MedDeviceGuideMedDeviceGuide
Back

European Health Data Space (EHDS) Regulation: Guide for Medical Device Manufacturers

How Regulation (EU) 2025/327 applies to medical devices and IVDs. Learn about Article 27 software components, CE marking, 2027-2031 deadlines, and GDPR alignment.

Ran Chen
Ran Chen
Global MedTech Expert | 10× MedTech Global Access
Published 2026-07-08Last reviewed 2026-07-0819 min read

The Digital Health Revolution and the EU Regulatory Landscape

The European Union is undergoing an unprecedented digital transformation, building a single market for data through its European Data Strategy. At the heart of this strategy for the healthcare sector is the European Health Data Space (EHDS) Regulation (EU) 2025/327. Adopted by the European Parliament and the Council on 11 February 2025, published in the Official Journal on 5 March 2025, and entering into force on 26 March 2025, the EHDS introduces a sweeping legal framework that will fundamentally alter how health data is accessed, shared, and utilized across Europe.

While many initial analyses framed the EHDS as a piece of legislation primarily affecting hospitals, healthcare providers, and electronic health record (EHR) system vendors, the reality is far more wide-reaching. Medical device and in vitro diagnostic (IVD) manufacturers face direct, legally binding obligations under this regulation.

Specifically, under Article 27, any manufacturer of a medical device or IVD that processes priority categories of electronic health data must incorporate a European interoperability software component and a European logging software component. Furthermore, the regulation impacts how manufacturers collect and use post-market clinical follow-up (PMCF) data, introduces new CE marking conformity assessments for certain software systems, and alters the landscape of secondary data reuse via the new HealthData@EU infrastructure.

This guide provides a comprehensive, manufacturer-first breakdown of Regulation (EU) 2025/327. We translate the complex legal text into actionable compliance steps, explore the staggered implementation timeline spanning 2027 to 2031, clarify the CE marking requirements, map the interplay with existing regulations (including the Medical Device Regulation (MDR), IVD Regulation (IVDR), GDPR, AI Act, and Cyber Resilience Act), and analyze how the landmark Article 71 secondary-use opt-out impacts device-generated data.


Does the EHDS Regulation Apply to My Medical Device or IVD?

Understanding whether your device is in scope of the EHDS requires analyzing the specific legal tests set forth in the regulation, particularly Article 27 and Article 2.

The EHDS does not apply to all medical devices. Its scope is triggered by a device's interaction with electronic health data (EHD). The regulation defines electronic health data broadly as personal or non-personal data relating to the physical or mental health of a natural person, or data generated by the processing of health-related information.

The Scope Decision Flow

To determine if your medical device or IVD is subject to the direct product obligations of EHDS (specifically the Article 27 interoperability and logging software components), follow this decision flow:

                  ┌──────────────────────────────────────────────┐
                  │ Does the device or IVD process, transmit,    │
                  │ or generate electronic health data?          │
                  └──────────────────────┬───────────────────────┘
                                         │
                        Yes ┌────────────┴────────────┐ No
                            ▼                         ▼
  ┌───────────────────────────────────┐     ┌───────────────────────────────────┐
  │ Does the data fall into any of    │     │ OUT OF SCOPE OF PRODUCT DOCKING   │
  │ the Article 14(1) priority        │     │ (Standard MDR/IVDR applies)       │
  │ categories (e.g., patient summaries,│   └───────────────────────────────────┘
  │ imaging, lab results, EHRs)?      │
  └─────────────────┬─────────────────┘
                    │
   Yes ┌────────────┴────────────┐ No
       ▼                         ▼
  ┌───────────────────────────────────┐     ┌───────────────────────────────────┐
  │ Does the device declare or intend │     │ OUT OF SCOPE OF ARTICLE 27        │
  │ to interoperate with Electronic   │     │ (But check secondary-use duties)  │
  │ Health Record (EHR) systems?      │     └───────────────────────────────────┘
  └─────────────────┬─────────────────┘
                    │
                    ▼ Yes
  ┌─────────────────────────────────────────────────────────────────────────────┐
  │ IN SCOPE OF EHDS ARTICLE 27                                                 │
  │ - Must integrate European Interoperability Software Component               │
  │ - Must integrate European Logging Software Component                        │
  │ - Must conform to Annex II Section 2 Essential Requirements                 │
  │ - Must align with Article 36 Common Specifications                         │
  └─────────────────────────────────────────────────────────────────────────────┘

