EHDS 2026 Council: what changes for hospitals, pharmaceuticals and technology companies

Key data

Companies managing health data in Europe have a new regulatory counterpart: the European Health Data Space Council (EHDS). Implementing Regulation 2026/771, in force since 7 April 2026, establishes the operational rules of this body and marks the beginning of a new stage in the governance of health data at European scale.

This is not a theoretical regulation. Any entity that accesses, processes or shares health data in more than one EU country—from a hospital to a digital health startup—will have to align its processes with the decisions made by this Council.

What does this regulation establish?

Regulation 2026/771 is an implementing regulation that develops the operational rules of the EHDS Council. It does not create the EHDS framework from scratch—that role is fulfilled by the previously approved EHDS Regulation—but rather defines how the body that governs it will function in practice.

The specific elements it regulates are:

• Composition of the EHDS Council: defines who is part of the body and in what capacity.
• Voting procedures: establishes how decisions are made within the Council.
• Coordination between Member States: sets the mechanisms for EU countries to work in an aligned manner on health data matters.
• Supervision of interoperability frameworks: the Council will be responsible for ensuring that health data systems are compatible between countries.
• Secondary access to health data: regulates how entities such as pharmaceuticals or researchers can access health data for purposes other than direct clinical treatment.

This regulation complements the already approved EHDS Regulation and strengthens patient rights over their data throughout the EU. It does not replace or repeal it.

Economic and operational impact

The impact is not immediate in the form of a fine or fee, but it is structural: the decisions of the EHDS Council will generate compliance obligations that will affect the operational models of health sector entities.

The main vectors of impact are:

• Technology adaptation costs: health sector technology companies will have to anticipate new interoperability requirements that the Council will define. This involves investment in data architecture, APIs and certifications.
• Review of secondary access processes: pharmaceuticals and researchers using health data for studies, trials or product development will have to adjust to the access rules that the Council oversees.
• Cross-border compliance: entities operating in several EU countries will have to ensure that their health data flows comply with the interoperability frameworks approved by the Council.
• Strengthened patient rights: the regulation strengthens patient rights over their data, which may generate new transparency and information obligations for hospitals and insurers.

Entities already working on GDPR compliance and adaptation to the main EHDS Regulation have an advantage: Regulation 2026/771 is a further step in the same direction, not a change of course.

Who does it affect?

• Hospitals and health centers: as generators and custodians of clinical data, they will have to align with the interoperability frameworks that the EHDS Council oversees.
• Health insurers: they manage large volumes of health data and will have to adapt to new access and processing rules.
• Pharmaceuticals: secondary access to health data for drug research and development will be subject to the rules defined by the Council.
• Researchers and research centers: any entity using health data for scientific research in the EU falls within the scope of supervision of the EHDS Council.
• Technology companies in the health sector: from electronic health record platforms to digital health applications, they will have to anticipate new regulatory compliance requirements arising from the Council's decisions.

Practical example

A Spanish technology company that develops an electronic health record platform and operates in Spain, Portugal and France manages patient health data in three EU countries.

With Regulation 2026/771 in force, this company will have to:

• Follow the EHDS Council's decisions on interoperability to ensure that its platform is compatible with the systems of the three countries.
• Adapt its secondary access processes if any of its clients—for example, a university hospital—wants to share anonymized data with a pharmaceutical group for a clinical trial.
• Review its patient rights policy to reflect the strengthened rights that the EHDS Regulation and this implementing regulation recognize throughout the EU.

The cost of not anticipating is not an immediate fine, but the risk of being excluded from approved interoperability frameworks, which could mean exclusion from public contracts or agreements with European health entities.

What should companies do now?

1. Identify if you manage cross-border health data: if your company operates in more than one EU country and processes health data, the scope of the EHDS Council directly affects you.
2. Review your compliance with the main EHDS Regulation: Regulation 2026/771 is an operational development of the EHDS. If you have not analyzed the base EHDS Regulation, that is the first step.
3. Map your secondary access flows to data: if you use health data for research, product development or analysis, identify what processes will fall under the supervision of the EHDS Council.
4. Evaluate your interoperability architecture: technology companies must anticipate that the Council will define interoperability standards. Reviewing your technical architecture now avoids urgent adaptation costs later.
5. Update patient rights policy: hospitals and insurers should review their information and consent documents to reflect the strengthened rights that the EHDS framework recognizes.
6. Monitor EHDS Council decisions: specific compliance obligations will be clarified in the resolutions of this body. Establishing a regulatory monitoring system is key to not being late.