
Article 1 
This Decision provides the necessary rules for the establishment, the management and the functioning of the eHealth Network of national authorities responsible for eHealth, as provided for by Article 14 of Directive 2011/24/EU.
Article 2 

1. For the purposes of this Decision:
(a) ‘eHealth Network’ means the voluntary network connecting national authorities responsible for eHealth designated by the Member States and pursuing the objectives laid down in Article 14 of Directive 2011/24/EU;
(b) ‘National Contact Points for eHealth’ means organisational and technical gateways for the provision of Cross-Border eHealth Information Services under the responsibility of the Member States;
(c) ‘Cross-Border eHealth Information Services’ means existing services that are processed via National Contact Points for eHealth and through a core service platform developed by the Commission for the purpose of cross-border healthcare;
(d) ‘eHealth Digital Service Infrastructure for Cross-Border eHealth Information Services’ means the infrastructure that enables the provision of Cross-Border eHealth Information Services via National Contact Points for eHealth and the European core service platform. This infrastructure includes both generic services, as defined in Article 2(2)(e) of Regulation (EU) No 283/2014, developed by the Member States and a core service platform, as defined in Article 2(2)(d) therein, developed by the Commission;
(e) ‘other shared European eHealth Services’ means digital services that may be developed in the framework of the eHealth Network and shared between Member States;
(f) ‘governance model’ means a set of rules concerning the designation of bodies participating in decision-making processes concerning the eHealth Digital Service Infrastructure for Cross-Border eHealth Information Services or other shared European eHealth Services developed in the framework of the eHealth Network, as well as description of those processes.
2. The definitions in points (1), (2), (7) and (8) of Article 4 of Regulation (EU) 2016/679 shall apply accordingly.
Article 3 

1. Members of the eHealth Network shall be Member States’ authorities responsible for eHealth, designated by those Member States participating in the eHealth Network.
2. Member States wishing to participate in the eHealth Network shall notify the Commission in writing of:
(a) the decision to participate in the eHealth Network;
(b) the national authority responsible for eHealth which will become a Member of the eHealth Network, as well as the name of the representative and that of his/her alternate.
3. Members shall notify the Commission in writing of the following:
(a) their decision to withdraw from the eHealth Network;
(b) any change in the information referred to in point (b) of paragraph 2.
4. The Commission shall make available to the public the list of Members participating in the eHealth Network.
Article 4 

1. In pursuing the objective referred to in Article 14(2)(a) of Directive 2011/24/EU the eHealth Network may, in particular:
(a) facilitate greater interoperability of the national information and communications technology systems and cross-border transferability of electronic health data in cross-border healthcare;
(b) provide guidance to Member States, in cooperation with other competent supervisory authorities, in relation to sharing health data between Member States and empowering citizens to access and share their own health data;
(c) provide guidance to Member States and facilitate the exchange of good practices concerning the development of different digital health services, such as telemedicine, m-health, or new technologies in the area of big data and artificial intelligence, taking into consideration ongoing actions at EU level;
(d) provide guidance to Member States as regards supporting health promotion, disease prevention and improved delivery of healthcare through better use of health data and by improving digital skills of patients and healthcare professionals;
(e) provide guidance to Member States and facilitate voluntary exchange of best practices on the investments in digital infrastructure;
(f) provide guidance, in collaboration with other relevant bodies and stakeholders, to Member States on the necessary use cases for clinical interoperability and the tools for achieving it;
(g) provide guidance to the Members on security of the eHealth Digital Service Infrastructure for Cross-Border eHealth Information Services or other shared European eHealth Services developed in the framework of the eHealth Network, taking into account legislation and documents elaborated at Union level in particular in the area of security, as well as recommendations in the field of cybersecurity, working in close cooperation with the Network and Information Security Cooperation Group and with the European Union Agency for Network and Information Security and with national authorities, where relevant.
2. In drawing up the guidelines on effective methods for enabling the use of medical information for public health and research referred to in Article 14(2)(b)(ii) of Directive 2011/24/EU, the eHealth Network shall take into account the guidelines adopted by and, where appropriate, consult with the European Data Protection Board. These guidelines may also address information exchanged through the eHealth Digital Service Infrastructure for Cross-Border eHealth Information Services or other shared European eHealth Services.
Article 5 