The "Priority Categories" of Electronic Health Data

Under Article 14(1), the EHDS establishes specific "priority categories" of primary electronic health data. If your device processes or generates data falling within these categories and is designed to interface with EHR systems, it is firmly in scope:

  1. Patient summaries: Structured profiles containing key clinical data (allergies, active problems, implants, surgeries, medications).
  2. ePrescriptions and eDispensations: Digital drug prescriptions and records of their dispensing.
  3. Medical images and image reports: CT scans, MRIs, X-rays, ultrasounds, and their corresponding radiologist interpretations.
  4. Laboratory results and reports: Clinical chemistry, hematology, microbiology, and genetic testing reports.
  5. Hospital discharge reports: Summaries of inpatient stays, treatment plans, and post-discharge recommendations.
  6. Other health data (to be designated): The European Commission has the power to add categories (such as continuous monitoring data from wearables or implantable sensors) via implementing acts.

If you manufacture a connected pacemaker that transmits battery status, lead impedance, and arrhythmia events to a hospital EHR, or a digital pathology system that stores and shares high-resolution tissue images, your device generates and processes EHD that falls into these priority categories.


Key Manufacturer Obligations Under Article 27

If your device is in scope, you must comply with the product requirements outlined in Article 27 of Regulation (EU) 2025/327. This article establishes two primary architectural requirements that must be integrated directly into your software stack.

1. The European Interoperability Software Component

Manufacturers must build and integrate a dedicated software component that allows the device to exchange data seamlessly with EHR systems and other digital health applications in a standardized format.

This interoperability component is not just an API; it is a legally defined interface that must conform to the European Electronic Health Record Exchange Format (EEHRxF). The EEHRxF is expected to specify standardized profiles, vocabularies (such as SNOMED CT, LOINC, and ICD-11), and exchange standards built on HL7 FHIR, with the precise technical requirements set by the Article 36 Common Specifications and related implementing acts (which the Commission is to adopt by 26 March 2027). The goal is to ensure that a medical image or lab result generated by a device in Spain can be read and interpreted instantly by an EHR system in Germany without manual mapping or custom middleware.

2. The European Logging Software Component

To protect patient privacy and ensure data integrity, Article 27 requires the integration of a standardized logging component. This component must automatically, securely, and immutably record every read, write, modification, or deletion of electronic health data.

The log entries must capture:

  • The identity of the user or system accessing the data.
  • The specific data elements accessed.
  • The date and time of the transaction.
  • The authorization mechanism used.

Crucially, these logs must be designed to be accessible to the patient (via their national health portals) and to market surveillance authorities, enabling complete transparency over who has viewed or altered clinical information.

Annex II Section 2: Essential Requirements

The technical details for these software components are listed in Annex II Section 2 of the regulation. These "essential requirements" function similarly to the General Safety and Performance Requirements (GSPRs) under the MDR/IVDR. They cover:

  • Data Minimization: Ensuring that only the minimum necessary data is exchanged.
  • Semantic Interoperability: Ensuring that the meaning of the data is preserved across systems through standardized vocabularies.
  • Technical Security: Implementing robust encryption (in transit and at rest), secure key management, and protection against unauthorized access.
  • Auditability: Providing tamper-evident mechanisms for the logging component.

Article 36 Common Specifications

While Annex II defines what must be achieved, the exact how will be governed by Common Specifications adopted by the Commission under Article 36.

The Commission is mandated to adopt these Common Specifications by 26 March 2027 (the date of general application). They will detail the precise HL7 FHIR profiles, security protocols, and log schemas that manufacturers must implement. Manufacturers will have a transition period to update their designs once these specifications are published, but the core architecture should be planned immediately.


Recommended Reading
EU AI Act and MDR Single Evidence Matrix for AI Medical Devices
EU MDR / IVDR Digital Health & AI2026-05-05 · 17 min read

Phased Deadlines: When Do the EHDS Deadlines Apply?

The EHDS does not apply all at once. It features a highly structured, phased timeline that gives manufacturers and Member States time to adapt. However, because of the long design cycles of medical devices and IVDs, engineering teams must align their product roadmaps with these dates today.

