HDS Certification Is Evolving: What You Need to Know About HDS v2.1

Published: Apr 13, 2026

Just when you thought the transition to Version 2.0 of France's Hébergeur de Données de Santé (HDS) — or health data hosting — was almost complete, the certification framework is undergoing another significant update. Following the publication of the Law on Securing and Regulating the Digital Space (SREN) decree on March 24, 2026, a new version of the standard, referred to as HDS v2.1, is now in development.

In this article, we’ll detail the transition to HDS v2.1, what’s changing, new requirements for hosting providers, the timeline involved, and how to prepare for certification.

The HDS v2.0 Transition: What's at Stake

The transition from HDS v1.1 to v2.0 has been well underway since the v2.0 standard was published by decree in April 2024; however, the deadline is firm. After May 16, 2026, all HDS certificates issued under v1.1 will no longer be valid. Any organization that has not yet completed its transition should treat this as an urgent priority.

Why The Transition To v2.1? The SREN Act and Its Impact

Article 32 of the SREN Act, adopted on May 21, 2024, introduced new obligations for health data hosts that the existing v2.0 framework does not fully reflect, including:

  • A mandatory obligation to store personal health data exclusively within the European Economic Area (EEA), specified by decree
  • New contractual disclosure requirements when data transfers, including remote access, involve countries outside the European Union (EU)/EEA
  • Extension of HDS certification obligations to hosting providers offering electronic archiving services

These changes required a formal update to the certification framework, giving rise to HDS v2.1.

Certification Requirement Updates in HDS v2.1

The updates are precise and legally grounded. Here are the key changes to the certification framework:

  • Activity 6 (renamed): The health data backup activity now explicitly covers retention of health data in the context of electronic archiving. This reflects the SREN Act's explicit extension of the HDS certification obligation to electronic archiving services, meaning hosting providers offering this type of service are now unambiguously within scope.
  • Requirements 28 & 29 (updated data transfer rules): Both requirements now reference Article R.1111-9-1 of the code de la santé publique (CSP), or French Public Health Code. Additionally, Requirement 29 makes clear that remote access from outside the EEA is treated as a data transfer and must be covered either by an EU adequacy decision or by appropriate safeguards under GDPR Article 46, and the customer must be informed of the specifics in the contract.
  • Requirement 19 (expanded patient rights): Hosting contracts must now explicitly enumerate patients' rights under GDPR Articles 15–21, including rights of access, rectification, erasure, portability, restriction of processing, and objection.
  • Requirements 23-1, 23-2, and 23-3 (contract transparency on data transfers): These requirements impose structured disclosure obligations in hosting contracts:
    • 23-1 (renumbered from previous Requirement 23): Contracts must describe access governance and any applicable transfer information under Article R.1111-9-1, including remote access scenarios.
    • 23-2 (new): Takes up Requirements 29 and 30 of the v2.0 standard by requiring that this information be indicated in the contract even if the third country is the subject of an adequacy decision. If the host or a subcontractor is subject to legislation of a third country that is not a member of the EU or a party to the EEA, the contract must list the applicable regulations, the relevant adequacy decision (if any), and both the mitigation measures and the residual risks where no adequacy decision exists.
    • 23-3 (new): Requires that the information published under Requirement 31 (representation of guarantees) be stated explicitly in the contract.
  • Requirement 31 (public transparency map): Adds a reference to III of Article R.1111-11 of the French Public Health Code. Hosts must publish and keep up to date a public map of all personal health data transfers outside the EEA, including remote access situations and risks of unauthorized access.

What HDS v2.1 Means Operationally

For hosting providers, the primary obligation is to update customer contracts to reflect the new disclosure requirements.

For certification bodies (CBs) such as Schellman, the changes require:

  • Updating issued certificates to reflect the v2.1 framework version and the renamed Activity 6
  • Adding controls to verify that new contract templates incorporate the revised requirements, and that existing contracts have been updated for sample testing

What Comes Next: The HDS v2.1 Timeline

The path to HDS v2.1 publication follows a structured sequence that began in March 2026 with the following tentative timeline:

  1. March 24, 2026 — SREN HDS decree published in the Official Journal
  2. March-May 2026 — Public consultation on the v2.1 framework
  3. May-July or August 2026 — Notification period with the European Commission
  4. August-September 2026 (estimated) — HDS v2.1 published in the Official Journal

Once published, audits conducted three months after the publication date, whether initial, surveillance, or renewal, will be carried out under v2.1. The most substantive work for hosting providers lies in updating the contractual language to meet the new data sovereignty and transparency obligations. Organizations that start reviewing their contracts now will be well-positioned when the new standard takes effect.

How To Prepare for HDS v2.1 Certification

With the v2.0 transition deadline firmly set for May 16, 2026, now is the time for organizations to look ahead at what HDS v2.1 will bring and begin positioning themselves accordingly.

While v2.1 is still an emerging standard, compliance teams can take several steps today to prepare:

  • Complete your v2.0 transition first. If your organization has not yet finalized its HDS v2.0 certification, that remains the immediate priority. A valid v2.0 certificate is the foundation from which your v2.1 readiness will be built.
  • Review the v2.1 changes against your current documentation and controls. Identify gaps early so remediation efforts can be planned and resourced proactively, rather than addressed later under deadline pressure.
  • Engage your certification body early. Understanding how your auditor is interpreting the new requirements will help you align your internal processes before your next audit cycle.
  • Update your internal training and awareness materials. Any changes to security or data protection requirements under v2.1 should be reflected in how your teams are trained and how policies are communicated across the organization.

Staying ahead of certification changes is a signal to partners, customers, and patients that your organization takes data protection seriously. To learn more about HDS v2.1 or for additional information about the certification requirements or timeline, contact us today.

About Robert Tylka

Robert Tylka is a Principal at Schellman & Company. With over 17 years of experience in providing IT attestation and compliance services, Robert currently leads the Midwest practice at Schellman where he specializes in SOC 1, SOC 2, ISO 27001, STAR, and HIPAA examinations. In his portfolio he also oversees engagements that include FedRAMP, HITRUST, PCI, and various Privacy reviews. To date, Robert has provided services to clients in the information technology, financial services, governmental, human resources, insurance, and manufacturing industries, among others. Robert has also provided professional services to companies of all sizes during his career, including Fortune 1000 and publicly traded companies, with a strong focus in the technology sector.