1. The eHealth Network shall establish its own Rules of Procedure, by simple majority of its Members.
2. The eHealth Network shall adopt a multiannual work programme and an evaluation instrument on the implementation of such programme.
3. To accomplish its tasks, the eHealth Network may set up permanent subgroups in relation to specific tasks, in particular related to the eHealth Digital Service Infrastructure for Cross-Border eHealth Information Services or the other shared European eHealth Services developed in the framework of the eHealth Network.
4. The eHealth Network may also set up temporary sub-groups, including with experts to examine specific questions on the basis of terms of reference defined by the eHealth Network itself. Such sub-groups shall be disbanded as soon as their mandate is fulfilled.
5. When Members of the eHealth Network decide to advance their cooperation in some areas covered by the tasks of the eHealth Network, they should agree on and commit to the rules of the advanced cooperation.
6. In pursuing its objectives, the eHealth Network shall work in close cooperation with the Joint Actions supporting the activities of the eHealth Network where such joint actions exist, with stakeholders or other concerned bodies or supporting mechanisms and shall take into account the results achieved in the framework of those activities.
7. The eHealth Network shall elaborate, together with the Commission, the governance models of the eHealth Digital Service Infrastructure for Cross-Border eHealth Information Services and participate in that governance by:
(i) agreeing on the priorities of the eHealth Digital Service Infrastructure, and overseeing their operation;
(ii) drawing up guidelines and requirements for the operation, including the selection of the standards used for the eHealth Digital Service Infrastructure for Cross-Border eHealth Information Services;
(iii) agreeing whether the Members of the eHealth Network should be allowed to start and continue exchanging electronic health data through the eHealth Digital Service Infrastructure for Cross-Border eHealth Information Services via their National Contact Points for eHealth, based on their compliance with the requirements established by the eHealth Network, as evaluated in tests provided and audits carried out by the Commission;
(iv) endorsing the annual work plan for the eHealth Digital Service Infrastructure for Cross-Border eHealth Information Services.
8. The eHealth Network may elaborate, together with the Commission, the governance models of other shared European eHealth Services developed in the framework of the eHealth Network and participate in their governance. The Network may also set the priorities, together with the Commission, and draw up guidelines for the operation of such shared European eHealth Services.
9. The Rules of Procedure may envisage that countries, other than Member States, applying Directive 2011/24/EU, may participate in the meetings of the eHealth Network as observers.
10. Members of the eHealth Network and their representatives, as well as invited experts and observers, shall comply with the obligations of professional secrecy as laid down by Article 339 of the Treaty, as well as with the Commission’s rules on security regarding the protection of EU classified information, as laid down in Commission Decision (EU, Euratom) 2015/444. Should they fail to respect these obligations, the Chair of the eHealth Network may take all appropriate measures as provided for in the Rules of Procedure.
Article 6 

1. The Commission shall:
(a) attend and co-chair the meetings of the eHealth Network together with the representative of the Members;
(b) cooperate with and provide support to the eHealth Network in relation to its activities;
(c) provide secretarial services for the eHealth Network;
(d) develop, implement and maintain appropriate technical and organisational measures related to the core services of the eHealth Digital Service Infrastructure for Cross-Border eHealth Information Services;
(e) support the eHealth Network in agreeing on the technical and organisational compliance of National Contact Points for eHealth with the requirements for the cross-border exchange of health data by providing and carrying out the necessary tests and audits. Experts from the Member States may assist Commission auditors.
2. The Commission may attend the meetings of the eHealth Network sub-groups.
3. The Commission may consult the eHealth Network on matters relating to eHealth at Union level and eHealth best practices exchange.
4. The Commission shall make available to the public information on activities carried out by the eHealth Network.
Article 7 

1. The Member States, represented by the relevant National Authorities or other designated bodies shall be regarded as controllers of personal data they process through the eHealth Digital Service Infrastructure for Cross-Border eHealth Information Services and shall clearly and transparently allocate the responsibilities between controllers.
2. The Commission shall be regarded as data processor for patients’ personal data processed through the eHealth Digital Service Infrastructure for Cross-Border eHealth Information Services. In its capacity as processor, the Commission shall manage the core services of the eHealth Digital Service Infrastructure for Cross-Border eHealth Information Services and shall comply with the obligations of a processor laid down in the Annex to this Decision. The Commission shall not have access to patients’ personal data processed through the eHealth Digital Service Infrastructure for Cross-Border eHealth Information Services.
3. The Commission shall be regarded as controller of the processing of personal data necessary to grant and manage access rights to the core services of eHealth Digital Service Infrastructure for Cross-Border eHealth Information Services. Such data are contact details of users, including name, surname and email address and their affiliation.
Article 8 

1. Participants in the activities of the eHealth Network shall not be remunerated by the Commission for their services.
2. Travel and subsistence expenses incurred by participants in the activities of the eHealth Network shall be reimbursed by the Commission in accordance with the provisions in force within the Commission on reimbursement of expenses incurred by people from outside the Commission invited to attend meetings in an expert capacity. Those expenses shall be reimbursed within the limits of the available appropriations allocated under the annual procedure for the allocation of resources.
Article 9 
Implementing Decision 2011/890/EU is repealed. References to the repealed Decision shall be construed as references to this Decision.
Article 10 
This Decision is addressed to the Member States.
Done at Brussels, 22 October 2019.
For the Commission
Vytenis ANDRIUKAITIS
Member of the Commission
ANNEX

