Health and AI
HDS certification in 2026 : What every hospital must check before signing
HDS 2026 : Sovereignty and compliance. Key checkpoints for hospitals to secure data before signing.
Summary
The essentials in 30 Seconds
Introduction
Every hospital that entrusts its health data to a digital provider takes on a legal responsibility. If that provider is not HDS-certified, it is the institution that is in breach, not just the provider. This is a reality many hospital decision-makers discover too late, often at the time of an audit or an incident.
HDS certification is not an optional quality label. It is a legal obligation, and ignorance of it offers no protection.
In 2026, with the acceleration of medical AI projects, cloud-based EHR systems, and inter-hospital data exchanges, HDS compliance is more central than ever. Knowing what to check, how to check it, and what questions to ask a provider can prevent costly mistakes: legally, financially, and reputationally.
This article is a practical guide for CIOs and hospital executives. It covers what HDS certification is, what it concretely requires, and a checklist of points to verify before signing with a digital health provider.
What is HDS certification and why does it exist ?
HDS certification (Hébergeur de Données de Santé, or Health Data Host) was created by French law to specifically regulate the hosting of personal health data. It is codified in Article L1111-8 of the French Public Health Code and implemented through a technical framework published by the Agence du Numérique en Santé (ANS). The official framework is available here.
Why did France create a specific framework beyond GDPR?
The GDPR, a directly applicable European regulation, imposes general obligations on the processing of sensitive personal data. However, the French legislature determined that health data warranted additional regulation, more prescriptive on the technical and organizational aspects of hosting.
HDS and GDPR are complementary frameworks, not alternatives. A provider that is HDS-certified is not automatically GDPR-compliant, and vice versa. Both must be satisfied simultaneously.
Who is required to be HDS-certified ?
The law is clear: any natural or legal person who hosts, stores, or processes personal health data on behalf of a healthcare professional or healthcare institution must be HDS-certified.
This includes in particular:
- EHR publishers that host their clients' data
- Medical cloud providers
- Providers of secure health messaging solutions
- Telemedicine providers
- Medical imaging sharing platform operators
What are the 6 activities covered by HDS certification ?
The HDS framework covers six distinct activities, organized into two categories. A provider may be certified on all or some of these activities depending on the nature of its services.
Physical Infrastructure hosting activities
Activity 1 : Provision and operational maintenance of physical sites This covers the physical security of data centers: access controls, electrical redundancy, fire suppression systems, air conditioning. It is the lowest layer of the certification.
Activity 2 : Provision and operational maintenance of hardware infrastructure This covers the servers, storage, and network that physically host the data.
Activity 3 : Provision and operational maintenance of virtual infrastructure This covers virtualization, cloud environments, and shared computing resources.
Managed Hosting activities
Activity 4 : Provision and operational maintenance of the application hosting platform This covers the execution environment for medical applications: databases, middleware, authentication services.
Activity 5 : Administration and operation of the information system This covers the day-to-day management of the IT system: updates, monitoring, incident management, backup and recovery.
Activity 6 : Managed services for health products This is the most comprehensive activity. It covers the complete management of a digital health solution on behalf of an institution, including user support and application maintenance.
The checklist of points to verify before signing with a provider
Here is the practical checklist that every CIO or hospital management team should apply before entering into a contract with a digital health provider.
