EHDS
  • Data & Privacy

    • Data Act
    • Data Governance Act
    • EHDS
    • ePrivacy Directive
    • GDPR
  • AI & Trust

    • Artificial Intelligence Act
    • Product Liability Directive
  • Cybersecurity

    • Cyber Resilience Act
    • Cybersecurity Act
    • DORA
    • NIS2
  • Digital Services & Media

    • Digital Markets Act
    • Digital Services Act
    • European Media Freedom Act

EHDS Article 73. Secure processing environment

  • 1.
    Health data access bodies shall provide access to electronic health data pursuant to a data permit only through a secure processing environment which is subject to technical and organisational measures and security and interoperability requirements. In particular, the secure processing environment shall comply with the following security measures:
    • (a)
      the restriction of access to the secure processing environment to authorised natural persons listed in the data permit issued pursuant to Article 68;
    • (b)
      the minimisation of the risk of the unauthorised reading, copying, modification or removal of electronic health data hosted in the secure processing environment through state-of-the-art technical and organisational measures;
    • (c)
      the limitation of the input of electronic health data and the inspection, modification or deletion of electronic health data hosted in the secure processing environment to a limited number of authorised identifiable individuals;
    • (d)
      ensuring that health data users have access only to the electronic health data covered by their data permit, by means of individual and unique user identities and confidential access modes only;
    • (e)
      the keeping of identifiable logs of access to and activities in the secure processing environment for the period necessary to verify and audit all processing operations in that environment; logs of access shall be kept for at least one year;
    • (f)
      ensuring compliance and monitoring the security measures referred to in this paragraph to mitigate potential security threats.
  • 2.
    Health data access bodies shall ensure that electronic health data from health data holders in the format specified in the data permit can be uploaded by those health data holders and can be accessed by the health data user in a secure processing environment. Health data access bodies shall review the electronic health data included in a download request to ensure that health data users are only able to download non-personal electronic health data, including electronic health data in an anonymised statistical format, from the secure processing environment.
  • 3.
    Health data access bodies shall ensure that audits of the secure processing environments are carried out on a regular basis, including by third parties, and shall take corrective action for any shortcomings, risks or vulnerabilities identified by those audits in the secure processing environments.
  • 4.
    Where recognised data altruism organisations under Chapter IV of Regulation (EU) 2022/868 process personal electronic health data using a secure processing environment, those environments shall also comply with the security measures set out in paragraph 1, points (a) to (f), of this Article.
  • 5.
    By 26 March 2027, the Commission shall, by means of implementing acts, lay down the technical, organisational, information security, confidentiality, data protection and interoperability requirements for the secure processing environments, including with regard to the technical characteristics and tools available to the health data user within the secure processing environments. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 98(2).

Relevant Recitals for this Article