1. The Digital Health Gap

A Continent in Denial

European healthcare systems are among the best-funded in the world. Universal coverage, high-quality care, and robust public health institutions have long been a source of continental pride. Yet beneath this surface lies an uncomfortable truth: Europe’s digital health infrastructure is dangerously outdated and fragmented. While the continent debates regulations, competitors are building.

The global e-health market has grown from approximately 12.9 billion dollars to over 26 billion in recent years, with annual growth rates exceeding 14.8%. In Italy alone, spending on healthcare digitalization reached 2.47 billion euros in 2024, up 12% from the previous year. Yet these numbers mask a deeper problem: the investment is scattered across incompatible regional systems, duplicated efforts, and projects that fail to achieve interoperability.

Fragmentation as a Structural Weakness

Consider Italy, the third-largest economy in the eurozone. Its Electronic Health Records (FSE) — the electronic health record system — is fragmented across twenty regions that use different providers, different standards, and different data architectures. A physician in Lombardy cannot seamlessly access the health record of a patient who received treatment in Puglia. The FSE 2.0 reform, enacted in September 2023 and updated in December 2024, acknowledges this dysfunction. The Italian Data Protection Authority has flagged significant discrepancies in implementation across regions, noting that fundamental rights such as data obscurement, delegation, and differentiated access are not uniformly guaranteed — creating what amounts to a discriminatory system where patient protections depend on geography.

This is not an Italian problem. It is a European one. Each Member State operates its own health data ecosystem with its own rules, its own infrastructure, and its own pace of modernization. The result is a continent of 450 million people whose health data exists in silos, invisible to each other, unusable for cross-border care, and inaccessible for the kind of large-scale analysis that drives modern medical innovation.

2. Learning from Competitors

The German Exception

Germany stands as Europe’s most advanced digital health market, primarily due to its Digitale Gesundheitsanwendungen (DiGA) framework — the world’s first system for prescribing and reimbursing digital therapeutics (DTx) through public health insurance. The DiGA model demonstrates that regulatory innovation can coexist with patient protection: apps must meet strict evidence standards, yet the pathway from development to reimbursement is designed to be fast and predictable. This has made Germany a global reference point for digital therapeutics and attracted significant investment in health technology.

Yet even Germany’s success is limited by its national scope. A DiGA approved in Germany must navigate entirely separate processes to reach patients in France, Spain, or Poland. The innovation remains trapped within national borders.

Estonia: Small Country, Big Vision

Estonia’s digital health infrastructure is arguably the most efficient in Europe. Its system of centralized electronic health records, integrated government services, and structured biobanks for biological samples demonstrates what is possible when a country designs its digital infrastructure from the ground up. Estonian citizens can access their health records instantly, grant or revoke access to specific providers, and track exactly who has viewed their data. The country’s biobanking system collects and organizes biological samples with a level of structure that larger European nations have not achieved.

But Estonia has a population of 1.3 million. Its success is a proof of concept, not a scalable blueprint for a continent of nearly half a billion people with deeply entrenched legacy systems.

The United States: Platform Dominance

American digital health operates under a different logic. Major technology companies — Google, Apple, Amazon, Microsoft — have entered the healthcare space not as supporting actors but as infrastructure providers. Cloud computing, AI models, data analytics platforms, and consumer health applications are overwhelmingly built on American technology stacks. When a European hospital adopts a cloud-based electronic health record system, the data frequently transits through or is stored on servers operated by US-based companies, governed by US law and subject to potential requests under frameworks like the CLOUD Act.

This creates a structural dependency that goes largely unexamined. European health data — the most intimate information about its citizens — increasingly flows through American infrastructure. The implications for sovereignty are profound.

China: The Data Superpower

China’s approach to digital health is the most strategically coordinated and, for Europe, the most concerning. The Chinese government has deployed AI for mass diagnostics at a scale no other country has attempted. This gives China control over vast datasets encompassing disease patterns, treatment outcomes, population health trends, insurance utilization, and biological samples targeting specific pathologies and demographic groups.

China’s ambitions extend well beyond its borders. Chinese technology companies and health applications are expanding into European and American markets, often through partnerships with local providers or through acquisitions. Israeli health-tech startups — many with sophisticated AI capabilities — operate in both US and European markets while maintaining development centers and partnerships with Chinese technology campuses. The question that European policymakers have yet to seriously address is: where does the data collected by these applications end up? What AI models are they training? How do the insights derived from European patient data serve geopolitical interests that may not align with Europe’s own?

