Sep 232025

Navigating the European Health Data Space Regulation: What Life Sciences Companies Need to Know About Secondary Use Implementation (Now) – A Tracking Tool (September 2025)

Josefine Sommer, Francesca Blythe and Belinda Baum
, , , , , ,

The European Health Data Space Regulation took effect on March 26, 2025. While its key requirements regarding the secondary use of health data will not apply until March 2029, these provisions are set to bring about substantial changes for life sciences companies operating within the EU. This blog marks the beginning of a dedicated series of blogs exploring the implementation of the EHDS Regulation, with a particular focus on secondary use obligations. Our aim is to keep life sciences organizations informed about the latest EHDS Regulation developments, by offering an overview of relevant publications, consultations, and guidance on emerging best practices.

This blog sets out:

What Is the EHDS Regulation?

The EHDS Regulation builds on existing EU legislation, including the General Data Protection Regulation, the Data Governance Act, and the Data Act. It introduces sector-specific rules intended to ensure that electronic health data (EHD) is processed with the highest standards of privacy, security, and ethical oversight and that it is used for innovation and public benefits in a responsible manner.

The EHDS Regulation establishes the first sector-specific data space, representing a significant milestone in the governance, use, and sharing of EHD across all the Member States. It has the potential to significantly change how EHD is used in the EU for research, innovation, and policymaking.

For life sciences companies, the EHDS Regulation presents challenges (such as protection of IP, managing opt-outs, etc.) but also opportunities (such as access to high-quality volumes of data). These risks and opportunities can be managed and harnessed if they planned and manage well. This first in a series of updates aim to help life sciences organizations stay informed about the latest EHDS Regulation developments, by offering an overview of relevant publications, consultations, and guidance on emerging best practices.

What Are the Secondary Use Rules?

A key goal of the EHDS Regulation is to enable the sharing of EHD for “secondary use” purposes. (See further details in a Sidley update here, European Health Data Space Regulation Adopted: What’s Next for Life Sciences Companies? March 2025). The EHDS Regulation introduces a framework for the sharing of EHD for certain predetermined secondary use purposes, including health-related scientific research, training and testing of algorithms and AI systems in medical devices, and policymaking in the healthcare sector. Individuals may opt-out of certain secondary uses of their EHD at any time and without providing any reason. Data holders, including life sciences companies, may be required to share EHD with third parties (i.e., data users) for in-scope secondary use purposes.

Commercially sensitive and confidential information is not subject to the secondary use data sharing provisions of the EHDS Regulation. So-called Health Data Access Bodies (HDABs) are assigned the crucial role of assessing what data should be redacted from data sets that are subject to access requests, essentially acting as gatekeepers protecting intellectual property (IP) rights and trade secrets. The development of a robust HDAB framework will therefore be crucial for the life sciences sector’s ability to protect data that contains IP, in particular considering the EHDS Regulation does not foresee any adjudicating authority to rule on disagreements between HDABs and data holders.

The EHDS Regulation’s secondary use provisions will in most part apply from March 2029, with the remainder (e.g., those relating to clinical trial data and human genetic data) only applying beginning in March 2031. These rules will have a significant impact on life sciences companies, whether they own, hold, or control EHD or become data users by accessing EHD. Companies must consider how the EHDS Regulation will impact their own data or data they may wish to access.

What Are the Key Application Dates?

The implementation of the EHDS Regulation will unfold over the next decade, with several critical milestones:

  • By March 2027: The Commission will adopt implementing acts, setting out detailed operational rules.
  • By March 2029: Key provisions enabling secondary use of most health data categories (e.g., data from electronic health records) will take effect. In parallel, the mandatory exchange of the first group of priority health data categories (e.g., Patient Summaries and ePrescriptions) for primary use will commence.
  • By March 2031: The scope of secondary use health data categories will expand further to include genomic data. The exchange of the second group of priority health data categories (e.g., medical images, lab results, and hospital discharge reports) for primary use will become operational.
  • By March 2034: HealthData@EU, the platform for secondary use, will open to third countries and international organizations.

