By Eirini Schiza, Member of the Xt-EHR Joint Action Scientific Team, Medical School, University of Cyprus, and Christos N. Schizas, Coordinator of the Xt-EHR Joint Action, National eHealth Authority.
The European Commission has promoted the establishment of the European Health Data Space (EHDS), one of the key building blocks for the development of a strong European Health Union. The EHDS will strengthen the EU by enabling significant progress in the way healthcare is delivered to its citizens across Europe. It will give citizens meaningful control over their data, both in their own country and in other EU member states. At the same time, it promotes the single market for digital health services and products and provides a coherent, reliable and effective framework for the use of health data in research, innovation, policymaking and regulatory activities, ensuring full compliance with the EU’s high data protection standards.
Rationale, necessity, implementation and prospects
With the contribution of all EU member states and in order to fully exploit the potential of health data, the European Commission prepared and set in motion the relevant regulation for the creation of the European Health Data Space. This is a framework for the exchange of data exclusively for health purposes, which defines clear rules, common standards, practices and the necessary infrastructure. At the same time, it constitutes a governance framework for the use of health data, both for the benefit of patients and for purposes of research, innovation, policymaking, patient safety, statistical analysis and regulatory compliance.
Based on the regulation, all member states are called upon to adopt a common approach to the management of health data and electronic health records. Cyprus has adopted this philosophy since 2015 and is today the first European country to proceed with legislative regulation for eHealth, with a dedicated law that comprehensively regulates the management and use of health data with the citizen at the centre. The same philosophy is now followed by the European Commission with the adoption of the regulation for the European Health Data Space.
The National eHealth Authority, which was established in 2019 under the eHealth Law (Law 59(I)/2019), has undertaken a particularly important role in implementing the law. It has fulfilled its obligations as the National Contact Point for eHealth (Article 17), as provided for in Directive 2011/24/EU on the application of patients’ rights in cross-border healthcare. As a result of this course, Cyprus became the 16th EU member state capable of offering cross-border services and the 8th to provide all cross-border services as a member of the MyHealth@EU network.
The regulation concerns healthcare providers, patients and, more broadly, citizens in matters of health and personal data, the legal aspects of its implementation and the applicable national legal framework, the business sector, particularly software development companies and manufacturers of medical devices, both wearable and non-wearable, as well as research and academic institutions, biobanks and other related organisations.
It is evident that the implementation of the provisions of the regulation will bring significant economic and social changes in Europe. Each member state, regardless of its size, must actively participate in shaping policies that may affect it in the future. It is also important that each member state formulates and submits its position in a timely manner and that the often-expressed perception that “Europe will do it and we, as a small country, will follow” comes to an end.
Cyprus, particularly after the establishment of the National eHealth Authority, has demonstrated through its initiatives that it is capable of assuming responsible roles at the European level in matters of eHealth and governance. This was demonstrated in practice through the coordination, at European level, of the flagship Xt-EHR Joint Action, Extended EHR@EU Data Space for Primary Use. This project, with a duration of 30 months, is completed this month (April 2026) and its results will be presented at a special meeting of representatives of the EU member states participating in the project, as well as Norway. The meeting will take place in Cyprus, with the participation of officials of the European Commission. In summary, this project has laid the foundations on which the implementation of the EHDS Regulation by all EU member states and Norway will be based, as regards the primary use of health data. A dedicated article on this project will follow.
Key provisions of the EHDS Regulation
The successful implementation of the regulation will help the EU achieve significant progress in the way healthcare is provided across Europe, as it:
Enhances individuals’ ability to control their health data.
Strengthens the use of health data to improve healthcare provision, prevention, research, innovation and health policymaking.
Enables the secure exchange and reuse of health data.
The European Health Data Space is an ecosystem specifically designed for the health sector, consisting of rules, common standards and practices, infrastructure without geographical limitations and a common governance framework. It aims:
to empower individuals through increased digital access and control over their electronic personal health data, at national and European level, while supporting their free movement. At the same time, it promotes a genuine single market for electronic health record systems, related medical products and high-risk artificial intelligence systems (primary use of health data);
to provide a coherent, reliable and effective framework for the use of health data in research, innovation, policymaking and regulatory activities (secondary use of health data).
Citizens in control of their health data
Thanks to the European Health Data Space ecosystem, individuals will have immediate and easy access to their health data in electronic form, free of charge. They will be able to share it easily with healthcare professionals, both within their own country and across member states, with the aim of improving healthcare provision. Citizens will have full control over their data and will be able to add information, update existing records, restrict access by third parties and receive information about how and for what purpose their data are used.
Member states will ensure that patient summaries, electronic prescriptions, medical imaging and related reports, laboratory results and discharge reports follow a common European format when issued and accepted.
Interoperability and security will be mandatory requirements. Manufacturers of electronic health record systems will have to certify their compliance with the relevant standards.
In order to safeguard citizens’ rights, all member states are required to designate National Digital Health Authorities, as Cyprus has already done by appointing the National eHealth Authority under the eHealth Law. These authorities will participate in the cross-border digital infrastructure MyHealth@EU through National Contact Points, supporting both healthcare providers and patients to enable data exchange at cross-border level.
Improving the use of health data for research and policymaking
As already noted, the European Health Data Space establishes a strong legal framework for research, innovation, public health, policymaking and regulatory purposes. Under strict conditions, researchers, innovation bodies, public organisations and industry will have access to large volumes of high-quality health data. These data are vital for the development of life-saving treatments, vaccines and medical products, as well as for ensuring better access to healthcare and more resilient health systems.
To gain access to these data, which will be fully anonymised and irreversible, researchers, companies and organisations will need authorisation from the relevant health data access body, which will be established in all member states under the provisions of the EHDS Regulation. Access will only be granted when the requested data are used for specific purposes, in closed and secure environments and without revealing the identity of individuals. The use of data for decisions harmful to citizens, such as the design of harmful products or services or the increase of insurance premiums, will be strictly prohibited.
Health data access bodies will be connected to the new decentralised EU infrastructure for secondary use, HealthData@EU, which will be created to support cross-border projects. This role has already been undertaken by the National eHealth Authority as the competent authority and has been implemented since 2023, with funding secured from the European Commission following a competitive process. Further details will be provided in a separate article.