The Israeli Corridor: Where Innovation Meets Opacity

Israel has established itself as a global leader in health-tech innovation, producing sophisticated AI-powered diagnostic tools, telemedicine platforms, and cybersecurity solutions for healthcare. Many of these companies operate primarily in the US and European markets, serving millions of patients. However, the technology development ecosystem tells a more complex story. Several Israeli health-tech firms maintain research partnerships, development campuses, and investment relationships with Chinese technology giants. Data flows through these corridors with minimal transparency about ultimate destinations and uses.

This creates a triangular dynamic that European policymakers have largely ignored. European patients use an application developed by an Israeli company, which processes data through infrastructure that may be partially developed in or connected to Chinese technology ecosystems. The data governance frameworks of the GDPR and the EHDS address direct transfers, but the indirect pathways — through subsidiaries, development partnerships, shared AI training pools, and cloud infrastructure layering — are far more difficult to trace and regulate.

The question is not whether these companies produce good technology — many of them do. The question is whether Europe can afford to remain ignorant about the full lifecycle of its citizens’ health data once it enters these complex, multi-jurisdictional technology ecosystems.

Japan: Quiet Innovation

Japan has pursued a methodical approach to digital health, integrating AI into clinical workflows, investing in robotic surgery and elder care technology, and building sophisticated health data platforms. Japan’s aging population has made healthcare innovation a matter of national survival, driving investment and adoption at rates that dwarf most European countries.

3. The Geopolitics of Health Data

Data as a Strategic Asset

Health data is not merely a clinical resource. It is a geopolitical asset of the first order. Nations that control large, structured health datasets can train superior AI models for drug discovery, disease prediction, and precision medicine. They can identify population-level vulnerabilities — genetic predispositions, endemic conditions, behavioral patterns — that inform both commercial strategy and state-level decision-making. They can build insurance models, target pharmaceutical development, and shape global health governance from a position of informational superiority.

Europe generates an enormous amount of health data. But it does not control it. The platforms that collect it, the cloud services that store it, the AI models that analyze it, and the companies that monetize it are overwhelmingly headquartered outside Europe. This represents a transfer of strategic value that is largely invisible to the European public and insufficiently addressed by European policy.

The Sovereignty Question

Digital sovereignty has become a central concern of European policy, from the European Data Strategy launched in 2020 to the Data Governance Act (EU 2022/868) and the Data Act (EU 2023/2854). These frameworks aim to create a single European market for data, promote sharing and innovation, and establish common standards. Yet their application to health data remains incomplete.

The European Health Data Space (EHDS), signed into law in March 2025 and applicable from March 2027, represents the most ambitious attempt to date. It establishes a unified framework for the use and exchange of electronic health data across the EU, with a dual structure: primary use (for clinical care, through the MyHealth@EU infrastructure) and secondary use (for research, innovation, and policy, through the HealthData@EU platform). The regulation introduces critical protections — patient rights to access, port, and restrict their data; strict governance for secondary use; and technical requirements for interoperability.

But infrastructure alone does not create sovereignty. If the servers running MyHealth@EU and HealthData@EU depend on non-European cloud providers, if the AI models analyzing the data are trained and owned by non-European companies, and if the cybersecurity frameworks protecting the data are developed outside Europe, then the EHDS becomes a well-regulated pipeline for the export of European health intelligence.

Cybersecurity: The Unprotected Flank

The healthcare sector is among the most targeted by cyberattacks globally. The CLUSIT 2025 report documented 810 cyber-attacks on healthcare organizations in 2024, representing a 30% increase over the previous year and a fourfold increase since 2021. Notable incidents include a ransomware attack on the ASL Città di Torino that rendered data and applications temporarily unavailable, and a patient death in Germany linked to a hospital cyberattack that diverted emergency services.

In January 2025, the European Commission published an Action Plan for the cybersecurity of hospitals and healthcare providers, establishing a European Support Centre for Cybersecurity through ENISA. The plan addresses prevention, early warning, and rapid response. Yet implementation timelines stretch through 2025 and 2026, and the fundamental vulnerability remains: European healthcare infrastructure is increasingly digital, increasingly connected, and increasingly dependent on technology stacks whose security is managed by entities outside European control.