Implementation Status

A key player in the implementation of the EHDS Regulation is a collaborative project known as Towards the European Health Data Space (TEHDAS), which is funded by the EU and designed to support the development and implementation of the EHDS Regulation. Its primary goal is to bring together the Member States, stakeholders, and leading experts to create practical solutions, comprehensive guidelines, and best practices for the cross-border use of health data within the EU. The joint action is currently in its second phase, called TEHDAS2.

The implementation of the EHDS Regulation is already underway. Below is an overview of the current status (September 2025):

a. Issued guidance

b.  Concluded public consultation

  • January 2025: Conclusion of public consultation on the first four TEHDAS2 guidelines and technical specifications for cross-border health data use. These guidelines and specifications included:
    • A guideline for data holders on data description;
    • A guideline for data users on good application practices for data access and requests;
    • A guideline for data users on how to use data in a secure processing environment; and
    • Technical specifications for the national metadata catalogue.

The public consultation ended with over 350 responses. Responses are being reviewed by TEHDAS2 and final versions of the guidelines are expected to be published in Q4 2025.

c. Open public consultations

d. Upcoming public consultations

  • September 2025: Expected launch of consultations on processes to manage permits or data pseudonymization:
    • Ten documents, including draft guidelines for data holders on making personal and non-personal electronic health data available for reuse and for HDABs on implementing opt-out from the secondary use of health data and on minimum categories and limitations on the reuse of health data.
  • May 2026: Expected launch of consultations on collaboration with third countries, data enrichment, and informing citizens:
    • Six documents, including a draft guideline for HDABs on collaboration with other parties and on international and third-country access and transfer of electronic health data.

What Can Life Sciences Companies Do?

The EHDS Regulation presents challenges for life sciences companies as data users. However, the Regulation also presents plenty of opportunities, in particular if companies plan ahead and manage those challenges well. For example, data users may access datasets to drive cross-border clinical trials (because medical records and genomic data will become accessible across EU Member States), enhance AI development for medical devices (because more high-quality data will be available), or advance personalized medicine (because data may help identify patterns, correlations, and trends that are crucial for developing personalized therapies). Life sciences companies, whether data holders or data users, will also need to consider compliance challenges, such as how to manage opt-outs.

As the EHDS Regulation moves from concept to reality, life sciences companies should take a structured approach to ensure readiness for the phased implementation of the secondary use provisions. The following steps aim to help companies start preparing for the transition.

Establish a multi-functional group: Form a cross-functional team that includes, for example, legal, compliance, IT, data governance, and business stakeholders. This group may be responsible for overseeing the EHDS Regulation implementation, monitoring relevant publications and consultations, and ensuring that the organization remains up to date with emerging guidance and technical specifications.
Perform a data scope assessment: Conduct a mapping exercise to identify all EHD within the company that may fall within the scope of the EHDS Regulation. This may include clinical trial data, health records, reimbursement data, registry data, and any third-party data used for research or product development.
Classify actors: Assess which entities within the company may be classified as data holders or (may wish to be) data users. Current Commission FAQs indicate that only entities established in the EU and acting as controllers of EHD (to the extent the EHD is personal data) will be considered data holders, while data users may be established inside or outside the EU.
Keep a record: Keep a record of unanswered questions. Numerous questions will come up as companies consider how to implement the EHDS Regulation. For example, the territorial scope of the EHDS Regulation and the scope of the specific data sets that will be subject to the secondary use obligations are currently opaque (albeit there is some guidance in the Commission FAQs) and further guidance is necessary to build strong internal policies. Companies will also need to consider, for example, how the ‘opt-out’ right for secondary use should be addressed in Informed Consent Forms, and how to handle requests for access to sensitive or confidential data. Companies should keep track of questions that cannot be definitively answered now but which, with time, will be clarified by guidance, implementing acts, or industry best practices.
Establish procedures: Develop and document internal procedures for managing EHD, responding to data access requests, and tracking opt-out requests from individuals. This may include, for example, setting up systems to ensure timely responses to requests (within the required three-month period) and organizing data in formats that will facilitate sharing and interoperability in line with EHDS Regulation requirements.
Protect ‘sensitive’ data: Identify commercially sensitive or confidential EHD, such as trade secrets or data protected by IP rights, and implement appropriate measures to ensure its protection.
Create checklists, library clauses, etc.: Prepare practical tools such as checklists for compliance, template contract clauses for third-party agreements, and standard language for Informed Consent Forms. Review and update existing agreements with vendors and partners to ensure they align with the EHDS Regulation’s technical and legal requirements, particularly regarding data sharing and notification obligations.
Refine all of the above as guidance gradually becomes available: Guidelines and technical standards will become available in a slow and steady stream. Ensure processes are in place to regularly review and refine internal policies, procedures, and documentation to maintain alignment with the latest regulatory developments.
Consider how to leverage the EHDS Regulation’s opportunities: Explore how to access EHD held by others for commercial or strategic benefits, i.e., as a data user. The Regulation presents plenty of opportunities – in particular if they are planned ahead and managed well. For example, data users may access datasets to drive cross-border clinical trials (because medical records and genomic data will become accessible across EU Member States), enhance AI development for medical devices (because more high-quality data will be available), or advance personalized medicine (because data may help identify patterns, correlations, and trends that are crucial for developing personalized therapies).

