European Health Data Space Regulation and TEHDAS2 lay down a new roadmap for cross‑border data use

The official publication of Regulation (EU) 2025/327 on the European Health Data Space (EHDS) Regulation on March 2025 marked an unprecedented milestone in the digital integration of the European Union. This Regulation not only seeks to harmonise citizens’ access to their medical records but also establishes an ambitious framework for health information to become the driving force behind scientific research, technological innovation and evidence-based public policymaking. The EHDS is the first common European data "space" dedicated to a specific sector, designed to overcome the legislative and technical fragmentation that has historically hindered cross‑border collaboration in health.

The entry into force of the regulation on 26 March 2025 marked the beginning of a structured transition phase. Although the general framework has started to become operational, the application of the more complex provisions will be progressive, extending until 2035 to cover all data categories and functionalities envisaged. This phased calendar responds to the scale of the changes required in national technological infrastructures and the need to adapt the legal frameworks of the 27 member states.

The core of the EHDS is divided into two fundamental "pillars": the primary and the secondary use of data. Primary use focuses on patient empowerment, allowing patients to access and share their electronic health data both free of charge and without obstacles throughout the Union. By contrast, secondary use – the subject of intense debate and current technical development – opens the door for researchers, companies and regulators to use large volumes of data to develop new treatments, train artificial intelligence (AI) algorithms and improve the efficiency of healthcare systems.

Governance is structured through the creation of digital health authorities in each member state for primary use and health data access bodies (HDABs) to manage secondary use.

Secondary use of data: a catalyst for research and AI

Chapter four of the regulation governs secondary use, allowing the reuse of data for purposes of public interest, scientific research and technological development. This provision is particularly relevant for the training, testing and evaluation of AI algorithms in the health sector, where the quality and volume of data are decisive for the accuracy of diagnostic and predictive models.

Unlike primary use, access to data for secondary use does not require individual consent for each study; instead, it is founded on a public-interest legal basis, provided that a specific permission is obtained from the relevant HDAB. However, an opt‑out right is established, allowing individuals to decide that their data will not be used for these purposes, apart from in exceptional cases of overriding public interest.

TEHDAS2: the technical roadmap for operational implementation

The joint action TEHDAS2 (Towards the European Health Data Space 2) is the main technical instrument tasked with developing the guidelines and specifications needed to make Chapter four of the regulation a functional reality. With the participation of 29 countries and coordinated by the Finnish Innovation Fund, or Sitra, TEHDAS2 builds on the foundations of its predecessor to ensure that the ecosystem is practical, secure and interoperable.

TEHDAS2’s work is organised through public consultations that allow stakeholders – from patient associations to the pharmaceutical industry – to contribute their views on draft guidelines. The second wave of consultations was completed on 19 January and received more than 750 responses, reflecting the high level of engagement of sector stakeholders with the implementation of the EHDS Regulation.

Key points from the recent TEHDAS2 consultations

Recent consultations have focused on critical operational aspects that will determine the feasibility of the secondary use system for health data. Among the documents analysed, the following guidance stands out:

• Fees. These guidelines propose that HDAB establish transparent, proportionate fees based on the actual cost of the service. A centralised billing model is recommended to simplify bureaucracy for data users, with fee reductions envisaged for certain categories of users, such as public bodies, universities or micro‑enterprises, as defined by each member state.
• Penalties. TEHDAS2 has worked on harmonising enforcement measures to ensure that infringements of the regulation are dealt with consistently across the Union, in alignment with national legal systems. Fines may reach up to 4% of an entity’s global turnover.
• Secure processing environments (SPEs). It is recommended that data should never abandon controlled infrastructures. Users will carry out their analyses within SPEs and will only be able to extract aggregated or anonymous results. TEHDAS2 describes common cybersecurity, interoperability and traceability requirements for these environments.
• Data description. In order to solve the problem of not knowing what data exists, the HealthDCAT‑AP (data-catalogue vocabulary and application profile) standard has been proposed. This metadata model will allow data holders to describe their datasets so that they can be easily located through national catalogues and the European HealthData@EU portal.

Regulatory convergence: EHDS, AI Act and Data Act

For technology and healthcare companies, the challenge is not only to comply with the EHDS, but to consolidate its interaction with other key laws such as the AI Act and the Data Act. In particular, certain digital health systems that incorporate artificial intelligence – especially those with a diagnostic, therapeutic or clinical decision‑support purpose – may be classified as “high risk” AI systems under the AI Act, triggering additional obligations relating to risk management, data governance and human oversight.

To avoid regulatory overload, the European Commission is promoting the “Digital Omnibus”, a regulatory simplification package aimed at reducing administrative burdens, avoiding duplication and harmonising compliance requirements.

Osborne Clarke comment

The Regulation 2025/327 represents a tectonic shift in the legal responsibility of healthcare and technology operators. Businesses need to be aware that compliance is no longer limited to classic data protection obligations, but now incorporates a much more dynamic dimension of regulated data sharing and access. The figure of the health data holder imposes active data‑sharing duties that must be managed with extreme caution so as not to compromise trade secrets or intellectual property rights, aspects that the regulation protects but which require explicit signalling to HDABs.

For companies in the sector, the key in 2026 will be monitoring the European Commission’s implementing acts and the regulatory development of the EHDS. Proactivity in designing products based on interoperability principles will be the determining factor in capitalising on the opportunities of an ecosystem that promises to save billions of euros and lives through the collective intelligence of data.