Ringholm-Logo Ringholm
 EHDS Reference 		Ringholm page header
EHDS-Index    Training   
Home | Ringholm bv | Learn * Share * Connect | info@ringholm.com

16(2) Implementing Act

Implementing Act related to EHDS Article 16(2)

Subject of this implementing act is the definition of requirements for the interoperable, cross-border identification and authentication mechanism for natural persons and health professionals, in accordance with Regulation (EU) No 910/2014 [e-IDAS]. That mechanism shall facilitate the transferability of personal electronic health data in a cross-border context.

Summary

To summarize the identification/authentication requirements for natural persons:
  1. Each member state defines the set of identifying attributes for natural persons.
  2. To support the patient rights: (mandatory support) eIDAS (2029+), and (optional support) member state specific authentication mechanism.
  3. Other local (within member state) data exchange scenarios: up to the member state to decide.
  4. In order to support cross border scenarios: (mandatory) eIDAS ('substantial' <=2030, 'high afterwards). Mandatory support for EUDIW (2029+).

To summarize the identification/authentication requirements for healthcare professionals:

  1. Each member state defines the set of identifying attributes for healthcare professionals; at least those listed in the appendex of Implementing Act 16 [see below].
  2. Local (within member state) exchange scenarios: up to the member state to decide.
  3. In order to support cross-border and HPAS Logging scenarios: eIDAS ('substantial'<=2032, 'high' afterwards).
  4. Support for EUDIW is left to the member state to decide and mandate.

Implementing Act (draft)

Below the text of the draft (2026-04) version of the article 16(2) implementing act. Whereas:
  1. Regulation (EU) 2025/327 [EHDS] seeks to improve the cross-border exchange of personal electronic health data to ensure continuity of healthcare. A growing number of natural persons living in one Member State of the Union receive healthcare in another Member State and their electronic health records are increasingly dispersed among the healthcare systems of different Member States, which use different identifiers to identify natural persons and their records. Similarly, the means for identifying health professionals and healthcare providers differ among Member States. To facilitate the exchange of personal electronic health data in a cross-border context through the MyHealth@EU platform referred to in Article 23(1) of Regulation (EU) 2025/327 [EHDS], it is necessary to identify the actors involved in the exchange and match the identities of natural persons to their electronic health records. It is therefore necessary to determine the requirements for an interoperable, cross-border identification and authentication mechanism for natural persons and health professionals and healthcare providers.
  2. An efficient and non-intrusive way to locate personal electronic health data is using the identification data assigned to natural persons in the national health system of their Member State of affiliation. Since the identification data used in the various Member States differ, it is appropriate to require Member States to determine the identification data that are to be used to identify natural persons for the purposes of the cross-border exchange of personal electronic health data and to notify them to the Commission in view of their publication. The requirements for cross-border identification and authentication mechanism are to comply with Regulation (EU) No 910/2014 [e-IDAS] of the European Parliament and of the Council. Furthermore, in accordance with Article 5f(1) and (2) of Regulation (EU) No 910/2014 [e-IDAS], systems provided by public sector bodies and online services provided by private relying parties that require electronic identification or authentication for access to online services are to accept European Digital Identity Wallets as referred to in Article 5a of Regulation (EU) No 910/2014 [e-IDAS], where natural persons choose to use them. In order to facilitate the cross-border exchange of personal electronic health data, natural persons should be able to request from their Member State of affiliation the issuance of their identification data for cross-border healthcare in the form of an electronic attestation of healthcare attributes to be stored in their European Digital Identity Wallet. Furthermore, natural persons should be able to share their healthcare attributes with health professionals and healthcare providers established in another Member State to enable the health professional or healthcare provider to locate the personal electronic health data at their source.
  3. Before initiating or requesting the cross-border exchange of personal electronic health data of a natural person through MyHealth@EU, health professionals and healthcare providers should be identified and authenticated, and the natural person concerned should be identified. Such identification and authentication are necessary to ensure the secure processing of personal electronic health data, to prevent unauthorised access, and to enable the provision of information on data accesses as required by Article 9 [access to logging] of Regulation (EU) 2025/327 [EHDS]. Where electronic identification means are used for those purposes, they should provide at least the assurance level 'substantial' referred to in Article 8(2), point (b), of Regulation (EU) No 910/2014 [e-IDAS]. The European Digital Identity Wallet provides the assurance level 'high' referred to in Article 8(2), point (c), of that Regulation. From 26 March 2030 onwards, all electronic identification means used for the identification of natural persons whose personal electronic health data are exchanged through MyHealth@EU should provide the assurance level 'high'. From 26 March 2032 onwards, all electronic identification means used for the identification and authentication of health professionals and healthcare providers for the purposes of such exchanges should provide the assurance level 'high'. This phased approach serves to allow sufficient time for the full rollout of electronic identification means in the Member States.
  4. Where Member States use an electronic identification means that has not been notified to the Commission pursuant to Regulation (EU) No 910/2014 [e-IDAS], the assurance level 'high' of that means should be confirmed by a conformity assessment body referred to in Article 2, point (13), of Regulation (EC) No 765/2008 or an equivalent body. This requirement should apply irrespective of whether the cross-border exchange concerns the transmission of data to, or the reception of data from, another Member State.
  5. The national contact point for digital health that requests the cross-border exchange of personal electronic health data of a natural person should communicate the identification data of the health professional or healthcare provider to the national contact point for digital health of the Member State to which the request is sent.
  6. The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 of the European Parliament and of the Council and delivered an opinion on XX XX 2026.
  7. The measures provided for in this Regulation are in accordance with the opinion of the committee established by Article 98(1) of Regulation (EU) 2025/327 [EHDS].