Certification Verification
- Request the current valid HDS certificate: not a compliance attestation, but a certificate issued by a COFRAC-accredited body
- Verify that the certified activities match the services you will be using: a provider certified on Activity 1 is not necessarily certified on Activity 5
- Check the certificate's validity date: HDS certification is granted for 3 years and must be renewed
- Consult the public registry of HDS-certified providers on the ANS website (HDS) to independently confirm validity
Data Location Verification
- Confirm that data will be hosted in France or within the European Union: transfers outside the EU are subject to additional conditions under GDPR
- Check subcontracting conditions: if the provider uses subcontractors for hosting, those subcontractors must also be HDS-certified
- Require a data flow map specifying where each category of data is hosted and processed
Technical Security Verification
- Verify the encryption policy for data at rest and in transit
- Check strong authentication mechanisms for data access
- Confirm the existence of a Business Continuity Plan (BCP) and a Disaster Recovery Plan (DRP) that are regularly tested
- Verify availability SLAs and contractual penalties for non-compliance
Data Governance Verification
- Require a GDPR-compliant subcontracting agreement (Article 28) specifying the provider's obligations
- Check reversibility conditions: how to recover your data if you change providers
- Verify data breach notification procedures (timeline, format, channel)
- Confirm audit arrangements: your hospital must be able to audit the provider or have it audited by a third party
Scalability Verification
- Verify compatibility with interoperability standards (FHIR, HL7) if you plan data exchanges with other systems
- Confirm the provider's regulatory roadmap in light of anticipated changes (AI Act, EHDS, ANS framework updates)
HDS, GDPR, and Medical AI : How the three frameworks interact
What are the limits and blind spots of HDS Certification ?
HDS certification does not guarantee GDPR compliance. This is a common mistake. A provider that is HDS-certified has demonstrated that its hosting meets specific technical and organizational requirements, but it may still fail to comply with all GDPR obligations.
Certification covers the certified activities, not all services. A provider may be certified for infrastructure hosting (Activities 1-3) without being certified for managed services (Activity 6). Checking which activities are covered by the certificate presented is essential.
Chain subcontracting is a frequent blind spot. If your HDS provider uses a non-HDS-certified cloud host for part of its services, you are in breach even if your main contract is with a certified provider.
Certification is a snapshot in time. A provider that was certified at the time of contract signing may no longer be so two years later if its certification has expired or been suspended. An annual check of certification validity is good practice.
FAQ : Practical questions about HDS certification
How do you verify that a provider is genuinely HDS-certified ?
The list of HDS-certified providers is public and available on the Agence du Numérique en Santé website (HDS). It specifies the certified activities and the certificate's validity date. This check should be made directly from this source, independently of what the provider claims.
Can a public hospital host its own health data without being HDS-certified ?
Yes, provided that hosting is carried out entirely in-house, without recourse to an external provider. In this case, the institution does not need HDS certification for itself. But as soon as it calls on a third party to host or process its data, that third party must be certified.
Is HDS certification recognized in other EU countries ?
HDS certification is specific to France. It is not automatically recognized in other EU member states. For cross-border projects, you should refer to the regulatory requirements of the country concerned and, in time, to the standards of the European Health Data Space (EHDS).
How much does HDS certification cost a provider ?
The cost of HDS certification varies depending on the scope of the audit and the size of the organization. Certification audits typically run to several tens of thousands of euros, to which internal preparation and compliance costs are added. This cost is borne by the provider, not the hospital.
What should you do if a provider you work with loses its HDS certification ?
The hospital must be immediately notified of any change to the certification scope of its provider: this is a contractual obligation to establish at the time of signing. If certification is lost, the institution must migrate to a certified provider as quickly as possible to restore compliance.
Summary : what you need to know about HDS certification in 2026
HDS certification is a non-negotiable legal obligation for any provider that hosts personal health data in France. As a healthcare institution, you are responsible for your providers: verifying their certification before signing is a minimum due diligence that protects you legally.
Certification covers six distinct activities: above all, verify that the certified activities match the services you will be using. A partial certificate does not cover a full service. Always complement this check with GDPR compliance verification: the two frameworks are complementary and must both be satisfied simultaneously.
In 2026, with the acceleration of medical AI projects and the entry into force of the AI Act, regulatory compliance of digital health solutions is a selection criterion as important as functionality. Choosing a partner like Galeon, HDS-certified, GDPR-compliant by design, and whose BSL® architecture ensures that data never leaves hospital servers, means choosing structural compliance, not just contractual compliance.
Want to learn more about other health-related safety terms ? Check out our health glossary.
