Keeping pace at national and European level.

The European Health Data Space (EHDS) turned one year old this month – yet it is still very much in its infancy. The EHDS Regulation was published in the Official Journal of the European Union on 5 March 2025 and entered into force on 26 March 2025. Around one year later, it is becoming clear how extensive the remaining work and implementation steps are that are still required to make the legislation “operational” – both at EU level and at national level in Germany.

German progress

For the national implementation, Germany has already adopted two key laws on primary and secondary data use with the Digital Act and the Health Data Use Act. The current focus is on the Federal Ministry of Health (BMG), from which a draft bill for a further law is expected – a law on data and digital innovation in healthcare  - “Gesetz für Daten und digitale Innovation im Gesundheitswesen”. This is intended to further specify the national implementation of the EHDS. Planned measures include binding interoperability requirements between IT systems, new responsibilities for supervision and implementation, as well as a strengthened role for the digital health agency gematik in operating the digital infrastructure. In substantive terms, the focus is also on cross-border data exchange via MyHealth@EU, improved access to health data for research and innovation, as well as new rules for health data access bodies, data subject rights, and the use of health insurance and care data.

European progress

The EHDS Regulation provides for almost 30 implementing acts that must be prepared by the European Commission in the coming years to further specify the new rules – in some cases with tight deadlines by 2027, in others with longer implementation periods. They concern key issues of primary and secondary data use as well as aspects of governance, cooperation and supervision. All of this takes place under the EU comitology procedure, through which the European Commission adopts so-called implementing acts under the control of the Member States. Many crucial detailed questions are therefore only being clarified now, after the EHDS Regulation established the overarching framework.

The EHDS Board as steering body

The first and therefore particularly important step was the establishment of the EHDS Board. On 8 April, the first implementing regulation on the organization and working methods of this body was published in the Official Journal of the EU. The Board under Article 92 of the EHDS Regulation supports the implementation of the EHDS, discusses draft implementing acts and votes on them. It therefore serves as the central steering forum for European implementation.

In addition, three further implementing acts are currently under discussion and have already been published in draft form.

Identity and authentication management

One draft concerns identity and authentification management. It provides for rules on an interoperable, cross-border identification and authentication mechanism for citizens and health professionals in line with the eIDAS Regulation. This creates the basis for practically implementing secure access to health data via MyHealth@EU. The key legal basis here is Article 16 of the EHDS Regulation.

Cross-border exchange of personal health data (MyHealth@EU)

A further draft concerns MyHealth@EU – the European infrastructure for the exchange of personal health data, such as patient summaries or prescriptions. It sets out detailed technical and organizational requirements, including the role of the European Commission as processor of personal data. The legal basis is found primarily in Article 23 of the EHDS Regulation.

Dataset descriptions

The third draft is an implementing regulation on dataset descriptions. It lays down which information health data holders will in future have to submit about their datasets to the access bodies so that these can be included in national and European dataset catalogues. Covered datasets include, for example, health insurance claims data, hospital and registry data, study data, or user-authorized data from electronic health records. Information to be provided includes the origin, content, scope and access conditions of the data. The aim is a common European standard so that datasets can be found more easily, compared more effectively and used for secondary use purposes. The legal basis is found, among others, in Article 77 of the EHDS Regulation.

Against the background of the many open detailed questions and the wide range of implementation processes, the complexity of the next steps becomes clear. To return to the metaphor used at the beginning: the EHDS may now be one year old, but it is still in its infancy. Many of its practical first steps are only now being taken. With developments progressing in parallel at national and European level, it will be crucial that it moves in the same direction and does not stumble along the way. Only if regulation, technical implementation and governance are closely aligned will the EHDS be able to realize its full potential.