The European Health Data Space (EHDS), enacted as Regulation (EU) 2025/327, entered into force on 26 March 2025. The first wave of obligations on patient access, provider duties, and MyHealth@EU connectivity becomes applicable on 26 March 2027, with manufacturer conformity for Electronic Health Record (EHR) systems following on 26 March 2028 and the secondary-use regime under Chapter IV starting 26 March 2029. Healthcare CIOs in insurance carriers, ministries, hospitals, established healthcare companies, and digital-health ISVs have a 22-month window to get their patient-record systems, consent flows, and cross-border interfaces ready.
What EHDS is, in one paragraph
The European Health Data Space is a horizontal regulation, separate from the General Data Protection Regulation (GDPR) and the Medical Device Regulation (MDR), that creates a single set of rules for two uses of electronic health data across the 27 member states. Primary use covers a citizen's right to access, port, and transmit their own personal health record to any provider in any member state through the central MyHealth@EU platform. Secondary use covers reuse of pseudonymised or anonymised data for research, innovation, policy-making, regulatory activity, and public-interest statistics, governed by Health Data Access Bodies (HDABs) and the HealthData@EU network. The regulation was published in the Official Journal on 5 March 2025 and applies in phases through 2031. Sources: EUR-Lex Regulation (EU) 2025/327, European Commission EHDS page.
The rollout timeline by milestone
The table below consolidates the dates fixed in the regulation text and the implementing-act deadlines the Commission must hit. Where a date depends on a future implementing act, the row says so plainly.
MilestoneEffective dateWho it applies toWhat needs to be readyRegulation enters into force26 March 2025All EU and EEA member statesTransition phase begins. Member states start appointing national digital health authorities.National Digital Health Authority designationBy 26 March 2027Each member state ministry of healthNamed authority for primary use, named Health Data Access Body for secondary use, published contact details to the Commission.Commission implementing acts dueBy 26 March 2027European CommissionDetailed rules on EEHRxF technical specifications, conformity assessment for EHR systems, data quality and utility label, and secure processing environment requirements.Chapter II and III primary use applies26 March 2027Public and private healthcare providers, payers handling clinical dataPatient rights to electronic access. MyHealth@EU connectivity for Patient Summary and ePrescription. National contact point for digital health operational.EHR system manufacturer obligations apply26 March 2028EHR vendors placing systems on the EU marketConformity declaration against the European Electronic Health Record Exchange Format (EEHRxF). CE-style marking for interoperability and security. Technical documentation, post-market monitoring.Chapter IV secondary use applies26 March 2029Health Data Access Bodies, data holders, data usersHDABs operational. HealthData@EU node live. Data permits issued. Secure processing environments certified. First priority categories exchangeable: Patient Summary, ePrescription, eDispensation.Second wave of priority categories26 March 2031All healthcare providers and EHR vendorsMedical imaging studies and reports, laboratory results, hospital discharge reports exchangeable across MyHealth@EU.Genomic and registry secondary useEffective date pending implementing acts, expected 2031Genomic registries, disease registries, clinical-trial sponsorsConformity of registry datasets to the EEHRxF, data quality label assigned, federated query support.
Sources: EUR-Lex Regulation (EU) 2025/327, EY tax alert on Regulation 2025/327, European Commission EHDS rollout page.
Country-by-country: where are the national rollouts now?
Germany. The elektronische Patientenakte (ePA) entered the nationwide "ePA für alle" phase in January 2025, with statutory health insurance funds auto-provisioning a record for every insured citizen unless they opt out. Since 1 October 2025, use of the ePA has been mandatory for physician practices, hospitals, and other care providers under §75c SGB V. gematik administers the telematics infrastructure and publishes the conformance specifications that EHR and practice-management vendors test against. The German Health Data Use Act (Gesundheitsdatennutzungsgesetz, GDNG) creates the secondary-use rails that will connect to the EHDS HealthData@EU node once Chapter IV applies in 2029.
France. Mon espace santé, run by the Caisse nationale de l'assurance maladie (CNAM) and the Agence du Numérique en Santé (ANS), reached near-universal automatic enrolment in 2022. Health-data hosting on French soil falls under the Hébergeur de Données de Santé (HDS) certification, governed by ANS. The Commission Nationale de l'Informatique et des Libertés (CNIL) is the data protection authority for the GDPR Article 9 conditions that EHDS layers on top of. France's Health Data Hub already operates as a national secondary-use platform and will need to align its data permit workflow with the HDAB model defined in Chapter IV.
Italy. The Fascicolo Sanitario Elettronico (FSE) 2.0 is the national EHR, coordinated by the Ministero della Salute and AGENAS, with regional implementations across the 21 regions and autonomous provinces. The Garante per la protezione dei dati personali oversees GDPR enforcement and has issued specific guidance on FSE secondary use that hospital CIOs must reconcile with EHDS rules. The 2022 PNRR funded the FSE 2.0 upgrade, and Italy has committed to MyHealth@EU connectivity for Patient Summary and ePrescription within the 2027 window.
