The regulation is adopted and 29 countries are implementing — but the hardest part of Europe’s health data ambition lies ahead
On 5 March 2025, Regulation (EU) 2025/327 — the European Health Data Space — was published in the Official Journal of the European Union and entered into force 20 days later. The regulation had been in negotiation since the Commission’s initial proposal in May 2022, moving through the European Parliament and Council against the backdrop of persistent disagreement over the balance between data access for research and the protection of individual health information. Its adoption was, in the language of EU policymaking, a significant moment. What it does not mark, however, is the resolution of the harder political and technical questions the EHDS framework raises — questions about implementation capacity, data infrastructure readiness, and whether the regulation’s ambitions can be delivered by the deadlines it sets.
The EHDS is structured around two distinct but related ambitions. The first — primary use — concerns the exchange of personal health data for direct care: enabling a patient’s electronic health record to follow them across borders, ensuring that a Finnish patient treated in a Portuguese hospital can have their prescription dispensed, or their medical history accessed by a treating clinician. The second — secondary use — concerns the deployment of health data, typically in de-identified or aggregated form, for research, public health surveillance, and policy analysis. Both ambitions are operationally complex; they face different obstacles and move on different timelines.
Primary Use: MyHealth@EU and the Cross-Border Infrastructure
The primary use framework builds on an infrastructure that has been under development for more than a decade. MyHealth@EU — the EU’s central interoperability platform for cross-border exchange of health data — began as a project connecting a handful of member states for the exchange of patient summaries and electronic prescriptions. By the time the EHDS regulation entered into force, a significant number of EU countries had connected to the platform in at least one service domain, though coverage remained uneven and functionality limited compared to what the EHDS envisions. The TEHDAS2 joint action — involving 29 countries and running until December 2026 — is providing the preparatory infrastructure and governance frameworks that member states need to meet the regulation’s deadlines.
Under the EHDS timeline, the first group of priority data categories — patient summaries and ePrescriptions — must be exchangeable across all 27 member states via MyHealth@EU by March 2029. A second group, covering medical images, laboratory results, and hospital discharge reports, is required to follow by March 2031. These deadlines reflect both a recognition that the infrastructure buildout is technically demanding and a political judgment that too long a timeline risks losing momentum and allowing national divergence to deepen.
Achieving the 2029 target will require member states that have made limited progress on electronic health record infrastructure to close significant gaps in a compressed timeframe. Countries with well-developed national EHR systems — Estonia is frequently cited as a reference case, having operated a nationwide digital health record since 2008 — face a different challenge: ensuring their existing systems can interoperate with the EHDS standards, which may require technical adaptation rather than fresh construction. The EHDS regulation requires member states to appoint National Digital Health Authorities by June 2025, creating the governance structures that will oversee national compliance — a deadline that itself represents a test of implementation seriousness. Health Data Access Bodies, which will govern secondary use of health data, must be established by March 2027.
The regulation also extends the reach of existing patients’ rights regarding their own health data, building on the framework established by Directive 2011/24/EU on cross-border healthcare. Individuals will be entitled to access their health data through the MyHealth@EU infrastructure and to exercise data portability rights across borders. A patient data access service — providing individuals with a personal health data space — is among the regulation’s mandated features. How robustly these rights will be operationalised, and whether the user experience will be accessible to people with limited digital literacy, are questions that the implementing acts expected through 2027 will need to address. The challenge of the digital skills gap in healthcare extends to patients as well as professionals — and without functional digital literacy support, formal data access rights risk remaining theoretical.
Secondary Use: Research Access and the GDPR Tension
The secondary use framework is, in several respects, the regulation’s more politically contested element. It establishes a system under which researchers, health authorities, and commercial entities can apply to access health data — held by healthcare providers, public health agencies, and other data holders — for purposes including clinical research, pharmacovigilance, and health technology assessment. Access is mediated by Health Data Access Bodies, which each member state is required to establish, and is channelled through HealthData@EU — a cross-border infrastructure for secondary use that has been operational as a pilot since 2022.
The tension between secondary data access and the protections established by the General Data Protection Regulation generated significant debate during the EHDS negotiation. The European Data Protection Board and the European Data Protection Supervisor raised concerns that provisions creating a presumption of access for certain research purposes could weaken rather than reinforce individual rights, particularly regarding sensitive health information. The final text attempted to address these concerns by anchoring secondary use in existing GDPR legal bases — Recital 52 explicitly connects secondary use permissions to Article 9(2)(j) of the GDPR, the research and public interest provision — and by requiring access to occur within ring-fenced technical environments that prevent re-identification and restrict data use to approved purposes.
