EHDS Cross-Border Records: Who Verified the Doctor?
EHDS applies from March 2027. Patient summaries and ePrescriptions go cross-border by default. But health professional identity is still verified country by country.
Regulation (EU) 2025/327 — the European Health Data Space — applies from 26 March 2027. By March 2029, every Member State must exchange Patient Summaries and ePrescriptions cross-border. The infrastructure verifies the data; the member states verify the doctor. There is no EU-wide standard for proving that the doctor on the other end is the doctor.
A Latvian patient consults a German oncologist for a second opinion on a treatment plan; the German clinic accesses the patient's history through the eHealth Digital Service Infrastructure (eHDSI). A Greek pharmacist dispenses an Estonian ePrescription. A Polish radiologist reviews a Spanish CT scan. By March 2031 — when the second wave of EHDS data categories goes cross-border (medical images, lab results, hospital discharge reports) — these are routine flows, not pilots. Each one assumes the other end has verified the clinician's identity. The assumption holds inside one country. It is not formally guaranteed across borders.
The 2025/327 Timeline: What Becomes Cross-Border When
The European Health Data Space Regulation entered into force on 26 March 2025 and follows a four-stage transition (Regulation (EU) 2025/327 — EUR-Lex, European Commission — EHDS Regulation):
- June 2025 — each Member State appoints a National Digital Health Authority.
- January 2026 — healthcare providers and Electronic Health Record (EHR) vendors must certify their systems for interoperability and security compliance.
- 26 March 2027 — most provisions enter application.
- 26 March 2029 — primary use of priority data categories (Patient Summaries, ePrescriptions / eDispensations) operational across all 27 Member States. Secondary use under Chapter III applies for most data categories.
- 26 March 2031 — second wave of priority data categories: medical images, lab results, hospital discharge reports. Secondary use applies to remaining categories.
The regulation is technology-neutral on identity. It speaks of "authorised health professionals" accessing electronic health data through their Member State's National Contact Point (NCPeH), but does not prescribe a unified EU-level Health Professional Identity (HPI) verification standard. What becomes cross-border by 2031 is the data — not the trust chain that produced the credentials accessing it.
In my view, the 2027 application date is the regulatory soft deadline; the practical planning trigger for EU healthcare providers is March 2029, when ePrescription and Patient Summary exchange becomes a hard interoperability requirement, not an ongoing pilot. Hospitals that begin their HPI proofing audit in 2027 will land short on the 2029 date; the work is 18-24 months when done properly, longer when started after a finding.
eHDSI Today: How Cross-Border Health Data Actually Moves
The eHealth Digital Service Infrastructure has been operational for several waves and is the technical substrate the EHDS will scale (European Commission — Electronic Cross-Border Health Services; eHDSI state paper, Journal of Medical Systems). Each Member State runs a National Contact Point for eHealth (NCPeH); the NCPeHs talk to each other over a closed network with standard message formats for Patient Summary (PS-A) and ePrescription/eDispensation (eP/eD).
Two-factor authentication for health professionals was introduced in Wave 5 of the eHDSI Requirements catalogue. Wave 10 currently anchors 2026 deployments — Denmark's NCPeH is being established in 2026, and several "ePrescription country A" deployments come online in this wave. The number of bilateral live exchanges grows quarterly.
What stays unchanged across waves is the architectural assumption: healthcare professional authentication and authorisation is handled locally in each Member State. Patient identification data crosses borders; clinician identification does not. The clinician's identity is assumed by Member State A on the basis that Member State B's NCPeH would not have authorised the request if the clinician were not legitimate. This is bilateral trust, not federated verification.
What I would push back on is the framing that "the eHDSI handles authentication." The eHDSI defines that 2FA must be present at each end. It does not define what proofing happens upstream of that 2FA — and that is the gap auditors will start asking about as the data scope widens. A 2FA log without an enrolment proofing record is a familiar pattern from NIS2 Article 21(2)(i) audits, and the same evidentiary gap will appear in EHDS audits within 18 months of the 2027 application date.
Where Identity Verification Quietly Stops Working
The local-verification model holds when three assumptions hold simultaneously:
- The clinician on the requesting side is registered in their home country's professional register and verified at registration.
- The clinician's employer (hospital, clinic) issued credentials based on that registration and continues to vouch for the linkage.
- The home country's NCPeH does not authorise outbound requests on behalf of unverified clinicians.
Three things break this in 2026-2031.
Telemedicine and second-opinion consultations. A hospital in Germany consults a specialist in Italy via a third-party telemedicine platform. The German requesting clinician is registered in Germany; the Italian responding clinician is registered in Italy. The platform sits in between. Neither NCPeH has visibility into who actually saw the data inside the third-party platform's session. The eHDSI authentication is between national systems; the platform is not in the trust chain.
Subcontracted clinical staff. Cross-border healthcare staffing has grown substantially in the post-pandemic period. A Polish anaesthetist working temporarily in a Belgian hospital uses Belgian credentials when accessing Belgian patients' data — but their professional registration is Polish. A NIS2 audit at the Belgian hospital asks: where is the proofing record that ties the Belgian credential back to the Polish registration?
Non-EU specialists. A US oncologist consults on a complex Estonian case, or a Korean radiology team reads images for a Spanish hospital. The eHDSI is structurally an EU-only network. Non-EU clinicians sit outside it entirely. The data leaves through interfaces that the regulation acknowledges (cross-border telemedicine recital wording) but for which it does not verify the identity of the person on the other end.
In my experience, the third case is the one that gets least operational attention today and the most legal attention by the time auditors and procurement teams start to evaluate the EHDS implementation in 2027-2028. Hospital legal departments will not bless a workflow where a clinician outside the EU sees a patient's full health record without a documented identity-proofing step. The eHDSI does not provide one.
The Non-EU Specialist Question
The structural gap matters because the data scope grows exactly where non-EU specialist consultation is most useful. By 2031, medical images, lab results, and hospital discharge reports are routinely cross-border. That is the layer where complex-case second opinions, rare-disease consultations, and AI-assisted diagnostic services typically reach outside the EU for specialist input.
The EUDI Wallet covers 27 Member States by design — and only EU citizens and residents. The non-EU specialist's identity is not proofed by EUDI; it is not proofed by the eHDSI; and the third-party telemedicine platform's KYC is typically a marketing claim rather than an audit-defensible proofing record.
Three things have to be true simultaneously for the gap to close:
- The non-EU specialist's identity must be proofed against a document the requesting hospital can independently verify. Across the roughly 150 ICAO 9303-compliant passport-issuing countries, the biometric passport is the only common artefact that travels between jurisdictions and survives a chain-of-custody question.
- The proofing event must produce a cryptographic record — not a photocopy of a passport in a vendor's system — that ties to the credential later used in the consultation session.
- The consultation event must produce a signed audit log where the clinician's verified identity is bound to the access decision. The signature level required is advanced electronic signature (AdES) under eIDAS — qualified electronic signatures are not a regulatory requirement here, and over-buying QES adds cost and lead-time friction to a workflow that sees thousands of cross-border consultations per month.
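An added sketch of the binding these three conditions describe (not code from this post or from any eHDSI component): a sealed proofing record, access entries that reference it and chain to each other, and an audit pass over the log. HMAC-SHA256 with a constructed key stands in for the AdES signature, which in practice is an asymmetric signature tied to the signatory; all field names and sample values are assumptions.

```python
import hashlib, hmac, json

# Constructed key. HMAC-SHA256 is a stand-in for the AdES signature (assumption).
DEMO_KEY = b"constructed-demo-key"

def seal(body):
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    digest = hashlib.sha256(data).hexdigest()
    sig = hmac.new(DEMO_KEY, digest.encode(), hashlib.sha256).hexdigest()
    return {**body, "digest": digest, "sig": sig}

def sealed_ok(rec):
    body = {k: v for k, v in rec.items() if k not in ("digest", "sig")}
    good = seal(body)
    return (rec.get("digest") == good["digest"]
            and hmac.compare_digest(good["sig"], str(rec.get("sig"))))

def proofing_record(chip_data_digest, registration, credential_id):
    # Stores a hash of the chip-read passport data, not a scan of the document.
    return seal({"document_digest": chip_data_digest,
                 "registration": registration, "credential_id": credential_id})

def access_entry(prev, credential_id, proofing, patient_ref, decision):
    # Each entry names the proofing record it relies on and chains to the last.
    return seal({"prev": prev, "credential_id": credential_id, "decision": decision,
                 "proofing_digest": proofing["digest"], "patient_ref": patient_ref})

def audit(log, proofings):
    known = {p["digest"]: p for p in proofings if sealed_ok(p)}
    findings, prev = [], "genesis"
    for i, e in enumerate(log):
        if not sealed_ok(e):
            findings.append((i, "entry altered or signature invalid"))
        if e.get("prev") != prev:
            findings.append((i, "chain broken"))
        p = known.get(e.get("proofing_digest"))
        if p is None:
            findings.append((i, "no proofing record behind credential"))
        elif p["credential_id"] != e.get("credential_id"):
            findings.append((i, "credential is not the one that was proofed"))
        prev = e.get("digest")
    return findings

def demo():  # constructed sample data
    p = proofing_record("ab" * 32, "REG-PLACEHOLDER", "cred-001")
    e0 = access_entry("genesis", "cred-001", p, "patient-A", "permit")
    e1 = access_entry(e0["digest"], "cred-002", p, "patient-A", "permit")  # borrowed proofing
    e2 = access_entry(e1["digest"], "cred-001", p, "patient-B", "permit")
    e2["patient_ref"] = "patient-C"  # edited after sealing
    return audit([e0, e1, e2], [p])
```

Calling `audit` with an empty proofing list reproduces the "2FA log without an enrolment proofing record" case: every entry is flagged even though each one is validly sealed.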
In my view, the layer that is missing is exactly the cross-border identity-proofing step for non-EU specialists, and it does not look like the eHDSI architecture is going to fill it. It is going to be filled by hospital procurement, individually and inconsistently, unless somebody — most likely the Joint Action on EHDS Implementation, or the National Digital Health Authorities — defines a common pattern in the next two years. Hospitals that wait for that common pattern will end up adopting whatever their largest telemedicine vendor decides; hospitals that pick a documented proofing pathway now will keep the choice in-house.
What Healthcare Providers Should Be Doing Now
The 2027 application deadline is roughly 22 months away from the date of this post. The 2029 hard interoperability deadline is roughly 46 months away. For a hospital, an integrated care provider, or a health-data platform planning EHDS readiness, the practical 2026-2028 work concentrates in four areas.
- Map your cross-border data flows by category. Patient Summary and ePrescription are 2029; medical images, lab results, and hospital discharge reports are 2031. The clinician populations involved are different — primary care for the first wave, specialist care for the second. Identity-proofing requirements scale accordingly.
- Audit your current Health Professional Identity model country-by-country. For each jurisdiction in which your staff or subcontracted staff are registered, document the proofing chain at registration and the linkage to the credential used in your systems. NIS2 audits are already asking the same kind of question for the cybersecurity perimeter; the EHDS audit will ask it for the clinical perimeter.
- Add a non-EU specialist pathway to your identity-proofing architecture. This means a passport-NFC-based proofing step that produces a cryptographic record, plus an advanced electronic signature on every consultation-access decision. The eIDAS Article 25 non-discrimination principle covers admissibility; the AdES technical criteria in Article 26 cover bindability. QES is not required at this scale, and the cost difference matters at consultation volumes.
- Treat your EHR vendor's January 2026 certification as a starting line, not a finish line. Vendor certification covers interoperability and security compliance for the system. It does not cover the proofing chain behind every clinician account. That is the provider's responsibility, not the vendor's.
The same identity-proofing primitive shows up in adjacent regulatory regimes — NIS2 Article 21(2)(d) for the cybersecurity supply chain, CER Directive Article 13(e) for critical-entity personnel (healthcare is one of the 11 CER sectors), and AMLR Article 22(6) for non-EU customer due diligence in financial flows. Hospitals that solve it for one regime tend to solve it for all of them at once. From the operational angle, this is the one identity layer that pays off across multiple compliance programmes — and that is the practical case for getting it documented now, regardless of which regulatory deadline is closest.
FAQ
When does the EHDS Regulation start applying?
Most provisions on 26 March 2027. The first wave of cross-border priority data exchange (Patient Summaries, ePrescriptions/eDispensations) becomes operational by 26 March 2029. The second wave (medical images, lab results, hospital discharge reports) by 26 March 2031.
Does the EHDS Regulation specify a Health Professional Identity (HPI) verification standard?
No. The regulation requires that authorised health professionals access electronic health data through their Member State's National Contact Point and that 2FA is in place. It does not prescribe a unified EU-level proofing standard. HPI verification is handled locally per Member State, with bilateral trust between NCPeHs.
Does AdES suffice for EHDS-related signing, or is QES required?
Advanced Electronic Signature under eIDAS Article 26 is sufficient for the audit trail of clinical-access decisions in cross-border eHDSI contexts. eIDAS Article 25 (non-discrimination) and Article 27 (QES as ceiling, not floor in public services) make AdES admissible. QES is reserved for specific national-law contexts and is not an EHDS requirement.
What about non-EU specialists consulting on EU patient data?
The eHDSI is an EU-only network. Non-EU specialist access flows outside the eHDSI through bilateral or third-party platforms. Identity-proofing of non-EU clinicians is not covered by the EU eHealth infrastructure. The biometric passport (ICAO 9303) is the only common identity artefact that reaches the roughly 150 countries from which most cross-border specialist consultations originate.
How does EHDS interact with NIS2 / CER / GDPR?
EHDS is the data-sharing framework; NIS2 is the cybersecurity baseline for healthcare providers as essential entities; CER covers physical resilience and personnel security (healthcare is one of the 11 CER sectors). GDPR underpins all three as the data-protection baseline. The identity-proofing layer is shared infrastructure across them — solving it for one regime tends to solve it for all.
Sources
EHDS Regulation primary texts
- Regulation (EU) 2025/327 — EUR-Lex
- European Commission — European Health Data Space Regulation
- Arnold & Porter advisory — EHDS Regulation published 03.2025
- EY Greece — Regulation 2025/327 establishing EHDS
eHDSI infrastructure
- European Commission — Electronic cross-border health services
- The Current State and Usage of European Electronic Cross-border Health Services (eHDSI) — Journal of Medical Systems
- MyHealth@EU on E-Rezept
Cross-border healthcare framework
- Toolbox for Cross-Border Healthcare — European Commission
- Cross-border healthcare — European Commission overview
- Xt-EHR — Requirements on cross-border telemedicine services
About the author
Mairi Kutberg is co-founder of IdentiGate, where she runs operations and content. She works at the intersection of EU regulation (eIDAS, NIS2, AMLR, eFTI), cross-border digital identity, and the practical compliance angles of advanced electronic signatures.