4. The Regulatory Landscape

The European Data Strategy

The European Data Strategy, launched by the Commission in 2020, aims to create a single market for data through two foundational regulations. The Data Governance Act (2022) establishes frameworks for data intermediation services, altruistic data organizations, and the reuse of public sector data including health. The Data Act (2023) addresses access rights for IoT-generated data, cloud switching, and interoperability requirements. Together, they provide the general legal architecture for European data governance. The strategy is scheduled for an update in the third quarter of 2025, with a focus on strengthening AI development through better data access and addressing cross-border data flow obstacles.

The EHDS: Promise and Limits

The European Health Data Space regulation, published in the Official Journal on March 5, 2025, is the first sector-specific data space under the European Data Strategy. Its implementation is gradual: by March 2029, the first categories of data (patient summaries, electronic prescriptions, dispensations) must be available for primary use, and most categories for secondary use. By March 2031, additional categories including medical imaging, laboratory results, and discharge letters must be operational. By 2034, third countries may become authorized participants.

The EHDS introduces significant patient rights that go beyond the GDPR. The right to data portability under the EHDS applies regardless of the legal basis for processing and extends to inferred data, unlike the GDPR’s more limited version. Patients can access their data immediately, in a consolidated format, through a standardized European Exchange Format for Electronic Health Records (EEHRxF). They can grant or restrict access, delegate access to others, and track who has viewed their data.

For secondary use, the regulation establishes Health Data Access Bodies (HDABs) in each Member State, responsible for processing requests, ensuring data is pseudonymized or anonymized, and providing secure processing environments. Access is authorized for purposes including public health, research, innovation, policymaking, and healthcare quality improvement. Critically, it is prohibited for discriminatory decisions, unfavorable insurance or credit terms, marketing, or the development of harmful products.

The AI Act and Healthcare

The AI Act (EU 2024/1689) classifies AI systems used in healthcare — particularly for diagnosis, clinical decision support, and triage — as high-risk. This imposes mandatory requirements including quality assurance for training data, technical documentation, human oversight, transparency toward both clinicians and patients, and ongoing monitoring. Healthcare facilities must ensure that clinical staff understand when they are interacting with AI-based systemes and that final decisions remain with human clinicians.

Italy’s national implementation, Law 132/2025, aligns with the AI Act while adding specific provisions for healthcare research. Article 8 declares data processing for AI research in healthcare to be of relevant public interest under Article 32 of the Italian Constitution, enabling secondary use of de-identified data without additional consent, subject to notification to the Garante. This represents a potentially significant acceleration of AI research, though questions remain about the adequacy of safeguards.

The Garante published a decalogue for AI in national health services in September 2023, establishing ten principles including accountability, privacy by design, data quality, algorithmic transparency, non-discrimination, and mandatory human supervision. In July 2025, the Garante issued a warning to citizens about sharing health data with generative AI platforms, noting that responses should always be verified with medical professionals.

Ethical Frameworks: From Principles to Practice

The regulatory landscape does not exist in isolation from broader ethical considerations. The EU Treaty framework recognizes the diversity of ethical traditions across Member States, from Ireland’s constitutional protection of the right to life to Poland’s declaration preserving national competence over public morality. The Directive on Patients’ Rights (2011/24) explicitly states that it does not prejudice Member States’ fundamental ethical choices. This pluralism is a feature, not a bug, of European governance — but it creates challenges for harmonized digital health systems that must operate across these ethical boundaries.

The Rome Call for AI Ethics, launched in 2020 by the Pontifical Academy for Life and signed by Microsoft, IBM, the FAO, and other major organizations, established six principles — transparency, inclusion, responsibility, impartiality, reliability, and security — that have influenced European AI governance. The concept of algoretica (algorithmic ethics), developed in response to growing concerns about autonomous decision-making, provides a framework for moderating AI systems that is particularly relevant to healthcare, where algorithmic decisions can have life-altering consequences.

The EHDS itself incorporates ethical considerations at multiple levels. Recital 4 emphasizes the need for “ethical use of data.” Recital 10 acknowledges that immediate electronic access to certain diagnoses could be harmful to patients, allowing Member States to delay access until a clinician has communicated the information in person. The regulation on Health Technology Assessment (2021/2282) explicitly includes ethical dimensions alongside clinical, economic, and organizational assessments.

For European digital health sovereignty, these ethical frameworks are not constraints but differentiators. A digital health ecosystem that embeds ethical considerations — informed consent, human oversight, algorithmic transparency, protection of vulnerable populations — offers something that no other global competitor can credibly claim. This is Europe’s comparative advantage, and it should be protected and promoted rather than treated as a burden.

