Navigating EHDS: Key compliance steps

The EHDS is not just another compliance checkbox. It is a structural shift in how healthcare data is governed, exchanged, and reused across the EU. For providers, payers, digital health companies, and researchers, this means moving from siloed systems to interoperable, patient-centric, and purpose-bound data flows. The regulation gives us a clear direction; implementing it requires deliberate, incremental planning across architecture, processes, and product. Crucially, the EHDS does not operate in isolation—it intersects with the GDPR, the AI Act, NIS2, and the forthcoming implementing acts that the Commission must finalize by March 2027.

Implementation roadmap: know your deadlines

Before diving into the compliance checklist, it is essential to internalize the phased timeline. The regulation entered into force in March 2025, but full enforcement is staged over a decade:

March 2025 — Regulation enters into force; transition period begins. Member States must start appointing National Digital Health Authorities (NDHAs) to oversee national implementation.

March 2027 — Deadline for the Commission to adopt key implementing and delegating acts that will define the technical and procedural details for the entire regulation. EHR system certification requirements become operative.

March 2029 — First major enforcement milestone. Primary-use exchange of Patient Summaries and ePrescriptions/eDispensations must be operational across all EU Member States via MyHealth@EU. Most secondary-use provisions—including access to electronic health records for research—enter into application.

March 2031 — Second group of primary-use data categories goes live: medical images, laboratory results, and hospital discharge reports. Clinical trial and human genetic data obligations for secondary use also apply from this date.

March 2035 — Third countries and international organisations may become authorised participants in HealthData@EU if they meet the required standards.

Non-compliance carries significant financial consequences: fines of up to €20 million or 4% of total worldwide annual turnover—whichever is higher—plus periodic penalty payments for each day of delayed data access.

Your practical compliance checklist

The following checklist outlines what to prioritize now, what to align in parallel, and how to build foundations that will last across all enforcement phases.

1. Scope first: classify primary vs. secondary use

Inventory your data flows and label them as primary use (care delivery: direct patient care, prescriptions, referrals) or secondary use (research, evidence-based policy, regulatory decisions, innovation). Obligations differ substantially by category, and the EHDS text explicitly structures legal requirements—rights, duties, and governance mechanisms—around this split ^[1]. Misclassification is one of the most common and costly compliance errors; address it at the data architecture level, not as an afterthought.

2. Understand the dual supervisory landscape

The EHDS introduces a layered oversight structure. Data protection authorities retain full competence to supervise GDPR compliance, while newly established Health Data Access Bodies (HDABs) will oversee the sectoral access regime, data permits, fees, and secondary-use conditions ^[7]. Both sets of obligations run concurrently. Map your processing activities against both regimes, and ensure your DPO and compliance teams are briefed on the interaction between GDPR and EHDS rules—they are complementary, not duplicative.

3. Engage with your national HDAB early

Member States are establishing HDABs as national intermediaries between health data holders and users. These bodies will evaluate secondary-use access requests, issue data permits, and maintain national dataset catalogues compliant with the HealthDCAT-AP metadata standard ^[6]. Health data holders are required to communicate the datasets they hold to their national HDAB and keep those dataset descriptions accurate and up to date at least annually ^[5]. Start that dialogue now: understand what the HDAB in your jurisdiction expects, and build the internal processes to meet catalogue and reporting obligations before they become mandatory.

4. Make interoperability a baseline, not a project

Align your data models, APIs, and EHR systems to the European Electronic Health Record Exchange Format (EEHRxF), whose technical specifications the Commission will finalize by March 2027. Expect profiles grounded in HL7 FHIR resources, standardized coded terminologies (SNOMED CT, LOINC, ICD), and machine-readable datasets that EHR systems must both ingest and emit ^[1][3][4]. EHR vendors will also be required to obtain certification demonstrating conformance with the EEHRxF—plan for this in your product roadmaps and procurement cycles. Interoperability is no longer optional; it is a legal prerequisite.

5. Operationalize patient rights as product features

Individuals must be able to access, download, transmit, and—where applicable—restrict access to their personal health data through a national electronic health data access service (portal or app). This includes proxy access for dependants and a clear mechanism for rectification of inaccurate data ^[1][8]. The EHDS also introduces a patient opt-out mechanism for secondary use: individuals can decide whether their health data may be used for research and policy purposes, and this opt-out must be technically enforceable in your data pipelines. Build these as first-class product features—not compliance bolt-ons—backed by human-readable audit logs that patients can themselves inspect.

