There is a piece of EU legislation that is already in force, carries fines of up to €20 million, and will fundamentally change how healthcare organisations handle, share, and secure patient data. Most of the healthcare executives we speak to have not yet heard of it. The European Health Data Space, known as EHDS, entered into force in March 2025, marking the beginning of a multi-year series of transition and enforcement phases. With the first of those phases arriving in early 2027, organisations have less than twelve months to understand what is required and to start building a credible response.
This article explains what EHDS is, who it affects, what it demands, and why the cyber security implications deserve serious attention from healthcare CIOs and technology leads. Whether you have been aware of EHDS and putting action off, or whether this is the first time you have seen the acronym, the position is the same: the time to act is now.
This piece builds on our recent coverage of how NHS data access governance and clinical risk intersect in practice, where we examined what robust access controls look like for healthcare providers navigating increasing regulatory pressure.
The European Health Data Space is a regulation designed to create a common EU-wide framework for accessing, exchanging, and reusing electronic health data. It aims to give EU citizens portable access to their own health records across borders, enable health data to be used for research and policy purposes, and establish a single interoperable market for electronic health record systems across all 27 member states.
The regulation covers two distinct areas. The first is primary use: the right of patients and healthcare professionals to access and share personal electronic health data across borders. The second is secondary use: the structured reuse of health data for research, innovation, and public health purposes under a governed access framework.
For healthcare providers, the immediate practical significance lies in the primary use framework. Your systems and your infrastructure will be expected to participate in a standardised, interoperable European data exchange. The compliance clock is already running.
EHDS is an EU regulation, which means it applies directly in Ireland and across all EU member states without national transposition. For healthcare organisations in Ireland, it is already law. For organisations operating across both the UK and EU, it affects the EU-facing parts of your operations and any systems that process or exchange health data with EU counterparts.
The regulation places obligations on healthcare providers, EHR system manufacturers and vendors, research bodies, and life sciences companies. Healthcare providers must ensure their systems can meet interoperability standards. EHR vendors must certify their products. Research bodies seeking access to health data for secondary purposes must work through newly established Health Data Access Bodies, which will govern who can access data and under what conditions.
The regulation entered into force in March 2025. Full enforcement begins in March 2027. The first major application deadline for primary data exchange across all member states is March 2029, with commercial EHR systems required to comply by 2029 and in-house systems by 2031.
The gap between 2027 and 2029 does not mean organisations can wait. Governance structures, system assessments, security upgrades, and vendor alignment all need to be underway now in order to achieve compliance by the deadline.
EHDS is most commonly discussed as a data governance and interoperability regulation. That framing is accurate, but it understates a significant and underappreciated risk.
To meet EHDS requirements, healthcare systems and EHR vendors must expose standardised APIs through which patient data flows between organisations and across borders. Systems that have historically operated as closed, local environments must now become externally reachable. The result is a substantially expanded attack surface.
The dependency model this creates is new. Once connected to the EHDS ecosystem, a healthcare organisation's digital perimeter extends beyond its own network to include national exchange nodes, authentication services, data access bodies, and external entities entitled to request or receive data. The security of your environment becomes partly dependent on every other node in that chain.
This connects directly to obligations many organisations are already managing under NIS2. EHDS does not replace NIS2 or the GDPR. It sits alongside them, creating a cumulative compliance burden that demands a coordinated rather than a siloed response. Santegic has worked with healthcare organisations across the UK and Ireland to map exactly this kind of regulatory convergence and build practical responses to it.
Organisations in scope must demonstrate that data processing takes place in secure environments meeting defined cybersecurity standards. Access controls, identity management, audit logging, and output controls will all be subject to scrutiny. EHR systems, whether commercial or in-house, must meet interoperability and security certification requirements before participating in the EHDS framework.
For many healthcare organisations, this will require infrastructure investment, vendor reassessment, and a clear-eyed review of where current systems fall short.
The most common mistake with EHDS is treating it as a future problem. The 2027 enforcement date is less than twelve months away. The 2029 application deadline sounds further off, but the lead time required to assess systems, certify infrastructure, and establish governance structures means preparation needs to begin well before that date arrives.
The steps that matter most now are these. Establish whether your organisation is in scope and which obligations apply to your specific role. Assess your current systems against the interoperability and security requirements EHDS demands. Identify the gaps and build a realistic roadmap to close them. Review how EHDS interacts with your existing NIS2, GDPR, and AI Act compliance programmes so you are building a coherent regulatory response rather than managing each framework in isolation.
The European Health Data Space is one of the most significant pieces of healthcare regulation to arrive in a decade. It is already law. Enforcement begins in 2027. The organisations best positioned when that deadline arrives will be those that start their readiness work now, before the pressure of imminent compliance forces rushed responses.
Whether EHDS is familiar ground you have been meaning to act on, or this article is your first real introduction to it, the next step is straightforward. Book a call with Clare to talk through where your organisation stands and what getting ready actually looks like. Santegic's healthcare consulting services are here to help you cut through the complexity and build a compliance roadmap that works.
Santegic is a specialist healthcare consulting and cyber security firm working with healthcare providers, health technology companies, and MedTech organisations across the UK and Ireland.
One conversation. The right expertise.