French law requires that hosting service providers hosting certain types of health data first obtain certification as “hébergeurs de données de santé” (“HDS”), which translates as “health data hosting service providers”. The relevant HDS certification framework was updated in 2024. This framework notably incorporates the amendments introduced by the law of 21 May 2024 aimed at securing and regulating the digital space, as well as the decree of 24 March 2026, which imposes data sovereignty-related obligations that will take effect in September 2026.
Does hosting any type of health data potentially give rise to HDS certification obligations?
No. Specifically, Article L.1111-8 of the French Public Health Code provides that certification is required for “any person hosting personal health data collected in the course of prevention, diagnosis, care or social and medico-social monitoring activities” on behalf of either (i) the controller producing or collecting the data or (ii) patients (“Health Data”). This covers the hosting of both physical data (i.e. hard-copy documents) and digital data.
However, organizations that are themselves controllers of such health data (e.g., healthcare professionals, hospitals, etc.) are not subject to this certification obligation when hosting their own data.
Which types of hosting services require certification?
The certification process and other regulatory requirements were established by a Decree of 28 February 2018 (“Decree of 2018”), which became effective on 1 April 2018 and created Articles R.1111-8-8 to R.1111-11 of the Public Health Code. The Decree of 2018 was supplemented by a Decree of 26 March 2026 (“Decree of 2026”), which created Article R.1111‑9‑1 and amended Articles R.1111‑9 and R.1111‑11. Prior to the entry into force of the Decree of 2018, operating as an HDS required an authorization from the French Ministry of Health.
Article R.1111-9 sets out a detailed list of six activities that constitute relevant hosting activities and therefore require certification:
- The provision and maintenance in operational condition of physical sites for hosting the hardware infrastructure of the information system used to process the Health Data;
- The provision and maintenance in operational condition of the hardware infrastructure of the information system used to process the Health Data;
- The provision and maintenance in operational condition of the virtual infrastructure of the information system used to process the Health Data;
- The provision and maintenance in operational condition of the platform for hosting the information system's applications;
- Management and operation of an IT system containing the Health Data;
- Backing up of Health Data, [including, in particular, their retention as part of electronic archiving].
The Decree of 2026 clarified (in the bracketed wording above) that electronic archiving falls within the notion of hosting.
The 2024 revision of the certification framework requirements v2.0 (see below) no longer distinguishes between the sub-groups of activities (which used to be “physical infrastructure” and “managed services”).
It clarifies that the so‑called “Type 5” activity above, relating to “management and operation”, consists in the control and oversight of the HDS provider's activities affecting the systems and services provided to each of its clients (technically, “interventions on resources”). It includes all of the following ancillary activities:
- Defining a process for the effective allocation and administration (and annual review) of authentication and access rights.
- Securing access procedures.
- Collecting and retaining access logs and the reasons for access.
- Prior approval of activities/“interventions” (including an intervention plan and an intervention process). This approval consists in ensuring that such interventions do not compromise the level of security of the hosted information, either for the client concerned or for the other clients of the HDS. The approval may take place either beforehand, for interventions that the client can carry out independently, or at the time of the intervention request, when the client asks the HDS to carry it out.
Certification for this Type 5 activity is only required when it is performed as a standalone activity, not when it is associated with Activities 1 to 4.
The 2024 revision also clarifies that: “Data backup Activity 6 should be interpreted as including only outsourced backups. The backups inherently necessary for Activities 1 to 5 are within the scope of Activities 1 to 5.”
The Public Health Code provides that an HDS must specify in its contract with clients “the scope of the certificate of conformity obtained by the Host, as well as its dates of issue and renewal”, in addition to “the description of the services provided”. In addition, the certification framework requirements v2.0 (requirement n°12) require the HDS to provide its clients with a copy of its HDS certificate of conformity and, where relevant, the certificates of any processors participating in the hosting activity that are themselves HDS certified.
What is the certification process?
Every HDS (i.e., every organization subject to the HDS certification requirements) must be certified by a certification body accredited in France by the French Accreditation Committee (COFRAC) or, elsewhere in the EU, by the national equivalent of COFRAC.
Certification must follow a two-step process: the HDS must first complete a documentary audit, which is then followed by an on-site audit. Once granted, certification lasts for three years, subject to passing an additional annual audit conducted by the certification body.
The certification framework is based mainly on ISO/IEC 27001:2023, entitled “Information security, cybersecurity and privacy – Information security management systems – Requirements” (for which the HDS must also be certified), as well as on certain obligations under the GDPR and on requirements specific to the hosting of health data.
To obtain certification, among other obligations:
- The HDS' “personnel must be made aware of the criticality, in terms of availability, confidentiality, and integrity, of the hosted Health Data” (which is also protected by professional secrecy); and
- The HDS must not use the data for any purpose other than the activities in respect of which it has been certified (including, but not limited to, selling the data), even with the data subject's consent. The HDS must also return the data at the end of the provision of its services and must not retain any copies.
