v2.4.0

EU Data Act & EHDS Overlays

Two further regulatory instruments carry cybersecurity obligations for specific system categories. The EU Data Act (Regulation (EU) 2023/2854), applicable from 12 September 2025, governs access to and use of data generated by connected products and their related services. An AI system embedded in an IoT device or other connected product may therefore fall under the Act's data-sharing obligations towards users and third parties, and Module 9's security architecture must then accommodate secure data export mechanisms, access-controlled sharing interfaces, and audit logging of what data was shared, with whom, and when.

The European Health Data Space (EHDS) Regulation (Regulation (EU) 2025/327) establishes rules for the secondary use of electronic health data, including for AI training and development. Healthcare AI systems (Annex III, Area 5(a)) that use health data obtained under these rules must comply with the EHDS requirements for secure processing environments: data minimisation, access controls, audit trails, and a prohibition on re-identifying (or attempting to re-identify) the data subjects.

Healthcare AI systems face a particularly dense regulatory overlay: the AI Act, NIS2, the CRA (where the system is embedded in a medical device), the Medical Devices Regulation, GDPR, and the EHDS. Module 9 for such systems will be among the most complex to produce. The AI System Assessor monitors the implementation of both instruments, including their delegated and implementing acts, and records their applicability and any additional security requirements in Module 9.

Key outputs

  • EU Data Act applicability assessment for IoT/connected product AI systems
  • EHDS applicability assessment for healthcare AI systems
  • Additional security requirements identified from each instrument
  • Module 9 AISDP documentation