Regulus
Install See the diff
EU

EHDS

Regulation (EU) 2025/327 — European Health Data Space

EU horizontal regulation on primary and secondary use of electronic health data. Agent workflows on EHR data are constrained by purpose tagging and cross-border residency.

Who does it apply to?

  • EU healthcare providers, electronic health record (EHR) vendors, and clinical software vendors operating in EU member states.
  • AI agents accessing EU electronic health data for clinical decision support, administrative automation, or research.
  • Cross-border research consortia using EU EHR data — EHDS introduces a structured authorisation regime for secondary use.
  • Data altruism organisations registered to receive EHR data for research purposes.

Two-minute explainer

The European Health Data Space (EHDS, Regulation (EU) 2025/327) entered into force on 26 March 2025. Phased application runs through to 2031, with the primary-use provisions binding earliest and the secondary-use cross-border infrastructure following.

EHDS is the first EU horizontal regulation specifically targeting electronic health data. It introduces two distinct regimes:

Primary use — using EHR data for the clinical care of the individual it refers to. The patient’s GP accessing their records. A consultant reading a discharge summary. An AI agent providing decision support during a consultation. EHDS strengthens the individual’s rights here — access, rectification, portability — and introduces a structured EU-wide infrastructure (MyHealth@EU) for cross-border primary use.

Secondary use — using EHR data for research, statistics, policy making, regulatory activities, personalised medicine development. EHDS introduces Health Data Access Bodies (HDABs) in each member state. Researchers apply to the relevant HDAB for a data permit specifying the purpose, scope, and duration of access. The HDAB authorises (or denies) and the data is provided in a controlled environment (typically a secure-processing-environment, SPE).

For AI agents, the practical distinctions:

  • A clinical-decision-support agent in primary care: primary use; flows under clinical-purpose claim; standard medical-confidentiality obligations apply.
  • A research-platform agent analysing cohort data: secondary use; requires an HDAB permit; data is typically pseudonymised; processing happens in an SPE.
  • An administrative agent for billing or care coordination: primary use for the patient at hand; secondary use if aggregated.

Data altruism is the third major piece. EHDS provides for individuals to opt in to making their data available for altruism purposes — research, public-health work — through registered data altruism organisations. The opt-in is patient-specific and must be captured per event when relevant.

The Regulus ehds profile encodes the use-category classification, the HDAB permit enforcement, the cross-border residency, and the data altruism opt-in surface. It composes with gdpr (EHDS sits on top of GDPR’s general personal-data regime), with eu-ai-act (clinical AI is typically Annex III high-risk), and — for NHS-EU hybrid research operations — with nhs-dspt.

What EHDS doesn’t reduce to runtime: the EHR interoperability work (FHIR profile alignment, code-system mapping), the member-state HDAB infrastructure (which national authority hosts the HDAB, how permits are reviewed), and the clinical-safety case for AI in healthcare (which is MDR / IVDR territory). Regulus delivers the runtime evidence the wider EHDS compliance story references.

What it actually requires of an engineer

  1. Primary vs secondary use distinction is operational. Primary use (clinical care, individual benefit) flows differently from secondary use (research, statistics, policy). Tag every event with the use category.
  2. Cross-border health-data flows are highly restricted. EHDS introduces structured cross-border access via Health Data Access Bodies (HDABs); ad-hoc cross-border transfers aren't compliant.
  3. Secondary use requires explicit authorisation. Each secondary-use access is tied to an HDAB-issued data permit. The Principal's claims must include the permit ID.
  4. Data altruism opt-in must be surfaced. If an individual has opted in (or out) of data altruism, that consent must reach the agent's decision point.

What Regulus does for you

Regulus control Delivers
RegulusPolicyPlugin Primary/secondary use classification + HDAB permit enforcement. Tool calls without a valid permit for secondary use are denied; primary use is allowed under the clinical purpose claim.
RegulusDataResidencyPlugin EHDS cross-border restriction — EU EHR data cannot leave the EU; intra-EU cross-border requires structured authorisation. The plugin enforces both.
RegulusPrivacyPlugin EHDS-specific PII patterns — EU health-identifier formats, EHDS-defined sensitive categories. Re-redaction on memory writes for secondary-use scenarios.
RegulusAuditPlugin Data altruism opt-in evidence — the Principal's altruism claim is captured per event; the audit chain shows which events processed altruism-consented data.
RegulusGovernanceEvidencePlugin HDAB-formatted evidence envelope — secondary-use events routed to the issuing HDAB's API endpoint with the permit ID and data-access scope referenced.

Saves you ~9 engineer-weeks

Estimate based on the following honest assumptions:

  • Primary / secondary use classification logic (2 weeks).
  • HDAB permit handling + enforcement (3 weeks).
  • Cross-border health-data residency (2 weeks).
  • Data altruism opt-in surface + audit (1 week).
  • HDAB-format evidence envelope export (1 week).
  • Assumes existing FHIR / HL7 integration handles raw EHR shape; this is the compliance layer on top.

What an auditor will ask

The questions you'll see in a real walkthrough — and where to point them.

  1. How do you distinguish primary from secondary use of EHR data?

    Every event carries a use_category field — values primary or secondary. Secondary use is denied without a valid HDAB permit; primary use requires a clinical-purpose claim.

  2. Show me your secondary-use HDAB permits in operation.

    Filter the audit chain by use_category = secondary. Each event includes the permit ID, the issuing HDAB, and the granted-scope. regulus ehds permits list shows active permits.

  3. How is data altruism handled?

    The Principal's altruism claim captures the individual's opt-in or opt-out. Events processing altruism-consented data are flagged; opt-out individuals' data flows for altruism purposes are denied.

What this doesn't cover

  • EHR interoperability standards — EHDS prescribes interoperability (FHIR-based) but Regulus operates above the raw exchange layer.
  • Clinical safety of AI outputs — Regulus is a compliance plane; clinical safety follows MDR (Medical Device Regulation) and CDSS-specific frameworks.
  • MDR/IVDR conformity assessment — out of scope; EHDS is data regulation, MDR is medical-device regulation, they're separate.

Citations

  1. Regulation (EU) 2025/327 — European Health Data Space ↗
  2. European Commission — EHDS landing page ↗

Activate this profile in your agent

regulus init my-agent --profiles=ehds
Install the CLI All 10 regulations