Data Act & EHDS: What clinics, MedTech and software manufacturers need to know

The EU Data Act applies from 12 September 2025 and requires standardized, fair access to device data for users and third parties.

By Dr. Benedikt Vogel

The EU Data Act will apply from September 12, 2025. For MedTech manufacturers, clinics and digital health platforms, this means that users, and where applicable third parties, must be given easier, standardized access to data from their connected products and connected services. For the first time, the Data Act creates a binding Europe-wide right to machine-readable data from such products and services. Before a contract is concluded, manufacturers must provide information on which data types, formats and interfaces are available. Interoperability requirements and "accessibility by design" will also become mandatory.

In addition, the European Health Data Space (EHDS) Regulation will apply from 2027. Companies should therefore design their processes now so that they meet the requirements of the Data Act and the EHDS Regulation.

All devices and services that generate data during use must be technically capable of providing this data to the user directly or subsequently. This applies to raw data such as measured values, log files or metadata. The Data Act places clear pressure on manufacturers, service providers and data owners to act: depending on the constellation, they must create interfaces, document processes and/or fulfill transparency obligations. The Data Act also obliges companies to provide fair and non-discriminatory access to data.

At the same time, there is a link to the EHDS Regulation: from 2027, additional obligations will apply to health data (with a staggered start of application), particularly in the case of secondary use for research or AI applications. Anyone who sets up Data Act-compliant processes now can easily add the EHDS requirements to them later.

The Data Act is of central importance for MedTech companies and digital health providers because it creates direct and binding obligations. Patients, doctors, and researchers expect direct access to data, be it from wearables, connected implants, or connected clinical platforms. Hospitals, health insurance companies, or app providers can act as data owners within the meaning of the EHDS Regulation, while MedTech manufacturers or platform operators can act as data providers under the Data Act.

Depending on the constellation, some players can also take on both roles. Those who recognize the connections can design processes in such a way that they meet the requirements of the Data Act and the EHDS Regulation at the same time. This saves technical and financial effort, prevents compliance gaps, and facilitates the use of data for care and research in the long term.

The rights and obligations of the Data Act are clearly outlined. The user has a right to machine-readable data and to its disclosure to third parties. Manufacturers and service providers must comply with transparency obligations. B2B contracts between data owners and third parties must contain fair, non-discriminatory conditions. From September 2026, new products must ensure, through "accessibility by design", that data access is technically possible without any problems. The link to the EHDS Regulation is evident in the fact that from 2027, health data must also be provided for a specific purpose and, if necessary, anonymized or pseudonymized. Only if both sets of requirements are considered when systems and processes are designed can companies avoid having to retrofit later.

This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.