---
title: The European Health Data Space (EHDS): What It Means for MedTech
description: European Health Data Space EHDS MedTech impact: primary and secondary data use, manufacturer obligations, and how MDR PMS and PMCF connect to the EHDS.
authors: Tibor Zechmeister, Felix Lenhard
category: Funding, Business Models & Reimbursement
primary_keyword: European Health Data Space EHDS MedTech
canonical_url: https://zechmeister-solutions.com/en/blog/european-health-data-space-ehds
source: zechmeister-solutions.com
license: All rights reserved. Content may be cited with attribution and a link to the canonical URL.
---

# The European Health Data Space (EHDS): What It Means for MedTech

*By Tibor Zechmeister (EU MDR Expert, Notified Body Lead Auditor) and Felix Lenhard.*

> **The European Health Data Space is a new piece of EU legislation that sits alongside the MDR, not inside it. It creates rules for primary use of electronic health data (patients and healthcare delivery) and secondary use (research, innovation, policymaking). For medical device manufacturers, the EHDS reshapes how real-world evidence flows into PMS, PMCF, and clinical evaluation, and it introduces obligations on data quality, interoperability, and access that most startups have not yet priced into their regulatory plan.**

## TL;DR
- The EHDS Regulation is a separate EU instrument from the MDR. It governs how electronic health data moves, not how devices are certified.
- Primary use covers patient care, continuity of treatment, and cross-border healthcare. Secondary use covers research, innovation, public health, and policymaking.
- Medical device manufacturers are both contributors to and consumers of EHDS data. Real-world data flowing out of the EHDS can feed PMS under MDR Articles 83 to 86 and PMCF under Annex XIV Part B.
- The EHDS introduces data quality, interoperability, and data access obligations that overlap with, but do not replace, MDR, GDPR, and cybersecurity requirements.
- EHDS article numbers and entry-into-force dates are flagged for verification. The regulation has been moving through the EU legislative process and specific provisions apply on staggered timelines.
- For startups, the practical question is not whether to comply with EHDS but how to design the data architecture now so that EHDS becomes a source of evidence rather than a compliance cost.

## Why this matters for MedTech founders

Most founders Felix coaches are surprised to learn that the European Health Data Space is even on their roadmap. They have heard of it, vaguely, as a Brussels data policy initiative. They do not see the connection to their device. Tibor sees the same pattern from the notified body side. Manufacturers arrive at surveillance audits and do not have a considered position on how EHDS will affect their data collection, their real-world evidence strategy, or their cybersecurity posture.

The connection is direct. Every connected or software-based medical device generates data that is, by definition, electronic health data. The EHDS governs that data. A manufacturer that ignores it today is building a data architecture that will need reworking once specific EHDS provisions take effect. A manufacturer that plans for it today has a structural advantage: the same data pipe that feeds the device's own post-market surveillance can plug into the European data space and feed the device's own post-market clinical follow-up.

This post explains, at a level appropriate for startup founders, what the EHDS is, what primary and secondary use mean in practice, where the EHDS touches the MDR, and what startups should do now regardless of the fine print. Where specific EHDS article numbers, timelines, and entry-into-force dates remain in flux, claims are flagged `[MDR VERIFY]`.

## What the EHDS actually is

The European Health Data Space is a regulation that establishes a common framework for the use and exchange of electronic health data across the EU. It was proposed by the European Commission in 2022 and has been working its way through the legislative process.

It distinguishes two categories of use.

Primary use is the use of electronic health data for the delivery of healthcare: a patient's data being available to a doctor treating that patient, with continuity across providers and across borders. The EHDS builds on the existing eHealth Digital Service Infrastructure and the MyHealth@EU network to make health records, ePrescriptions, laboratory results, and images portable across member states.

Secondary use is the use of electronic health data for purposes beyond direct patient care: research, innovation, public health, health system planning, regulatory activities, and policymaking. Under the EHDS, secondary use is mediated through national Health Data Access Bodies that receive access requests, apply the rules, and grant controlled access to pseudonymised or anonymised data.

Crucially for MedTech: data from medical devices is explicitly in scope as one of the categories of electronic health data covered.

## Primary use: what changes for device manufacturers

For the manufacturer of a connected device, primary use of EHDS-covered data mostly matters on the interoperability side. If a device generates data that sits in an electronic health record, the EHDS expects that data to be in a common format so it is usable across providers and across borders. The European electronic health record exchange format is the reference, and national implementations are aligning to it.

