(Utkast) Kommisjonens gjennomføringsforordning (EU) .../... om MyHealth@EU
Det europeiske helsedataområdet: utveksling av personopplysninger (MyHealth@EU)
Utkast til kommisjonsforordning godkjent av komite (representanter for medlemslandene) og publisert i EUs komitologiregister 6.7.2026
Tidligere
- Utkast til forordning lagt fram av Kommisjonen 9.4.2026 med tilbakemeldingsfrist 7.5.2026
Bakgrunn
(fra kommisjonsforordningen)
(1) Regulation (EU) 2025/327 seeks to improve natural persons’ access to and control over their personal electronic health data in the context of healthcare and to improve the cross-border exchange of such data to ensure continuity of healthcare. To this end, Article 23 of that Regulation tasks the Commission with establishing MyHealth@EU, a central interoperability platform for the crossborder exchange of the priority data categories set out in Article 14 of that Regulation as well as additional categories of data. The exchange of such data is supported by the European electronic health record exchange format referred to in Article 15 of Regulation (EU) 2025/327.
(2) MyHealth@EU under Regulation (EU) 2025/327 builds upon the architecture and processes developed for the eHealth Digital Service Infrastructure for CrossBorder eHealth Information Services set up under Commission Implementing Decision 2019/17652 . That infrastructure allowed Member States to exchange patient summaries, electronic prescriptions and electronic dispensations on a voluntary basis. MyHealth@EU under Regulation (EU) 2025/327 ought to build upon this experience and the architecture of the services under Commission Implementing Decision 2019/1765 and be updated to reflect technological changes and differences with the EHDS.
(3) Article 24(2) and (3) of Regulation (EU) 2025/327 foresees the possibility for authorised participants to connect to MyHealth@EU. In such cases, Article 7, except for paragraph (1), point (a), and Articles 8 to 13 of this Regulation should apply mutatis mutandis to authorised participants, to ensure consistency in significant incident reporting, compliance checks and technical requirements to remain connected to MyHealth@EU.
(4) To facilitate the exchange of personal electronic health data between national contact points for digital health, the Commission should provide a reference implementation of software for optional use by national contact points for digital health. The reference implementation should be based on the requirements catalogue and be regularly updated to reflect any changes.
(5) To ensure the semantic interoperability of services in MyHealth@EU, the Commission should provide a central terminology service that enables Member States to provide mappings and translations to and from coding systems and values of the European electronic health record exchange format referred to in Article 15(1) of Regulation (EU) 2025/327.
(6) National contact points for digital health should exchange personal electronic health data across borders using a secure communication network that should be provided by the Commission.
(7) To allow national contact points for digital health to discover and establish trusted communication between each other, they should use a central configuration service that should be provided by the Commission.
(8) To ensure interoperability, a requirements catalogue should be drawn up by the Commission in cooperation with the MyHealth@EU steering group established by Article 95(1) of Regulation (EU) 2025/327. On the basis of these requirements, technical specifications should be proposed by the Commission and approved by the steering group. The technical specifications should be in line with the European electronic health record exchange format as set out in the implementing act to be adopted pursuant to the empowerment of Article 15(3) of Regulation (EU) 2025/327.
(9) The Commission should propose an annual work plan for the operations and management of the central interoperability platform for approval by the steering group. This work plan ought to be consistent with the two-year work plan of the EHDS Board.
(10) Changes that are either not backwards compatible with the preceding version, or that are mandatory for national contact points for digital health and authorised participants to implement, are treated as major releases subject to the full change management procedure. By contrast, corrections of defects and bugs, editorial clarifications, and other changes that do not introduce new functionalities or affect the ability of existing implementations of the requirements catalogue to exchange data without modification should follow the simplified procedure applicable to minor releases. Proposals for major changes to the requirements catalogue should be thoroughly prepared before they are submitted for evaluation and approval to the steering group. To that end, it should be required that a change proposal should be submitted either by a group of members of the steering group or by the Commission, given that it is responsible for managing MyHealth@EU.
(11) To ensure high quality in the development and operation of the exchange of personal electronic health data through MyHealth@EU, the Commission, on behalf of the MyHealth@EU steering group, should manage the procedures for authorising the exchange of personal electronic health data.
(12) National contact points for digital health should demonstrate compliance with the requirements catalogue through technical tests and compliance checks. The Commission should facilitate technical tests and conduct compliance checks. Afterwards, the Commission should indicate deviations from the requirements catalogue. Findings of compliance checks and technical tests should be classified based on factors such as risk and impact. National contact points for digital health should draw up action plans to resolve any identified risks. The Commission should regularly report to the steering group on any outstanding findings and action plans related to them.