The table below outlines the critical milestones for medical device and IVD manufacturers:

Milestone Date Legal Reference Affected Category / Action Compliance Requirement for Manufacturers
11 February 2025 Adoption Regulation Adopted European Parliament and Council adopt the final text (published in the EU Official Journal on 5 March 2025).
26 March 2025 Article 105 Entry into Force The regulation officially enters into force, starting the clock for implementing acts.
26 March 2027 Article 105 General Application General provisions of the EHDS apply. The Commission is to adopt the Article 36 Common Specifications by this date.
26 March 2029 Article 105(a) First Priority Data Categories Article 27 obligations (interoperability & logging) become mandatory for devices processing patient summaries and ePrescriptions/eDispensations that interoperate with EHRs. Secondary-use rules apply to most data categories.
26 March 2031 Article 105(b) Advanced Data Categories Article 27 obligations become mandatory for devices processing medical images, laboratory results, and discharge reports. Secondary-use rules apply to clinical-trial and human genetic data.

[!WARNING] Do not make the mistake of assuming you have until 2029 or 2031 to begin engineering. If you are developing a Class IIa or Class IIb software-as-a-medical-device (SaMD) product in 2026 that will launch in 2028, it must be designed with the Article 27 interoperability and logging components built into the architecture, as retrofitting these components post-market can require substantial redesign and potential regulatory re-submissions under the MDR/IVDR.


Do I Need a New CE Marking for My Device Because of EHDS?

One of the most common areas of confusion for regulatory affairs leads is whether the EHDS introduces a separate CE marking process for medical devices.

The short answer is no — but with an important distinction between EHR systems and medical devices.

The Medical Device Exception

Under Article 41, the EHDS establishes a mandatory CE marking of conformity regime for Electronic Health Record (EHR) systems (which are not themselves regulated as medical devices). Manufacturers of EHR systems must draw up technical documentation under Article 37, sign an EU declaration of conformity under Article 39, and affix the CE mark of conformity under Article 41, declaring compliance with the EHDS essential requirements in Annex II.

However, the regulation explicitly prevents double CE marking for devices already regulated under the MDR or IVDR. If your product is a CE-marked medical device or IVD under Regulation (EU) 2017/745 or Regulation (EU) 2017/746, you do not perform a separate EHDS CE marking process.

Instead, the EHDS obligations are integrated directly into your existing MDR/IVDR conformity assessment. Here is how it works:

  1. You assess your device against the EHDS Article 27 interoperability and logging requirements.
  2. You incorporate these elements into your existing technical documentation (specifically mapping them as part of your software design and cybersecurity files).
  3. When you declare conformity to the MDR/IVDR, your declaration inherently covers compliance with these adjacent digital health requirements.
  4. Your Notified Body will audit these files during your standard surveillance audits or design dossier reviews.

This integration prevents regulatory duplication, but it means your MDR/IVDR technical file must be updated to show clear traceability to the EHDS essential requirements of Annex II.


How Does EHDS Interact with Other EU Regulations?

The EU has created a dense web of digital and data regulations. For medical device manufacturers, navigating how EHDS stacks on top of the MDR/IVDR, GDPR, the AI Act, and the Cyber Resilience Act is one of the most critical compliance challenges.

┌────────────────────────────────────────────────────────────────────────┐
│                        GDPR (EU) 2016/679                              │
│  (The foundational data privacy and security baseline for all EHD)     │
└───────────────────────────────────┬────────────────────────────────────┘
                                    ▼
┌────────────────────────────────────────────────────────────────────────┐
│                        EU MDR (2017/745) / IVDR                        │
│  (Governs safety, clinical performance, and medical device CE mark)    │
└───────────────────────────────────┬────────────────────────────────────┘
                                    ▼
┌────────────────────────────────────────────────────────────────────────┐
│                        EHDS (EU) 2025/327                              │
│  (Adds specific interoperability, logging, and data-sharing mandates)  │
└───────────────────────────────────┬────────────────────────────────────┘
                                    ▼
┌───────────────────────────────────┴────────────────────────────────────┐
│ Sibling Digital Regulations:                                           │
│ - EU AI Act: Governs risk classification of AI-enabled software        │
│ - Cyber Resilience Act (CRA): Mandates hardware/software cyber security│
└────────────────────────────────────────────────────────────────────────┘

1. Interplay with GDPR

The EHDS does not replace or override the General Data Protection Regulation (GDPR). Instead, it sits directly on top of it, serving as a sector-specific (lex specialis) framework for health data.

While the GDPR provides the general principles of data processing (such as consent, legitimate interest, and data minimization), the EHDS establishes specific legal bases for primary and secondary data use. For example, under EHDS, primary data exchange for care purposes is legally mandated, reducing the reliance on individual consent for standard clinical workflows. However, all GDPR principles — including data subjects' rights, data protection impact assessments (DPIAs), and security measures — remain fully active. For a deeper look at the foundational privacy baseline, see our guide on GDPR compliance for medical device and IVD companies.