Practically, this means two things for a startup building a new device. First, early decisions about data models and export formats should assume the device will need to emit EHDS-compatible records. Retrofitting interoperability onto a device designed without it is expensive. Second, cybersecurity and data protection, already mandatory under MDR Annex I §17.2 and §17.4 and under GDPR, get a second layer of expectation through the EHDS. The overlap is close but not identical.

Tibor's observation from the cybersecurity side is that the lifecycle matters. A device whose data export format was correct at CE marking in 2024 may not be correct in 2027 once EHDS implementing acts and interoperability specifications harden. This is the same problem as SBOM and CVE lifecycle: cybersecurity and data interoperability are continuous, not one-time.

## Secondary use: real-world evidence as infrastructure

The secondary use side of the EHDS is the one most likely to change how manufacturers think about real-world evidence.

Today, if a manufacturer wants real-world data on device performance in routine clinical use, they assemble it themselves: hospital partnerships, registry access, their own device telemetry, PMCF studies. Every data source is a bilateral negotiation.

Under the EHDS secondary use framework, certain categories of electronic health data become accessible through a standardised access request process via national Health Data Access Bodies. Manufacturers will be one category of data user among several, alongside academic researchers, public authorities, and other innovators. Access is controlled, permitted purposes are defined, and pseudonymisation or anonymisation is typically required.

For MDR post-market surveillance and post-market clinical follow-up, this is a meaningful shift. Article 83 requires manufacturers to plan, establish, and maintain a PMS system. Article 84 and Annex III specify the PMS plan content. Article 86 requires PSURs for higher-risk devices. Annex XIV Part B requires a PMCF plan. All of these benefit from access to structured real-world data that is comparable across countries and across time. The EHDS makes that kind of access, in principle, a more predictable route than ad hoc hospital partnerships.

The catch is that the EHDS secondary use process is not a free data buffet. It is a governed, permission-based access with defined purposes, defined protections, and defined obligations on data users. Manufacturers will need to articulate a purpose, submit an access request, justify the public interest case for their research or innovation, and comply with the conditions the Health Data Access Body imposes.

## Where the EHDS meets the MDR

The MDR and the EHDS are separate regulations. The MDR governs whether a device can be placed on the market. The EHDS governs how the data flows before and after that point. But they touch at several points.

Classification and intended purpose under MDR Article 2(1) remain unchanged by the EHDS. A device is a device. The EHDS does not add new classification rules and does not change Annex VIII Rule 11.

Post-market surveillance under MDR Articles 83 to 86 and Annex III is where the EHDS starts to bite. Manufacturers planning their PMS data sources today should at least consider how EHDS secondary use access could become a structured, comparable, cross-border source of PMS data in future. For higher-risk devices, where PSURs are due at defined intervals, this matters more.

Post-market clinical follow-up under MDR Annex XIV Part B is the clearest near-term overlap. A PMCF plan that relies on registry data, hospital cohorts, or multi-centre real-world studies can, in principle, be built on top of EHDS secondary use access once the relevant national bodies are operational.

Cybersecurity and data protection under MDR Annex I §17.2 and §17.4, GDPR, and the EHDS overlap but do not duplicate. MDR and MDCG 2019-16 Rev.1 set the device-level cybersecurity expectations. GDPR sets the personal data baseline. The EHDS adds interoperability format expectations and access governance on top. For a connected SaMD, all three apply.

## A worked example

A team has a Class IIa continuous glucose monitoring app. The device is CE marked. Post-market data comes from the device's own telemetry, from a hospital partnership in one member state, and from a voluntary user diary. The PMCF plan is thin because real-world data is expensive to collect and the team has no registry access.

Under the emerging EHDS, the secondary use route offers a structured option. The team submits an access request to the relevant national Health Data Access Body asking for access to diabetes management data from cooperating member states, with a defined research purpose tied to the device's PMCF obligations. Approval is not automatic, and pseudonymisation conditions apply, but the route exists and is reproducible.

The effect on the PMCF plan is structural. Instead of one hospital partnership and a voluntary diary, the plan draws on a broader, more representative, cross-border dataset that is comparable over time. The MDR Article 86 PSUR benefits. The underlying CER benefits. And the team's competitive position benefits, because their real-world evidence is harder to replicate than another team's single-site cohort.

## The Subtract to Ship playbook

Do four things now, before the fine detail is settled.

First, design your device data model assuming EHDS interoperability. Use the European electronic health record exchange format as the reference. It is cheaper to get this right at version 1 than to retrofit later.

