EU establishes mandatory CE marking for electronic health record systems

The European Health Data Space (EHDS) regulation has introduced a comprehensive regulatory framework for electronic health record (EHR) systems operating within the European Union. It establishes mandatory CE marking procedures, clarifies supply chain obligations, and introduces detailed information requirements for EHR systems processing priority categories of health data. The landmark legislation will be applicable from March 2027.

The regulation's EHR provisions represent a shift from the previous fragmented approach to health data systems, creating unified standards for interoperability, security and compliance across all 27 Member States while maintaining safeguards for patient data protection.

EHDS framework

The EHDS regulation defines an electronic health record as a collection of electronic health data related to a natural person and collected in the health system, processed for the purpose of the provision of healthcare. This encompasses the full spectrum of patient data collected across healthcare encounters, from primary care consultations to specialist treatments and hospital admissions.

An EHR system is characterised as any system whereby the software, or a combination of the hardware and the software of that system, allows personal electronic health data that belong to the priority categories of personal electronic health data established under this regulation to be stored, intermediated, exported, imported, converted, edited or viewed. The system must be specifically intended by the manufacturer for use by healthcare providers in patient care delivery or by patients accessing their own health data.

The regulation introduces a nuanced approach by focusing on harmonised software components rather than entire EHR systems. These comprise two mandatory elements: the European interoperability software component (enabling data exchange in the European electronic health record exchange format) and the European logging software component (providing comprehensive audit trails of data access).

CE marking

Applying the EU's recently amended new legislative framework (NLF), the EHDS establishes a mandatory conformity self-assessment scheme for EHR systems processing priority categories of personal electronic health data. In line with NLF standards, the procedure requires manufacturers to demonstrate compliance with essential requirements – laid down in Annex II of the regulation – before placing systems on the EU market.

The conformity assessment process follows a structured pathway. Manufacturers must first ensure their harmonised software components comply with essential requirements covering general functionality, interoperability standards, and security and logging capabilities.

Prior to market placement, manufacturers must draw up technical documentation, demonstrating system compliance with essential requirements.

A critical component of the assessment involves testing in European digital testing environments, established under the regulation. The Commission develops open-source testing software, while Member States operate testing environments complying with common specifications. Manufacturers must use these environments to assess their harmonised software components before market placement, with positive test results creating a presumption of regulatory compliance.

Following successful assessment, manufacturers issue an EU declaration of conformity under Article 39, stating that essential requirements have been fulfilled. The final step involves affixing the CE marking of conformity to accompanying documents and, where applicable, system packaging. The marking indicates compliance with the EHDS regulation and other applicable Union law requiring such marking, such as the EU Artificial Intelligence (AI) Act.

Supply chain operator obligations

The EHDS creates a comprehensive framework of obligations for different supply chain participants, recognising the complex ecosystem surrounding EHR systems' deployment and maintenance.

Manufacturers bear primary responsibility for system compliance. Their obligations encompass ensuring harmonised software components meet essential requirements and common specifications, preventing adverse effects from other system components, maintaining up-to-date technical documentation, and providing mandatory information sheets and clear instructions for use. They must also draw up EU declarations of conformity, affix CE markings, maintain complaint channels and non-conformity registers, and take corrective action when systems fail to meet requirements.

Manufacturers face ongoing responsibilities including cooperation with market surveillance authorities, providing necessary information and documentation in easily understood languages, and implementing procedures ensuring continued compliance throughout the system lifecycle.

Authorised representatives, mandatory for non-EU manufacturers, perform specified tasks including maintaining documentation for market surveillance authorities, providing compliance information upon request, informing manufacturers of non-conformity concerns, and ensuring technical documentation availability. These representatives face joint and several liability with manufacturers for non-compliance in certain circumstances.

Importers also assume significant responsibilities, including verifying manufacturer compliance, ensuring proper identification and authorised representative appointment, confirming CE marking affixing, and ensuring information sheet accompaniment. They must establish their own identification on accompanying documentation, maintain system conformity during their responsibility period, and implement reporting channels for user complaints while investigating and following up on incident reports.

Distributors must verify manufacturer EU declarations of conformity, CE marking presence, and information sheet accompaniment before market placement. They bear responsibility for maintaining system conformity and must refrain from making non-compliant systems available, informing relevant parties of conformity concerns and cooperating with market surveillance authorities when required.