HAS ADOPTED THIS REGULATION

Article 1 - Subject matter

This Regulation lays down the requirements for the interoperable, cross-border identification and authentication mechanism for natural persons, health professionals and healthcare providers for the purposes of cross-border exchange of electronic health data.

Article 2 - Definitions

For the purposes of this Regulation the following shall definitions apply:
  1. 'healthcare attribute' means an attribute that is used for the identification of a natural person for the purposes of cross-border exchange of electronic health data;
  2. 'attribute' means attribute as defined in Article 3, point (43), of Regulation (EU) No 910/2014 [e-IDAS];
  3. 'electronic attestation of attributes' means electronic attestation of attribute as defined in Article 3, point (44), of Regulation (EU) No 910/2014 [e-IDAS];
  4. 'European Digital Identity Wallet' means European Digital Identity Wallet as defined in Article 3, point (42), of Regulation (EU) No 910/2014 [e-IDAS];
  5. 'authentication' means authentication as defined in Article 3, point (5), of Regulation (EU) No 910/2014 [e-IDAS].

Article 3 - National sets of healthcare attributes of natural persons

  1. Each Member State shall determine a set of healthcare attributes to be used to verify the identity of natural persons in connection with their electronic health records for the purposes of the cross-border exchange of their personal electronic health data.
  2. Each Member State shall notify its set of healthcare attributes to the Commission by 26 March 2028. The Commission shall publish the Member States' sets of healthcare attributes.
  3. Upon request by a natural person, the competent authority in the Member State of affiliation of that person shall issue the healthcare attributes of that natural person in the form of an electronic attestation of attributes in accordance with the set of healthcare attributes defined pursuant to paragraph 1 to that person's European Digital Identity Wallet.

Article 4 - Identification and authentication of natural persons for the cross-border exchange of personal electronic health data

  1. Before requesting the exchange of personal electronic health data of a natural person through MyHealth@EU, the health professional or healthcare provider shall identify and authenticate that natural person. For that purpose, the health professional or healthcare provider may collect the healthcare attributes of the Member State of affiliation of the natural person.
  2. Where a health professional or healthcare provider requests the exchange of personal electronic health data of a natural person through MyHealth@EU following a natural person's request submitted online, that health professional or healthcare provider shall identify and authenticate that natural person using electronic identification means issued in accordance with Regulation (EU) No 910/2014 [e-IDAS]. The electronic identification means shall comply with the requirements of Regulation (EU) No 910/2014 [e-IDAS] and provide an assurance level that is at least substantial as referred to in Article 8(2), point (b), of Regulation (EU) No 910/2014 [e-IDAS]. From 26 March 2030 the electronic identification means shall provide the assurance level high, referred to in Article 8(2), point (c), of the same Regulation.
  3. Where a natural person has been authorised by another natural person to access their personal electronic health data, or part thereof, on their behalf or acts as the legal representative of another natural person in accordance with Article 4(2) [proxy service] of Regulation (EU) 2025/327 [EHDS], the health professional or healthcare provider shall identify that natural person and verify that the authorised natural person or the legal representative satisfy the necessary requirements to act in that capacity.

