France HDS — Healthcare Data Hosting Certification

SmartSuite provides the system for managing controls, evidence, mappings, assessments, and reporting. Framework text may require a separate license unless explicitly provided.
Overview
France HDS — Healthcare Data Hosting (Hébergement de Données de Santé) is a French regulatory certification framework that establishes requirements for cloud service providers and IT service companies hosting personal health data. The certification ensures that hosted health data benefits from a high level of security and confidentiality protection.
Governed by the French National Digital Health Agency (ANS) and established under Article L.1111-8 of the French Public Health Code, HDS certification is mandatory for any organization hosting personal health data on behalf of healthcare establishments or professionals in France. It covers hosting of health information systems, telemedicine applications, and other healthcare data environments.
Organizations achieve HDS certification through independent audits by accredited certification bodies, demonstrating compliance with security requirements across six service scopes. Certification integrates with ISO 27001 and ISO 27018 standards as foundational requirements.
Why it Matters
HDS certification is legally required for all organizations hosting personal health data in France, ensuring consistent protection of sensitive patient information across the healthcare ecosystem.
Key benefits include:
- Meet legal requirements: Comply with mandatory French legal requirements for health data hosting, enabling lawful processing of patient information.
- Demonstrate security assurance: Provide healthcare organizations with certified evidence of security controls protecting hosted health data.
- Enable market access: Access French healthcare market opportunities requiring HDS certification for health data hosting services.
- Align with GDPR health data requirements: Complement GDPR special category data obligations with France-specific health data protection requirements.
- Build patient trust: Demonstrate commitment to health data protection supporting patient confidence in digital health services.
How it Works
HDS certification covers six service scopes organized across two certification levels: hosting infrastructure (physical and virtual) and hosting applications. Certification requires ISO 27001 compliance as a baseline, plus additional security requirements specific to health data environments.
Organizations undergo independent audits by accredited certification bodies every three years, with annual surveillance audits. The certification process validates security governance, access controls, incident management, and data protection controls across the hosting environment.
Within SmartSuite, HDS-certified organizations track certification requirements across six service scopes, manage audit evidence, coordinate compliance monitoring, and maintain documentation supporting HDS and GDPR health data obligations.
Key Elements
- Six Certification Scopes: Covers physical hosting, virtual infrastructure management, IT infrastructure management, platform administration, health application hosting, and subcontracting.
- ISO 27001 Foundation: Requires ISO 27001 certification as a baseline, with additional HDS-specific health data security requirements.
- Independent Audit Requirement: Mandates audits by accredited certification bodies every three years with annual surveillance.
- Health Data Security Standards: Establishes specific security controls for the sensitivity of personal health data environments.
Framework Scope
France HDS certification applies to organizations hosting personal health data on behalf of French healthcare establishments and professionals. It is mandatory for cloud and IT service providers hosting health information systems in France.
Framework Objectives
France HDS certification ensures consistent security protection for personal health data across certified hosting environments.
- Meet French legal requirements for health data hosting certification
- Protect personal health data through certified security controls
- Enable healthcare organizations to trust health data hosting providers
- Align health data hosting with GDPR and French health law requirements
- Provide independent verification of health data security controls
Common Framework Mappings
Mapped frameworks include:
- EU General Data Protection Regulation (GDPR)
- French Public Health Code (Article L.1111-8)
- ISO/IEC 27001
- ISO/IEC 27018
- NIS2 Directive
- Classification
  - Category: Data Protection & Privacy
  - Domain: Privacy
  - Framework Family: Other
- Regulatory Context
  - Type: Certification / Assurance Program
  - Legal Instrument: Standard
  - Sector: Healthcare Sector
  - Industry: Healthcare & Life Sciences
- Region / Publisher
  - Region: Europe
  - Region Detail: France
  - Publisher: Ministère des Solidarités et de la Santé
- Versioning
  - Version: HDS Certification Framework (current requirements)
  - Effective Date: January 1, 2020
  - Issue Date: November 2018
- Adoption
  - Adoption Model: Regulatory Compliance
  - Implementation Complexity: High
License included / downloadable: Yes
The HDS certification framework is published by the French Ministry of Health and supporting regulatory authorities and is publicly available through official government resources.
How SmartSuite Supports France HDS (Healthcare Data Hosting)
Centralize controls, evidence, and audit workflows to stay continuously SOC 2–ready.
HDS Scope and Hosting Inventory
Define in-scope hosting services, environments, and responsibilities.
HDS Control Library and Ownership
Organize HDS requirements into controls with owners and operating cadence.
Evidence Collection and Audit Trail
Centralize policies, technical proof, and operating evidence tied to each control.
Incident Response and Continuity Testing
Manage incidents, BC/DR tests, and corrective actions with full traceability.
Access and Privilege Governance
Track privileged access, reviews, approvals, and monitoring evidence.
Certification Readiness Reporting
Report readiness, gaps, and evidence coverage for HDS audits.
Related frameworks

SOC 2 assesses and reports on a service organization's controls for security, availability, processing integrity, confidentiality, and privacy.

GDPR is an EU regulation that protects individuals' personal data and strengthens organizations' accountability for privacy.

HITRUST CSF is a certifiable, risk-based cybersecurity and privacy framework for managing regulatory compliance and protecting sensitive data.

ISO/IEC 27001:2022 is an international ISMS standard that helps organizations manage information security risks and protect data.

ISO/IEC 27002:2022 provides best-practice information security controls to help organizations select, implement, and manage protections for information assets.
Frequently Asked Questions For France HDS (Healthcare Data Hosting Certification)
France HDS (Hébergement de Données de Santé) is used to ensure the secure hosting, processing, and management of healthcare data within France. It prescribes legal and technical requirements for protecting sensitive personal health information against cyber threats, ensuring confidentiality, integrity, and availability.
Yes, France HDS certification is mandatory for any organization that hosts, processes, or transmits healthcare data in France. This includes both cloud service providers and on-premise hosting companies handling health-related personal data.
France HDS applies to all service providers—public or private—managing the storage, processing, or transmission of healthcare data belonging to French residents. It is relevant to healthcare organizations, IT providers, and any third-party processors engaged in healthcare data handling.
France HDS requires organizations to implement controls across seven domains, including physical security, logical/access controls, data confidentiality, risk management, incident response, continuity planning, and privacy governance. Compliance includes documenting practices, securing infrastructure, and establishing robust data protection measures aligned with French and EU regulations.
Organizations must conduct risk assessments, implement prescribed technical and organizational controls, and undergo a rigorous audit by an accredited body. They must demonstrate continuous compliance through ongoing monitoring, policy documentation, and evidence of operational controls.
France HDS shares similarities with ISO 27001, particularly in information security management, but it imposes additional requirements specific to healthcare data protection under French law. Many organizations choose to integrate both frameworks to achieve comprehensive compliance and risk management.
Certified organizations must conduct regular internal audits, maintain up-to-date documentation, monitor for security incidents, and report on compliance status. Continuing education, control testing, and annual reassessments are essential to maintain certification and address evolving cyber risks.
SmartSuite supports France HDS management by providing integrated risk registers, centralized control management, and automated evidence collection tools. It streamlines compliance tracking, enables regulatory reporting, supports audit readiness, and facilitates workflow management for remediation and ongoing control monitoring.
Put CRI Profile into action with SmartSuite
Map controls, collect evidence, run assessments, manage remediation, and report readiness - all from a single connected system.