(Utkast) Kommisjonens gjennomføringsforordning (EU) .../... om en interoperabel, identifikasjons- og autentiseringsmekanisme for fysiske personer, helsepersonell og helsepersonell med formål om utveksling av personlige elektroniske helseopplysninger over landegrensene
Det europeiske helsedataområdet: identitetsforvaltning over landegrensene
Utkast til kommisjonsforordning godkjent av komite (representanter for medlemslandene) og publisert i EUs komitologiregister 6.7.2026
Tidligere
- Utkast til forordning lagt fram av Kommisjonen 9.4.2026 med tilbakemeldingsfrist 7.5.2026
Bakgrunn
(fra kommisjonsforordningen)
(1) Regulation (EU) 2025/327 seeks to improve the cross-border exchange of personal electronic health data to ensure continuity of healthcare. A growing number of natural persons living in one Member State of the Union receive healthcare in another Member State and their electronic health records are increasingly dispersed among the healthcare systems of different Member States, which use different identifiers to identify natural persons and their records. Similarly, the means for identifying health professionals and healthcare providers differ among Member States. To facilitate the exchange of personal electronic health data in a cross-border context through the MyHealth@EU platform referred to in Article 23(1) of Regulation (EU) 2025/327, it is necessary to identify the actors involved in the exchange and match the identities of natural persons to their electronic health records. It is therefore necessary to determine the requirements for an interoperable, cross-border identification and authentication mechanism for natural persons and health professionals and healthcare providers.
(2) An efficient and non-intrusive way to locate personal electronic health data is using the identification data assigned to natural persons in the national health system of their Member State of affiliation. Since the identification data used in the various Member States differ, it is appropriate to require Member States to determine the identification data that are to be used to identify natural persons for the purposes of the cross-border exchange of personal electronic health data and to notify them to the Commission in view of their publication. The requirements for cross-border identification and authentication mechanism are to comply with Regulation (EU) No 910/2014 of the European Parliament and of the Council. Furthermore, in accordance with Article 5f(1) and (2) of Regulation (EU) No 910/2014, systems provided by public sector bodies and online services provided by private relying parties that require electronic identification or authentication for access to online services are to accept European Digital Identity Wallets as referred to in Article 5a of Regulation (EU) 910/2014, where natural persons choose to use them. In order to facilitate the cross-border exchange of personal electronic health data, natural persons should be able to request from their Member State of affiliation the issuance of their identification data for cross-border healthcare in the form of an electronic attestation of healthcare attributes to be stored in their European Digital Identity Wallet. Furthermore, natural persons should be able to share their healthcare attributes with health professionals and healthcare providers established in another Member State to enable the health professional or healthcare provider to locate the personal electronic health data at their source.
(3) Where a natural person, acting either as an authorised representative or as a legal representative, seeks to access the personal electronic health data of another natural person through MyHealth@EU, the health professional or healthcare provider should verify that first person’s identity. For the verification of the validity of that first person's mandate to act in that capacity, the health professional or healthcare provider can rely on the information provided by the relevant Member State of affiliation, as it is that Member State that has the source of information on representation mandates
(4) Before initiating or requesting the cross-border exchange of personal electronic health data of a natural person through MyHealth@EU, health professionals and healthcare providers should be identified and authenticated, and the natural person concerned should be identified. Such identification and authentication are necessary to ensure the secure processing of personal electronic health data, to prevent unauthorised access, and to enable the provision of information on data accesses as required by Article 9 of Regulation (EU) 2025/327.Where electronic identification means are used for those purposes, they should provide at least the assurance level ‘substantial’ referred to in Article 8(2), point (b), of Regulation (EU) No 910/2014. The European Digital Identity Wallet provides the assurance level ‘high’ referred to in Article 8(2), point (c), of that Regulation. From 26 March 2030 onwards, all electronic identification means used for the identification of natural persons whose personal electronic health data are exchanged through MyHealth@EU should provide the assurance level ‘high’. From 26 March 2032 onwards, all electronic identification means used for the identification and authentication of health professionals for the purposes of such exchanges should provide the assurance level ‘high’. This phased approach serves to allow sufficient time for the full rollout of electronic identification means in the Member States.
(5) Where Member States use an electronic identification means that has not been notified to the Commission pursuant to Regulation (EU) No 910/2014, the assurance level ‘high’ of that means should be confirmed by a conformity assessment body referred to in Article 2, point (13), of Regulation (EC) No 765/2008 or an equivalent body. This requirement should apply irrespective of whether the cross-border exchange concerns the transmission of data to, or the reception of data from, another Member State.
(6) The national contact point for digital health that requests the cross-border exchange of personal electronic health data of a natural person should communicate the identification data of the health professional or healthcare provider to the national contact point for digital health of the Member State to which the request is sent.
(7) The processing of personal data pursuant to this Regulation is subject to Regulations (EU)2016/6793 and (EU)2018/17254 of the European Parliament and of the Council, as applicable. Issuing healthcare attributes is a task in the public interest assigned to the competent authorities to be designated by the Member States.
(8) The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 of the European Parliament and of the Council and delivered an opinion on 5 May 2026.
(9) The measures provided for in this Regulation are in accordance with the opinion of the committee established by Article 98(1) of Regulation (EU) 2025/327.