The European Health Data Space (EHDS) Regulation, which came into effect on 26 March 2025, introduces new requirements governing the management and cross-border sharing of health data across the EU. Designed to facilitate research, innovation and medical breakthroughs while reinforcing patient rights by enhancing their ability to control and access their personal data, the EHDS Regulation imposes specific obligations on life sciences companies dealing with sensitive medical data. For businesses operating in pharmaceuticals, medical devices or AI-driven diagnostics, Data Protection Officers (DPOs) are uniquely positioned to support the privacy function in navigating the EHDS Regulation successfully, ensuring compliance while balancing it against strategic opportunities.

Core obligations under the EHDS Regulation

Unlike the broader data protection framework established under the GDPR, the EHDS Regulation focuses explicitly on health-related datasets and establishing standardised processes for anonymised or pseudonymised data sharing through centralised platforms.

A core aim of the Regulation is to give patients greater control over their electronic health data; it establishes a formal right for individuals to access and obtain copies of their personal electronic health records instantly, free of charge, in a readable format. Article 15 of the EHDS Regulation confirms that the framework builds on data portability and requires that health professionals accept electronic health data shared from other Member States via the common European format. In practice, this means hospitals and clinicians must not obstruct patient data sharing. If a patient brings their records from another EU country in the European EHR Exchange Format, providers are expected to take that data into account.

Life sciences businesses may act as both data holders and data users under the EHDS Regulation. As data holders, life sciences companies are required to share specific health datasets in anonymised or pseudonymised form with authorised entities, including researchers or public health authorities. These datasets can include clinical trial outcomes, genomic information or patient registries. Data-sharing requests must be submitted through national Health Data Access Bodies (HDABs), which manage and coordinate cross-border data transfers via the EU-wide HealthData@EU platform.

Data sharing timelines are tightly regulated. For example, businesses must respond to HDAB requests within three months, while HDABs themselves have two months to prepare datasets. Critically, the EHDS Regulation prohibits the use of shared data for commercial advertising, insurance underwriting or employment decisions.

Patients have the right to opt out of secondary use of their data at any time, without providing reasons. Companies must respect these opt-outs by filtering out or excluding opted-out patients' data when fulfilling data requests. Compliance teams should actively monitor opt-out rates and engage with HDABs to manage data accordingly, recognising that national variations in opt-out implementation can lead to compliance errors if overlooked. Non-compliance with the Regulation risks fines of up to €10 million or 2% of the business's global turnover, alongside reputational damage from public opt-outs.

A three-phase roadmap for compliance

Preparing for the EHDS Regulation requires a structured approach that integrates existing GDPR processes with new sector-specific requirements. Most obligations will apply from 2029, giving stakeholders time to prepare. By 2027, the EU will issue implementing acts with technical and procedural details. From 2029, key provisions such as cross-border health data exchange and rules on secondary use will become operational. The scope will expand further by 2031 to include more health data categories. Impacted organisations should therefore align their compliance planning with this phased implementation timeline; structuring compliance efforts in three phases that follow these milestones helps ensure a smooth transition to full EHDS Regulation compliance:

  • The first phase involves mapping and assessing all health data assets. Businesses should begin by thoroughly mapping all health data under their control, including clinical trial records, genomic databases, historical patient data, and any data managed by third-party vendors. A comprehensive data mapping exercise helps identify compliance gaps. Recommended practical tools at this stage include standardised data mapping templates and data inventory management software.
  • Phase two focuses on legal and technical risk mitigation. IT and governance teams should align and enhance privacy controls in line with secure processing requirements. Operational processes must support secondary-use requests, with properly pseudonymised data delivered through compliant environments. Differential privacy techniques, which add statistical noise to datasets, have proven effective in maintaining research utility while preventing individual identification. Organisations should reference guidance provided by the European Data Protection Board (EDPB) on acceptable anonymisation standards and tools, ensuring consistent compliance practices. Testing processes in 2028 will help ensure readiness for 2029.
  • The final phase focuses on entrenching ongoing governance mechanisms. Starting in 2029, organisations must see EHDS Regulation compliance as daily practice and establish persistent monitoring and governance procedures to maintain adherence. Effective approaches include deploying automated tools to track data access, regularly scheduled internal audits, and implementing real-time logging to detect and manage compliance incidents. Organisations should also maintain up-to-date Records of Processing Activities (ROPAs), clearly documenting EHDS-specific data flows and ensuring transparency in case of regulatory inquiries.

The critical role of DPOs in EHDS Regulation compliance

For Data Protection Officers (DPOs), the EHDS Regulation introduces an additional layer of sector-specific complexity on top of the existing obligations under the GDPR. Their key responsibilities have expanded to include conducting detailed data flow analyses to pinpoint datasets regulated by the EHDS Regulation, liaising with Health Data Access Bodies (HDABs) to streamline responses to data requests, overseeing third-party vendor audits with a strong emphasis on ISO 27001 certification and data anonymisation techniques, and developing opt-out management protocols that balance compliance with the continuity of research. Proactive DPOs are integrating EHDS Regulation requirements into broader data governance strategies, which involves updating records of processing activities to highlight EHDS-specific obligations and delivering staff training programmes focused on the principles of ethical data reuse.

Strategic opportunities and operational challenges

The EHDS Regulation offers significant advantages for proactive life sciences companies. Centralised access to anonymised EU-wide datasets through the HealthData@EU platform could accelerate research timelines, particularly for rare disease treatments, where fragmented data currently delays breakthroughs. However, operational hurdles threaten to undermine these benefits. Variations in HDAB implementation across Member States create inconsistencies in data request handling, while unresolved questions about dataset standardisation risk duplicative compliance efforts.

Crucially, the EHDS Regulation redefines health data as a collective European asset. Its potential to drive personalised medicine and pandemic preparedness will only materialise if businesses maintain public trust through rigorous privacy protections and unambiguous ethical guidelines for data reuse.

HewardMills' team of life sciences data protection experts can support your business in effectively preparing for the EHDS Regulation. Our specialists provide practical tools and detailed data mapping templates designed specifically for life sciences organisations managing sensitive health data. With strategic guidance from HewardMills, you can confidently address EHDS Regulation compliance requirements while unlocking new opportunities for research innovation and business growth.