EHDS FAQs: Operational and Governance Perspectives

The recently published Frequently Asked Questions on the European Health Data Space (EHDS) Regulation 2025/327 sheds light on many of the practical and technical issues that stakeholders -from patients and health professionals to system manufacturers and data holders- will face as the Regulation is phased into practice. While previous discussions have provided an overview of the EHDS concept, this document delves deeper into the operational mechanisms, technical specifications and governance frameworks that will underpin its implementation.

One of the key contributions of the document is its detailed explanation of how the Regulation intends to create a robust infrastructure for both primary and secondary use of electronic health data. For primary use, the EHDS will establish secure online services that will enable patients to access and manage key categories of data, such as patient summaries, electronic prescriptions and dispensations. Of particular note is the inclusion of functionality to support data portability. Patients will be able to receive and exchange their health information using a standardised format -the European Electronic Health Record Exchange Format (EEHRxF)- designed to promote seamless interoperability between different healthcare systems. These technical measures go beyond the GDPR's traditional data portability rights, as they require both data export and import capabilities on the part of healthcare providers.

The regulation also sets out precise requirements for electronic health record (EHR) systems themselves. Manufacturers must ensure that their products include two harmonised software components: an interoperability component to facilitate data exchange, and a logging component to increase transparency of data access. The requirement for these components means that all EHR systems entering the market must pass rigorous automated testing before they are deployed. This not only promotes a level playing field among technology providers, but also assures healthcare professionals and patients that systems meet uniform standards of security and functionality.

Another important section of the FAQs deals with the obligations of health data holders and users in the context of secondary use of data. Secondary use refers to the re-use of data for purposes such as research, policy making or public health planning. The Regulation defines detailed categories of data that must be made available by data holders and sets out the phased timetable for these obligations to take effect. Importantly, it introduces mechanisms to balance the benefits of data sharing with the need to protect sensitive information. For example, health data holders will be able to notify the designated access points if their datasets contain information protected by intellectual property rights or trade secrets, thereby triggering additional safeguards.

The EHDS also introduces the concept of trusted health data holders: entities designated by Member States due to their advanced expertise and secure processing environments. These trusted holders may be given additional responsibilities, such as assessing requests for access to data or preparing data for analysis. Such measures not only streamline the administrative process of accessing data, but also enhance the overall integrity and reliability of information exchanged across borders.

Governance and oversight emerge as critical issues throughout the document. The Regulation requires Member States to establish Digital Health Authorities to oversee the implementation of the EHDS and ensure that all technical and operational requirements are met. These authorities will also manage the national contact points, which are essential for coordinating data exchange between countries. In addition, the introduction of the EHDS Board and various steering groups indicates a multi-layered approach to governance, where both high-level policy decisions and detailed technical guidelines are addressed in parallel.

Beyond the technicalities, the document places a strong emphasis on user experience and privacy. Secure access services for both patients and healthcare professionals are designed to be user-friendly, with built-in support for people with disabilities and low digital literacy. Authentication procedures, based on trusted electronic identification methods, ensure that only authorised users can access sensitive health data, while facilitating ease of use.

Overall, these FAQs document represents an important step in clarifying the operational design of the EHDS. It defines not only the roles and responsibilities of all parties involved, but also the technical and administrative processes that will ensure data interoperability, secure access and quality data governance. For those interested in the intricate details of the regulation's implementation -from automated testing environments for EHR systems to data quality labelling mechanisms- the document provides a comprehensive resource that will undoubtedly shape the future landscape of digital health in Europe.

For further context on the broader European Health Data Space initiative, please see our previous post.