A new phase for EU data governance, cross-border GDPR enforcement and the European Health Data Space

The European Union continues to refine how personal data is governed and data protection enforced across borders. Two developments highlight this shift: ongoing EU reforms designed to strengthen and accelerate cross-border GDPR enforcement, and the ongoing implementation of the European Health Data Space (EHDS).

These initiatives operate in different contexts but they reflect a common objective: to improve the effectiveness of cross-border cooperation, enable more consistent enforcement and support the secure sharing and reuse of data within the EU.
 

Strengthening cross-border GDPR enforcement

The European Parliament has approved new rules, currently pending formal adoption by the Council, designed to clarify and streamline the enforcement of the GDPR in cross-border cases. These rules build on existing cooperation mechanisms between national data protection authorities and aim to address long-standing challenges in the speed and consistency of enforcement.

A key feature of the reform is the introduction of clear procedural deadlines. Once a lead supervisory authority has been identified, investigations must generally be completed within 15 months, with a possible extension of up to 12 months in more complex cases. In more straightforward cases, a simplified cooperation procedure allows investigations to be concluded within 12 months, helping to reduce delays.

The regulation also places greater emphasis on early cooperation and consensus-building between authorities. An early resolution procedure is introduced, allowing cases to be closed more efficiently where the infringement has ceased and the complainant does not object within 4 weeks.

In addition, the reform strengthens procedural rights for complainants. Individuals will have enhanced rights to be heard during proceedings and improved access to information about how their complaint is being handled. Member States may also provide for broader access rights at a national level.

Overall, these changes make cross-border enforcement more predictable, transparent and efficient as well as reinforcing trust in the GDPR framework.
 

European Health Data Space: a sector-specific data governance shift

Running in parallel with the enforcement reforms is the development of the European Health Data Space (EHDS), which introduces a sector-specific framework for the use and exchange of electronic health data across the EU.

The EHDS establishes a common legal and technical framework for health data:

  • the primary use of data for healthcare delivery (e.g. cross-border access to patient records)
  • the secondary use of data for research, innovation, policy-making and regulatory purposes


The EHDS also establishes harmonised requirements for electronic health record (EHR) systems supporting interoperability, security and the functioning of the internal market for digital health services and products.

The regulation enhances individuals’ rights by giving them greater control over their electronic health data. This includes the ability to access, share and restrict access to their data across Member States. At the same time, the regulation creates a structured system for data reuse, subject to strict safeguards and oversight. Importantly, the EHDS introduces a structured framework for the secondary use of health data, subject to specific conditions and oversight. This includes access through secure processing environments, restrictions on re-identification, and prohibitions on certain uses, including marketing or decision-making that could be detrimental to individuals.

The Regulation entered into force in March 2025 with major application milestones expected between 2027 and 2031. This reflects the complexity of building a pan-European health data ecosystem. The phased application of the EHDS is defined in more detail in recent European Commission guidance.

Key provisions on primary use, including patient access rights and EHR systems, and secondary use will begin to apply from March 2029. Additional data categories, such as genetic data, becoming subject to the framework from March 2031. Governance structures, including the EHDS Board, are expected to be operational by 2027.
 

A common direction: more structured data governance

Although the GDPR enforcement reform and the EHDS operate in different areas, they reflect a shared direction of travel in EU data policy as both initiatives aim to improve cross-border coordination. The enforcement reform strengthens cooperation between data protection authorities, while the EHDS enables cross-border data access and sharing within a harmonised framework.

Second, they emphasise clearer accountability and procedural certainty. Defined timelines, structured cooperation mechanisms and formalised data access processes reduce ambiguity for both regulators and organisations.

Third, they signal a move towards more structured data sharing frameworks, particularly for high-risk or sensitive data. The EHDS, in particular, demonstrates how sector-specific regimes can build on the GDPR to enable data use while maintaining strong safeguards.
 

What does this mean for organisations?

These developments have practical implications for organisations operating across the EU.

  • Organisations can expect greater regulatory scrutiny in cross-border cases and more structured and coordinated enforcement processes, with clearer procedural timelines for investigations
  • Organisations will need to respond more quickly and consistently to regulatory requests with the introduction of more structured engagement with regulators, clear timelines and cooperation mechanisms
  • Organisations operating in the healthcare or life sciences sectors will need to prepare for the EHDS framework, including data access controls, interoperability requirements and restrictions on secondary use
  • Organisations will need robust internal processes, clear accountability structures and well-documented data handling practices
 

Organisations should not treat these developments in isolation. Instead, they should consider how evolving enforcement practices and sector-specific frameworks interact, particularly where cross-border data flows and high-risk data processing are involved.

This is an opportunity to review existing data governance frameworks, assess exposure to cross-border enforcement risk, and prepare for more structured and coordinated regulatory oversight across the EU.

We continue to monitor developments in this area, including the implementation of the new cross-border enforcement framework and the rollout of the European Health Data Space, and provide further updates as these initiatives progress.

We would be delighted to discuss how we can help you address the issues raised by these recent developments or your wider data protection challenges. Please complete the enquiry form below or contact Christopher Beveridge.