How European Health Insurers Can Protect Sensitive Patient Information Under Sector-Specific Regulations

European health insurers manage some of the most sensitive personal information in the financial services sector. Statutory health insurers like Germany’s gesetzliche Krankenkassen process claims data for over 70 million publicly insured individuals. Private health insurers hold detailed underwriting assessments, medical examination results, and risk profiles that reveal conditions individuals may not have disclosed to employers, family members, or anyone outside their physician relationship.

The regulatory environment governing this data has undergone fundamental change. DORA entered into application on January 17, 2025, making ICT risk management a board-level responsibility for all insurance undertakings. The EHDS Regulation, which entered into force in March 2025, creates a framework for secondary use of health data while explicitly prohibiting its use for insurance decisions. And the tension between CLOUD Act jurisdiction and GDPR special category protections remains unresolved for any insurer processing patient data through US-operated platforms.

This guide examines where health insurer data sovereignty is most at risk, how sovereign architecture addresses DORA, EHDS, and GDPR requirements simultaneously, and what a practical implementation approach looks like.

Executive Summary

Main Idea: European health insurers face a convergence of regulatory requirements that make data sovereignty over patient information an operational imperative, not merely a compliance preference. Every platform through which insurers share patient data—with healthcare providers, reinsurers, claims processors, fraud detection services, and digital health platforms—must provide verifiable sovereignty that contractual mechanisms alone cannot deliver.

Why You Should Care: Health insurers that process patient data through platforms subject to foreign government access create a structural compliance gap that no Data Processing Agreement can close. Insurers that cannot demonstrate architectural sovereignty over patient data face simultaneous exposure under DORA, GDPR, and emerging EHDS requirements.

5 Key Takeaways

  1. DORA makes ICT risk management a board-level responsibility for health insurers. Since January 2025, insurance undertakings must maintain comprehensive ICT risk management frameworks, report major ICT incidents, conduct resilience testing, and document all third-party ICT provider relationships. Outsourcing services does not outsource responsibility.
  2. The EHDS prohibits using secondary health data for insurance decisions while expanding data governance obligations. Article 54 of the EHDS explicitly prohibits using health data obtained through secondary use to exclude individuals from insurance, modify premiums, or make any detrimental decisions. This prohibition covers all lines of insurance, not just health or life coverage.
  3. Health insurer data flows span more external parties than most financial services entities. Claims adjudication, provider payments, reinsurance arrangements, fraud detection, and digital health integrations each create data exchanges where patient information crosses organizational boundaries through platforms that determine actual data governance.
  4. Reinsurance data exchanges create particular sovereignty vulnerability. When primary insurers share claims data with reinsurers for risk assessment, patient health records flow across corporate boundaries. If either party uses communication platforms subject to non-EU jurisdiction, customer-controlled encryption is the only measure that maintains sovereignty regardless of which provider handles the data.
  5. Germany’s electronic patient record mandate expands the volume of digital health data insurers process. The Health Data Use Act (GDNG) and Digital Act (DigiG) mandate electronic patient records for over 70 million publicly insured individuals, dramatically increasing the digital health data flowing through insurer systems and the sovereignty stakes of platform choices.

The Regulatory Framework for Health Insurer Data

DORA: Digital Operational Resilience for Insurance

The Digital Operational Resilience Act, applicable since January 17, 2025, fundamentally changed how insurance undertakings must manage their ICT environments. EIOPA withdrew its previous ICT security and governance guidelines in December 2024 to avoid duplication with DORA, making the regulation the primary framework for digital operational resilience across the European insurance sector.

DORA’s Five Pillars Create Direct Platform Sovereignty Obligations for Insurers

DORA’s requirements for insurers are organized around five pillars. ICT risk management requires a comprehensive, well-documented framework with board-level accountability—DORA explicitly prevents delegation of this responsibility to technical teams. ICT third-party risk management requires insurers to maintain a complete register of all ICT service provider contracts, conduct pre-contract risk assessments for critical services, include mandatory contractual provisions covering service locations, data confidentiality, business continuity, and incident reporting, and establish exit strategies for all critical ICT relationships. Incident reporting requires standardized classification and notification of major ICT incidents to competent authorities. Digital operational resilience testing mandates regular assessment of ICT systems, with threat-led penetration testing for systemically important entities. Information sharing, the fifth pillar, provides for voluntary arrangements under which financial entities exchange cyber threat information and intelligence with one another.

DORA’s Third-Party Register Forces Formal Documentation of Jurisdictional Exposure

For health insurers specifically, DORA’s third-party risk management requirements have direct implications for platform sovereignty. By April 2025, insurers were required to submit their registers of information on ICT third-party contracts to national supervisory authorities. This register must document the nature of services provided, data storage locations, subcontracting arrangements, and whether each service supports critical or important functions. Insurers using US-operated platforms for patient data processing must now formally document the jurisdictional exposure this creates—turning a previously informal risk into a board-level documented obligation.

The EHDS: Health Data Space Implications for Insurers

The European Health Data Space Regulation creates obligations and restrictions that affect health insurers in distinct ways. As entities that process electronic health data, insurers may be classified as data holders subject to secondary use sharing requirements from March 2029. Claims data, reimbursement records, and coverage information all fall within the EHDS’s broad definition of electronic health data.

EHDS Article 54 Prohibits Using Secondary Health Data for Any Insurance Decision

The EHDS explicitly prohibits taking decisions in relation to individuals or groups that would result in exclusion from insurance contracts, modification of premiums, or any other detrimental decision based on health data obtained through secondary use. This prohibition is not limited to health insurance—it applies across all lines of business. The prohibition reflects the European Commission’s assessment that public participation in the EHDS depends on confidence that health data will not be used against individuals by insurers.

For health insurers, this creates a governance imperative. They must be able to demonstrate that their data processing systems maintain clear separation between data used for legitimate insurance operations and data that could be accessed through EHDS secondary use channels. This requires technical architecture that enforces data governance boundaries, not just policy documentation.

GDPR Special Category Protections Apply to Every Patient Data Exchange

Health data is classified as special category data under GDPR Article 9, subject to the highest level of protection. Processing requires explicit legal basis beyond the standard Article 6 grounds. For health insurers, this means that every data exchange involving patient health information—whether claims data shared with reinsurers, treatment records exchanged with healthcare providers, or medical assessments transmitted to underwriting systems—must meet GDPR special category requirements.

The practical implication for platform sovereignty is direct. When special category health data flows through a platform operated by a provider subject to the CLOUD Act, Standard Contractual Clauses address the contractual relationship but cannot override the provider’s legal obligations under US law. The EDPB has consistently emphasized that supplementary technical measures—particularly encryption where the data importer does not hold the keys—are necessary when legal protections are insufficient.

Where Health Insurer Data Sovereignty Is Most at Risk

Claims Processing Platforms Are the Highest-Volume Sovereignty Exposure Point

Claims adjudication is the highest-volume data flow for most health insurers. Statutory health insurers process millions of claims annually, each containing diagnosis codes, treatment details, provider information, and patient identification data. These claims move between healthcare providers, the insurer’s claims management system, and often external claims processing services. When any link in this chain uses a communication platform or file transfer service subject to foreign jurisdiction, the sovereignty of every patient record in that claims flow is compromised.

Provider data exchanges extend beyond claims. Pre-authorization requests, medical necessity reviews, treatment plan approvals, and case management communications all involve detailed patient health information flowing between insurers and healthcare providers through digital channels. The platforms carrying these exchanges determine the actual jurisdictional governance of the data, regardless of what the contracts say.

Reinsurance Data Flows Extend Sovereignty Risk Beyond the Primary Insurer’s Own Systems

Health insurers, particularly those covering catastrophic or high-cost treatments, share risk with reinsurers. This requires transferring claims data, actuarial analyses, and sometimes individual patient-level information to reinsurance partners. As Munich Re’s own privacy documentation acknowledges, reinsurers receive application, contract, and claims data from primary insurers when necessary for proper establishment and performance of reinsurance contracts.

These reinsurance data exchanges create a sovereignty chain. Even if the primary insurer maintains sovereign architecture for its own systems, patient data sovereignty depends on the platforms through which data reaches the reinsurer. If either party uses US-operated file transfer services or cloud collaboration tools, the data passes through infrastructure where foreign legal compulsion can override European contractual protections. Under DORA, the primary insurer must now formally assess and document this third-party risk.

Fraud Detection Analytics Running on Non-EU Cloud Platforms Create Concentration Risk

Health insurance fraud detection increasingly relies on data analytics platforms that aggregate claims data, identify patterns, and flag anomalies. Some insurers participate in shared fraud databases where intelligence is exchanged between multiple insurance entities. These analytics environments process large volumes of patient health data, often using cloud-based platforms selected for computational capability rather than sovereignty characteristics.

When fraud detection analytics run on platforms operated by US-headquartered providers, the aggregated dataset—potentially containing claims information across thousands of patients—is exposed to jurisdictional risk. DORA’s requirement to classify ICT services supporting critical functions means insurers must evaluate whether their fraud detection platforms create unacceptable concentration risk on non-EU providers.

Digital Health Integrations Introduce Real-Time Patient Data Into Sovereignty-Weak Channels

European health insurers are increasingly integrating with digital health platforms that provide telemedicine, wellness programs, chronic disease management, and preventive care services. Germany’s DigiG and GDNG mandates are accelerating this digitization, with electronic patient records now required for over 70 million publicly insured individuals. Each integration creates a data exchange pathway where patient health information flows between the insurer and the digital health platform.

These integrations are particularly sensitive because they often involve real-time or near-real-time health data—wearable device data, telemedicine session records, medication adherence information—that goes beyond traditional claims data in its intimacy and detail. When these data flows pass through platforms without sovereign encryption architecture, the insurer’s data governance obligations under GDPR, DORA, and the emerging EHDS framework are all at risk simultaneously.

Building Sovereign Architecture for Health Insurer Data

Customer-Controlled Encryption Mitigates Jurisdictional Risk at the Architectural Level

The most effective single measure for health insurer data sovereignty is implementing customer-controlled encryption where the insurer generates, manages, and retains encryption keys in its own hardware security module or key management system. Under this model, the platform provider processes encrypted patient data but cannot decrypt it. This provides sovereignty that survives provider acquisitions, ownership changes, and foreign legal compulsion because the provider physically cannot produce decrypted patient health records.

This directly addresses DORA’s ICT risk management requirements. When documenting third-party risks in the mandatory register of information, an insurer using customer-controlled encryption can demonstrate that jurisdictional exposure is mitigated at the architectural level—the platform provider’s legal obligations under foreign law are irrelevant because it cannot access the data. This is a stronger compliance position than relying on contractual provisions that may not withstand legal challenge.
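As an added illustration of the customer-controlled encryption model just described (example code written for this page, not Kiteworks' own implementation), the following Go program assumes a hypothetical InsurerKMS type standing in for the insurer's HSM/KMS and uses AES-256-GCM envelope encryption: the platform receives only ciphertext and a data-encryption key (DEK) wrapped under the insurer's key-encryption key (KEK), so a party without the KEK cannot unwrap the DEK or read the record.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Constructed illustration (not Kiteworks code): the insurer's own HSM/KMS, sole holder of the KEK.
type InsurerKMS struct{ KEK []byte }

// StoredRecord is all the platform ever holds: a DEK wrapped under the KEK
// and the ciphertext, so the provider has nothing it can decrypt on demand.
type StoredRecord struct{ WrappedDEK, Ciphertext []byte }

// newGCM returns AES-GCM for a 32-byte key; any other length is a programming error.
func newGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic("bad key length: " + err.Error())
	}
	g, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return g
}

// gcmSeal encrypts with AES-256-GCM and prefixes the random nonce.
func gcmSeal(key, plaintext, aad []byte) ([]byte, error) {
	g := newGCM(key)
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, g.Seal(nil, nonce, plaintext, aad)...), nil
}

// gcmOpen reverses gcmSeal; it fails on a wrong key or tampered data.
func gcmOpen(key, data, aad []byte) ([]byte, error) {
	g := newGCM(key)
	if len(data) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, data[:g.NonceSize()], data[g.NonceSize():], aad)
}

// Only the KMS, which holds the KEK, can wrap or unwrap a DEK.
func (k *InsurerKMS) WrapDEK(dek []byte) ([]byte, error)   { return gcmSeal(k.KEK, dek, []byte("dek")) }
func (k *InsurerKMS) UnwrapDEK(wrapped []byte) ([]byte, error) { return gcmOpen(k.KEK, wrapped, []byte("dek")) }

// IngestClaim encrypts a claim under a fresh DEK, wraps that DEK in the
// insurer's KMS, and returns the only material the platform is given.
func IngestClaim(kms *InsurerKMS, id string, claim []byte) (StoredRecord, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return StoredRecord{}, err
	}
	ct, err := gcmSeal(dek, claim, []byte(id)) // AAD binds ciphertext to the record ID
	if err != nil {
		return StoredRecord{}, err
	}
	wrapped, err := kms.WrapDEK(dek)
	if err != nil {
		return StoredRecord{}, err
	}
	return StoredRecord{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// InsurerRead unwraps the DEK inside the insurer's KMS, then decrypts.
func InsurerRead(kms *InsurerKMS, id string, rec StoredRecord) ([]byte, error) {
	dek, err := kms.UnwrapDEK(rec.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return gcmOpen(dek, rec.Ciphertext, []byte(id))
}
```

In a real deployment the WrapDEK and UnwrapDEK calls are requests to the insurer's HSM or KMS, and the wrapped DEK travels with the record while the KEK never leaves that boundary.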

Single-Tenant European Deployment Ensures Patient Data Is Not Commingled With Other Organizations

Health insurer data should reside on dedicated infrastructure serving only the insurer, not on multi-tenant platforms where patient records coexist with data from other organizations under different jurisdictional arrangements. Single-tenant deployment ensures that the insurer’s data governance policies, access controls, and encryption standards apply consistently to all patient data without dependency on the platform provider’s multi-tenant isolation mechanisms.

For statutory health insurers operating within national health system structures, single-tenant deployment also supports the institutional separation that regulators expect. Patient data from a national health insurance system should not share infrastructure with commercial entities from other jurisdictions, regardless of the logical separation that multi-tenant platforms claim to provide.

Comprehensive Audit Trails Satisfy DORA, GDPR, and EHDS Evidence Requirements Simultaneously

DORA requires insurers to detect, manage, record, and notify ICT-related incidents. GDPR requires accountability evidence for special category data processing. The EHDS will require demonstrable data governance separation between legitimate insurance operations and secondary use channels. Comprehensive audit logging that records every access, modification, and transfer of patient data provides the evidence base for all three regulatory requirements simultaneously.

For health insurers, audit trails serve an additional function: demonstrating to supervisory authorities, policyholders, and the public that patient data is handled with the governance rigor that health information demands. In an environment where the EHDS explicitly reflects public concern about insurer access to health data, demonstrable sovereignty and transparency become competitive assets, not just compliance requirements.

DORA Third-Party Risk Management: A Practical Approach

DORA requires health insurers to assess all ICT third-party provider relationships against documented risk criteria. For communication and file sharing platforms that handle patient data, the assessment should address four questions directly relevant to data sovereignty.

Four Sovereignty Questions Every Health Insurer Must Answer About Each ICT Provider

  1. Is the provider subject to legal obligations under non-EU government access laws? If the provider is headquartered in the US or subject to US jurisdiction, the CLOUD Act creates a legal pathway to compel data production regardless of server location or contractual restrictions.
  2. Does the provider architecture support customer-controlled encryption where the insurer retains exclusive control over decryption keys? This is the technical control that mitigates jurisdictional risk.
  3. Can the provider demonstrate that operations, maintenance, and support are conducted exclusively by EU personnel under EU jurisdiction? Operational access to systems that process patient data creates a potential exposure pathway even where data-at-rest encryption is implemented.
  4. Does the contractual arrangement include DORA-compliant provisions for service locations, data confidentiality, incident reporting, and exit strategies?

Insurers That Cannot Answer These Questions Affirmatively Should Prioritize Migration

Insurers that document these assessments in their DORA register of information create a defensible compliance record. Insurers that cannot answer these questions affirmatively for their patient data platforms should prioritize migration to sovereign alternatives—and DORA’s mandatory register creates a natural forcing function for that prioritization, since the gaps will be visible to supervisory authorities.

Kiteworks Helps European Health Insurers Protect Patient Information Under Sector-Specific Regulations

European health insurers now face simultaneous exposure under DORA, GDPR, and the EHDS for any patient data flowing through platforms subject to foreign government access. No Data Processing Agreement closes that gap—only sovereign architecture does. The DORA register of information requirement, effective April 2025, makes jurisdictional exposure a formally documented board-level obligation, not an informal risk to be managed through contracts.

The Kiteworks Private Data Network provides health insurers with the sovereign communication infrastructure they need to protect patient data while meeting the layered requirements of DORA, GDPR, and the EHDS. Kiteworks operates on a customer-managed encryption model where the insurer generates and retains encryption keys in its own key management system. Kiteworks cannot access decrypted patient data and cannot comply with foreign government demands to produce readable health records because it does not possess the keys.

Kiteworks deploys as a single-tenant instance on dedicated European infrastructure, ensuring that patient data is not commingled with data from other organizations. Policy-enforced geofencing prevents health data from leaving designated boundaries, and comprehensive audit logging provides the accountability evidence that DORA incident management, GDPR supervisory authorities, and EHDS data governance all require.

The platform unifies secure file sharing for claims documentation and provider communications, protected email for case management and policyholder correspondence, managed file transfer for automated data exchanges with reinsurers and claims processors, and secure web forms for policyholder data collection under a single zero trust governance framework. This enables health insurers to secure all patient data exchange channels through one platform with consistent encryption, access controls, and audit evidence for DORA compliance documentation.

To learn more about protecting patient information under sector-specific regulations, schedule a custom demo today.

Frequently Asked Questions

DORA, applicable since January 17, 2025, replaces EIOPA’s previous ICT security guidelines and makes ICT risk management a board-level responsibility for all insurance undertakings. Health insurers must now maintain comprehensive ICT risk management frameworks, document all third-party ICT provider contracts in a mandatory register of information, report major ICT incidents to competent authorities, and conduct regular resilience testing. DORA’s third-party risk management requirements mean insurers must formally assess the jurisdictional exposure created by each ICT provider, making platform sovereignty a documented compliance requirement rather than a best practice.

Article 54 of the EHDS explicitly prohibits using health data obtained through secondary use channels to exclude individuals from insurance contracts, modify their premiums, or make any other detrimental decisions based on that data. This prohibition applies across all insurance lines, not just health or life coverage. For health insurers, this means they must implement technical architecture that enforces clear separation between data used for legitimate insurance operations and data accessible through EHDS secondary use mechanisms. The prohibition reflects the European Commission’s determination that public trust in the EHDS depends on preventing insurer access to secondary health data.

When primary health insurers share claims data with reinsurers for risk assessment, patient health records cross organizational boundaries through communication platforms that determine actual data sovereignty. Even if the primary insurer maintains sovereign architecture, patient data protection depends on the platforms used for the exchange. If either party uses file transfer services or collaboration tools operated by US-headquartered providers, the data is exposed to CLOUD Act jurisdiction. Under DORA, primary insurers must now formally assess and document this third-party risk in their register of information. Customer-controlled encryption ensures sovereignty regardless of which provider handles the exchange.

Germany’s Health Data Use Act (GDNG) and Digital Act (DigiG) mandate electronic patient records for over 70 million publicly insured individuals, with opt-out rights for citizens. This dramatically increases the volume of digital health data flowing through insurer systems. Health insurers must ensure that the platforms processing this expanded data volume provide sovereign architecture with customer-controlled encryption and European deployment. The GDNG also establishes Germany-specific requirements for health data governance that complement GDPR and EHDS obligations, making architectural sovereignty essential for meeting multiple overlapping regulatory frameworks.

Health insurers should begin with the DORA-required register of information on ICT third-party contracts, using it as both a compliance exercise and a sovereignty audit. By mapping every platform and service that processes patient data against the four sovereignty questions (jurisdictional exposure, encryption key control, operational sovereignty, and exit strategy viability), insurers can identify which data flows create the greatest risk. Prioritize migration for platforms handling the highest-sensitivity data: claims processing, reinsurance exchanges, and provider communications. Deploying a sovereign communication platform for these exchanges first delivers the greatest compliance improvement with manageable scope.
