How to ensure compliance with the European Health Data Space Regulation

The European Health Data Space Regulation (EU) 2025/327 ("EHDS Regulation") entered into force on 26 March 2025. It creates a harmonized EU framework for using and reusing electronic health data, and is directly relevant for life sciences companies that collect, generate, process, or control health-related data. A key feature of the EHDS Regulation is its distinction between primary use and secondary use of electronic health data:

  • Primary use relates to the processing of electronic health data for the provision of health care.
  • Secondary use covers processing for purposes other than those for which the data was originally collected or produced, such as research, innovation, policymaking, official statistics, patient safety, and regulatory activities.

This secondary-use framework is particularly relevant for pharmaceutical, biotechnology, and medical device companies seeking to generate real-world evidence, support regulatory submissions, or advance data-driven innovation.

The EHDS Regulation adopts an expansive view of the types of electronic health data that may be made available for secondary use. This includes all data related to health or known to influence health. This covers not only traditional health care datasets, such as electronic health records, claims and reimbursement data, dispensing data, disease registries, and genomic data, but also data originally collected for research, statistics, regulatory activities, patient safety, or policymaking.

Importantly, the scope extends to automatically generated data from medical devices and person-generated data, including data from wellness and health applications. As a result, companies active in these fields may fall within scope of the EHDS Regulation.

The concept of the "health data holder" is central to the secondary-use system. It applies to a wide range of entities, including entities developing products or services intended for health care, as well as certain private-sector actors beyond traditional health care providers. An entity qualifies as a health data holder if it is established in the EU and:

  • (jointly) processes personal electronic health data as a controller for purposes such as research or innovation; or
  • controls the technical design of a product or service through which non-personal electronic health data is made available.

Subject to the EHDS Regulation's conditions, safeguards, and procedures, these health data holders may be required to make specific categories of electronic health data available for secondary use. Depending on the data category, these obligations will apply after the relevant transition periods, four or six years after entry into force of the EHDS Regulation.

Early preparation will be key to managing risk and unlocking opportunities under the EHDS Regulation. Companies in the life sciences and health care sectors should prepare now by:

  • assessing whether they qualify as health data holders;
  • identifying which datasets may fall within scope; and
  • evaluating how EHDS obligations interact with existing data governance structures, intellectual property protection strategies, and compliance frameworks.

Authors

Chantal Van Dam

Counsel Global Regulatory Amsterdam

Hélène Boland

Senior Associate Global Regulatory Brussels

Julia Mischie

Associate Global Regulatory Amsterdam