2. Interplay with MDR/IVDR

The MDR and IVDR govern the safety, quality, and clinical performance of devices. The EHDS governs the exchange and reuse of the data those devices generate.

If there is a conflict between the EHDS and the MDR/IVDR regarding a device's safety, the MDR/IVDR takes precedence. For example, if an EHDS interoperability profile requires sharing a specific raw data stream, but your clinical evaluation or risk management file shows that exposing that raw stream introduces clinical risks (e.g., patient misinterpretation of raw diagnostic signals), you must prioritize safety and restrict the data exchange accordingly, documenting the risk justification in your files.

3. Interplay with the EU AI Act

If your medical device incorporates artificial intelligence (e.g., machine-learning image analysis software), it is likely classified as a High-Risk AI system under the EU AI Act.

The AI Act requires strict data governance, bias testing, and human oversight. The EHDS complements this by providing access to high-quality, representative datasets for training, validating, and testing these AI models through the secondary-use infrastructure. Manufacturers must ensure their AI development pipelines align with both frameworks. For detailed strategies on harmonizing these dual requirements, review our guide on the EU AI Act for medical devices.

4. Interplay with the Cyber Resilience Act (CRA) and NIS2

The Cyber Resilience Act (CRA) and the NIS2 Directive mandate cybersecurity controls for connected products and critical infrastructure. The EHDS relies on these security baselines.

The logging and access controls required under Article 27 of the EHDS must be built on the secure hardware and software foundations required by the CRA. You cannot have compliant EHDS logging if your device lacks secure boot, encrypted storage, or vulnerabilities management. For a comprehensive comparison of how these security frameworks align globally, refer to our analysis of FDA vs EU cybersecurity requirements and our detailed walkthrough of the EU Cyber Resilience Act and NIS2 for medical devices.


Recommended Reading
Hologic Global Footprint: Genius 3D Mammography, Genius AI, and IVD Market Access
Regulatory Digital Health & AI2026-07-06 · 19 min read

Secondary Use of Health Data: HealthData@EU and the Article 71 Opt-Out

Perhaps the most transformative aspect of the EHDS is Chapter IV, which establishes a legal framework for the secondary use of electronic health data. This framework allows researchers, industry partners, and regulators to access health data for purposes such as scientific research, clinical trials, product development, post-market surveillance, and health technology assessment.

The HealthData@EU Infrastructure

The EHDS mandates the creation of HealthData@EU, a decentralized cross-border infrastructure connecting national Health Data Access Bodies (HDABs).

Rather than requesting data from individual hospitals or clinical trial sponsors, researchers (including medical device manufacturers) submit a data access application to an HDAB. If approved, the HDAB retrieves the data, anonymizes or pseudonymizes it, and provides access within a secure, controlled processing environment.

For medical device manufacturers, this is a double-edged sword:

  • The Opportunity: You can gain access to massive, real-world clinical datasets across multiple EU Member States to support product design, run virtual clinical evaluations, train AI models, or conduct post-market clinical follow-up (PMCF) studies.
  • The Obligation: As a "data holder," if your device generates clinical data stored in a hospital or repository, you may be legally required to make that data available to the HDABs for secondary use by others, subject to intellectual property and trade secret protections.

The Article 71 Reversible Opt-Out

During the legislative negotiations, the most heavily debated topic was patient consent. The final text resolved this by introducing Article 71, which grants individuals a reversible right to opt out of the secondary use of their personal electronic health data.

Here is how the opt-out mechanism operates and affects data availability:

  • The Baseline: Personal electronic health data is available for secondary use by default, without requiring explicit consent, provided the processing is approved by an HDAB.
  • The Opt-Out: Patients can exercise their right to opt out at any time through their national digital health portal. Once opted out, their data cannot be shared for secondary use.
  • Reversibility: Patients can choose to opt back in at any time if they wish to support specific research initiatives.
  • Exceptions: The opt-out does not apply to primary care use, or to public health emergencies where data sharing is necessary to prevent widespread harm.
  • Data Holder Impact: When manufacturers pull datasets from HDABs for research or PMCF, they must recognize that the data represents a self-selected cohort that excludes patients who opted out, introducing potential selection bias that must be addressed in clinical evaluation reports.

Additionally, Article 8 grants patients the right to restrict health professionals from accessing certain parts of their electronic health records for primary care, meaning that even for direct treatment, data availability may be gated by patient preferences.