6. Prepare for cross-border infrastructure

Two EU-level digital infrastructures are central to EHDS operation. MyHealth@EU handles primary-use cross-border exchange (Patient Summaries, ePrescriptions, imaging reports). The emerging HealthData@EU federated platform will enable cross-border discovery and access for secondary-use data, connecting national HDAB catalogues and secure processing environments ^[7][9]. Design your systems now for conformance with both: ensure you can produce standards-compliant datasets for MyHealth@EU profiles, and that your metadata is structured for HealthDCAT-AP cataloguing ahead of the 2029 deadline.

7. Build for data permits, not data dumps

Under the EHDS, access to health data for secondary use is not automatic. Applicants—researchers, public authorities, life-science companies—must submit a formal request to the relevant HDAB, which evaluates it against criteria including intended purpose, adequacy of safeguards, GDPR compliance, and the public-interest value of the proposed use ^[5]. Only after a permit is issued may data be accessed, and processing must take place within accredited secure processing environments (SPEs)—not on the applicant's own infrastructure. Build your pipelines to produce minimally necessary, de-identified datasets with full provenance metadata, and design your data architecture to support permit-scoped, time-limited access from the outset.

8. Security and governance by design

Anchor your controls in ISO/IEC 27001 and align with NIS2 where applicable—particularly around incident reporting timelines, supply chain risk management, and essential-service classification. At the technical level, implement zero-trust access controls, granular RBAC/ABAC policies tied to both user roles and processing purposes, end-to-end encryption with robust key management, and immutable, queryable audit trails ^[10]. Security and confidentiality controls are explicitly listed in the EHDS as preconditions for HDAB-authorised access; they are not optional enhancements. Build them into your baseline architecture, not into a separate compliance layer.

9. Align AI and analytics governance early

The EHDS intersects directly with the EU AI Act, which classifies many healthcare AI systems as high-risk and imposes requirements for transparency, human oversight, and technical robustness. Maintain model registries, data lineage documentation, evaluation reports, and risk logs for any AI system trained on or processing health data. For secondary-use workloads, ensure reproducible analytical workspaces—signed notebooks, pinned and versioned datasets—that are explicitly tied to a data permit, a stated purpose, and an expiry ^[1]. Treat AI governance as part of your EHDS compliance programme, not as a parallel track.

10. Catalogue your datasets and maintain them actively

One of the most operationally intensive obligations for health data holders is the requirement to maintain accurate, structured dataset descriptions in national HDAB catalogues. These must conform to the HealthDCAT-AP metadata profile and be updated at least annually. Start by inventorying all datasets that could fall within EHDS scope—EHR data, imaging repositories, genomic datasets, clinical trial records, wellness-app data where health-relevant—and assign dataset owners accountable for catalogue maintenance. Poor catalogue quality is likely to be an early friction point in the permit-approval process; address it proactively.

11. Document once, reuse often

Centralize your policies and standard operating procedures—data subject rights workflows, de-identification protocols, incident response plans, EEHRxF/FHIR conformance documentation, DPIAs, and HDAB reporting templates—in a versioned, living repository that your auditors, legal team, and engineering teams can all access and trust. The EHDS will generate significant documentation obligations over the coming years; build the infrastructure for managing them now, not when the deadlines arrive.

EHDS rewards teams that turn compliance into product craft—clean interfaces, predictable pipelines, verifiable logs, and auditable AI. The organizations that invest in this now will face fewer downstream costs and move faster when the enforcement milestones arrive.

The EHDS will unfold over a decade, but the implementation clock is already running. The organizations that align early—on interoperability, patient rights, dataset cataloguing, and security by design—will be better positioned to participate in cross-border care delivery, access EU research data ecosystems, and build trust with patients and regulators alike. Think of this not as a regulatory burden, but as a long-overdue modernization of health data infrastructure: interoperability as a foundation, patient agency as a feature, and governed access as a competitive advantage. Start with your data inventory, identify your EHDS obligations by role, and build momentum one milestone at a time.