subject to the sharing obligations under the EHDS Regulation). Additionally, companies could also train the relevant personnel on the practical aspects of the EHDS. These steps may help ensure compliance and allow companies to take full advantage of the opportunities for accessing health data under the EHDS Regulation.

Next Steps

The EHDS Regulation will become law on March 25, 2025, 20 days after its publication in the EU Official Journal.

To facilitate a harmonized implementation of the EHDS Regulation, guidelines on the secondary use of health data will be published and open for consultation in Autumn 2025 and Spring 2026.

© Arnold & Porter Kaye Scholer LLP 2025 All Rights Reserved. This Advisory is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.