Healthcare: a targeted sector whose resilience is improving
Today, the healthcare sector is one of the most exposed to cyber threats. According to the Panorama de la cybermenace 2025 published by ANSSI in March 2026, it accounted for 10% of the incidents reported to the Agency in 2025, making it the third most affected sector. In 2024, healthcare facilities represented 4% of ransomware victims; in 2025 this share rose to 8%, a sign of increased targeting.
Faced with this pressure, players in the sector are equipping and protecting themselves more effectively, and their maturity is growing. In its Observatoire 2024 des signalements d'incidents de sécurité des systèmes d'information pour les secteurs santé et médico-social, CERT Santé (the cybersecurity support unit for healthcare organizations) notes a significant improvement in the security level of healthcare establishments: while the number of reported incidents is rising, the number of major incidents is falling.
An increasingly protective regulatory framework for health data
The European NIS 2 Directive (Directive (EU) 2022/2555), currently being transposed into French law, bears on health data protection in two ways. First, healthcare establishments themselves will be among the essential entities (EE) subject to the directive's requirements. Second, the ICT (Information and Communication Technology) service management sector, which includes data hosting providers (the companies supplying the computing power and storage needed to run websites, applications and online messaging services), is also covered by NIS 2.
In France, the subject of health data protection is being given a great deal of attention by the Agence du Numérique en Santé (ANS). The successor to ASIP Santé, the ANS is responsible for steering the digital transformation of the healthcare system. It plays an essential role in the cybersecurity of players in the healthcare sector.
The ANS maintains the HDS standard, created in 2018 and regularly updated to keep pace with the evolving threat landscape. This standard is specific to France and has no equivalent in other European countries, although a European framework does exist: the EHDS (European Health Data Space), https://www.european-health-data-space.com/
HDS certification: a response to security requirements and a guarantee of trust
HDS certification: a structuring framework for healthcare data hosting
HDS (Hébergeur de Données de Santé, Health Data Hosting) certification guarantees a level of security maturity for personal health data. It covers the protection of the data (integrity, availability, confidentiality), regulatory compliance, and the location of hosting (generally in France, or within the EEA). It is built on the ISO/IEC 27001 standard.
Which players are affected by the transition to HDS v2?
HDS certification is mandatory for any service provider hosting health data on behalf of third parties such as hospitals, clinics, radiology practices, medical analysis laboratories, EHPADs (nursing homes), etc. Subcontractors hosting health data (cloud hosting providers, healthcare software publishers, infrastructure operators, etc.) are therefore required to undertake a certification process. Data controllers who host their own data may also seek HDS certification, but on a voluntary basis.
Beyond the regulatory obligation, HDS certification is a signal of trust. It attests that the data entrusted to the host is protected according to the state of the art in risk management, instilling confidence in all the players involved, right up to the patient.
The transition to HDS v2 implies enhanced compliance for these players, particularly with regard to sovereignty, transparency and access management requirements.
HDS v2: enhanced sovereignty and transparency requirements
Candidates for HDS certification must now comply with the new version of the certification reference framework, known as "HDS v2". This updated version of the HDS standard reinforces requirements on data sovereignty (physical location of data within the European Economic Area, EEA) and on transparency in the event of remote access from a country outside the EU. HDS v2 also clarifies the relationship between HDS certification and the SecNumCloud qualification requirements, and incorporates a number of changes resulting from the transition to ISO/IEC 27001:2022.
Since November 16, 2024, the HDS v2 standard has been mandatory for all new certification candidates. For organizations already certified under the previous version, the complete transition to the new requirements had to be completed by May 16, 2026 at the latest.
LSTI has been accredited by COFRAC for the HDS standard since 2019 (accreditation no. 4-0064; scope available on the COFRAC website), making it one of the historic players in HDS certification in France. This position gives us in-depth experience of the standard, which we put at the service of organizations embarking on an HDS certification process.
Securing healthcare data: an ongoing, collective effort
The regulatory framework applicable to health data hosts is constantly evolving in response to the challenges of digital sovereignty and the risks posed by non-European legislation. Decree no. 2026-209 of March 24, 2026, amending certain provisions of the Public Health Code relating to the hosting of personal health data, bears witness to this. It follows on from the HDS v2 standard and incorporates and consolidates several of its requirements.
This text enshrines the obligation to store health data exclusively within the European Economic Area. Hosting contracts must now include information on any transfers outside the EEA and, where applicable, the mitigation measures put in place. It also requires hosting providers to publish a map of health data transfers to third countries, of any remote access to this data, and of the associated risks of unauthorized access.
The drive for continuous improvement goes on. The ANS is actively working on the next evolution of the HDS reference framework (v2.1), through a consultation with a call for contributions from members of the ecosystem. The aim of this new version is to adapt security measures to current threats, reinforce the protection of health data, and improve the resilience of healthcare establishments.
The approach adopted by the ANS clearly illustrates the prevailing logic on this subject: improving healthcare data security requires constant adaptation and a collective effort.
LSTI, thanks to its historical position, its experience and its expertise in this field, has played an active role in the consultations led by the ANS to develop the HDS standard and build an ever more protective framework of trust around healthcare data.
FAQ
Why has the HDS reference framework been upgraded to HDS v2?
The HDS reference framework has evolved to HDS v2 in order to adapt the security of health data hosting to a sharply rising threat level, particularly the increasing number of cyberattacks on the healthcare sector. This evolution reinforces the requirements on data sovereignty and access transparency and aligns the standard with European regulations such as the GDPR and the NIS 2 Directive, with a view to continuously improving the security of health data hosting providers.
What are the deadlines for HDS v2 certification?
All new candidate health data hosts have had to apply the HDS v2 standard since November 16, 2024, while organizations already certified under the previous version must complete their transition by May 16, 2026 at the latest. From that date, all HDS certificates must attest to compliance with the new requirements, particularly those on sovereignty and transparency.
Is ISO 27001 certification enough to host health data?
ISO 27001 certification is not sufficient to host health data in France: it provides a basis for information security management without covering the specific requirements of the healthcare sector. HDS certification builds on ISO 27001 by imposing additional mandatory controls on health data hosts, in order to guarantee the confidentiality, integrity and availability of medical data.
How does HDS v2 certification deal with the sovereignty of health data?
HDS v2 certification addresses health data sovereignty by requiring data to be hosted within the European Economic Area and by reinforcing transparency obligations on data transfers and remote access. Health data hosts must document these flows and publish an access map, in order to better control the legal risks and the risk of unauthorized access.
Does HDS certification protect against cyberattacks?
HDS certification does not provide absolute protection against cyberattacks, but it does guarantee that the health data host implements a structured, state-of-the-art security framework based on a risk management approach. It certifies that measures are in place to prevent, detect and respond to incidents, thereby significantly reducing their likelihood and impact.
Why use an accredited certification body like LSTI?
Using an accredited certification body such as LSTI guarantees an independent, recognized assessment of HDS compliance, in accordance with ISO/IEC 17021-1. This independence rests on a strict separation between auditing and consulting, ensuring the impartiality of assessments and reinforcing the credibility of the certification with authorities, partners and customers.