The Commission shall:

1. Set up and ensure a secure and reliable communication infrastructure that interconnects networks of the Members of the eHealth Network involved in eHealth Digital Service Infrastructure for Cross-Border eHealth Information Services (‘Central Secure Communication Infrastructure’). To fulfil its obligations, the Commission may engage third parties. The Commission shall ensure that the same data protection obligations as set out in this Decision apply to these third parties.
2. Configure part of the Central Secure Communication Infrastructure so that the National Contact Points for eHealth may exchange information securely, reliably and efficiently.
3. The Commission shall process the personal data on documented instructions from the Controllers.
4. Take all organisational, physical and logical security measures to maintain the Central Secure Communication Infrastructure. To this end, the Commission shall:

(a) designate a responsible entity for the security management at the level of Central Secure Communication Infrastructure, communicate to the data controllers its contact information and ensure its availability to react to security threats;
(b) assume the responsibility for the security of the Central Secure Communication Infrastructure;
(c) ensure that all individuals that are granted access to Central Secure Communication Infrastructure are subject to contractual, professional or statutory obligation of confidentiality;
(d) ensure that the personnel having access to classified information fulfil the corresponding criteria of clearance and confidentiality.
5. Take all necessary security measures to avoid compromising the smooth operational functioning of the other’s domain. To this end, the Commission shall put in place the specific procedures related to the connection to the Central Secure Communication Infrastructure. This information includes:

(a) risk assessment procedure, to identify and estimate potential threats to the system;
(b) audit and review procedure to:

(i) check the correspondence between the implemented security measures and the security policy in application;
(ii) control on a regular basis the integrity of system files, security parameters and granted authorisations;
(iii) monitor to detect security breaches and intrusions;
(iv) implement changes to avoid existing security weaknesses and
(v) define the conditions under which to authorise, including at the request of controllers, and contribute to the performance of independent audits, including inspections, and reviews on security measures.
(c) change control procedure to document and measure the impact of a change before its implementation and keep the National Contact Points for eHealth informed of any changes that can affect the communication with and/or the security of the other national infrastructures;
(d) maintenance and repair procedure to specify the rules and conditions to follow when maintenance and/or repair of equipment should be performed;
(e) security incident procedure to define the reporting and escalation scheme, inform without delay the responsible national administration, as well as the European Data Protection Supervisor of any security breach and define a disciplinary process to deal with security breaches.
6. Take physical and/or logical security measures for the facilities hosting the Central Secure Communication Infrastructure equipment and for the controls of logical data and security access. To this end, the Commission shall:

(a) enforce physical security to establish distinctive security perimeters and allowing detection of breaches;
(b) control access to the facilities and maintain a visitor register for tracing purposes;
(c) ensure that external people granted access to premises are escorted by duly authorised staff of its respective organisation;
(d) ensure that equipment cannot be added, replaced or removed without prior authorisation of the designated responsible bodies;
(e) control access from and to other network(s) interconnected to the Central Secure Communication Infrastructure;
(f) ensure that individuals who access the Central Secure Communication Infrastructure are identified and authenticated;
(g) review the authorisation rights related to the access to the Central Secure Communication Infrastructure in case of a security breach affecting this infrastructure;
(h) keep the integrity of the transmitted information through the Central Secure Communication Infrastructure;
(i) implement technical and organisational security measures to prevent unauthorised access to personal data;
(j) implement, whenever necessary, measures to block unauthorised access to the Central Secure Communication Infrastructure from the domain of National Contact Points for eHealth (i.e. block a location/IP address).
7. Take steps to protect its domain, including the severing of connections, in the event of substantial deviation from the principles and concepts for quality or security.
8. Maintain a risk management plan related to its area of responsibility.
9. Monitor — in real time — the performance of all the service components of its Central Secure Communication Infrastructure services, produce regular statistics and keep records.
10. Provide support for all Central Secure Communication Infrastructure services in English 24/7 via phone, mail or Web Portal and accept calls from authorised callers: Central Secure Communication Infrastructure’s coordinators and their respective helpdesks, Project Officers and designated people from the Commission.
11. Support the controllers by providing information concerning the Central Secure Communication Infrastructure of the eHealth Digital Service Infrastructure for Cross-Border eHealth Information Services, in order to implement the obligations in Articles 35 and 36 of Regulation (EU) 2016/679.
12. Ensure that data transported within the Central Secure Communication Infrastructure are encrypted.
13. Take all relevant measures to prevent the Central Secure Communication Infrastructure’s operators from having unauthorised access to transported data.
14. Take measures in order to facilitate the interoperability and the communication between the Central Secure Communication Infrastructure’s designated national competent administrations.
