European Health Data Space (EHDS): The Complete Compliance Guide
The European Health Data Space (EHDS) is the most significant change to European healthcare data regulation in a generation. Regulation (EU) 2025/327 transforms how every hospital, clinic, pharmacy, laboratory, and health software vendor in the EU handles patient data. The regulation entered into force on 25 March 2025 and starts applying on 26 March 2027 (Article 105). The first mandatory deadline for primary-use interoperability obligations — Patient Summary, ePrescription, and eDispensation — is 26 March 2029.
This guide is written for executives, compliance officers, and technology leaders who need to understand EHDS beyond the regulatory summaries. It covers what the regulation actually requires, the phased timeline in Article 105, who must comply, and — critically — the practical obstacles facing private healthcare providers in Spain and across Europe.
What is the European Health Data Space?
The European Health Data Space is a regulation that creates a common framework for the use and exchange of electronic health data across the European Union. It was formally adopted as Regulation (EU) 2025/327 and entered into force in March 2025, with substantive obligations phased in over the following six years.
EHDS establishes two distinct data flows:
Primary use — enabling patients to access their health data across borders and giving healthcare providers interoperable access to patient records. When you seek care in another EU country, your Patient Summary and ePrescription must be accessible to the treating clinician in a standardized European format.
Secondary use — allowing researchers, policy-makers, regulators, and industry to access pseudonymised health data for legitimate purposes (research, innovation, public health, regulatory assessment) through national Health Data Access Bodies.
EHDS is not a GDPR replacement. GDPR remains the foundational data protection law; EHDS sits on top of it, creating specific rights and obligations for the health sector that GDPR does not address.
Who must comply with EHDS?
EHDS obligations fall on a broader set of actors than many initially assume:
Healthcare providers — all hospitals, clinics, pharmacies, and laboratories that create, receive, or process electronic health data. This includes private providers, not just public health services. In Spain, this means every private clinic, mutua, hospital group, and diagnostic lab.
Electronic Health Record (EHR) system vendors — manufacturers of EHR systems must ensure their products meet EHDS interoperability and security requirements. EHR systems placed on the EU market after the transition period must carry a compliance declaration.
Wellness application providers — wellness apps that integrate with EHR systems face a voluntary labelling scheme, but interoperability claims become legally meaningful.
Health data holders for secondary use — any entity holding significant volumes of health data (providers, public health bodies, research institutions, medical device manufacturers handling clinical data) must be prepared to respond to secondary-use data requests through the national Health Data Access Body.
Medical device and IVD manufacturers — manufacturers whose devices generate or process electronic health data have specific obligations around making that data available for both primary and secondary use.
For Spanish private healthcare specifically, this means that the ~100,000 private clinics, ~450 private hospitals, every mutua, and every private laboratory chain are in scope. No size exemption exists: a three-physician dental clinic has the same baseline obligations for Patient Summary and ePrescription generation as a major hospital group.
The EHDS compliance timeline
Article 105 of Regulation (EU) 2025/327 sets a phased schedule. These are the legally binding dates:
25 March 2025 — Regulation entered into force (20 days after publication in the Official Journal on 5 March 2025).
26 March 2027 — General application of the Regulation. Most provisions start applying on this date: national digital health authority designations, national contact points for digital health, health data access bodies, MyHealth@EU joining obligations, and the Commission's own deadline to publish implementing acts with technical specifications for the European EHR exchange format.
26 March 2029 — Priority Category 1 obligations become mandatory. Articles 3–15 and the EHR-system obligations apply to Patient Summaries, ePrescriptions, and eDispensations, and to EHR systems intended to process those categories. Chapter IV (secondary use) also starts applying on this date. This is the first hard compliance deadline for the patient-facing obligations most healthcare providers associate with EHDS.
26 March 2031 — Priority Category 2 obligations become mandatory. The same Articles 3–15 obligations extend to medical imaging studies and reports, laboratory results, and discharge reports, and to EHR systems intended to process those categories. Chapter III (EHR systems in service) also starts applying.
26 March 2035 — Final transitional provisions complete.
The practical implication: March 2029 is the operational deadline that matters for most healthcare providers. Every provider in the EU must have working Patient Summary generation, ePrescription generation, eDispensation recording, and MyHealth@EU connectivity by then. For the Spanish private sector, where the overwhelming majority of clinic management systems have no FHIR capability and no REST API today, this is not a trivial lift. Migrations take 6-18 months; vendor decisions must be locked in by 2027 to hit 2029 on an orderly budget.
