The EuroStack initiative is Europe’s ambitious attempt to reclaim digital sovereignty by building its own federated, standards-based infrastructure. In the healthcare sector, this means enabling patients’ health data—much of it generated by Internet of Things (IoT) devices—to move securely and seamlessly across national borders. The goal is to make care more responsive, especially in emergencies or when people travel, without compromising privacy rights under the General Data Protection Regulation (GDPR).
This is not just about electronic health records anymore. We are talking about a growing web of interconnected devices: fitness trackers monitoring vital signs, home blood pressure monitors uploading results, hospital machines feeding diagnostics into central systems. These IoT sources must all speak the same digital language. To that end, Europe is pushing for mandatory use of standards such as HL7 FHIR (the widely used REST- and JSON-based successor to the older HL7 v2 messaging standard) and for GAIA-X-style federation frameworks that define under what trust rules data may be shared across providers, countries, and systems.
Security and privacy are central to this vision. In the stated design, data is encrypted from the point of capture to the point of access, not merely in transit between hops. Healthcare providers and patients gain access via Digital Identity Wallets, part of the EU Digital Identity Framework (the revised eIDAS regulation) that allows citizens to prove who they are and record consent to data use across borders.
To ground this in a real-world example: imagine a German tourist who suffers a medical emergency in France. The pharmacy treating them can, in theory, access the tourist’s digital prescription through secure European systems, verify it via a trusted digital identity, and dispense the right medication—without any delay, language barriers, or faxes.
It is an elegant vision. But reality is rather more complicated.
The chaos behind the brochure
Fragmented data systems
Although the vision is to build one unified European health data space, the current reality is that each country—and often each hospital or clinic—uses its own systems, formats, and protocols. This creates significant barriers to interoperability. For example, a hospital in the Netherlands may use one format to store electronic health records, while a hospital in Italy uses something entirely different, making it difficult or impossible for devices and systems to communicate. As a result, crucial medical data gets stuck in silos, unavailable when it is needed most.
GDPR compliance gymnastics
The GDPR, while essential for protecting personal privacy, creates a complex legal landscape for health-related IoT systems. These devices often collect much more data than they actually need, such as GPS location, activity patterns, or even ambient noise, which runs against the GDPR's principle of data minimisation. Large-scale processing of health data counts as high-risk processing, so organisations must carry out Data Protection Impact Assessments (DPIAs) to show they are handling it properly, and any transfer outside the EU/EEA (to a non-EU cloud region, for instance) needs its own legal basis on top. Each step adds paperwork and legal uncertainty. In short, the technology is moving faster than the regulation can adapt.
Cybersecurity Swiss cheese
Many of the IoT devices currently used in healthcare were never designed with security in mind. They often ship with default passwords that are rarely changed, run on outdated operating systems, or lack proper encryption. These weaknesses make them easy targets. The Cyber Resilience Act aims to fix this by imposing baseline security requirements on products with digital elements, but two caveats apply. Its obligations phase in over several years and are enforced by national market surveillance authorities whose resourcing and rigour differ: some take it seriously; others treat it like a box-ticking exercise. And products already regulated as medical devices under the MDR/IVDR are outside the CRA's scope, so a consumer fitness tracker and a certified hospital infusion pump answer to different rulebooks. The result is a patchwork of protection across Europe.
Patient consent management
Giving patients control over their data is central to GDPR, but most existing systems do a poor job of it. Many people do not really understand what they are consenting to when they click “yes” on a digital form. And cross-border data sharing makes things even murkier: patients may be unaware that their data is being accessed in another country, or by whom. Current digital consent tools lack clarity and flexibility, especially when dealing with IoT data that is constantly updating.
Dependence on non-EU cloud giants
Despite the rhetoric around digital sovereignty, much of Europe’s healthcare data infrastructure still runs on platforms controlled by U.S. and Chinese tech giants like Amazon Web Services (AWS), Microsoft Azure, and Alibaba Cloud. These companies dominate the market due to their scale, reliability, and ease of use. However, relying on them raises serious concerns about data sovereignty—namely, who controls the servers where our most sensitive health data is stored, and what foreign laws might apply.
Proposed solutions (and why they will not be easy)
EU-wide health IoT interoperability framework
To break down the walls between national systems, the EU proposes a unified interoperability framework. This would mandate the use of shared standards like HL7 FHIR and push for full integration with the European Health Data Space (EHDS). The idea is that devices, apps, and records from different countries will finally be able to talk to each other in the same language.
However, implementation will be far from straightforward. Many healthcare providers still rely on older technologies. Some clinics, for example, still exchange results as HL7 version 2 messages, a pipe-delimited format dating back to the late 1980s whose segments and local code tables do not map cleanly onto FHIR resources. Retrofitting these systems will be expensive and technically difficult. Moreover, GDPR is interpreted and enforced differently in each member state, leading to regulatory inconsistencies that make harmonisation harder. Finally, the EHDS may struggle to process the enormous volume of data generated by millions of IoT devices in real time.
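To make the v2-to-FHIR gap concrete, here is an added example written for this page (not code from any EU project, vendor or standards body): a small Python converter that takes a constructed HL7 v2.3 ORU^R01 message from a home blood-pressure monitor and emits FHIR R4 Observation resources. It also applies a coding-system allowlist, so a vendor's uncoded "device location" field is dropped at the edge, which is data minimisation expressed in code. The device, facility and patient identifiers are made up; the LOINC codes and FHIR field names are real.

```python
"""Map an HL7 v2 ORU^R01 result message from a home device to FHIR R4
Observations, dropping fields that carry no recognised clinical coding.
Standard library only; the message is constructed for this example (the
LOINC codes are real, the device and facility names are made up)."""
import json
from typing import Dict, List, Optional, Tuple

# Constructed v2.3 message: a home blood-pressure monitor reporting two numeric
# results plus a vendor-specific "device location" field the clinic never asked for.
SAMPLE_ORU = "\r".join([
    r"MSH|^~\&|BPMON|HOMEDEV|EHR|HOSP|20240501120000||ORU^R01|MSG0001|P|2.3",
    "PID|1||123456^^^HOSP^MR||DOE^JANE||19800101|F",
    "OBR|1|||85354-9^Blood pressure panel^LN|||20240501115500",
    "OBX|1|NM|8480-6^Systolic blood pressure^LN||128|mm[Hg]|90-140|N|||F|||20240501115500",
    "OBX|2|NM|8462-4^Diastolic blood pressure^LN||84|mm[Hg]|60-90|N|||F|||20240501115500",
    "OBX|3|ST|GPS^Device location^LOCAL||48.8566,2.3522||||||F|||20240501115500",
])

# Allowlist of coding systems that are forwarded (HL7 table 0396 id -> FHIR URI).
# Anything else is dropped at the edge: data minimisation by construction.
CODE_SYSTEMS = {"LN": "http://loinc.org"}
# OBX-11 result status -> Observation.status
STATUS_MAP = {"F": "final", "P": "preliminary", "C": "corrected", "X": "cancelled"}


def parse_hl7(message: str) -> Dict[str, List[List[str]]]:
    """Split a v2 message into {segment id: [field lists]}. The field separator
    is read from MSH-1 rather than assumed."""
    segments = [s for s in message.split("\r") if s]
    if not segments or not segments[0].startswith("MSH"):
        raise ValueError("message must start with an MSH segment")
    field_sep = segments[0][3]
    parsed: Dict[str, List[List[str]]] = {}
    for seg in segments:
        fields = seg.split(field_sep)
        parsed.setdefault(fields[0], []).append(fields)
    return parsed


def hl7_ts_to_iso(ts: str) -> str:
    """YYYYMMDD[HHMM[SS]] -> ISO 8601. v2.3 senders often omit the timezone,
    so none is invented here; the receiving system must decide how to treat it."""
    ts = ts.strip()
    if len(ts) < 8 or not ts.isdigit():
        raise ValueError(f"bad HL7 timestamp: {ts!r}")
    iso = f"{ts[0:4]}-{ts[4:6]}-{ts[6:8]}"
    if len(ts) >= 12:
        iso += f"T{ts[8:10]}:{ts[10:12]}:{ts[12:14] or '00'}"
    return iso


def obx_to_observation(obx: List[str], patient_ref: str) -> Optional[dict]:
    """Build one Observation from an OBX segment, or None if it is not forwarded."""
    obx = obx + [""] * (15 - len(obx))            # pad so short segments index safely
    value_type, code_field, value, units = obx[2], obx[3], obx[5], obx[6]
    code, display, system_id = (code_field.split("^") + ["", ""])[:3]
    system = CODE_SYSTEMS.get(system_id)
    if system is None or value_type != "NM":      # uncoded/local or non-numeric: drop
        return None
    return {
        "resourceType": "Observation",
        "status": STATUS_MAP.get(obx[11], "unknown"),
        "code": {"coding": [{"system": system, "code": code, "display": display}]},
        "subject": {"reference": patient_ref},
        "effectiveDateTime": hl7_ts_to_iso(obx[14]),
        "valueQuantity": {"value": float(value), "unit": units,
                          "system": "http://unitsofmeasure.org", "code": units},
    }


def convert(message: str) -> Tuple[List[dict], List[str]]:
    """Convert a whole message; returns (observations, reasons for dropped OBX)."""
    segs = parse_hl7(message)
    msg_type = segs["MSH"][0][8].split("^")[:2]      # MSH-9: message type^trigger
    if msg_type != ["ORU", "R01"]:
        raise ValueError(f"unsupported message type {'^'.join(msg_type)}")
    patient_id = segs["PID"][0][3].split("^")[0]      # PID-3, first identifier's ID
    observations, dropped = [], []
    for obx in segs.get("OBX", []):
        obs = obx_to_observation(obx, f"Patient/{patient_id}")
        if obs is None:
            dropped.append(f"OBX-{obx[1]}: {obx[3]} not forwarded (uncoded or non-numeric)")
        else:
            observations.append(obs)
    return observations, dropped


if __name__ == "__main__":
    obs, dropped = convert(SAMPLE_ORU)
    print(json.dumps(obs, indent=2))
    print("dropped:", dropped)
```

Running it prints two Observation resources and reports the GPS segment in `dropped`. Two details matter in practice: v2 segments are separated by carriage returns, which is why the sample joins on "\r" rather than newlines, and a v2 timestamp without a timezone is passed through unchanged, so a real receiver must resolve it against the sender's locale instead of silently assuming UTC.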
Privacy-preserving architectures (federated learning, zero-knowledge proofs)
To reduce the need for centralised data storage while still gaining insights from IoT data, the EU is exploring federated learning (FL) and zero-knowledge proofs (ZKPs). With FL, raw data stays on the device (allegedly); only model updates, such as gradients or weight deltas, are shared and aggregated centrally. ZKPs allow a party to prove that a claim about data holds (an age threshold, a valid prescription) without revealing the underlying data.
While elegant in theory, these solutions introduce practical headaches. Because federated learning never shares raw data, the aggregating server cannot check whether the data behind an update is accurate or biased. A single device sending faulty or deliberately poisoned updates can pull the global model off course, and plain averaging hands every participant that leverage. On top of that, these techniques require significant computing power, which many small or battery-powered IoT medical devices simply do not have. There is also a legal grey area: even if personal data is not directly stored, can the model still be said to "remember" parts of it, and does that conflict with GDPR's right to erasure?
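The poisoning problem in the previous paragraph, as an added example (an illustration written for this page, not code from any EU pilot or research project): a synthetic federated round in Python where nine honest wearables send a noisy gradient and one faulty device sends a huge bogus update. Plain FedAvg is compared with norm clipping, coordinate-wise median and a trimmed mean, the standard ways a server bounds one client's influence without ever seeing raw data. The gradient values, noise level and clipping bound are arbitrary choices for illustration.

```python
"""One faulty client in a federated round: plain FedAvg versus aggregators that
bound a single client's influence. Standard library only; the client updates
are synthetic and constructed for this example."""
import random
from statistics import median
from typing import List, Sequence

Vector = List[float]


def fedavg(updates: Sequence[Vector]) -> Vector:
    """Plain FedAvg (unweighted mean): one client with a huge update shifts
    every coordinate by roughly update / n."""
    n = len(updates)
    return [sum(u[i] for u in updates) / n for i in range(len(updates[0]))]


def coordinate_median(updates: Sequence[Vector]) -> Vector:
    """Coordinate-wise median: tolerates any minority of arbitrary updates."""
    return [median(u[i] for u in updates) for i in range(len(updates[0]))]


def trimmed_mean(updates: Sequence[Vector], trim: int = 1) -> Vector:
    """Discard the `trim` largest and smallest values per coordinate, then average."""
    result = []
    for i in range(len(updates[0])):
        kept = sorted(u[i] for u in updates)[trim:len(updates) - trim]
        result.append(sum(kept) / len(kept))
    return result


def clip_updates(updates: Sequence[Vector], max_norm: float) -> List[Vector]:
    """Norm clipping: scale any update whose L2 norm exceeds max_norm down to it,
    so the server limits a client's reach without inspecting its data."""
    clipped = []
    for u in updates:
        norm = sum(x * x for x in u) ** 0.5
        scale = min(1.0, max_norm / norm) if norm > 0 else 1.0
        clipped.append([x * scale for x in u])
    return clipped


def l2_distance(a: Vector, b: Vector) -> float:
    return sum((x - y) ** 2 for x, y in zip(a, b)) ** 0.5


def make_round(n_honest: int, true_grad: Vector, seed: int = 7) -> List[Vector]:
    """Constructed round: honest wearables report the true gradient plus small
    noise; one device (firmware bug or deliberate poisoning) reports garbage."""
    rng = random.Random(seed)
    honest = [[g + rng.gauss(0, 0.05) for g in true_grad] for _ in range(n_honest)]
    poisoned = [1000.0] * len(true_grad)
    return honest + [poisoned]


def evaluate(n_honest: int = 9) -> dict:
    """Distance of each aggregate from the true gradient for one poisoned round."""
    true_grad = [1.0, -2.0, 0.5]
    updates = make_round(n_honest, true_grad)
    aggregators = {
        "fedavg": fedavg,
        "fedavg_clipped": lambda u: fedavg(clip_updates(u, max_norm=3.0)),
        "median": coordinate_median,
        "trimmed_mean": trimmed_mean,
    }
    return {name: l2_distance(agg(updates), true_grad) for name, agg in aggregators.items()}


if __name__ == "__main__":
    for name, err in evaluate().items():
        print(f"{name:15s} error {err:8.3f}")
```

With ten participants, plain FedAvg lands roughly a hundred units away from the true gradient on every coordinate, while the median and trimmed mean stay within the honest noise. Clipping alone still lets the bad client contribute a bounded push, which is why it is usually combined with a robust aggregator rather than used on its own.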
Enhanced cybersecurity for medical IoT
Under the Cyber Resilience Act, manufacturers must handle vulnerabilities and ship security updates for a product's support period; proposals for medical IoT go further, with endpoint monitoring and even AI-based anomaly detection to spot unusual patterns in real time.
But most of the medical IoT devices in use today are not equipped for that. Around half run on legacy hardware or outdated software that cannot support modern security protocols. Even where AI-based monitoring is available, it is not perfect: such systems produce false positives, mistaking legitimate emergency access for a security threat, and a hard block in that moment slows down care. The usual mitigation is a break-glass path that lets an attested emergency request through and audits it afterwards, rather than denying it. And perhaps most importantly, advanced cybersecurity tools are expensive. Smaller clinics, especially in rural or underfunded regions, simply do not have the budget for them.
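The false-positive problem above, as an added example (an illustration written for this page, not any vendor's product or any EU project's code): a simple baseline-and-rules anomaly scorer over constructed access-log entries in Python. Instead of blocking anomalous reads outright, the policy lets an attested break-glass request from an emergency role through and opens a priority review, and sends other anomalies to step-up authentication. User names, roles and thresholds are assumptions, and the scoring is deliberately simple where a deployed system would use a learned baseline.

```python
"""Access-anomaly scoring for patient-record reads with a break-glass path: a
genuine emergency is never blocked, it is allowed and audited harder. Standard
library only; the history and events are constructed for this example."""
from collections import defaultdict
from typing import Dict, List, Tuple

EMERGENCY_ROLES = {"paramedic", "emergency_physician"}

# Constructed history of normal reads: (user, role, hour, country, records read)
HISTORY: List[Tuple[str, str, int, str, int]] = [
    ("dr.meier", "gp", 9, "DE", 1), ("dr.meier", "gp", 10, "DE", 2),
    ("dr.meier", "gp", 14, "DE", 1), ("dr.meier", "gp", 16, "DE", 3),
    ("nurse.k", "nurse", 22, "DE", 1), ("nurse.k", "nurse", 23, "DE", 2),
    ("nurse.k", "nurse", 1, "DE", 1), ("nurse.k", "nurse", 2, "DE", 1),
]


def build_baseline(history) -> Dict[str, dict]:
    """Per-user profile: countries seen, hours seen, largest read so far."""
    base: Dict[str, dict] = defaultdict(
        lambda: {"countries": set(), "hours": set(), "max_records": 0})
    for user, _role, hour, country, records in history:
        p = base[user]
        p["countries"].add(country)
        p["hours"].add(hour)
        p["max_records"] = max(p["max_records"], records)
    return dict(base)


def _hour_gap(a: int, b: int) -> int:
    d = abs(a - b) % 24
    return min(d, 24 - d)            # circular: 23:00 and 01:00 are 2 hours apart


def anomaly_reasons(event: dict, baseline: Dict[str, dict]) -> List[str]:
    """Return why an event looks unusual (empty list = consistent with history)."""
    profile = baseline.get(event["user"])
    if profile is None:
        return ["unknown_user"]
    reasons = []
    if event["country"] not in profile["countries"]:
        reasons.append("new_country")
    if all(_hour_gap(event["hour"], h) > 2 for h in profile["hours"]):
        reasons.append("unusual_hour")
    if event["records"] > 3 * max(profile["max_records"], 1):
        reasons.append("bulk_read")
    return reasons


def decide(event: dict, baseline: Dict[str, dict]) -> dict:
    """Policy: normal -> allow. Anomalous with a valid break-glass attestation
    from an emergency role -> allow, but open a priority review. Anomalous
    otherwise -> step-up authentication, never a silent block."""
    reasons = anomaly_reasons(event, baseline)
    if not reasons:
        return {"decision": "allow", "reasons": [], "review": False}
    bg = event.get("break_glass") or {}
    attested = (event["role"] in EMERGENCY_ROLES
                and bool(bg.get("reason")) and bool(bg.get("patient_id")))
    if attested:
        return {"decision": "allow", "reasons": reasons, "review": True}
    return {"decision": "step_up", "reasons": reasons, "review": False}


def run_scenarios() -> List[dict]:
    """Constructed events: routine read, stolen-credential pattern, paramedic
    abroad with break-glass, bulk export, overnight nurse at 00:00."""
    baseline = build_baseline(HISTORY)
    events = [
        {"user": "dr.meier", "role": "gp", "hour": 10, "country": "DE", "records": 1},
        {"user": "dr.meier", "role": "gp", "hour": 3, "country": "RO", "records": 1},
        {"user": "medic.77", "role": "paramedic", "hour": 3, "country": "FR", "records": 1,
         "break_glass": {"reason": "unconscious patient, ambulance A12",
                         "patient_id": "pat-001"}},
        {"user": "dr.meier", "role": "gp", "hour": 10, "country": "DE", "records": 250},
        {"user": "nurse.k", "role": "nurse", "hour": 0, "country": "DE", "records": 1},
    ]
    return [decide(e, baseline) for e in events]


if __name__ == "__main__":
    for verdict in run_scenarios():
        print(verdict)
```

The design point is the third scenario: the paramedic is unknown to the system and reads from abroad at 3 a.m., which scores as anomalous, yet the request is allowed because it carries a break-glass attestation, and the cost is a mandatory review rather than a blocked ambulance. The night nurse at midnight is not flagged at all because hours are compared on a 24-hour circle.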
Dynamic consent and patient control
To put patients back in the driver’s seat, some propose blockchain-based systems that create tamper-proof records of who accessed what data and when. These systems could offer real-time dashboards that allow patients to approve or revoke data access at any time.
But as always, the devil is in the usability. Many people find these tools confusing and do not know how to manage complex settings around data consent. Blockchain's immutability, the fact that data, once recorded, cannot be deleted, also poses a direct conflict with GDPR's right to be forgotten. Some workarounds exist (like encrypting each patient's entries under their own key and destroying that key on erasure, so-called crypto-shredding), but they add key-management complexity. Finally, many older hospital IT systems do not have the programming interfaces (APIs) needed to integrate with such new technologies, meaning that any solution would require a full system overhaul.
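As an added example for the last two paragraphs (an illustration written for this page, not any project's code): an append-only, hash-chained consent and access ledger in Python in which every entry is encrypted under a per-patient key. Revocation is just another entry that the access check replays; erasure destroys the key, so the chain still verifies but the patient's history becomes unreadable, which is the "encrypt and delete the key" workaround expressed in code. The cipher is an HMAC-SHA256 counter-mode construction with an HMAC tag, chosen so the example runs on the standard library alone; a real deployment would use AES-GCM or ChaCha20-Poly1305 with keys held in an HSM or KMS. Patient, pharmacy and timestamp values are constructed.

```python
"""Append-only, hash-chained consent/access ledger with per-patient keys, so
GDPR erasure is key destruction ("crypto-shredding") rather than rewriting
history. Stdlib only: the cipher is HMAC-SHA256 in counter mode plus an HMAC
tag (encrypt-then-MAC), a stand-in for AES-GCM, not a production cipher."""
import hashlib
import hmac
import json
import os
from typing import Dict, List

GENESIS = "0" * 64

def _prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

def _keystream(k_enc: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (_prf(k_enc, nonce + i.to_bytes(4, "big")) for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Returns nonce(16) || ciphertext || tag(32); separate enc and mac subkeys."""
    k_enc, k_mac = _prf(key, b"enc"), _prf(key, b"mac")
    nonce = os.urandom(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(k_enc, nonce, len(plaintext))))
    return nonce + ct + _prf(k_mac, nonce + ct)

def decrypt(key: bytes, blob: bytes) -> bytes:
    """Checks the tag before touching the ciphertext; wrong key -> ValueError."""
    k_enc, k_mac = _prf(key, b"enc"), _prf(key, b"mac")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _prf(k_mac, nonce + ct)):
        raise ValueError("authentication failed")
    return bytes(c ^ s for c, s in zip(ct, _keystream(k_enc, nonce, len(ct))))

class ConsentLedger:
    """Entries chain by SHA-256 over (previous hash, patient id, ciphertext)."""

    def __init__(self) -> None:
        self.entries: List[dict] = []
        self.keys: Dict[str, bytes] = {}          # per-patient keys; erasable

    @staticmethod
    def _hash(prev: str, patient_id: str, ct_hex: str) -> str:
        return hashlib.sha256(f"{prev}|{patient_id}|{ct_hex}".encode()).hexdigest()

    def append(self, patient_id: str, event: dict) -> dict:
        key = self.keys.setdefault(patient_id, os.urandom(32))
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        ct_hex = encrypt(key, json.dumps(event, sort_keys=True).encode()).hex()
        entry = {"prev": prev, "patient": patient_id, "ct": ct_hex,
                 "hash": self._hash(prev, patient_id, ct_hex)}
        self.entries.append(entry)
        return entry

    def verify_chain(self) -> bool:
        """Tamper-evidence needs no patient key, so it survives erasure."""
        prev = GENESIS
        for e in self.entries:
            if e["prev"] != prev or self._hash(prev, e["patient"], e["ct"]) != e["hash"]:
                return False
            prev = e["hash"]
        return True

    def events(self, patient_id: str) -> List[dict]:
        """Decrypt one patient's events; fails closed once the key is gone."""
        key = self.keys.get(patient_id)
        if key is None:
            raise PermissionError(f"no key for {patient_id}: erased or unknown")
        return [json.loads(decrypt(key, bytes.fromhex(e["ct"])))
                for e in self.entries if e["patient"] == patient_id]

    def erase(self, patient_id: str) -> None:
        """Right to erasure: destroy the key. Ciphertext stays; chain still verifies."""
        self.keys.pop(patient_id, None)

    def access_allowed(self, patient_id: str, purpose: str, country: str, now: int) -> bool:
        """Replay grants and revocations in order to decide a request at time `now`."""
        allowed = False
        for ev in self.events(patient_id):
            if ev["type"] == "grant" and purpose in ev["purposes"] and country in ev["countries"]:
                allowed = ev["expires"] > now
            elif ev["type"] == "revoke":
                allowed = False
        return allowed

def demo() -> dict:
    """Constructed scenario: grant for DE/FR treatment, French pharmacy reads,
    patient revokes, then exercises erasure."""
    ledger = ConsentLedger()
    ledger.append("pat-001", {"type": "grant", "purposes": ["treatment"],
                              "countries": ["DE", "FR"], "expires": 2000})
    ok_fr = ledger.access_allowed("pat-001", "treatment", "FR", now=1500)
    ok_it = ledger.access_allowed("pat-001", "treatment", "IT", now=1500)
    ledger.append("pat-001", {"type": "access", "by": "pharmacy-fr-42", "at": 1500})
    ledger.append("pat-001", {"type": "revoke"})
    ok_after_revoke = ledger.access_allowed("pat-001", "treatment", "FR", now=1600)
    ledger.erase("pat-001")
    try:
        ledger.events("pat-001")
        readable = True
    except PermissionError:
        readable = False
    return {"ok_fr": ok_fr, "ok_it": ok_it, "ok_after_revoke": ok_after_revoke,
            "readable_after_erase": readable, "chain_intact": ledger.verify_chain(),
            "entries": len(ledger.entries)}
```

Calling `demo()` shows the three properties the text asks for at once: the French pharmacy is allowed while an Italian one is not, the revocation takes effect on the next check, and after erasure the three entries are still present and the chain still verifies, but nothing about the patient can be recovered from them. What the example does not solve is the key store itself: whoever can copy the key before it is destroyed defeats the erasure, which is the operational complexity the text warns about.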
Sovereign EU health cloud for IoT
One of the more ambitious solutions is to replace foreign cloud services with a GAIA-X-based health cloud built by European providers. This would ensure data stays within the EU, under European laws and oversight. In theory, this gives patients and governments more control, reducing exposure to foreign surveillance or legal overreach.
But there are trade-offs. Using only EU providers could limit access to the latest technologies, or lock healthcare systems into expensive, less flexible platforms. Centralising data in one or a few locations could also introduce latency—delays in accessing real-time information, which could be critical in emergencies. And while localisation improves legal clarity, it might also limit participation in global medical research, where international data-sharing is essential.
Key trade-offs and unresolved riddles
At the heart of all these efforts lie some unavoidable tensions:
- Privacy versus utility: end-to-end encryption and strict key management protect patients but make data harder to reach and analyse, potentially a life-threatening problem in urgent care scenarios.
- Sovereignty versus innovation: Choosing only European providers protects against dependency but may reduce access to the most cutting-edge tools and competitive pricing.
- Security versus accessibility: Locking systems down too tightly can prevent legitimate users—like paramedics or emergency doctors—from getting access when they need it most.
- Compliance versus usability: Consent dashboards that no one understands are not useful. They may check legal boxes, but they do not empower patients in any meaningful way.
Projects already in motion
Open ePrescription gateway for EU cross-border exchange
Active pilots are already underway. For example, EU4Digital recently launched a cross-border ePrescription pilot between Georgia and EU member states using an OpenNCP gateway, enabling prescriptions issued in one country to be used across borders.
Meanwhile, the EUDI Wallet framework is testing real-time prescription retrieval in 25 EU countries, with live trials planned through 2025.
And the MyHealth@EU/eHDSI network already supports ePrescription and patient summary exchange, with Ireland deploying a full stack including National Contact Point services.
GDPR-first IoT device SDK
There is no single pan-European SDK, but major interoperability efforts are led by HL7 Europe and IHE Europe, collaborating on FHIR implementation guides, including ePrescription and medication data, under the EHDS and the soon-to-be-standardised European Electronic Health Record exchange Format (EEHRxF).
FHIR SDKs for mobile health apps exist or are in development, but nothing purpose-built for GDPR-by-default behaviour on edge devices yet.
Federated learning pilot for EU health research
Although no EU-wide federated-learning pilot is publicly known for device-level health data, academic projects are actively exploring the concept.
Examples include FedBlockHealth, combining federated learning and blockchain for patient privacy, and older frameworks like FedHealth and FedHome, targeted at wearables and home-monitoring.
These exist in research settings now and could be upscaled into EU pilots.
Digital consent ledger
No live EU-wide consent ledger exists—but the building blocks are being assembled. The EUDI Wallet pilot includes consent mechanisms for ePrescriptions, and GDPR-compliant digital identity systems are being developed across Europe.
Standards work being done by IHE and HL7 Europe also support consent metadata models.
What is missing is a user-friendly, blockchain-anchored consent implementation integrated with IoT devices.
Cyber resilience toolkit for legacy medical devices
There is no single open toolkit, but the Cyber Resilience Act is pushing manufacturers toward stronger controls.
Early pilots in Germany’s DataMarketPlace.NRW project (using Gaia-X architecture) include IoT security measures. Also, Gaia-X-Med (2022-2024 in Schleswig-Holstein) piloted secure data-sharing in healthcare IoT within Gaia-X frameworks.
However, a specific toolkit for retrofitting vulnerable devices remains a gap.
Gaia-X deployment blueprints for health IoT
Gaia-X-Med, completed in mid-2024, explored how to apply Gaia-X to secure health data spaces. There are also HEALTH-X dataLOFT and TEAM-X lighthouse projects under Gaia-X focused on creating trustworthy, citizen-centric health data spaces.
These initiatives are generating reference architectures, pipelines, and governance models—ready for adaptation.
“Patient in transit” IoT simulator
No dedicated European simulator for cross-border IoT incidents exists, but this capability could be built atop existing test infrastructures like MyHealth@EU’s interoperability platforms and OpenNCP testing environments.
Academics and private labs often simulate components, but a federated, cross-border end-to-end demo is not yet public.
Open data harmonisation library for HL7 FHIR variants
Multiple collaborative efforts are underway. The i2X project (starting April 2025) supports implementation of the future EEHRxF across real-world clinical settings.
Alongside, xShare, XiA, and MyHealth@MyHands are all contributing implementation guides, validators, and mapping tools for FHIR payloads across EU member systems.
Europe has already built—or is building—many of the infrastructure blocks suggested. What is still missing are packaged developer tools, device-level SDKs, and user-centric consent systems. Plenty of room to contribute—and fast.
Projects probably not underway yet
High-impact projects that are currently missing (or seemingly barely explored) and could tackle the blind spots between policy and reality are ranked below; stars indicate importance, three being highest.

| Rank | Project name | Importance | Tech difficulty | Strategic benefit |
|---|---|---|---|---|
| 1 | Legacy EHR Plug-in Pack | *** | High | Foundational for inclusion and equity |
| 2 | Red Button Expiry Framework | *** | Medium-high | Key to patient trust and compliance |
| 3 | FL Auditor | ** | High | Needed for legal and AI transparency |
| 4 | Minimal Viable Patient Testbed | ** | Medium | Crucial for realistic testing |
| 5 | Wearable Consent UI | * | Medium | Boosts real-time control |
| 6 | Cross-Border Terminology API | * | Medium | Smooths UX for cross-border care |
| 7 | Visual DPIA Composer | * | Medium-low | Eases adoption for smaller organisations |
TL;DR
The EuroStack vision for healthcare IoT is bold, sophisticated, and deeply needed. But for now, it remains a sketch rather than a working system. If it is to move from ideal to reality, Europe must get serious about standardisation, invest heavily in both technical infrastructure and public understanding, and create real incentives for healthcare providers and developers to adopt new systems.
Above all, it must never lose sight of the patient—not just as a data point, but as a person with rights, needs, and real-life emergencies. Otherwise, we risk building a digital fortress so secure and so “compliant” that even the doctors cannot get in.