The initial 2018 certification framework requirements v1.1 were revised in 2024 and have applied (in their revised form) to new certifications since November 2024. All HDS systems certified under v1.1 had to comply with the updated certification framework requirements v2.0 of 2024 by 16 May 2026.
In its introduction, the certification framework requirements v2.0 of 2024 state that the revision focuses particularly on:
- “Improving the readability [or accessibility] of the guarantees provided by a Certified Host on the services it performs for a given client.” (see below)
- “Clarifying the contractual obligations of the Host as defined in the Public Health Code”. (see below)
- “More stringent requirements for the protection of personal data in relation to data transfers outside the European Union”. (see below)
Amongst the changes, requirement n°5 introduces eight pre-defined events that must be taken into account in the risk assessment, in addition to what is provided in chapter 6.1.2 of ISO 27001.
A list of certified HDS, with the activities covered and the version of the certification, is available on the website of the Ministry of Health's agency for digital health (agence du numérique en santé).
Are there any mandatory contractual obligations?
Article R.1111-11 of the French Public Health Code (as modified by the Decree of 2026) and the revised 2024 certification framework requirements v2.0 list the obligations that must be included in the data hosting agreement between the HDS and its controller client, including with respect to the data protection rights of the patient, data security and access. The Decree of 2026 has expanded the rights of data subjects to meet the requirements of the GDPR (effective March 2026).
One of the changes brought by the certification framework requirements v2.0 (requirement n°27) is that the agreement must include a reversibility clause which, among other obligations, sets out:
- “The procedures for calculating the costs and deadlines for returning copies;”
- “[…] where applicable, the modalities for moving virtual machines/containers.”
HDS are required to audit their contracts to ensure these clauses are included and to have the contracts amended where necessary.
HDS must also communicate specific information and, in some cases, certain “guarantees” to their clients in a standard-form table (as set out in chapter 8 of the certification framework requirements v2.0). The HDS must state in the table, for instance, whether:
- the HDS is SecNumCloud V2.3 qualified (SecNumCloud is a French security qualification developed by the French National Cybersecurity Agency (ANSSI), aimed at ensuring the robustness of cloud solutions in the face of increasing cyberattacks, and which carries an even stricter sovereignty requirement);
- the data can be accessed from a non-EEA country and, as the case may be, which safeguards provided by the GDPR apply; and
- there is a risk of third-party access from a non-EEA country imposed by a non-EEA law.
On this point, the certification framework requirements v2.0 must also be read together with the amendments introduced by the Decree of 2026, which will take effect in September 2026 (see in particular below).
The new data sovereignty requirements
The 2024 revision of the certification framework requirements v2.0 and the Decree of 2026 have introduced important new requirements relating to data sovereignty:
- Health Data must now be hosted exclusively in the European Economic Area (EEA) (European Union plus Norway, Iceland, and Liechtenstein);
- However, data may be accessed remotely from other locations, subject to certain safeguards. If the HDS or any of its processors accesses the data remotely from a country outside the EEA (in a jurisdiction not covered by an adequacy decision of the European Commission), the HDS must inform its controller clients and specify the associated risks as well as the technical and legal measures implemented to mitigate them. Article R.1111‑11, as amended by the Decree of 2026 (which will take effect in September 2026), provides amongst other things that the contract must include “the list of non‑European regulations pursuant to which the host or one of its subcontractors involved in the hosting service is required to allow a data transfer or unauthorized access to personal health data, within the meaning of Article 48 of the [GDPR]”;
- This transparency is considered to be essential in the relationship between the HDS and the client as the controller; and
- The HDS must publish a map on its website of any extra-EEA transfers of Health Data. This transparency is considered essential for citizens, healthcare professionals, and civil society as a whole.
Sanctions
Failure to obtain HDS certification where required is a criminal offence under article L.1115-1 of the French Public Health Code, punishable by up to three years' imprisonment and/or a fine of €45,000 for individuals (e.g. legal representatives) and €225,000 for legal entities.
In the event of breaches of the GDPR (mainly of the security obligations under article 32 GDPR), the French data protection authority (“CNIL”) can impose a fine of up to €20 million or 4% of an organization's worldwide turnover, and can issue injunctions requiring an organization to cease its infringing data processing activities.
Breaches of data protection or professional secrecy obligations can also give rise to criminal fines.
All organizations that were already certified under v1.1 are expected to have met the 16 May 2026 deadline. Providers with operations in France that are considering offering such services should proactively prepare to meet the requirements of this regulation. They will also need to prepare for a new version of the framework, currently being developed, which will incorporate the changes introduced by the Decree of 2026 regarding the content of HDS' agreements with their clients.