Primary use vs secondary use: the two EHDS flows
Primary use covers data used in the course of providing healthcare to an individual patient. A clinician in Berlin accessing the Patient Summary of a Spanish patient presenting in emergency care is a primary-use scenario. Every healthcare provider must:
- Generate Patient Summaries, ePrescriptions, and eDispensations in the European electronic health record exchange format (European EHR-XF)
- Make these available through the national contact point connected to MyHealth@EU
- Provide patients with electronic access to their own records, including the ability to add information and restrict access
- Record and honour patient consent and restriction preferences
Secondary use covers data used for purposes beyond the immediate care of the patient: research, policy-making, regulatory assessment, public health surveillance, innovation, and personalised medicine development. For secondary use:
- Data holders must register with the national Health Data Access Body
- Requests from researchers, public bodies, and industry are processed through the Access Body
- Data is provided in pseudonymised or anonymised form, typically within a secure processing environment
- Data holders are compensated for the costs of making data available
These two flows have different legal bases, different technical infrastructure, and different operational workflows. Most EHDS compliance programmes focus on primary use first because it is more directly customer-facing and the March 2029 deadline is closer than the Priority Category 2 date of March 2031.
Priority Category 1 and Category 2 data
Priority Category 1 (March 2029 deadline):
- Patient Summary — a structured clinical overview covering allergies, current problems, medications, medical history, vaccinations, and relevant social history. The European format is based on HL7 FHIR International Patient Summary profiles.
- ePrescription — electronic prescription with standardised medication identification, dosage, and prescriber details. Must be machine-readable and cross-border dispensable.
- eDispensation — the record of medication actually dispensed, enabling cross-border follow-up and medication reconciliation.
Priority Category 2 (March 2031 deadline):
- Medical images and image reports — DICOM-based imaging data with standardised reports. This is a major technical lift for organisations using proprietary imaging formats.
- Laboratory results — structured lab results with LOINC coding and standardised reference ranges.
- Hospital discharge letters — structured summaries of hospital admissions, procedures, and discharge instructions.
For private clinics, Category 1 is the immediate concern. Category 2 matters for hospital groups, labs, and specialty practices with significant imaging or laboratory output.
Why EHDS compliance is hard for Spanish private healthcare
Spain presents a compliance landscape that is uniquely challenging compared to other major EU markets:
Fragmented vendor market — Spanish private clinics use over 50 different clinical management systems. Most are small vendors with limited engineering capacity. Only one major Spanish HIS (Klinikare) has a publicly documented REST API, and essentially zero have production FHIR capability.
Dual-track regulation — beyond EHDS, Spain is implementing its own Ley de Salud Digital (Digital Health Law), which adds national-level requirements on top of EU obligations. Compliance programmes must address both.
Autonomous community variation — healthcare in Spain is administered at the autonomous-community level, meaning the 17 regional health services each have their own digital infrastructure, data exchange agreements, and interpretation of EHDS obligations.
Private sector density — Spain has ~100,000 private clinics and ~450 private hospitals, the majority of which operate with management software focused on scheduling and billing rather than clinical interoperability. The gap between current capability and March 2029 requirements is substantial, and the March 2027 implementing acts will not give vendors enough runway if migration decisions are deferred.
Autonomous community certification requirements — for providers connecting to regional systems, each autonomous community may require specific certification or integration testing beyond the EU-level EHDS requirements.
The practical consequence: EHDS compliance in Spain requires both a technology layer (FHIR transformation, MyHealth@EU connectivity, consent management) and a regulatory navigation layer (national + EU + autonomous community). Off-the-shelf solutions from non-Spanish vendors typically miss the regional and national regulatory layer entirely.
How to prepare: a six-step framework
Step 1: Conduct a readiness audit. Before committing budget, establish a baseline. Which of the Priority Category 1 data types can you currently generate? Can your HIS export in any standardised format? Do you have documented patient consent workflows? A structured audit takes 2-4 hours with the right questionnaire and produces a gap analysis that justifies the investment case internally.
Step 2: Inventory your data holdings and vendors. For each HIS, LIMS, RIS, PACS, and ancillary system: vendor name, version, data formats supported, API availability, vendor roadmap for EHDS support, and support contract status.
Step 3: Define your integration strategy. Three broad options: (a) wait for your HIS vendor to add native EHDS support — risky and unpredictable for the Spanish HIS market; (b) build an integration layer in-house — requires FHIR expertise and 6-12 months of engineering; (c) deploy a compliance layer that sits in front of your existing systems and generates the required EHDS data types without HIS replacement.
Step 4: Implement consent and patient access workflows. EHDS gives patients specific rights that many organisations do not currently support: electronic access to their own records, the right to add annotations, the right to restrict access by specific providers or for specific data types. Operational workflows must be updated, not just technical systems.
