Regulation (EU) 2025/327 establishes the European Health Data Space: the first common European sectoral data space, with staggered application from 26 March 2027. Interoperable health records for care, access bodies for research, and a catalogue of expressly prohibited uses. The essential coordinates of a regulation set to reshape European digital health.
With Regulation (EU) 2025/327 of 11 February 2025 “on the European Health Data Space”, the Union launched the first of its common sectoral data spaces: the EHDS. This seems the right place to set out its coordinates, given that the most advanced applications of digital health — from the patient’s digital twin to federated research infrastructures — will find in the EHDS their reference frame.
Subject-matter and calendar
Article 1 states the subject-matter: the Regulation “establishes the European Health Data Space (EHDS) by providing for common rules, standards and infrastructures and a governance framework in order to facilitate access to electronic health data for the primary use of electronic health data and the secondary use of such data”. As to the calendar, Article 105 provides that the Regulation, which entered into force on 26 March 2025, “applies from 26 March 2027”, with staggered application for the various categories of data and functionalities: certain provisions will apply from 26 March 2029 for the priority data categories (including synthetic patient health profiles and electronic prescriptions) and from 26 March 2031 for further categories. A long horizon that must not mislead: the infrastructural and organisational adaptation of health systems and operators requires the whole available period.
Primary and secondary use: the cardinal distinction
The whole framework turns on a definitional distinction. Article 2 defines “primary use” as “the processing of electronic health data for the provision of health services to assess, maintain or restore the state of health of the natural person to whom that data relates”: it is the care front, overseen by data subjects’ reinforced rights and by the interoperability of electronic health records through the MyHealth@EU infrastructure. “Secondary use” is instead “the processing of electronic health data for the purposes set out in Chapter IV […], which are different from the initial purposes for which the data were collected or produced”: scientific research, innovation, public health, policy-making, according to the exhaustive catalogue of Chapter IV.
Access bodies and data categories
Chapter IV builds the governance of secondary use around a new actor: the health-data access body. Article 55 provides that “Member States shall designate one or more health data access bodies responsible for carrying out the tasks and fulfilling the obligations set out in Articles 57, 58 and 59”: it is to such bodies that researchers and other data users must turn to obtain authorisations, with processing in secure environments. As to the information assets, Article 51 lists the minimum data categories for secondary use, from “electronic health data from electronic health records” to genetic and epigenomic data, administrative data and data on health determinants and pathogens.
The prohibited uses
Perhaps the most defining trait is the catalogue of prohibited uses. Article 54 provides that “access to electronic health data for secondary use […] and the processing of such data for the following uses shall be prohibited: (a) taking decisions that are detrimental to a natural person or a group of natural persons on the basis of their data”; there follow, among others, the prohibitions relating to discriminatory insurance and credit uses, marketing and the development of harmful products. Here is the systemic message: the sharing of health data serves the common good of research and public health, not commercial profiling or detrimental decisions about individuals.
EHDS, GDPR and the open construction site
The EHDS does not derogate from the GDPR: it overlaps with it as a special sectoral discipline, and the coordination between the two planes — from the legal bases of secondary use to data subjects’ rights, including the opt-out regime — will be the most delicate interpretive terrain of the coming years, also in light of the EDPB’s Guidelines 1/2026 on processing of personal data for scientific research purposes. For healthcare facilities, the manufacturers of electronic-health-record systems (subjected by the Regulation to specific obligations) and researchers, the 2027-2031 period will be a transition as demanding as that, now historic, of the GDPR.
Conclusions
The EHDS is the European bet to reconcile what elsewhere is in conflict: the circulation of health data and the protection of the person. The architecture is there: typified uses, access bodies, secure environments, explicit prohibitions. Its success will depend on implementation in the Member States and on citizens’ trust. In the light of the above, one wonders whether national health systems, starting with the Italian one, will be ready for the 26 March 2027 appointment, preparing in good time an infrastructure genuinely serving care and research, and not a mere documentary compliance exercise, so as to keep the promise on which the whole edifice rests: that health data serve, first of all, health.
