Preparing for the European Health Data Space - Opportunities and Challenges for Europe’s Digital Future

Latham & Watkins LLP

The EU regulation designed to facilitate secondary use of clinical data for research brings benefits for health research, but also poses challenges for companies.

On 5 March 2025, Regulation 2025/327 creating the European Health Data Space (the EHDS Regulation) was published in the Official Journal of the European Union and entered into force on 26 March 2025. The European Commission also published FAQs on the European Health Data Space on 5 March 2025. 

For a more detailed overview of the EHDS Regulation, including its purpose, scope, and the challenges it aims to address, please see our previous blog post. Broadly, one of the key goals of the EHDS Regulation is to facilitate secondary use of clinical data for research purposes. It aims to achieve this goal by requiring “health data holders” to make data available and enabling “health data users” to access that data in secure processing environments and based on permits issued by “health data access bodies” (HDABs).

As detailed in our previous post, the EHDS Regulation brings potentially huge benefits for health research but also presents many challenges for the pharmaceutical and med-tech industries. In this post, we provide an update on some of those key challenges and what companies can do to prepare.

Challenges

Territorial Scope

One of the initial key uncertainties when the EHDS Regulation was first published was its territorial scope. The recently published European Commission FAQs helpfully clarify that the EHDS Regulation only applies to health data holders established within the EU. It will not apply to health data holders in third countries without an EU establishment, such as non-EU-based sponsors of clinical trials conducted in the EU. However, in such cases the EHDS Regulation may still apply to other EU-based controllers (as that term is defined in the GDPR) involved in that clinical trial; for example, trial sites if they are considered controllers or joint controllers of the clinical data, meaning in practice that the non-EU sponsor’s data may still be subject to disclosure. How these obligations will be managed in practice in the context of the sponsor’s contracts with such sites remains to be seen. Furthermore, non-EU-based health data users will not be able to submit applications for data permits and benefit from the EHDS unless their country of establishment is recognised as providing reciprocal access to EU-based applicants.

One remaining question which the FAQs unfortunately do not address is whether all in-scope data of an EU-based health data holder is subject to disclosure. For example, if an EU-based sponsor of a clinical trial has sites both within the EU and outside the EU, is the data from all such sites subject to the EHDS Regulation or just the data from EU sites? In the absence of guidance to the contrary, the broadly drafted wording of the EHDS Regulation would suggest the former approach.

Protecting Valuable Intellectual Property

Since the publication of the initial draft regulation in May 2022, one of the main concerns for the pharmaceutical and med-tech industries was how to balance their obligations to disclose data with the need to protect valuable intellectual property and trade secrets.

The compromise in the final text is a weaker version of similar protections provided for in the EU Data Act, which entered into force in January 2024. In essence, a health data holder has a right to inform the HDAB of any data which contains intellectual property rights or trade secrets. The HDAB will then take “all specific appropriate and proportionate measures” to protect such intellectual property and trade secrets. Such measures may include contractual arrangements with the health data users, such as non-disclosure agreements. If access to the data entails a serious risk of infringement of intellectual property rights or trade secrets that cannot be addressed satisfactorily, the HDAB must refuse access to such data.

However, whereas the EU Data Act empowers the data holder to determine if the proposed measures are satisfactory and, if not, to withhold the data, the EHDS Regulation puts this decision in the hands of the HDAB, with a mere right to object on the part of the health data holder. The EHDS Regulation also offers no mechanism to compensate the health data holder for use of its valuable data or resulting benefits to the health data user, such as a reasonable license fee.

Managing Patient Opt-Outs

Another important concession introduced in EU lawmakers’ trilogue negotiations is the opt-out mechanism. The initial text did not include an opt-out mechanism and, although some stakeholders advocated for a stricter opt-in mechanism, the eventual compromise was to introduce the possibility for patients to opt out of their data being processed for secondary purposes through the EHDS. However, the opt-out mechanism is left to Member States to implement, which could lead to divergent approaches. The only common criterion is that the opt-out mechanism must be easily understandable, accessible, and user-friendly. Concerns also remain over how health data holders can manage this opt-out and purge such data from all datasets they hold prior to disclosure to the HDAB, as well as the resulting impact on diversity and quality of the resulting dataset.

Cataloguing Datasets

One of the first steps in the data disclosure process is for each health data holder to provide a description of all in-scope datasets to the HDAB. The HDAB will then catalogue and publish all datasets. Given the breadth of health data within the scope of the EHDS Regulation, this is no easy task for data-intensive businesses such as research-focussed pharmaceutical and med-tech companies. The time limit for this initial disclosure is not specified and the format and mechanism will need to be built out in guidance or implementing regulations. The EHDS Regulation also requires health data holders to verify annually that the description of their datasets in the catalogue is accurate.

Fragmentation

One of the consequences of the extended trilogue negotiations has been to defer to EU Member States on several key topics, which will inevitably lead to fragmentation and divergent approaches throughout the EU. For example, in addition to implementing the opt-out mechanism, Member States can decide on localisation requirements for data, can impose stricter measures for genetic, biobank, and wellness data, and can specify additional categories of in-scope data.

Timeline and Next Steps

The EHDS Regulation will be implemented in several phases, given the breadth of preparatory work needed to set up the legal and technical infrastructure to operationalise the EHDS:

  • 2025–2027: Secondary legislation phase, focusing on drafting Implementing and Delegating Acts
  • 2027–2029: Member State preparation phase, involving the creation of data hubs and integration with EU-wide infrastructure
  • 26 March 2029: Most secondary use provisions will apply
  • 26 March 2031: Provisions related to clinical trial and human genetic data will apply

However, this timeline remains uncertain and many commentators believe it will likely change given the complexity of the technical and organisational measures that need to be implemented, both at EU and Member State level.

What Companies Can Do to Prepare for the EHDS?

While many unknowns remain and details will need to be resolved through implementing regulations and guidance, companies should act now to prepare for the above deadlines.

Companies holding health data should start mapping and cataloguing their datasets to understand what data will be subject to the EHDS Regulation, where such data is held, in what format, and any restrictions it is subject to. As part of this data mapping, companies should consider whether any of these datasets constitute valuable or sensitive intellectual property or trade secrets. Companies should also consider their technical capabilities and any additional systems or measures they will need to scan and label data, anonymise it, and purge opted-out data.

As with other recent ambitious EU Digital Acts initiatives, the workload for companies will not just be in preparatory steps but will also involve an ongoing and dynamic compliance exercise after the EHDS Regulation comes into effect. For example, as companies compile and obtain new datasets, each will need to be analysed, labelled, and anonymised in preparation for potential disclosure. This exercise will necessarily involve a variety of stakeholders including legal, privacy, intellectual property, and technical experts.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Latham & Watkins LLP

Written by:

Latham & Watkins LLP