The European Health Data Space Regulation (EHDS Regulation), Regulation (EU) 2025/327, has moved the European health data agenda from policy ambition to implementation. For companies within the life sciences sector, the key issue is no longer whether electronic health data will become more accessible across the European Union. The real question is how access, reuse and governance will work in practice, and how companies should prepare their research, innovation and compliance struc-tures before the main obligations start to apply.
The EHDS Regulation creates a common framework for both primary use and secondary use of elec-tronic health data. Primary use concerns access to health data for healthcare delivery, including patient summaries, ePrescriptions, eDispensations, medical imaging, laboratory results and discharge reports. Secondary use is more strategic for the life sciences sector: it allows electronic health data to be ac-cessed for research, innovation, public health, regulatory activities, patient safety, statistics, education and the development of data-driven health technologies.
That secondary-use framework is broad. It covers, among others, data from electronic health records (EHRs), administrative and claims data, registries, genetic, genomic and other omics data, data gener-ated by medical devices, data generated by health applications and certain wellness-related digital ser-vices, clinical trial and clinical investigation data, research cohorts and biobanks. For pharma, biotech, medtech and digital health businesses, this creates a new access architecture for data that has histori-cally been fragmented, difficult to locate and governed by diverging national rules.
The most important operational innovation is the role of Health Data Access Bodies (HDABs). Access to health data for secondary use will not be based on bilateral requests to hospitals, registries or public authorities alone. Instead, HDABs will act as gatekeepers. They will assess data access applications, issue data permits, request the relevant data from health data holders and provide access through secure processing environments. The framework is therefore designed as controlled access, not open access.
For companies working with artificial intelligence (AI), this is particularly relevant. The EHDS Regulation expressly recognises scientific research in the life sciences and healthcare sector as a permitted pur-pose for secondary use, including development and innovation activities as well as the training, testing and evaluation of algorithms. This includes algorithms in medical devices, in vitro diagnostics (IVDs), AI systems and digital health applications. The EHDS will therefore become closely connected to the Artifi-cial Intelligence Act (AI Act), Regulation (EU) 2024/1689, and to the Medical Devices Regulation (MDR), Regulation (EU) 2017/745, and the In Vitro Diagnostic Medical Devices Regulation (IVDR), Regulation (EU) 2017/746.
This does not make the EHDS Regulation a shortcut around data protection law. The General Data Protection Regulation (GDPR), Regulation (EU) 2016/679, remains central. The EHDS adds a sector-specific access and governance layer, with data minimisation, anonymisation or pseudonymisation, purpose limitation, transparency obligations, secure processing environments and strict rules against re-identification. It also introduces an opt-out right for individuals against secondary use, subject to lim-ited national exceptions for defined public-interest purposes.
The Regulation also draws a clear line around prohibited uses. Health data made available under the EHDS may not be used to make decisions to the detriment of individuals, to discriminate in employ-ment, insurance, credit or similar contexts, for advertising or marketing, or to develop products that may harm individuals, public health or society. This will matter for platform operators and digital health businesses as much as for traditional life sciences companies, because permitted research and innova-tion use must be separated from commercial targeting and individual decision-making.
Another key issue is the protection of intellectual property, trade secrets and regulatory data protection. The EHDS Regulation does not exclude such data from the outset. Instead, health data holders must identify protected content, and HDABs may impose legal, organisational and technical safeguards. If the risk to IP rights, trade secrets or regulatory data protection cannot be adequately mitigated, access may be refused. This is highly relevant for clinical trial sponsors, medtech manufacturers and compa-nies whose datasets contain commercially sensitive product or development information.
Timing is now becoming practical. The EHDS Regulation entered into force in 2025 and will apply in stages. The general application date is 26 March 2027. The first wave of primary-use rights and EHR-system obligations applies from 26 March 2029 for patient summaries, ePrescriptions and eDispensa-tions, with further categories such as medical imaging, laboratory results and discharge reports follow-ing from 26 March 2031. Chapter IV on secondary use also applies from 26 March 2029, with certain data categories and cross-border structures following later. In April 2026, Commission Implementing Regulation (EU) 2026/771 established the operating framework for the EHDS Board, confirming that the implementation machinery is now being built.
For life sciences companies, 2026 should therefore be treated as a preparation year. Companies should not wait until access requests begin at scale. The practical task is to map data assets, identify whether the organisation may act as a health data holder, a health data user, or both, review how da-tasets can be described, protected and made available, and align EHDS governance with GDPR, AI Act, MDR/IVDR, clinical trial and trade secret processes. The companies that prepare early will be bet-ter placed to access data lawfully, defend their own protected datasets and use the EHDS as part of a credible research and innovation strategy.
This is important | To Do | Key Takeaways etc.:
- Identify relevant EHDS roles early. A life sciences company may be a health data user when it seeks access to data for research, AI training, regulatory evidence or product development. It may also be a health data holder where it controls clinical, registry, device-generated, app-generated or research data that falls within the EHDS categories.
- Map secondary-use cases against the permitted EHDS purposes. Research and innovation use, in-cluding algorithm training and evaluation, will need to be framed clearly. Companies should separate permitted scientific or regulatory use from prohibited uses such as individual decision-making, insur-ance or employment profiling, advertising and marketing.
- Prepare dataset governance now. Data inventories, metadata, data quality information, access logs, pseudonymisation workflows and secure processing arrangements should be reviewed before HDAB processes become operational. This will reduce friction when data permits, data requests and HealthData@EU workflows begin to develop.
- Protect IP, trade secrets and regulatory data protection. Sponsors and manufacturers should identify commercially sensitive content in clinical trial, device, IVD and research datasets, and prepare ar-guments for proportionate safeguards where access requests could affect confidential know-how or regulatory exclusivity interests.
- Align EHDS readiness with GDPR, AI Act and MDR/IVDR compliance. The same datasets may sup-port clinical research, AI validation, post-market monitoring and regulatory evidence. A single gov-ernance model will be more defensible than separate data, product and AI compliance tracks.
- Monitor implementing acts and national implementation. The practical shape of the EHDS will depend on HDAB structures, templates for data access applications, secure processing environments, data quality labels, HealthData@EU and national rules on the opt-out mechanism and additional safe-guards.