With the European Health Data Space Regulation (EU) 2025/327 (“EHDS”) set to enter into force on March 26, 2025, life sciences companies must start their preparations now. Although the key obligations will not apply until March 2029, it is crucial for companies to take proactive steps to ensure compliance. This article analyses the key considerations and actions that companies must take now. These include conducting data due diligence and a “health check” of their infrastructure, as well as performing a mapping exercise of their sensitive electronic health data and of relevant third party arrangements.
On March 5, 2025, the EHDS was published in the Official Journal of the European Union in parallel with the publication of a set of Frequently Asked Questions (“FAQs”) by the European Commission. Alongside other recent laws, such as the Data Governance Act and the Data Act, the EHDS forms part of a broader EU Data Strategy to (among other things) make electronic health data (“EHD”) more widely available for research and public interest purposes. EHD is defined broadly and includes, among other items, health records, clinical trial data, human genetic data, health claims and reimbursement data, patient registries, and automatically generated personal EHD from medical devices.
One of the main goals of the EHDS is to enable the sharing of EHD for ‘secondary use’ purposes. The EHDS introduces a framework for the sharing of EHD for certain predetermined secondary use purposes, including health-related scientific research, training and testing of algorithms and AI systems in medical devices, policymaking in the healthcare sector, and activities aimed at improving delivery of care or treatment optimization.
Based on a request to access EHD for an in-scope secondary use purpose, entities holding the legal right or responsibility to process and control EHD (referred to as “data holders”) can be compelled to share such EHD. Data holders may include public or private healthcare providers as well as private companies.
The EHDS’ secondary use provisions will become applicable four years after entry into force (on March 26, 2029), with some specific EHD categories such as clinical trial data and human genetic data having an extended application period of six years (March 26, 2031).
The EHDS’ secondary use rules are of potentially significant relevance to life sciences companies that may become either data holders (by owning, holding, or controlling EHD) or data users (by accessing EHD to develop and innovate new products). As such, the EHDS will represent both opportunities as well as challenges and risks.
Strategic considerations and preparedness
One of the key opportunities of secondary use for life sciences companies is to harvest valuable data for scientific research related to product or service development, including high-quality datasets to train, test, and evaluate AI systems. These obligations are complementary to, and in addition to, existing data transparency mechanisms, such as EMA Policy 0070, CTIS and others. To benefit from the opportunities and meet the obligations and deadlines for compliance, life sciences companies should assemble the appropriate internal (and external) teams now.
- Data in scope: The first key consideration for companies engaged in the development and manufacturing of medicinal products is determining which of their valuable data will be classified as EHD and may legitimately be requested by and shared with a data user. This EHD can be highly commercially sensitive and extensive in volume. Accordingly, as a first step companies should conduct a data mapping exercise to identify all in-scope EHD (such as clinical trial data, reimbursement data, data from registries, and third-party training data) and its location.
- Actors in scope: Also relevant for determining the potential impact of the EHDS on an organization is identifying which entities may be subject to EHD requests, i.e., as a data holder. This is key because, depending on what EHD a data holder retains, it may be required to submit descriptions of these datasets to the relevant authorities as soon as 26 March 2029, although the precise elements to be disclosed will be determined in future implementing acts. The Commission’s FAQs re-confirm that processors would not be considered data holders under the EHDS, i.e., only controllers would be (to the extent the EHD is personal data). Helpfully, a recent webinar given by the Commission made clear that only entities established in the EU would be considered data holders, meaning, for example, that US-based clinical trial sponsors would not fall within scope. Data users can, however, be established in or outside of the EU.
- Infrastructure for hosting data and managing requests: Once this has been determined, data holders should establish teams, systems, and policies to manage requests for EHD and organize the EHD in a way that meets the EHDS’ requirements for sharing as well as tracking opt-outs from individuals. This will likely include planning for current and prospective clinical trials – such as determining what EHD is collected, where it is collected, and who hosts it – to enable data sharing under the EHDS. Without early preparation and adoption of appropriate data formats, converting the required EHD could become very costly and time-consuming. A major challenge is the current lack of implementing legislation to guide the expected format and technical requirements. Therefore, it is crucial to monitor EHDS developments and be prepared to adapt to new technical specifications as these are published. The joint action Towards the European Health Data Space (TEHDAS) public consultation on guidelines for EHDS implementation is ongoing, to help inform the upcoming implementing acts.
- Interoperability: Closely related to establishing the infrastructure is ensuring interoperability, meaning that companies may need to build or upgrade technical infrastructure to store and manage EHD according to the EHDS standards and platforms for data interoperability and sharing.
- Checking third party agreements: Data holders whose EHD are held by third parties (e.g., vendors) will still be subject to the mandatory secondary use sharing provisions. Consequently, companies should consider reviewing and (where necessary) updating their contracts with these third parties to ensure compliance with the EHDS’ technical standards and other requirements. Since data holders must respond to secondary use access requests within three months to avoid fines, it is important for companies to identify what datasets are “held” by whom and under what conditions they can be used or shared. Implementing notification requirements for third parties when a data access request is received can help ensure all parties are informed, especially in cases involving commercial or other concerns.
- Identification of sensitive and confidential EHD: This highlights the importance of protecting sensitive and confidential EHD. Such EHD may be protected by intellectual property rights or constitute trade secrets. Although there are some exemptions for the protection of sensitive/protected information under the EHDS, the FAQs confirm that “intellectual property rights and trade secrets should not be an obstacle to the re-use of data”. In fact, the disclosure status will ultimately be determined by health data access bodies (the authorities designated to grant data permits upon request), albeit with the potential for a data holder or data user to challenge the decision in court. Companies should consider developing a strategy to identify and protect sensitive and confidential EHD, and be prepared to justify any redactions in response to requests for access to commercially confidential or patent-protected EHD that could harm business interests.
- How to make the most out of the available EHD: To harvest the opportunities presented by the EHDS, life sciences companies can already start considering how to identify relevant EHD held by third parties and assess how they can justify requesting access to it (as a data user), i.e., to derive commercial and/or strategic advantages, including potentially for pricing and reimbursement. It may therefore be worthwhile to analyse the competitive landscape to determine who holds potentially valuable datasets, what EHD are involved, and where they are located.
A multidisciplinary and nuanced approach will help to ensure that companies are placed in the best position to harvest valuable data, comply with complex requirements, and protect their sensitive datasets over the years to come.
This article was first published in European Pharmaceutical Review on March 28, 2025.
The views expressed in this article are exclusively those of the authors and do not necessarily reflect those of Sidley Austin LLP and its partners. This article has been prepared for informational purposes only and does not constitute legal advice. This information is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. Readers should not act upon this without seeking advice from professional advisers.