Information requirements and transparency

The EHDS introduces comprehensive information requirements designed to ensure transparency and facilitate informed decision-making by healthcare providers and system users.

The information sheet, mandated under Article 38 of the regulation, must provide concise, complete, correct and clear information that is relevant, accessible and comprehensible to professional users. It must specify manufacturer identity and contact details, system name and version with release date, intended purpose description, categories of electronic health data the system processes, and supported standards, formats and specifications with their respective versions.

Manufacturers may alternatively enter this information into the EU database for registration of EHR systems, providing a centralised repository for system information accessible to healthcare providers, procurement professionals and market surveillance authorities.

Instructions for use must be "clear and complete", including maintenance guidance and accessible formats for persons with disabilities. They must enable proper system installation and operation without adversely affecting characteristics and performance during intended use.

Technical documentation requirements further contribute to the creation of comprehensive system records. These requirements include detailed system descriptions, intended purposes and data processing categories, hardware and software interaction explanations, system architecture descriptions with labelled diagrams, technical specifications and performance attributes, lifecycle change descriptions, and user instructions including installation guidance.

Registration obligations under the EHDS regulation require manufacturers to enter specified data into the EU database before market placement or service commencement. This database, maintained by the Commission and publicly available, enhances transparency while supporting procurement decisions and market surveillance activities.

Interoperability with medical devices and AI systems

The EHDS regulation recognises the increasingly complex landscape where EHR systems interface with medical devices, in vitro diagnostic medical devices, and artificial intelligence systems. Article 27 addresses these intersections by establishing that manufacturers claiming interoperability between their medical devices or high-risk AI systems and EHR harmonised software components must prove compliance with essential requirements for both the European interoperability and logging software components.

This provision is intended to ensure that the broader digital health ecosystem maintains consistent standards while avoiding regulatory gaps or duplicative requirements. The regulation acknowledges that some EHR system components may themselves constitute medical devices or high-risk AI systems subject to other EU legislation. This requires coordinated conformity assessment procedures to limit administrative burdens on manufacturers.

Transition periods and implementation timeline

The EHDS establishes structured transition periods. It specifies that Chapter III provisions, which specifically deal with EHR systems, apply to different categories of priority health data and corresponding EHR systems from specific dates.

Systems processing patient summaries, electronic prescriptions and electronic dispensations become subject to regulation from March 2029. Systems processing medical imaging studies, medical test results, and discharge reports face compliance requirements from March 2031.

EHR systems put into service within health institutions (as opposed to being placed on the broader EU market) benefit from an extended transition period, with Chapter III requirements applying from March 2031. This recognises that healthcare providers developing and using internal systems may require additional preparation time.

These staggered timelines enable systematic implementation and should allow manufacturers, healthcare providers and regulatory authorities to develop necessary expertise and infrastructure progressively.

Osborne Clarke comment

The EHDS regulation's EHR provisions represent an ambitious attempt to harmonise complex health information systems across diverse national healthcare environments. Whereas the focus on harmonised software components rather than entire systems suggests regulatory sophistication, the practical implications of distinguishing between regulated and non-regulated system elements may prove more challenging than the legislation anticipates.

The mandatory CE marking procedure, though framed as proportionate self-assessment, introduces significant compliance obligations for what are often collaborative, iterative software development processes. The European digital testing environments, while innovative in concept, remain largely theoretical pending their actual development and deployment by Member States with varying technical capabilities and priorities.

The regulation's comprehensive supply chain obligations reflect the reality of modern EHR ecosystems, though the allocation of responsibilities across manufacturers, importers, distributors and authorised representatives may create practical coordination challenges that the legislative framework does not fully address. The extensive documentation and information requirements are likely to serve transparency objectives; however, they could represent considerable administrative overhead for organisations already navigating complex healthcare procurement processes.

Given the regulation's breadth and the interconnected nature of modern healthcare technology, organisations across the medtech and digital health sectors might find themselves unexpectedly within scope through interoperability claims or data processing activities. The staggered implementation timeline provides some breathing space, though the underlying complexity of compliance requirements suggests that early engagement with the evolving regulatory landscape could prove prudent for businesses seeking to understand their obligations before enforcement begins.