The practical architecture for secondary use draws on Privacy Enhancing Technologies — techniques including synthetic data generation, federated analysis, and differential privacy — that allow researchers to extract analytical value from health datasets without direct access to identifiable records. The HealthData@EU pilot has been testing these approaches since 2022, generating experience of the technical challenges of cross-border federated analysis, where computation is distributed across national data nodes rather than centralised. The pilot has also exposed governance fragmentation: different national legal frameworks for research data access, varying definitions of what counts as anonymised data, and inconsistent interpretations of research ethics requirements have complicated the cross-border dimension of secondary use even at the pilot stage.
Implementation Realities: Capacity Gaps Across 27 Member States
The EHDS regulation was designed to apply uniformly across 27 member states with highly variable digital health infrastructure. The implementation challenge is, at its core, a capacity challenge: the technical, administrative, and financial capacity to deliver a fully interoperable cross-border health data infrastructure varies considerably across the EU, and the regulation does not resolve that variation — it creates obligations that expose it.
Several member states face the dual challenge of upgrading national EHR infrastructure while simultaneously building the new governance structures — National Digital Health Authorities, Health Data Access Bodies — that the regulation requires. The European Commission has allocated funding through the Digital Europe Programme to support member states’ digital health investments, but the amounts involved are modest relative to the buildout required in countries starting from a low baseline of EHR digitisation. The pattern familiar from previous EU health policy initiatives — Northern and Western European countries moving at speed, Central and Eastern European countries constrained by administrative and fiscal capacity — is likely to repeat in EHDS implementation, potentially resulting in a two-tier health data space that contradicts the regulation’s universalist ambitions.
The regulation’s governance architecture also creates coordination requirements between bodies that do not yet exist. National Digital Health Authorities are required to cooperate through a European Digital Health Authority — a body the regulation establishes, with responsibilities including issuing guidelines, certifying interoperability components, and managing the MyHealth@EU infrastructure. The practical standing-up of these institutions, with appropriate expertise and resources, will determine whether the implementation timeline can be met.
The 2029 Milestone and Beyond: What the Timeline Actually Means
The EHDS implementation timeline is structured to create accountability through specificity, but the milestones tell only part of the story. By January 2026, healthcare providers and EHR systems are required to certify their systems for interoperability and security compliance under the new standards — a requirement that, if enforced, would expose significant gaps in several member states. By March 2027, the Commission is required to have adopted several key implementing acts providing detailed operational rules. The 2029 deadline for priority data exchange represents the earliest point at which the primary use framework becomes fully operational across the EU.
What the timeline does not resolve is the question of functional quality. A patient summary exchanged via MyHealth@EU in 2029 will only be clinically useful if it is complete, structured consistently with clinical practice, and accessible to treating clinicians in a format that integrates with their workflows. Electronic health records in many EU member states are digitised in form but fragmented in practice — different systems used by primary care, hospitals, and specialist services, with limited interoperability even at the national level. Achieving cross-border data exchange of genuine clinical utility requires addressing those national integration failures, not merely connecting national systems to a cross-border platform.
The EHDS also intersects with the EU’s broader digital health agenda in ways that complicate the implementation picture. The regulation’s secondary use framework creates data infrastructure that will be essential for training and validating AI-powered diagnostics, but the timeline for secondary use operational readiness extends beyond 2029 for many data categories. The interaction between EHDS implementation and the EU AI Act’s requirements for high-quality training data for health AI systems creates a sequencing challenge: the data governance architecture needed to support health AI development will not be fully operational for several years after the AI Act’s compliance obligations begin to apply.
Measuring Progress: What to Watch
The EHDS regulation creates a dense set of obligations with specified deadlines, which means that progress — or the absence of it — should be more visible than is typical for EU health policy. Several early indicators will signal whether the implementation trajectory is on course. The completeness and quality of National Digital Health Authority designations across all 27 member states by June 2025 will provide a first data point. The Commission’s schedule for adopting implementing acts through 2025 and 2026 will indicate whether the regulatory architecture is being built at the speed the timeline requires. And the HealthData@EU pilot’s evolution from experimental to operational, including the volume and quality of approved research data access requests, will test whether secondary use governance works in practice.
What the regulation cannot guarantee is political will sustained over a multi-year implementation period that will extend across at least two European Commission mandate cycles. The ambition embedded in the EHDS — a genuinely interoperable European health data infrastructure that enables both better care across borders and a world-class research environment for health science — is real. The distance between that ambition and current implementation reality is also real. Closing that distance is an administrative and political project as much as a technical one, and the record of EU digital health initiatives suggests that the technical challenges are easier to solve than the governance ones.
