The French Public Health Code requires that certain service providers hosting health data hold a specific “HDS” certification.  In order to obtain this certification, providers must comply with the requirements set out in the “HDS” certification standard.  On May 16, 2024, France officially published an updated version of this “HDS” certification standard.

  1. Key Changes

The updated standard includes a few clarifications, for instance on the activities for which hosting providers have to obtain certification (in particular the activity of “administering and operating healthcare systems”), or regarding the contractual obligations of the hosting provider.

It also incorporates changes previously made to the ISO 27001 standard into the HDS certification standard.

Importantly, it features new requirements in terms of sovereignty, in particular:

  • a requirement to restrict the storage of health data to the territory of an EEA member state; and
  • transparency requirements vis-à-vis the hosting provider’s customers in the event of transfers outside the EEA (e.g., in the form of remote access to the data).

  2. Entry into force

As of November 16, 2024, new applicants for HDS certification will be assessed against this new version of the HDS certification standard.

French authorities also highlighted that hosting providers that are already HDS-certified will need to renew their HDS certification according to the updated standard within 24 months, i.e., by May 16, 2026 at the latest.

Kristof Van Quathem

Kristof Van Quathem advises clients on information technology matters and policy, with a focus on data protection, cybercrime and various EU data-related initiatives, such as the Data Act, the AI Act and EHDS.

Kristof has been specializing in this area for over twenty years and developed particular experience in the life science and information technology sectors. He counsels clients on government affairs strategies concerning EU lawmaking and their compliance with applicable regulatory frameworks, and has represented clients in non-contentious and contentious matters before data protection authorities, national courts and the Court of Justice of the EU.

Kristof is admitted to practice in Belgium.

Alix Bertrand

Alix advises clients on EU data protection and technology law, with a particular focus on French privacy and data protection requirements. She regularly assists clients in relation to international data transfers, direct marketing rules as well as IT and data protection contracts. Alix is a member of the Paris and Brussels Bars.