Article 5 - Requirements for the cross-border exchange of healthcare attributes of natural persons

  1. Where a national contact point for digital health requests the exchange of personal electronic health data of a natural person from or to another national contact point for digital health, the first national contact point shall submit the healthcare attributes of the natural person's Member State of affiliation to the second national contact point.
  2. The health professional or healthcare provider requesting the exchange of personal electronic health data pursuant to Article 4(1), regardless of whether the natural person's request is made in-person or online, shall accept the healthcare attributes provided in the form of an electronic attestation of attributes using a European Digital Identity Wallet.
  3. Where the identification means used do not provide the healthcare attributes in full, the health professional or healthcare provider requesting the exchange of personal electronic health data may request additional information from the natural person to complete the set of healthcare attributes of the Member State of affiliation of the natural person.

Article 6 - Identification, authentication and authorisation of health professionals and healthcare providers for the cross-border exchange of personal electronic health data

  1. Each Member State shall list the entity or entities responsible for identifying, authenticating and authorising the health professional or healthcare provider requesting the cross-border exchange of personal electronic health data.
  2. Before requesting the cross-border exchange of personal electronic health data through MyHealth@EU, the entity or entities referred to in paragraph 1 shall identify, authenticate and authorise the health professional or healthcare provider requesting that exchange.
  3. The entity or entities referred to in paragraph 1 shall identify and authenticate the health professional or healthcare provider using electronic authentication means that provides at least the assurance level substantial referred to in Article 8(2), point (b), of Regulation (EU) No 910/2014 [e-IDAS]. From 26 March 2032, the electronic authentication means shall provide the assurance level high referred to in Article 8(2), point (c), of that Regulation.

Article 7 - Requirements for the exchange of the health professional and healthcare provider identification data

When the health professional or healthcare provider requests the cross-border exchange of personal electronic health data through MyHealth@EU, the national contact point for digital health competent for that health professional or healthcare provider shall communicate to the national contact point for digital health receiving the request the identification data of the health professional or healthcare provider. The identification data shall comply with the technical specifications set out in the Annex [see below].

Article 8 - Mechanism for the exchange of identification data through MyHealth@EU

The mechanism for the exchange of identification data through MyHealth@EU shall support:
  • a) the notification and the publication of the sets of healthcare attributes referred to in Article 3(2) of this Regulation;
  • b) the exchange of the healthcare attributes between national contact points for digital health described in Article 5(1);
  • c) the exchange of the identification data of the health professional or healthcare provider between national contact points for digital health described in Article 7.

Article 9 - Entry into force and application

This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.
It shall apply from 26 March 2027.
However, Article 3(3) and Article 5(2) shall apply from 26 March 2029.

Annex

TECHNICAL SPECIFICATIONS FOR HEALTH PROFESSIONAL AND HEALTHCARE PROVIDER IDENTIFICATION DATA REFERRED TO IN ARTICLE 7

Table 1 -Mandatory data for the health professional

  • family_name The hereditary surname(s) of the health professional.
  • given_name First name(s), including middle name(s) where applicable, of the health professional.
  • date_of_birth The point in time on which the health professional was born.
  • country_code Alpha-2 country code as specified in ISO 3166-1, representing the Member State that issued the health professional identification data.
  • hp_identifier A health professional identifier assigned to the health professional that is unique among all health professional identifiers issued in the Member State where the health professional is registered.
  • issuing_authority_name The name of the agency responsible for issuing the health professional identifier.
  • hp_professional_role The professional role of the health professional.
  • healthcare_provider_identifier An identifier of the healthcare provider organisation or healthcare facility where the health professional is providing treatment. This identifier is unique in the Member State that issued it.

Table 2 - Mandatory data for the healthcare provider

  • healthcare_provider_identifier An identifier of the healthcare provider organisation or healthcare facility where the health professional is providing the treatment. This identifier is unique in the Member State that issued it.
  • issuing_authority_name The name of the agency responsible for issuing the healthcare provider identifier.
  • healthcare_provider_name Name of the healthcare provider.
  • healthcare_provider_address Official registered full address of the healthcare provider.

Feedback

Please e-mail ehds@ringholm.com should the information on this page be incorrect or incomplete; we welcome your suggestions to improve its content.

About Ringholm bv

Ringholm bv is a group of European experts in the field of messaging standards and systems integration in healthcare IT. We provide the industry's most advanced training courses and consulting on healthcare information exchange standards.