Logo
StreamLex Home
Logo
StreamLex Home
Laws
Laws
Recitals
Recitals
Contact
About UsNewsRecitalsTrackersNewsletterTerms of UsePrivacy NoticeLinkedIn
EHDS
  • Data & Privacy

    • Data Act
    • Data Governance Act
    • EHDS
    • ePrivacy Directive
    • GDPR
  • AI & Trust

    • Artificial Intelligence Act
    • Product Liability Directive
  • Cybersecurity

    • Cyber Resilience Act
    • Cybersecurity Act
    • DORA
    • NIS2
  • Digital Services & Media

    • Digital Markets Act
    • Digital Services Act
    • European Media Freedom Act
EHDS

Annex II. Essential requirements for the harmonised software components of EHR systems and for products for which interoperability with EHR systems has been claimed

  • The essential requirements laid down in this Annex shall apply mutatis mutandis to medical devices, in vitro diagnostic medical devices, AI systems and wellness applications claiming interoperability with EHR systems.

    • 1.

      General requirements

      • (1.1)

        The harmonised software components of an EHR system shall achieve the performance intended by its manufacturer and shall be designed and manufactured in such a way that, during normal conditions of use, they are suitable for their intended purpose and their use does not put at risk patient safety.

      • (1.2)

        The harmonised software components of the EHR system shall be designed and developed in such a way that the EHR system can be supplied and installed, taking into account the instructions and information provided by the manufacturer, without adversely affecting its characteristics and performance during its intended use.

      • (1.3)

        An EHR system shall be designed and developed in such a way that its interoperability, safety and security features uphold the rights of natural persons, in line with the intended purpose of the EHR system, as set out in Chapter II.

      • (1.4)

        The harmonised software components of an EHR system that is intended to be operated together with other products, including medical devices, shall be designed and manufactured in such a way that interoperability and compatibility are reliable and secure, and personal electronic health data can be shared between the device and the EHR system in relation to those harmonised software components of an EHR system.

    • 2.

      Requirements for interoperability

      • (2.1)

        Where an EHR system is designed to store or intermediate personal electronic health data, it shall provide an interface enabling access to the personal electronic health data processed by it in the European electronic health record exchange format, by means of the European interoperability software component for EHR systems.

      • (2.2)

        Where an EHR system is designed to store or intermediate personal electronic health data, it shall be able to receive personal electronic health data in the European electronic health record exchange format, by means of the European interoperability software component for EHR systems.

      • (2.3)

        Where an EHR system is designed to provide access to personal electronic health data, it shall be able to receive personal electronic health data in the European electronic health record exchange format, by means of the European interoperability software component for EHR systems.

      • (2.4)

        An EHR system that includes a functionality for entering structured personal electronic health data shall enable the entry of data with sufficient granularity to enable the provision of the entered personal electronic health data in the European electronic health record exchange format.

      • (2.5)

        The harmonised software components of an EHR system shall not include features that prohibit, restrict or place an undue burden on authorised access, personal electronic health data sharing or use of personal electronic health data for permitted purposes.

      • (2.6)

        The harmonised software components of an EHR system shall not include features that prohibit, restrict or place an undue burden on authorised exporting of personal electronic health data for the reasons of replacing the EHR system by another product.

    • 3.

      Requirements for security and logging

      • (3.1)

        An EHR system designed to be used by health professionals shall provide reliable mechanisms for the identification and authentication of health professionals.

      • (3.2)

        The European logging software component of an EHR system designed to enable access by healthcare providers or other individuals to personal electronic health data shall provide sufficient logging mechanisms that record at least the following information on every access event or group of events:

        • (a)

          identification of the healthcare provider or other individuals having accessed the personal electronic health data;
        • (b)

          identification of the specific natural person or persons having accessed the personal electronic health data;
        • (c)

          the categories of data accessed;
        • (d)

          the time and date of access;
        • (e)

          the origin or origins of data.
      • (3.3)

        The harmonised software components of an EHR system shall include tools or mechanisms to review and analyse the log data, or it shall support the connection and use of external software for the same purposes.

      • (3.4)

        The harmonised software components of an EHR system that store personal electronic health data shall support different retention periods and access rights that take into account the origins and categories of electronic health data.

    © 2025 StreamLex

    NewsletterAbout UsTerms of UsePrivacy NoticeManage cookies

    © 2025 StreamLex