Sidley’s Global Life Sciences team continues to closely monitor the EHDS Regulation and address these issues as further guidance and best practices emerge. We are available to assist companies in anticipating and managing EHDS-related challenges, including secondary use obligations, data sharing requirements, and related compliance issues. For further information, see previous Sidley alerts on the EHDS Regulation here and here.

This post is as of the posting date stated above. Sidley Austin LLP assumes no duty to update this post or post about any subsequent developments having a bearing on this post.

Josefine Sommer

Brussels

josefine.sommer@sidley.com

Francesca Blythe

London

fblythe@sidley.com

Belinda Baum

Brussels

belinda.baum@sidley.com

You might also like
EU Pharma Package: Sharp New Tools With Limited Protections

Last week, concluding a seven-year process, the Council of the European Union and the European Parliament agreed on the EU Pharma Package consisting of a new Pharmaceutical Directive and Pharmaceutical Regulation. The Package introduces pivotal changes to the EU pharmaceutical legislation, most significantly the introduction of new launch and supply obligations with only limited safeguards and a reduction and modulation of regulatory data protection and market protection, requiring companies to re-think their pipeline strategies. The provisional agreement now needs to be endorsed by both the Council and the Parliament before being formally adopted and entering into force upon publication in the Official Journal of the European Union. The final text is expected to become available in the coming weeks.

What the U.S.–UK Drug Pricing Agreement Reveals About How MFN Drug Policy Could Impact the UK and EU

As reported here, on December 1, 2025, the Office of the United States Trade Representative and the UK Government announced an agreement in principle regarding the pricing of pharmaceutical products. The headlines include (i) an agreement on 0% tariffs on UK pharmaceutical exports to the U.S. and assurance that UK pharmaceutical pricing practices will not be targeted under Section 301 of the Trade Act of 1974; and (ii) a cumulative 25% increase in the UK’s investment in innovative drugs delivered through increases in the UK’s thresholds for valuing cost-effectiveness of new drugs, and reduced clawback payments on sales of innovative drugs. But what is the deeper context of this agreement and what does it tell us about the wider potential impact of U.S. MFN policies in Europe? In this Update, Sidley’s transatlantic drug pricing team provides their views and look ahead to the potential impacts for manufacturers in the UK and EU.

SEC Remains Focused on Public Disclosures Made By Life Sciences Companies

On September 5, 2025, the U.S. Securities and Exchange Commission (SEC) announced a US$1.25 million settlement with biopharmaceutical company, FibroGen, Inc. (FibroGen), finding that FibroGen made false and misleading statements regarding the results of cardiovascular safety analyses of FibroGen’s anemia drug candidate, Roxadustat.