Italy’s Digital Health Architecture: FSE, DSE, and EDS

Italy’s digital health journey illustrates both the ambition and the difficulty of national-level transformation. The FSE 2.0 decree of September 2023, building on legislation dating back to 2012, aimed to make the electronic health record the single point of access for digital health services nationwide. Following the Garante’s negative opinion in August 2022 — which flagged inadequate privacy protections, unclear data governance, and insufficient rights for citizens — the framework was substantially revised.

The current FSE 2.0 includes differentiated access profiles for healthcare professionals, rights for patients to consent to or refuse consultation of their records for different purposes (care, prevention, international prophylaxis), rights to data obscurement (including obscurement of the obscurement itself), and emergency access provisions. Implementation follows a phased schedule: obscurement and operation logging by March 2025, delegations and the Patient Summary Report by September 2025, and complete content and private provider access by March 2026.

The Health Data Ecosystem (EDS), established by decree on December 31, 2024, and published in the Official Journal in March 2025, represents a complementary system that extracts and processes FSE data for care, prevention, governance, and research. The EDS architecture includes three separate data components — clear text, pseudonymized, and anonymized — with strict segregation and alignment with patient choices on the FSE. Operational from March 2026, the EDS will provide 23 types of services, including a pharmaceutical dossier, clinical data visualization, and anonymized data extraction for research.

5. Data Protection as a Competitive Advantage

The GDPR Paradox

Europe’s data protection framework is often portrayed as an obstacle to innovation. This analysis is superficial. The GDPR and its healthcare-specific applications — including the requirements for Data Protection Impact Assessments, the principles of privacy by design and by default, and the accountability obligations on data controllers — create a framework of trust that is essential for the kind of large-scale health data sharing that the EHDS envisions.

The Deloitte ruling (CJEU, September 2024, C-413/23 P) has clarified important aspects of data governance relevant to digital health. The Court established that the qualification of pseudonymized data as personal data depends on the perspective of the recipient: if a data recipient lacks reasonable means to re-identify individuals, the data may not constitute personal data for that recipient. This has significant implications for research, AI training, and cross-border data sharing, as it allows for more nuanced assessments of privacy risk rather than blanket restrictions.

The challenge is not to weaken these protections but to operationalize them efficiently. European companies that can demonstrate compliance with the world’s most rigorous data protection standards hold a competitive advantage in markets where trust matters — and in healthcare, trust is everything.

Patient Rights as System Design Principles

The layered consent architecture of the FSE 2.0 and EDS — with separate, disjoint consents for different purposes and different categories of recipients — is complex to implement. But it embodies a principle that should guide all European digital health development: the patient is not merely a data subject to be protected but an active participant in the data ecosystem. The right to obscure specific records, to delegate access, to track who has viewed their data, and to refuse participation without consequence for care — these are not regulatory burdens. They are features of a system designed around dignity.

6. A Strategy for European Digital Health Sovereignty

Regulated but Flexible

The core tension in European digital health policy is between the need for harmonized standards and the reality of diverse national health systems. The EHDS provides the regulatory ceiling; national implementations like Italy’s FSE 2.0 and Germany’s DiGA provide the operational floor. Between these levels, there must be room for flexible, rapidly deployable solutions.

France’s approach to digital health — characterized by centralized coordination with decentralized execution, expedited funding mechanisms, and modular system design — offers a model. European digital health platforms should be designed with modular architectures that allow components to be upgraded, replaced, or extended without rebuilding entire systems. Interoperability standards should be mandatory; implementation of choices should be flexible.

Scalable and Targeted

One-size-fits-all solutions have consistently failed in European healthcare. Instead, digital health initiatives should be designed for specific pathologies and populations, leveraging the strengths of different national systems. A network of converging companies — startups, established health tech firms, research institutions, and public health agencies — can achieve modularity and specialization while maintaining interoperability through shared standards.

Funding mechanisms must match this model. The current system of multi-year framework programs and slow procurement cycles is incompatible with the pace of digital health innovation. Europe needs fast-track funding instruments for networks of companies working on modular, interoperable health technology, like the IPCEI (Important Projects of Common European Interest) model that has been applied in semiconductors and hydrogen.

