Data & Privacy
- Data Act
- Data Governance Act
- EHDS
- ePrivacy Directive
- GDPR
AI & Trust
- Artificial Intelligence Act
- Product Liability Directive
Cybersecurity
- Cyber Resilience Act
- Cybersecurity Act
- DORA
- NIS2
Digital Services & Media
- Digital Markets Act
- Digital Services Act
- European Media Freedom Act
European Health Data Space Regulation
- Recitals
CHAPTER I
GENERAL PROVISIONSArticles 1 — 2
CHAPTER II
PRIMARY USEArticles 3 — 24
CHAPTER III
EHR SYSTEMS AND WELLNESS APPLICATIONSArticles 25 — 49
CHAPTER IV
SECONDARY USEArticles 50 — 81
CHAPTER V
ADDITIONAL ACTIONSArticles 82 — 91
CHAPTER VI
EUROPEAN GOVERNANCE AND COORDINATIONArticles 92 — 96
CHAPTER VII
DELEGATION OF POWERS AND COMMITTEE PROCEDUREArticles 97 — 98
CHAPTER VIII
MISCELLANEOUSArticles 99 — 104
CHAPTER IX
DEFERRED APPLICATION, TRANSITIONAL AND FINAL PROVISIONSArticles 105 — 105
ANNEXES
EHDS Article 104. Amendment to Regulation (EU) 2024/2847
- Regulation (EU) 2024/2847 is amended as follows:
- (1)in Article 13, paragraph 4 is replaced by the following: ‘4. When placing a product with digital elements on the market, the manufacturer shall include the cybersecurity risk assessment referred to in paragraph 3 of this Article in the technical documentation required pursuant to Article 31 and Annex VII. For products with digital elements as referred to in Article 12 and Article 32(5a), which are also subject to other Union legal acts, the cybersecurity risk assessment may be part of the risk assessment required by those Union legal acts. Where certain essential cybersecurity requirements are not applicable to the product with digital elements, the manufacturer shall include a clear justification to that effect in that technical documentation.’
- (2)in Article 31, paragraph 3 is replaced by the following: ‘3. For products with digital elements as referred to in Article 12 and Article 32(5a), which are also subject to other Union legal acts which provide for technical documentation, a single set of technical documentation shall be drawn up containing the information referred to in Annex VII and the information required by those Union legal acts.’
- (3)in Article 32, the following paragraph is inserted: ‘5a. Manufacturers of products with digital elements that are classified as EHR systems under Regulation (EU) 2025/327 of the European Parliament and of the Council shall demonstrate conformity with the essential requirements set out in Annex I to this Regulation using the relevant conformity assessment procedure provided for in Chapter III of Regulation (EU) 2025/327.
Relevant Recitals for this Article
This Regulation complements the essential cybersecurity requirements laid down in Regulation (EU) 2024/2847. EHR systems which are products with digital elements within the meaning of Regulation (EU) 2024/2847 should therefore also comply with the essential cybersecurity requirements set out in that Regulation. The manufacturers of those EHR systems should demonstrate conformity as required by this Regulation. To facilitate that conformity, manufacturers should be allowed to draw up a single set of technical documents containing the elements required by both legal acts. It should be possible to demonstrate conformity of EHR systems with essential cybersecurity requirements laid down in Regulation (EU) 2024/2847 through the assessment framework under this Regulation. However, the parts of the conformity assessment procedure under this Regulation which relate to the use of testing environments should not be applied, since those testing environments do not allow for an assessment of conformity with the essential cybersecurity requirements. As Regulation (EU) 2024/2847 does not cover Software as a Service (SaaS) directly as such, EHR systems offered through the SaaS licensing and delivery model do not fall within the scope of that Regulation. Similarly, EHR systems that are developed and used in-house do not fall within the scope of that Regulation, as they are not placed on the market.