Health Data Hosting: How to Choose Your HDS Provider in 2026?

Health data requires an HDS-certified provider, but the real challenge in 2026 is sovereignty: with Blockchain Swarm Learning®, Galeon keeps

The essentials in 30 Seconds

| Question | Short answer | Key takeaway |
|---|---|---|
| What is HDS certification? | Mandatory certification issued by the ANS to host health data in France, distinct from ISO 27001 certification, which is however a prerequisite to obtain it | Without HDS certification, hosting patient data is illegal. It is issued by the ANS. |
| Who must be HDS certified? | Any provider hosting personal health data | This includes cloud providers, software publishers, and SI integrators. |
| What are the criteria for choosing an HDS provider? | Data sovereignty, server location, scope of certification | A provider can be HDS certified for certain activities only. |
| Does data stay in France with Galeon? | Yes, data never leaves our servers | Galeon uses Blockchain Swarm Learning®: AI models travel, not the data. |
| What is the risk of choosing the wrong provider? | GDPR violations, CNIL fines, loss of sovereignty over patient data | Sanctions can reach 4% of global annual turnover under GDPR. |
| Are HDS and GDPR compatible? | Yes, HDS complements GDPR for healthcare | HDS covers the technical layer; GDPR covers the contractual and organizational layer. |
| Is Galeon compatible with HDS requirements? | Yes, native decentralized architecture and guaranteed sovereignty | 19 hospitals use Galeon, including 2 CHUs, with over 3 million records managed. |

Introduction

In 2026, choosing a health data hosting provider is no longer a simple technical decision. It is a strategic, legal, and ethical act. Since the entry into force of the HDS (Health Data Hosting) framework imposed by the Agence du Numérique en Santé, any hospital that outsources its patient data must ensure its provider holds a valid HDS certification — or risk violating Article L. 1111-8 of the French Public Health Code.

Yet the reality on the ground is often disappointing. Many hospitals find themselves locked into contracts with providers whose certification is partial, whose servers are located outside the European Union, and whose reversibility clauses are virtually non-existent. In this context, CIOs and hospital directors face a difficult choice between regulatory compliance, data sovereignty, and operational performance.

Galeon offers a radically different answer: rather than entrusting data to a third party, data stays on Galeon's servers. Present in 19 hospitals including 2 CHUs, with over 3 million patient records managed and 10,000 active caregivers on the platform, Galeon has built a native sovereignty architecture that meets HDS requirements without compromise.

This article gives you the keys to understanding the HDS regulatory framework, evaluating your current and future providers, and anticipating market developments in 2026.

What is HDS Certification and Why is it Mandatory?

HDS certification (Health Data Hosting) is a security framework imposed by French law. It applies to any actor that hosts, backs up, or restores personal health data on behalf of healthcare professionals or institutions.

What are the six activities covered by HDS certification?

HDS certification is structured around six distinct activities, which a provider may cover partially or in full:

  • Activity 1: provision and operational maintenance of physical infrastructure
  • Activity 2: provision and operational maintenance of virtual resources
  • Activity 3: provision and operational maintenance of the software platform
  • Activity 4: managed services for health information systems
  • Activity 5: hosting of health applications for professional use
  • Activity 6: outsourced managed services for workstations

What data falls under the HDS obligation?

HDS certification applies to all personal health data as defined by GDPR: medical records, test results, hospitalization reports, prescriptions, and medical imaging. By extension, data that allows inference of a person's health status also falls under this definition.

In 2026, with the widespread adoption of intelligent EHRs and medical AI, the scope of this data has expanded considerably. Behavioral data, consultation metadata, and usage traces from clinical software can now constitute health data in their own right.

What are the Essential Criteria for Choosing an HDS Provider in 2026?

HDS certification is a necessary condition, but not a sufficient one. In 2026, hospital CIOs and directors must evaluate their providers across at least seven complementary dimensions.

1. The actual scope of certification: coverage and renewal date

CIO watchpoint: A provider can be HDS certified for activities 1 and 2 only, without covering the software layers where your EHR actually resides. Before signing, request the detailed HDS certificate with the exact scope of certified activities.

HDS certification is issued for a three-year period, with annual surveillance audits. Before signing any contract, check the expiry date on the ANS public register and the exact scope of certified activities. An expired or partial certification exposes the institution to direct legal liability.

2. Geographic location of servers

French regulations require that health data be hosted within the European Union. In practice, many cloud contracts include clauses allowing transfer to data centers outside the EU in the event of maintenance or disaster recovery. Demand an explicit contractual clause anchoring data to EU geography, with no exceptions.

3. Hospital sovereignty over its data

The central question is not just "where is the data?" but "who can access it and under what conditions?" Centralized learning models, where a third party aggregates data from multiple hospitals to train AI, represent a transfer of sovereignty that many institutions accept without fully understanding the consequences.

Data never leaves our servers — those of the hospitals. That is the founding principle of Galeon's Blockchain Swarm Learning®.

4. Reversibility and data portability

Technical dependency on a hosting provider, often called "vendor lock-in", is one of the most underestimated risks in HDS contracts. Check the contractual timelines for data restitution, the guaranteed export formats (HL7 FHIR, DICOM), and the pricing conditions for data recovery.

5. Traceability of access and processing

Regulations require complete traceability of all access to health data. In 2026, the most advanced solutions use blockchain to guarantee immutable, independently auditable traceability, with no possibility of log alteration.
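What tamper-evident access logging looks like at its simplest, as an added example that is not from the original article and is not Galeon's implementation: a single-writer SHA-256 hash chain rather than a distributed blockchain. The function names, record fields and sample events are constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # previous-hash value used for the first entry

def entry_hash(prev_hash, record):
    # Canonical JSON (sorted keys) so the same record always hashes identically.
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()

def append(log, record):
    """Append an access record, chaining it to the hash of the previous entry."""
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"record": record, "prev": prev, "hash": entry_hash(prev, record)})
    return log[-1]["hash"]  # head hash: store this outside the log itself

def verify(log, anchored_head=None):
    """Return the index of the first invalid entry, or None if the chain is intact.

    anchored_head is a head hash kept independently of the log store; without it,
    a writer able to replace the whole log could recompute every hash.
    """
    prev = GENESIS
    for i, e in enumerate(log):
        if e["prev"] != prev or e["hash"] != entry_hash(prev, e["record"]):
            return i
        prev = e["hash"]
    if anchored_head is not None and prev != anchored_head:
        return len(log)  # self-consistent chain, but truncated or rewritten
    return None

def build_sample_log():
    # Constructed sample access events (not real data).
    events = [
        {"ts": "2026-01-12T08:01:00Z", "user": "dr.martin", "action": "read", "record_id": "P-0001"},
        {"ts": "2026-01-12T08:05:30Z", "user": "nurse.durand", "action": "update", "record_id": "P-0001"},
        {"ts": "2026-01-12T09:14:10Z", "user": "dr.martin", "action": "export", "record_id": "P-0002"},
    ]
    log, head = [], None
    for ev in events:
        head = append(log, ev)
    return log, head

if __name__ == "__main__":
    log, head = build_sample_log()
    print("intact:", verify(log, head))
    log[1]["record"]["user"] = "someone.else"  # in-place edit of one entry
    print("first invalid entry after edit:", verify(log, head))
```

The chain only proves integrity relative to the head hash, so an auditor needs that value from a source the log operator cannot rewrite.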

6. The ability to generate value from data without transferring ownership

This is the boundary that separates traditional hosting providers from next-generation actors. A standard HDS provider stores your data. Galeon allows you to generate value from it, by participating in medical research projects, while retaining full ownership and receiving 40% of the revenues generated through the $GALEON token redistribution mechanism.

7. Compliance with complementary frameworks

Beyond HDS, the health data security certification landscape also includes ISO 27001 (information security), ISO 27017 (cloud), NIS2 compliance, and SecNumCloud qualification from ANSSI. Galeon currently holds HDS and ISO 27001 certifications.

How Does Galeon Compare to Traditional HDS Providers?

The table below compares the three categories of actors present on the market in 2026: generalist clouds (hyperscalers), specialized HDS providers, and Galeon's approach based on Blockchain Swarm Learning®.

| Criterion | Generalist cloud provider | Traditional HDS provider | Galeon |
|---|---|---|---|
| HDS certification | Partial or absent | Yes, activities 1 to 6 | Yes, native HDS architecture |
| Data location | Often outside EU (US, Asia) | France or EU only | Data hosted on Galeon's servers |
| Hospital sovereignty | Low: dependency on vendor | Medium: PSSI contract | Full: hospital remains owner |
| AI training model | Data centralization | Not natively planned | Decentralized via Blockchain Swarm Learning® |
| Access traceability | Partial logs | Yes, ISO 27001 standard | Blockchain: all actions immutably traced |
| Inter-hospital sharing | Unsecured or impossible | Siloed by institution | Collaborative network between partner hospitals |
| Data value sharing | No revenue for the hospital | No revenue for the hospital | 40% of value created returned to hospitals via $GALEON token |
| Reversibility / portability | Often contractually limited | Possible but complex | Data stays on-site: native portability |
| NIS2 / ANSSI compliance | Varies by provider | Generally compliant | Native decentralization = maximum resilience |
| 5-year TCO | Low short-term, rapid escalation | Predictable but rigid | Controlled cost + potential revenues via data valorization |

Galeon's approach stands out on one fundamental point: where traditional providers aggregate data to extract value for themselves, Galeon circulates AI algorithms between hospitals, without data ever leaving local servers. This is a complete inversion of the dominant economic and technical model.

What Does a CIO Concretely Gain from Choosing the Right HDS Provider?

For a hospital Chief Information Officer, the choice of HDS provider is not just a compliance question. It is a decision that impacts operational security, the 5-year budget, and the ability to integrate medical AI in the years ahead.

  • Reduced non-compliance risk: an up-to-date HDS certification avoids CNIL sanctions that can reach 4% of the annual budget.
  • Business continuity: decentralized architectures like Galeon's BSL® eliminate single points of failure (SPOF).
  • Interoperability: data structured according to HL7 FHIR and DICOM standards is ready for future national integrations (Mon Espace Santé, RNIPPS).
  • Readiness for medical AI: data structured at the point of care by caregivers is directly usable without costly post-processing.

Concrete example: A Galeon partner CHU could participate in a research project on rehospitalization prediction without ever transferring a single patient record outside its walls. The algorithm was trained locally, the results consolidated via blockchain. The CHU received its share of the value created.

Why is HDS Compliance a Value Driver for HealthTech Investors?

For a digital health investor, a solution's HDS certification is a strong signal of regulatory maturity and scalability. In 2026, according to KPMG's report on French HealthTech, HDS-certified startups raise on average 2.3 times more than their non-certified competitors, and display client retention rates 40% higher.

Galeon goes beyond simple compliance. Its economic model based on the $GALEON token creates an unprecedented value-sharing mechanism: each use of health data by the BSL® generates transactions distributed between hospitals (40%), the Galeon DAO fund (30%), token buyback and burn (20%), and Galeon (10%). This model aligns the interests of all stakeholders over the long term.

With over 30,000 $GALEON token holders and an active pioneer community since 2016, Galeon is one of the rare HealthTech companies to have demonstrated real adoption in a sector where resistance to change is structural.

What are the Real Limits and Challenges of HDS Hosting in 2026?

An honest analysis of the sector requires presenting the challenges that remain, including for the most advanced solutions.

Limit 1: the complexity of initial compliance. HDS certification involves a rigorous audit covering organizational, technical, and contractual dimensions. For a hospital starting from a legacy architecture, achieving compliance can require 12 to 24 months of work. Internal resources are often insufficient, creating dependency on CISO consulting providers.

Limit 2: the HDS provider market remains concentrated. In 2026, the French market of HDS-certified providers numbers fewer than 80 actors referenced by the ANS. This concentration creates dependency risks for institutions, particularly in the medical imaging and complex EHR segments. The choice is more limited than it appears.

Limit 3: adoption of decentralized approaches remains gradual. Architectures based on Blockchain Swarm Learning® represent a significant paradigm shift for CIO teams. The learning curve is real, and the transformation of internal processes — data governance, team training, PSSI revision — requires dedicated support.

Limit 4: frameworks evolve faster than certifications. The NIS2 directive, transposed into French law in 2024, imposes new cybersecurity requirements on healthcare institutions classified as Essential Entities. HDS certification does not yet fully integrate these NIS2 requirements, creating areas of regulatory overlap that CIOs must manage manually.

Limit 5: data valorization requires a mature governance framework. Participating in a health data valorization network such as Galeon's requires the institution to have previously established solid governance: GDPR-compliant patient consent policies, an operational ethics committee, and an up-to-date PSSI. For hospitals whose digital maturity is still partial, these prerequisites can represent a significant obstacle.

FAQ — HDS Hosting: Frequently Asked Questions

Is HDS certification mandatory for all medical software?

No, HDS certification applies to data hosting, not to the software itself. An EHR publisher that hosts its clients' data must be HDS certified. If it provides only the software and the hospital hosts its own data, the hospital is responsible for the compliance of its infrastructure.

How can I verify that a provider is genuinely HDS certified?

The public register of HDS-certified providers is available on the ANS website. You can check the provider's name, the certified activities, and the certificate expiry date. Do not rely solely on the provider's commercial declarations.

Can a public cloud (AWS, Azure, Google Cloud) be HDS certified?

Yes. AWS France, Microsoft Azure, and Google Cloud Platform have obtained HDS certification for certain activities and regions. However, certification generally covers infrastructure layers, not all services. It remains the responsibility of the hospital or software publisher to verify that the application layer is also covered.

What is the difference between HDS and the ANSSI SecNumCloud qualification?

HDS is the mandatory regulatory certification for hosting health data. SecNumCloud is an optional qualification issued by ANSSI for high-security cloud offerings. In practice, SecNumCloud provides additional guarantees against foreign extraterritorial laws (US Cloud Act). For the most sensitive data, both are complementary.

How does Galeon's Blockchain Swarm Learning® guarantee HDS compliance?

Galeon's BSL® is designed so that health data never leaves the hospital's servers. Only AI models travel between institutions via the blockchain, to be trained locally. This model eliminates the risk of non-compliant data transfer and guarantees that the hospital remains the sole host of its data — and therefore solely responsible for HDS compliance.

What questions should I ask an HDS provider before signing a contract?

Request: the complete HDS certificate with the scope of covered activities, the list of subcontractors with access to the data, the precise location of each data center, the guaranteed timelines and formats for data restitution, the conditions of the Disaster Recovery Plan, and contractual commitments in the event of a data breach. A serious provider answers these questions without delay.

What to Remember Before Choosing Your HDS Provider

In 2026, HDS certification is the compliance floor, not the ceiling of ambition. Hospitals that settle for checking the regulatory box miss the major strategic issue: sovereignty over their health data and the ability to generate value from it in service of medical research.

The real differentiating criterion between providers is not the certification itself, but the technical architecture behind it: data centralized with a third party, or sovereign data on the hospital's own servers? Partial logs or immutable blockchain traceability? Pure cost or a shared value model?

Galeon is present in 19 hospitals (including 2 CHUs), with over 3 million patient records and 10,000 active caregivers. Its Blockchain Swarm Learning® architecture was built from the ground up to answer these questions: data does not move, AI comes to it. This approach guarantees HDS compliance while preparing institutions for the era of data-driven medicine.

Choosing your HDS provider in 2026 means choosing the digital world in which your hospital will be sovereign ten years from now.