Spain. The Historia Clínica Digital del Sistema Nacional de Salud (HCDSNS) connects the 17 autonomous communities through the Ministerio de Sanidad. Each autonomía runs its own EHR (Diraya in Andalucía, HCE in Cataluña, Selene in Madrid, and others), with the national layer brokering portability between them. The Agencia Española de Protección de Datos (AEPD) is the GDPR authority. Spain already participates in MyHealth@EU for ePrescription with several member states, which gives Spanish hospitals a head start on the 2027 primary-use deadline.
Netherlands. The Landelijk Schakelpunt (LSP), operated by the Vereniging van Zorgaanbieders voor Zorgcommunicatie (VZVZ), is the national exchange backbone for general practitioners, pharmacies, and hospitals. MedMij is the open standard for patient-mediated exchange between providers and citizen-held personal health environments, with a published framework of agreements and a trust scheme. The Autoriteit Persoonsgegevens (AP) is the data protection authority. Dutch CIOs will need to map MedMij flows to EHDS Patient Summary semantics and confirm LSP node certification against the EEHRxF.
Nordics. Finland's Kanta service, run by Kela (Social Insurance Institution), already operates as a centralised EHR and pharmacy record for the entire population and is widely regarded as the most mature national system in the EU. Findata is the Finnish HDAB equivalent and has been issuing secondary-use data permits since 2020 under the Act on Secondary Use of Health and Social Data. Sweden runs the Nationell patientöversikt (NPÖ) under Inera, with the Integritetsskyddsmyndigheten (IMY) as data protection authority. Denmark operates sundhed.dk as the patient-facing portal on top of the National Service Platform (NSP), with the Datatilsynet as supervisory authority and a strong track record on cross-border ePrescription via MyHealth@EU.
The CIO checklist (12 items)
The most common gaps we see
Across the seven Life Value ICPs, the same gaps repeat. Insurance carriers and payers underestimate how much of their claims-adjacent data falls under EHDS secondary use, because the regulation reaches reimbursement data, not only clinical records. Public health systems and ministries appoint a National Digital Health Authority on paper but underfund its operational headcount, leaving the actual certification work to overstretched gematik-style agencies that already have national mandates. Private hospitals, clinics, and integrated delivery networks assume their EHR vendor will deliver EEHRxF conformance as a free upgrade, then discover during procurement renewal that it is a paid module. Established healthcare companies (medical-device, pharma, diagnostics, distributors, labs) treat EHDS as a data-protection problem when it is also a market-access problem, because devices generating health data feed records that must comply with EEHRxF. Healthcare ISVs and digital-health platforms build patient-facing apps without the IPS rendering capability, then have to retrofit it under time pressure. Healthtech founders pre-seed through Series B skip the conformity-declaration question entirely, which makes enterprise sales conversations stall once they reach a hospital procurement team. Individuals using patient-held personal health environments often hold data in formats that do not round-trip into a Patient Summary, which is exactly the gap a FHIR-native patient wallet closes.
What the FHIR R4 conformance audit actually looks like
A real audit on a hospital EHR or a payer claims platform runs against two specification stacks. The first is HL7 US Core (for organisations with US operations), and the second is the HL7 Europe Implementation Guides, in particular the European Patient Summary v1.0.0 and the EHDS Logical Information Models published on build.fhir.org. The audit checks the conformance of these FHIR R4 resources: Patient, Encounter, Observation, MedicationStatement, MedicationRequest, AllergyIntolerance, Condition, Procedure, Immunization, DocumentReference, DiagnosticReport, and the bundled Composition resource that ties an IPS document together. The validator of record is the HL7 FHIR Validator, run against each endpoint's Capability Statement. Every test must produce a documented pass or a documented exception with a remediation date. The output is a Conformance Statement signed by the CIO, kept on file, and referenced in the EHR vendor's technical documentation for the 2028 conformity declaration.
Where Life Value sits in this
Life Value partners with healthcare organisations on EHDS preparation through three programmes. HealthTech Consulting handles the EHDS lead role on a fractional basis: we run the PHI flow mapping, the FHIR conformance audit, and the gap analysis against EEHRxF. Agile Compliance Navigation handles the DPIA refresh, the consent and opt-out workflow design, and the cross-border data agreement review, with HIPAA, GDPR, ISO/IEC 27001:2022, and HDS as anchor frameworks. Rapid HealthTech Navigation handles the procurement-side work for hospital and payer CIOs: vendor questionnaire, EHR conformity readiness review, and the staff training plan.
On the engineering side, we maintain fhir_ips_export, an open-source Flutter package that produces a valid HL7 International Patient Summary bundle from a patient-held record, and we contribute it back to the HealthWallet.me project. This is the same on-device, FHIR-native pattern Brendan Keeler describes as the architecturally honest answer to patient-mediated exchange: the patient holds the keys, the record is portable, and the IPS bundle is the lingua franca that MyHealth@EU and every certified EHR will accept by 2027.



.webp)
.webp)
.webp)
.webp)
















.webp)
.webp)
