French Health Data Hosting standard, version 2.0
French certification standard for hosts of personal health data, operated by the ANS (Agence du Numérique en Santé). Version 2.0 comes into force with a recertification deadline set for 16 May 2026: any host not recertified by that date is no longer compliant. It concerns hospitals, health software vendors, medical platforms, and telemedicine applications.
HDS certification (Hébergeur de Données de Santé — Health Data Host) is mandatory in France for anyone hosting personal health data on behalf of a third party — whether a public cloud, private hosting, a health SaaS vendor, or a telemedicine platform. The framework is defined by the French Public Health Code (article L.1111-8) and specified by Decree No. 2018-137 of 26 February 2018.
The HDS v2.0 standard was published by the ANS (Agence du Numérique en Santé) in 2024. It succeeds the v1.1 standard and incorporates the ISO/IEC 27001:2022 and ISO/IEC 27018 evolutions, as well as an explicit reinforcement of sovereignty and European data localization requirements.
Two levels of certification exist: physical infrastructure host (datacenter) and managed services host (managed services on the infrastructure). A single provider can hold both. Certification is issued by an accredited body (LSTI, BSI, AFNOR Certification, etc.) after audit, for a three-year duration with annual surveillance audits.
The recertification deadline of 16 May 2026 concerns all hosts already certified v1.1: they must move to v2.0 before that date or fall off the registry of certified hosts. New entrants since 2025 are directly certified v2.0.
The HDS framework was created in 2006 by article L.1111-8 of the French Public Health Code, in the wake of the law of 4 March 2002 on patients' rights. Originally, it was an accreditation issued by the Ministry of Health. The 2018 decree transformed this scheme into a certification operated by accredited third-party bodies, to align France with European practices.
The ANS, created in 2019 through the merger of ASIP Santé, is now responsible for developing the standard. Version 2.0 emerged from a consultation effort with hosts, health software vendors, and the CNIL, finalized at the end of 2024. The date of 16 May 2026 was set to give stakeholders an 18-month period after the publication of the standard.
According to the ANS public directory, several hundred hosts are HDS-certified in France, including the hyperscalers (AWS, Microsoft Azure, Google Cloud), national players (OVHcloud, Outscale, Scaleway, Equinix), and many health software vendors.
For an executive of a health software vendor, a care facility, or a telemedicine operator, failing to obtain HDS v2.0 recertification by 16 May 2026 can lead to exclusion from public procurement (university hospitals and regional health agencies contractually require a certified host), loss of private contracts, and potentially CNIL sanctions under the GDPR for processing health data without sufficient guarantees.
The cost of recertification depends on the perimeter already covered: for a host that already holds ISO 27001 with a mature ISMS, the gap to HDS v2.0 remains modest (audits, documentation update, process adjustments). For an actor discovering the topic, the path is longer: allow six to twelve months between launching the project and the certification audit.
The right reflex: audit your HDS status before summer 2025 to leave a margin ahead of the recertification audit.
For health software vendors and medical platforms, we support HDS v2.0 compliance on three fronts: scoping and gap analysis (assessment of ISO 27001 / 27018 / HDS v1.1, identification of gaps toward v2.0), industrialization of documentation (security policy, registries, procedures, runbooks — AI-assisted to reduce production time), and audit preparation (mock review before the certification audit).
For AI applied to health (patient chatbots, medical documentation assistance, image analysis), we systematically cross-reference HDS v2.0, GDPR article 9, and the EU AI Act high-risk category to produce a single compliance matrix, rather than three separate projects that contradict each other.
Our principle: HDS compliance is not an end-of-project deliverable. It is built with the architecture, from the first sprint.
GDPR article prohibiting in principle the processing of sensitive personal data: racial or ethnic origin, political opinions, religious or p…
Category of the EU AI Act covering AI systems with significant impact on health, safety, or fundamental rights: biometric identification, cr…