
AWS Cloud Security

Hébergeur de Données de Santé (HDS)

Overview

Introduced by the French governmental agency for health, “Agence du Numérique en Santé” (ANS), the HDS (Hébergeur de Données de Santé) certification aims to strengthen the security and protection of personal health data. Achieving this certification demonstrates that AWS provides a framework for technical and governance measures to secure and protect personal health data, governed by French law. The HDS certification validates that AWS ensures data confidentiality, integrity, and availability to its customers and partners. AWS worked with an independent third-party auditor to achieve the certification.


FAQs


    HDS certification provides the necessary assurance of information security for companies who wish to host the healthcare data of French citizens in the cloud.

    Introduced by the Agence du Numérique en Santé (ANS) in 2024, HDS version 2.0 strengthens the security and protection of personal health data governed by French law. Key changes include:

    • Data sovereignty requirements mandating that health data storage (Activities 1 & 2) occur exclusively within the European Economic Area (EEA).
    • Enhanced transparency obligations regarding sub-processors and potential exposure to non-European legislation.
    • Alignment with European cybersecurity standards and reinforced data portability/reversibility requirements.

    As per the Shared Responsibility Model, it is the customer's responsibility to evaluate their own compliance requirements, including the impact of HDS version 2.0. The HDS requirements can be found on the ANS website.

    The HDS v1.1 certification has been superseded by the v2.0 certification obtained through the transition audit. AWS is now certified under the current v2.0 framework.

    Yes. AWS holds HDSv2 certification across 27 regions. For customers subject to the Activities 1 & 2 EEA data residency requirement, the six EEA regions (Frankfurt, Ireland, Milan, Paris, Stockholm, Spain) ensure uninterrupted compliance beyond the 16 May 2026 mandatory transition deadline. All 27 certified regions remain eligible for Activities 3–6.

    AWS achieved HDSv2 certification on 21 April 2026, covering all six activities of the HDS framework:

    • Activities 1 & 2 — Physical infrastructure (EEA regions only)
          1. Provision and maintenance in operational condition of physical sites to host the hardware infrastructure of the information system used for health data processing.
          2. Provision and maintenance in operational condition of the hardware infrastructure of the information system used for health data processing.
    • Activities 3–6 — Virtual infrastructure, platform, operations & backups (all 27 certified regions)
          3. Provision and maintenance in operational condition of the virtual infrastructure of the information system used for health data processing.
          4. Provision and maintenance in operational condition of the platform for hosting information system applications.
          5. Administration and operation of the information system containing health data.
          6. Health data backup.

    Important — Data residency for physical hosting (Activities 1 & 2): Under the HDSv2 framework, Activities 1 and 2 require that health data be physically stored exclusively within the European Economic Area (EEA). This means that if you are subject to HDS requirements, your health data at rest must reside in one of the EEA regions listed below. Activities 3 through 6 (virtual infrastructure, platform hosting, administration/operation, and backups) are not subject to this geographic restriction and can be delivered from any certified region.

    Europe (EEA) — eligible for all Activities (1–6)

    • Europe (Frankfurt, Germany)
    • Europe (Ireland)
    • Europe (Milan, Italy)
    • Europe (Paris, France)
    • Europe (Spain)
    • Europe (Stockholm, Sweden)

    Europe (non-EEA) — eligible for Activities 3–6 only

    • Europe (London, UK)
    • Europe (Zurich, Switzerland)

    Americas — eligible for Activities 3–6 only

    • US East (N. Virginia)
    • US East (Ohio)
    • US West (Oregon)
    • US West (N. California)
    • Canada (Central)
    • Canada West (Calgary)
    • South America (São Paulo, Brazil)

    Asia Pacific & Oceania — eligible for Activities 3–6 only

    • Asia Pacific (Tokyo, Japan)
    • Asia Pacific (Sydney, Australia)
    • Asia Pacific (Melbourne, Australia)
    • Asia Pacific (Singapore)
    • Asia Pacific (Mumbai, India)
    • Asia Pacific (Seoul, South Korea)
    • Asia Pacific (Hong Kong)
    • Asia Pacific (Jakarta, Indonesia)
    • Asia Pacific (Osaka, Japan)
    • Asia Pacific (Hyderabad, India)

    Middle East & Israel — eligible for Activities 3–6 only

    • Middle East (Dubai, UAE)
    • Israel (Tel Aviv)

    To be HDS certified, an IT provider must be ISO 27001 certified. The services covered by the AWS ISO 27001 certification are included in the scope of HDS. The AWS services in scope for ISO/IEC 27001:2022 can be found on the ISO Certified webpage.

    As per the Shared Responsibility Model, it is the customer's responsibility to evaluate their own compliance requirements. Please review the ANS website for more details. The HDS standard can be found on the ANS website.

    As per the Shared Responsibility Model, AWS’ HDS certification demonstrates the “Security of the Cloud,” enabling customers to focus their resources on items related to “Security in the Cloud” in connection with their HDS certification process.

    Yes. The AWS HDSv2 certificate can be downloaded from AWS Artifact. The list of certified hosts can be found on the ANS website.

    The AWS European Sovereign Cloud is not yet within the scope of the HDS v2.0 certification. The region has achieved foundational compliance certifications (ISO 27001, SOC 2, C5), and AWS is evaluating the inclusion of this region in the HDS certification scope. A further update will be provided in due course.

    The centralized reference for all processors participating in HDS-certified hosting activities is available on the AWS Sub-Processors page. Additionally, customers can access certification verification through the ANS website, which provides official certification status and details for sub-processors involved in HDS-certified hosting activities.

    This ensures customers have clear, centralized access to verify compliance and certification status of all sub-processors handling health data within AWS’s HDS-compliant infrastructure.

    AWS maintains comprehensive data portability and customer control mechanisms enabling customers to retrieve their health data in multiple industry-standard formats and migrate workloads using well-documented methods.

    Customer Data Ownership and Control

    Under the AWS Shared Responsibility Model, AWS Customer Agreement (Section 6.1), and HDS v2 Addendum (Section 12), customers retain complete ownership and control of their content. AWS provides the ability to retrieve data at any time using native service capabilities, without requiring AWS assistance.

    Key Portability Capabilities

    | Capability | Details |
    |---|---|
    | Healthcare data formats | AWS HealthLake provides FHIR R4 support with SMART on FHIR for standards-based data export |
    | Database exports | Amazon RDS supports standard formats including CSV, JSON, and Parquet |
    | Object storage | Amazon S3 allows storage and retrieval in any format (CSV, JSON, XML, Parquet, etc.) |
    | Data exports | AWS Data Exports enables recurring exports in CSV or Parquet to S3 |
    | VM portability | VM Import/Export supports VMware ESX (VMDK), Microsoft Hyper-V (VHD/VHDX), and Citrix Xen formats |
    | Container portability | Amazon ECR stores images in standard OCI format; Amazon EKS uses standard Kubernetes APIs |

    • Contractual clauses: The French Public Health Code requires the execution of specific contractual conditions between the health data host and its clients. AWS customers can refer to the AWS Data Processing Addendum (AWS DPA) and applicable specific terms.
    • Health and life sciences: AWS offers reference architectures, best practice guides, and specialized solutions for the healthcare sector. Learn more at AWS for Health.
    • AWS Landing Zone Accelerator for Healthcare: A reference implementation for deploying HDS-compliant infrastructure. Learn more on GitHub.