Step 5: Connect to the national contact point. In Spain, primary-use data exchange flows through the Ministry of Health's national contact point, which connects to MyHealth@EU. Technical integration and regulatory approval have lead time — begin the conversation at least 9 months before your go-live target.
Step 6: Documentation and governance. EHDS compliance requires documented policies, records of processing activities (expanded from GDPR Article 30 requirements), data protection impact assessments for secondary-use scenarios, and contractual updates with every data processor. Treat documentation as a parallel track to technical work, not a final step.
Frequently asked questions
When does EHDS come into effect?
Regulation (EU) 2025/327 entered into force on 25 March 2025 and starts applying on 26 March 2027 per Article 105. Obligations for Priority Category 1 data (Patient Summary, ePrescription, eDispensation) and the EHR systems that process them become mandatory on 26 March 2029, together with Chapter IV (secondary use). Priority Category 2 obligations (medical imaging, labs, discharge reports) and Chapter III (EHR systems in service) become mandatory on 26 March 2031. Final transitional provisions complete on 26 March 2035.
Does EHDS apply to private healthcare providers?
Yes. EHDS applies to all healthcare providers in the EU that create, receive, or process electronic health data, regardless of whether they are public or private, large or small. A three-physician private clinic has the same baseline obligations for Patient Summary and ePrescription generation as a major hospital group.
Is EHDS the same as GDPR?
No. GDPR is the foundational data protection law covering all personal data. EHDS is a sector-specific regulation that sits on top of GDPR and creates specific obligations for health data: mandatory interoperability formats, cross-border data exchange infrastructure, secondary-use frameworks, and patient-facing rights that GDPR does not address.
What is MyHealth@EU?
MyHealth@EU is the cross-border eHealth infrastructure that connects national contact points across EU member states. When a patient from one EU country seeks care in another, their Patient Summary and ePrescription flow through MyHealth@EU. EHDS makes connection to the national contact point mandatory for all healthcare providers from March 2029.
What is a Patient Summary under EHDS?
A Patient Summary is a structured clinical overview covering active problems, medications, allergies, relevant medical history, vaccinations, and social history. The EHDS format is based on HL7 FHIR International Patient Summary profiles and must be generated in a standardised machine-readable form that other EU healthcare systems can consume.
What happens if we are not compliant by March 2029?
National authorities (in Spain, AEPD and the Ministry of Health) have enforcement powers including administrative fines. More practically, non-compliance will be operationally visible: patients will be unable to access their data electronically, cross-border care flows will fail, and health data access requests for secondary use will be unmet — creating both regulatory and reputational exposure. Mutuas and insurers are also expected to add EHDS compliance clauses to provider contracts from 2027-2028, meaning exclusion from provider panels becomes a commercial consequence well before the regulatory one.
Can we rely on our HIS vendor to handle EHDS compliance?
Most Spanish private HIS vendors do not have production FHIR capability or documented EHDS roadmaps. Relying on vendor-delivered compliance requires either (a) verified vendor commitments with specific delivery dates tied to contractual SLAs, or (b) a compliance layer that works independently of the HIS. For most organisations, option (b) is the lower-risk path given the timeline.
How long does EHDS compliance implementation take?
From decision to go-live, expect 6-18 months depending on organisational complexity. The audit and planning phase is 4-8 weeks. Technical implementation is 3-6 months for a compliance-layer approach or 9-15 months for HIS replacement. Workflow and governance changes run in parallel. For March 2029 compliance, starting audit and vendor evaluation in 2026 leaves comfortable runway; waiting until after the March 2027 implementing acts are published compresses the timeline and typically pushes organisations into the more expensive HIS replacement path.
What is the cost of EHDS compliance?
Cost varies with organisational complexity. For a single private clinic, a compliance-layer approach typically runs €5-15K one-time plus annual subscription. For mid-size hospital groups (the IDIS member profile), full programmes run €50-200K in total cost, including technology, integration, documentation, and certification. Big Four consultancies price similar scope at €300-800K; specialised compliance vendors price at a fraction of that.
Does EHDS apply outside Spain?
Yes. EHDS is an EU regulation applying to all 27 member states. Spain is implementing EHDS alongside its own Ley de Salud Digital, which adds national requirements. Other member states have their own national-level implementation layers. If your organisation operates in multiple EU countries, each country's national requirements apply on top of EHDS.
Start your EHDS readiness audit
The fastest way to move from abstract compliance concern to concrete plan is to establish your current baseline. SaludComply's EHDS Readiness Audit is a free 15-minute assessment that produces a structured compliance score, per-category gap analysis, and a prioritised action plan specific to your organisation. The assessment is built on the actual requirements of Regulation 2025/327 and accounts for Spanish-market specifics including Ley de Salud Digital and autonomous community certification requirements.