Second, treat your PMS plan as an evidence architecture, not a compliance artefact. Document the current data sources, the gaps, and the path by which EHDS secondary use could fill those gaps once access is operational. MDR Articles 83 to 86 and Annex III are the anchor, and MDCG 2025-10 is the current authoritative interpretation for PMS.

Third, integrate EHDS interoperability into your cybersecurity and data protection posture now. GDPR, MDR Annex I §17.2 and §17.4, MDCG 2019-16 Rev.1, and EN IEC 81001-5-1:2022 are the existing baseline. EHDS sits on top and does not replace them.

Fourth, appoint one person on the team as the EHDS monitor. Their job is to track the regulation's progress, the implementing acts, the national Health Data Access Body operationalisation, and any member state transpositions. The landscape is moving and a quarterly review cadence is the minimum viable discipline.

## Reality Check

1. Do you have a current, accurate map of every data category your device generates, and do you know which are in EHDS scope?
2. Has your product team designed the device's data export formats against the European electronic health record exchange format, or against an ad hoc vendor format that will need rework?
3. Does your PMS plan under MDR Article 84 and Annex III name real-world data sources, and do you have a route to those sources that does not depend on a single hospital partnership?
4. Is your PMCF plan under Annex XIV Part B designed to absorb EHDS secondary use data once access becomes operational?
5. Do you know where the EHDS overlaps with, and does not replace, your MDR cybersecurity and GDPR obligations?
6. Who on your team is responsible for monitoring EHDS implementation, and what is their review cadence?
7. Have you modelled the business-case upside of EHDS secondary use access as a PMCF cost reducer, not just as a compliance cost?

## Frequently Asked Questions

**Is the EHDS part of the MDR?**
No. The EHDS is a separate EU regulation. It governs how electronic health data is used and shared. The MDR continues to govern whether a device can be placed on the market and what evidence is needed.

**Do I need to comply with the EHDS before CE marking my device?**
EHDS obligations apply on their own timeline, which is staggered and not fully in force yet. CE marking under MDR is unaffected. A sensible plan designs for EHDS now so the device is ready when specific provisions apply.

**What is the difference between primary and secondary use?**
Primary use is data used for direct patient care, including cross-border continuity. Secondary use is data used for research, innovation, public health, and policymaking, accessed via national Health Data Access Bodies.

**Can I use EHDS secondary use data for my PMCF?**
In principle, yes, once the secondary use access framework is operational in the relevant member states. The use would be subject to the defined access procedure, permitted purposes, and conditions on data users.

**Does the EHDS replace GDPR for health data?**
No. GDPR continues to apply. The EHDS adds interoperability and access obligations on top and is intended to work alongside GDPR, not to replace it.

**Is the EHDS relevant to Class I devices?**
Yes, if the device generates electronic health data. The EHDS obligations attach to the data, not to the device risk class. A Class I device whose software exports clinical data falls in scope.

## Related reading
- [What is post-market surveillance under MDR](/blog/what-is-post-market-surveillance-mdr) for the MDR PMS backbone that EHDS data can feed.
- [PMCF for software and AI ML devices](/blog/pmcf-software-ai-ml-devices) for the post-market clinical follow-up layer that EHDS secondary use can support.
- [Cybersecurity for medical devices and MDCG 2019-16](/blog/cybersecurity-medical-devices-mdcg-2019-16) for the device-level security baseline the EHDS sits on top of.
- [MDR classification Rule 11 for software](/blog/mdr-classification-rule-11-software) for the classification gate that comes before any data strategy.
- [GDPR and medical devices under MDR](/blog/gdpr-medical-devices-mdr) for the personal data baseline that the EHDS extends.

## Sources
1. Regulation (EU) 2017/745 on medical devices, consolidated text. Articles 83 to 86, Annex III, Annex XIV Part B, Annex I §17.2 and §17.4.
2. MDCG 2019-16 Rev.1 (December 2019, Rev.1 July 2020). Cybersecurity for medical devices.
3. MDCG 2025-10 (December 2025). Post-market surveillance.
4. European Commission proposal for a Regulation on the European Health Data Space, COM(2022) 197 final, and subsequent legislative developments.

---

*This post is part of the [Funding, Business Models & Reimbursement](https://zechmeister-solutions.com/en/blog/category/funding-reimbursement) cluster in the [Subtract to Ship: MDR Blog](https://zechmeister-solutions.com/en/blog). For EU MDR certification consulting, see [zechmeister-solutions.com](https://zechmeister-solutions.com).*