(13) A national contact point for digital health should always be compliant with the latest release of the requirements catalogue. To facilitate trust in the network and show to all other national contact points that they are compliant, compliance checks should be conducted on a regular basis. A compliance check ought to be a thorough procedure and be done on a frequency proportionate to the level of risk to protection of personal electronic health data, security and confidentiality which the exchange of personal electronic health data poses. If there are any reasons to suspect a national contact point for digital health is in breach of the requirements, the Commission should be empowered to initiate an ad-hoc compliance check.
(14) Whenever a national contact point for digital health starts the exchange of personal electronic health data, it should be based on an authorisation from the steering group. This ensures that the steering group has control over the exchange of personal electronic health data. To ensure predictability for the national contact points for digital health starting the exchange, the foundation for the steering group decision should be the outcome of a relevant compliance check and technical test.
(15) To ensure interoperability between national contact points for digital health when exchanging personal electronic health data, they should operate using the same release of the requirements catalogue. Technical solutions following those requirements should be thoroughly tested before being used for exchange of personal electronic health data. The steering group should assess the outcome of these tests and authorise a national contact point for digital health to upgrade to a new major release.
(16) Following a compliance check of a national contact point for digital health already exchanging personal electronic health data, the steering group should assess the outcome and give its authorisation for continuing the exchange.
(17) A national contact point for digital health may discover that the exchange of personal electronic health data is not functioning correctly. The Commission, in cooperation with the steering group should detail types of such incidents and identify proper responses to handle them in an operations framework.
(18) There should be a clear definition of what personal electronic health data can be processed through MyHealth@EU and it should correspond to the obligations set out in Regulation (EU) 2025/327.
(19) Article 23 of Regulation (EU) 2025/327 assigns the role of joint controllers to the national contact points for digital health and that of processor to the Commission for providing MyHealth@EU. To ensure uniform conditions in order to implement Regulation (EU) 2025/327, this Regulation should detail the roles and responsibilities of the national contact points for digital health and of the Commission on the basis of that assignment. To that end, this Regulation should set out the subject matter, duration, nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller, insofar as these are not already defined in Regulation (EU) 2025/327. It should also lay down the respective responsibilities of the joint controllers.
(20) Regulation (EU) 2025/327 establishes that the Commission shall act as processor for the processing of personal data in MyHealth@EU, on behalf of the Member States as joint controllers. In accordance with data protection rules, the processor’s obligations are to be set out in a contract or other legal act that is binding on the processor with regard to the controller. This Regulation sets out the Commission’s detailed obligations as a processor in a binding legal act. Similarly, joint controllers are to determine their respective responsibilities for compliance with their data protection obligations by means of an arrangement between them unless, and in so far as, the respective responsibilities of the joint controllers are determined by Union or Member State law to which the joint controllers are subject. This Regulation determines the respective responsibilities of the joint controllers by law.
(21) The processing of personal data pursuant to this Regulation is subject to Regulations (EU) 2016/679 and (EU) 2018/1725 of the European Parliament and of the Council, as applicable. The Commission’s personal data processing operations in its role as a processor support the data exchange between the national contact points for digital health that is a task in the public interest assigned to them by Regulation (EU) 2025/327.
(22) Rules on IT security set out in Commission Decision (EU, Euratom) 2017/46 apply to MyHealth@EU.
(23) As MyHealth@EU is an evolution of the eHealth Digital Service Infrastructure for Cross-Border eHealth Information Services set up under Commission Implementing Decision 2019/1765, it is appropriate to take lessons learned from it into account. In particular, given that the detailed technical requirements for the exchange of data are essentially equivalent, it is appropriate that where a national contact point for electronic health is already connected in production usage to the eHealth Digital Service Infrastructure for Cross-Border eHealth Information Services, and the same contact point is designated as that Member State’s national contact point for digital health, that contact point does not have to repeat the initial compliance check for the services that it has in production usage, as it has already proven its ability to connect to the central platform.
(24) Regulation (EU) 2025/327 will become applicable in a phased way. The obligations to exchange data through MyHealth@EU will become applicable on 26 March 2029 as regards the exchange of patient summaries, electronic prescriptions and electronic dispensations, and on 26 March 2031 for the exchange of medical imaging studies and related imaging reports, medical test results, including laboratory and other diagnostic results and related reports, and discharge reports. The present Regulation establishes the detailed rules on how MyHealth@EU will function; the obligation on Member States’ national contact points for digital health to exchange the priority categories of personal electronic health data through MyHealth@EU will become applicable in accordance with Article 105 of Regulation (EU) 2025/327.
(25) The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 of the European Parliament and of the Council6 and delivered its opinion on 18 May 2026.
(26) This Implementing Regulation introduces binding requirements for cross-border digital public services within the meaning of Regulation (EU) 2024/903 of the Parliament and of the Council. Accordingly, an interoperability assessment has been carried out and the resulting report will be published on the Interoperable Europe Portal when the legal act is adopted.
(27) The measures provided for in this Regulation are in accordance with the opinion of the committee established by Article 98(1) of Regulation (EU) 2025/327,