From Reactive to Predictive

The ultimate objective of European digital health sovereignty is not merely to protect data or to digitize existing processes. It is to transform European healthcare from a reactive model — treating illness after it occurs — to a predictive model that identifies risks before they materialize, targets interventions to specific populations, and continuously improves through data-driven feedback loops.

This transformation requires sovereign AI capabilities. Europe cannot rely on American or Chinese AI models to analyze the health data of its citizens and expect the resulting insights to serve European interests. The EU must invest in European health AI infrastructure: training datasets built from European health data, processed on European servers, governed by European law, and developed by European companies and research institutions.

The EHDS provides a regulatory framework. The EDS and similar national platforms provide data infrastructure. The AI Act provides safety guardrails. What is missing is the strategic will to connect these pieces into a coherent industrial policy for digital health — one that treats health data sovereignty with the same urgency as energy sovereignty or semiconductor independence.

Concrete Recommendations

First, establish a European Digital Health Sovereignty Fund dedicated to financing interoperable, modular health technology developed by European companies. Funding should be fast-tracked, with decision cycles measured in months, not years.

Second, mandate that all health data processed under the EHDS and national frameworks be stored and processed on European-controlled infrastructure. This does not exclude the use of non-European technology, but it requires that European entities maintain operational control and legal jurisdiction.

Third, create a European Health AI Initiative, modeled on existing IPCEI structures, to develop sovereign AI capabilities specifically for healthcare. This initiative should bring together academic research, clinical expertise, and industrial capacity around common training datasets derived from European health data.

Fourth, accelerate the implementation of the EHDS by providing technical assistance and funding to Member States with less developed digital health infrastructure. The current phased timeline risks creating a multi-speed Europe where the digital health gap within the continent widens even as the gap with external competitors narrows.

Fifth, conduct a comprehensive audit of the current dependency of European healthcare systems on non-European technology providers, including cloud services, AI tools, medical devices with data transmission capabilities, and health applications. The results should inform a phased strategy for achieving technological independence in critical areas.

7. Conclusions: A Call to Strategic Action

Digital health is not a technical issue that can be delegated to IT departments and procurement offices. It is a matter of sovereignty, competitiveness, and democratic governance. Europe’s health data is a strategic resource of immense value. The question is whether Europe will develop the capacity to use it in the interest of its own citizens, or whether it will continue to export this value to competitors who are investing in greater urgency and fewer constraints.

The Cost of Inaction

Every year of delay carries a compounding cost. Data that flows outward today trains AI models that will compete against European systems tomorrow. Research insights derived from European patient populations benefit non-European pharmaceutical companies and technology firms. Cybersecurity vulnerabilities in underfunded European health infrastructure create risks that growth each month. The dependency deepens not through dramatic policy failures but through the quiet accumulation of thousands of procurement decisions, each individually rational, collectively catastrophic.

Consider the trajectory: by 2030, most AI-powered diagnostic tools used in European hospitals will likely be developed by non-European companies, trained on data that includes European patient information, and operated through cloud infrastructure controlled by non-European entities. The clinical decisions informed by these tools will reflect the priorities, biases, and commercial interests of their developers. European clinicians will have sophisticated technology at their disposal but diminishing capacity to understand, evaluate, or control it.

The Opportunity Before Us

Yet this trajectory is not inevitable. Europe possesses advantages that no competitor can replicate: a regulatory framework that commands global respect, universal healthcare systems that generate comprehensive population-level data, a tradition of public health governance that prioritizes equity over profit, and a data protection framework that has become the global standard. These are not weaknesses to be apologized for but foundations to be built upon.

The EHDS, when fully implemented, will create the world’s largest governed health data space. The AI Act will provide the world’s most comprehensive safety framework for health AI. National implementations like Germany’s DiGA, Estonia’s integrated digital infrastructure, and Italy’s FSE 2.0 and EDS demonstrate that innovation within a rights-respecting framework is possible and productive.

What is needed is the political will to treat digital health as what it truly is: a critical infrastructure priority equivalent to energy, defense, and telecommunications. The investments required are substantial but modest compared to the value at stake. The organizational changes needed are significant but achievable within existing institutional frameworks. The strategic vision required is clear but demands leadership willing to act with urgency.

Europe has built regulatory architecture. Now it must build the infrastructure, industry, and strategic capacity to match. The citizens of this continent deserve a healthcare system that is not only compassionate and equitable but also technologically sovereign and future-proof.

The time to act is now.