Intellectual Property and Prohibited Uses

To protect commercial innovation, the EHDS includes safeguards for data holders. Under Article 52, data access bodies must ensure that intellectual property, commercial confidentiality, and trade secrets are protected before granting access to data. If a dataset generated by your device contains proprietary sensor calibration algorithms or trade-secret device designs, that data can be redacted or restricted.

Silence on the part of the manufacturer concerning IP classifications can result in data exposure, so classifying data streams prior to HDAB transmission is highly recommended.

Furthermore, secondary data access is strictly prohibited for certain harmful or non-clinical purposes, including:

  • Developing advertising or marketing campaigns.
  • Taking decisions detrimental to a person (such as increasing insurance premiums or denying coverage).
  • Developing illicit, dangerous, or harmful products.

Summary of Action Items for Device Manufacturers

To prepare for the EHDS, medical device and IVD manufacturers should execute the following plan:

  1. Conduct a Scope Audit: Review your product portfolio. Identify which devices generate, transmit, or process data that falls within the Article 14(1) priority categories and connect to EHRs.
  2. Review Software Architecture: Ensure your R&D teams are planning for modular software architectures that can easily integrate the Article 27 European Interoperability and Logging components once the Article 36 Common Specifications are published in 2027.
  3. Update Technical Files: Align your MDR/IVDR technical documentation templates to include specific sections mapping compliance with the EHDS Annex II essential requirements.
  4. Coordinate with Notified Bodies: Discuss the EHDS transition timeline during your standard MDR/IVDR surveillance audits to align on how the transition will be audited.
  5. Establish HDAB Protocols: Set up internal processes to handle requests for secondary data access from national Health Data Access Bodies, ensuring your IP and trade secrets are clearly categorized and protected.

Recommended Reading
GDPR Compliance for Medical Device and IVD Companies in 2026
EU MDR / IVDR Regulatory2026-04-23 · 15 min read

Frequently Asked Questions

Do already CE-marked medical devices need an additional CE mark under EHDS?

No. Already CE-marked medical devices and IVDs do not need a separate, additional CE mark to declare compliance with the EHDS. The EHDS requirements (such as the Article 27 interoperability and logging software components) are integrated directly into the device's existing MDR or IVDR conformity assessment and declaration of conformity.

What are the priority categories of electronic health data and which deadlines apply to each?

The primary categories of data subject to the EHDS requirements are:

  • Patient Summaries and ePrescriptions/eDispensations: The Article 27 requirements apply starting 26 March 2029.
  • Medical Images, Laboratory Results, and Hospital Discharge Reports: The Article 27 requirements apply starting 26 March 2031.

How does the EHDS secondary-use opt-out affect device-generated data?

Under Article 71, patients have a reversible right to opt out of having their electronic health data used for secondary research, clinical trials, or product development. If a patient opts out, any data generated by a medical device or IVD used in their care cannot be shared via national Health Data Access Bodies (HDABs) for research purposes. Manufacturers utilizing HDAB datasets must account for this opt-out in their data analysis and bias assessments.

Does the EHDS apply to non-EU manufacturers?

Yes. If your medical device or IVD is placed on the EU market and processes priority categories of electronic health data that interface with EU EHR systems, you must comply with the Article 27 requirements, regardless of where your corporate headquarters or manufacturing sites are located.

How does EHDS handle international transfers of health data?

Any transfer of electronic health data from the EU to a third country (such as the US) must comply with both the EHDS and the GDPR (Chapter V). The EHDS introduces additional safeguards for non-personal electronic health data, requiring third-country recipients to guarantee equivalent levels of protection for intellectual property and trade secrets, and prohibiting transfers that would violate EU security interests.


References

  1. Regulation (EU) 2025/327 of the European Parliament and of the Council of 11 February 2025 on the European Health Data Space. EUR-Lex.
  2. European Commission (DG SANTE). European Health Data Space Regulation (EHDS) official portal and FAQ. EC Health Portal.
  3. Johner Institute. European Health Data Space EHDS: An overview for medical device and IVD manufacturers. published 11 April 2025. Johner Institute Blog.
  4. Sidley Austin LLP. European Health Data Space Regulation Adopted: What's Next for Life Sciences Companies?. published March 2025. Sidley Insights.
  5. Taylor Wessing. EHDS implementation: preparing for health data access and reuse. published April 2025. Taylor Wessing Life Sciences.