EHDS Article 44. Handling of risks posed by EHR systems and of serious incidents

  • 1.
    Where a market surveillance authority of one Member State has reason to believe that an EHR system poses a risk to the health, safety or rights of natural persons or to the protection of personal data, that market surveillance authority shall carry out an evaluation in relation to the EHR system concerned covering all relevant requirements laid down in this Regulation. The manufacturer, the manufacturer’s authorised representative and all other relevant economic operators shall cooperate as necessary with the market surveillance authority for that purpose and take all appropriate measures to ensure that the EHR system concerned no longer poses that risk when placed on the market or to recall or withdraw the EHR system from the market within a reasonable period.
  • 2.
    Where the market surveillance authorities of a Member State consider that the non-compliance of the EHR system is not limited to their national territory, they shall inform the Commission and the other Member States’ market surveillance authorities of the results of the evaluation referred to in paragraph 1 of this Article and of the corrective action which they have required the economic operator to take pursuant to Article 16(2) of Regulation (EU) 2019/1020.
  • 3.
    Where a market surveillance authority finds that an EHR system has caused harm to the health or safety of natural persons or to certain aspects of public interest protection, the manufacturer shall immediately provide information and documentation, as applicable, to the affected natural person or user and, where applicable, other third parties affected by that harm, without prejudice to data protection rules.
  • 4.
    The economic operator concerned referred to in paragraph 1 shall ensure that corrective action is taken in respect of all the EHR systems concerned that it has placed on the market throughout the Union.
  • 5.
    The market surveillance authority shall without undue delay inform the Commission and the market surveillance authorities, or, if applicable, the supervisory authorities under Regulation (EU) 2016/679, of other Member States of the corrective action referred to in paragraph 2. That information shall include all available details, in particular the data necessary for the identification of the EHR system concerned, the origin and the supply chain of the EHR system, the nature of the risk involved and the nature and duration of the national measures taken.
  • 6.
    Where a finding of a market surveillance authority, or a serious incident it is informed of, concerns personal data protection, that market surveillance authority shall without undue delay inform the relevant supervisory authorities under Regulation (EU) 2016/679 and cooperate with them.
  • 7.
    Manufacturers of EHR systems placed on the market or put into service shall report any serious incident involving an EHR system to the market surveillance authorities of the Member States where such serious incident occurred and of the Member States where such EHR systems are placed on the market or put into service. That reporting shall also include a description of the corrective action taken or envisaged by the manufacturer. Member States may provide for users of EHR systems placed on the market or put into service to be able to report such incidents. The reporting required pursuant to the first subparagraph of this paragraph shall be carried out, without prejudice to incident notification requirements under Directive (EU) 2022/2555, immediately after the manufacturer has established a causal link between the EHR system and the serious incident or the reasonable likelihood of such a link and, in any event, not later than three days after the manufacturer becomes aware of the serious incident involving the EHR system.
  • 8.
    The market surveillance authorities referred to in paragraph 7 shall inform the other market surveillance authorities, without delay, of the serious incident and the corrective action taken or envisaged by the manufacturer or required of it to minimise the risk of recurrence of the serious incident.
  • 9.
    Where its tasks are not performed by the digital health authority, the market surveillance authority shall cooperate with the digital health authority. The market surveillance authority shall inform the digital health authority of any serious incidents, of EHR systems presenting a risk, including risks related to interoperability, security and patient safety, of any corrective action and of any recall or withdrawal of such EHR systems.
  • 10.
    In the event of incidents putting at risk patient safety or information security, the market surveillance authorities may take immediate action and require the manufacturer of the EHR system concerned, its authorised representative and other economic operators, if applicable, to take immediate corrective action.

© 2025 StreamLex
