Blog
How to

HDS: The French Standard for Hosting Health Data – What It Is and Why It Matters

Team Bravas
28/4/2025
4
min

In the age of digital healthcare, patient data is more sensitive—and more valuable—than ever. From hospital records to lab results and remote consultations, an increasing amount of personal medical information is being stored and shared online. This makes health data a prime target for cyberattacks.

That’s where the HDS (Hébergement de Données de Santé) certification comes in. Mandatory for any organization hosting or processing health data in France, HDS is designed to guarantee a high level of security and compliance for handling these critical assets.

1. Why HDS Exists

The main reason behind the HDS certification is simple: protecting patient data.

Medical information is among the most sensitive personal data, and any breach could lead not only to financial or reputational damage but also to significant ethical and legal consequences. As healthcare digitization accelerates, the French government and health authorities needed a framework to ensure that health data is handled securely—no matter where it’s stored or processed.

In 2018, the Agence du Numérique en Santé (ANS) formalized the HDS standard, building on existing norms like ISO 27001 and adapting them to the unique demands of the health sector in France.

The goal? To ensure that any provider managing health data—cloud services, software vendors, hosting companies, or even hospitals—has the right technical, organizational, and contractual safeguards in place.

2. What the HDS Certification Covers

The HDS certification is structured into two broad categories, encompassing six activity types:

Category 1 – Physical Infrastructure Providers:

  1. Provision and maintenance of physical sites for servers.
  2. Provision and maintenance of physical infrastructure (cooling, power, physical security).
  3. Provision and maintenance of network infrastructure.

Category 2 – Health Data Management Services:

  1. Administration and operation of information systems hosting health data.
  2. Hosting of applications handling health data.
  3. Outsourced data backup services.

An organization can be certified for one or multiple activity types, depending on its role in the health data lifecycle.

To get certified, companies must already comply with ISO 27001—which lays the foundation for information security management—and then complete additional audits specific to the HDS standard.

HDS is not a one-time process. Organizations must undergo regular audits, maintain a strong internal security policy, and demonstrate ongoing improvement and risk management. This includes elements such as:

  • Access control and traceability
  • Data integrity and availability
  • Incident management and recovery
  • Legal and regulatory compliance (e.g., GDPR)

3. How to Achieve HDS Compliance

Getting certified can feel like a daunting task, especially for small and mid-sized companies that don’t have a full-fledged security team. But it doesn’t have to be. Here’s a breakdown of how to approach HDS compliance:

A. Start with ISO 27001

Since HDS builds upon ISO 27001, organizations must first implement a compliant Information Security Management System (ISMS). This includes:

  • Conducting a risk assessment
  • Defining security policies and procedures
  • Training employees
  • Monitoring and auditing your controls

B. Perform a Gap Analysis Against HDS Requirements

Next, review the HDS-specific controls and evaluate how your current practices align. This step often highlights gaps related to:

  • Data traceability and audit logs
  • Backup encryption and restoration testing
  • Hosting environment segmentation

C. Document Everything

Like most certifications, HDS is heavy on documentation. You’ll need to provide clear records of:

  • Roles and responsibilities
  • Security incident management
  • Compliance with French health regulations
  • Data processing contracts and agreements

D. Choose the Right Partners

Many companies don’t manage all parts of the stack themselves. If you rely on a hosting provider, cloud vendor, or SaaS platforms, they must also be HDS-certified—or at the very least, not be a weak link in your compliance chain.

This makes vendor management a key aspect of your HDS preparation.

E. Plan for the Audit

Finally, you’ll need to pass an audit by an ANS-accredited certification body. The audit is conducted in two phases:

  1. Stage 1 (Documentation Review)
  2. Stage 2 (On-site Audit of Processes and Controls)

Once certified, you’ll be listed in the public ANS directory—providing a strong signal of trust to your clients and users.

Conclusion: Bravas.io and HDS Readiness

Whether you’re a SaaS platform in the medtech space, a hospital IT provider, or a startup looking to scale in the French healthcare sector, HDS compliance is a major milestone—but it shouldn’t be a blocker.

At Bravas.io, we help modern workspaces and software providers meet high security standards without the complexity. From device-based access control to phishing-resistant authentication, we provide the building blocks of a secure and compliant environment.

And for teams navigating compliance frameworks like HDS or ISO 27001, our tools bring visibility, control, and confidence across your infrastructure—without the heavy lift.

→ Need help aligning with HDS or just want to simplify your security stack? Let’s talk!

Share this post
Copy to clipboard icon
Linkedin Icon
Twitter Icon
Facebook Icon

Want more info?

Bravas - Arrow icon svg
Contact us
Bravas - Arrow icon svg

More Posts

The Ultimate Guide to Mobile Device Management (MDM) for SMBs
IT Management
3
min read

The Ultimate Guide to Mobile Device Management (MDM) for SMBs

MDM for SMBs
Why Did Atelier Ducrot Choose Bravas?
News
3
min read

Why Did Atelier Ducrot Choose Bravas?

SMB MDM
Why Does TeckFX Use Bravas MDM for Its Customers?
News
2
min read

Why Does TeckFX Use Bravas MDM for Its Customers?

Why Does TeckFX Use Bravas MDM for Its Customers?
All blog posts
How to

HDS: The French Standard for Hosting Health Data – What It Is and Why It Matters

28/4/2025
5
min de lecture

In the age of digital healthcare, patient data is more sensitive—and more valuable—than ever. From hospital records to lab results and remote consultations, an increasing amount of personal medical information is being stored and shared online. This makes health data a prime target for cyberattacks.

That’s where the HDS (Hébergement de Données de Santé) certification comes in. Mandatory for any organization hosting or processing health data in France, HDS is designed to guarantee a high level of security and compliance for handling these critical assets.

1. Why HDS Exists

The main reason behind the HDS certification is simple: protecting patient data.

Medical information is among the most sensitive personal data, and any breach could lead not only to financial or reputational damage but also to significant ethical and legal consequences. As healthcare digitization accelerates, the French government and health authorities needed a framework to ensure that health data is handled securely—no matter where it’s stored or processed.

In 2018, the Agence du Numérique en Santé (ANS) formalized the HDS standard, building on existing norms like ISO 27001 and adapting them to the unique demands of the health sector in France.

The goal? To ensure that any provider managing health data—cloud services, software vendors, hosting companies, or even hospitals—has the right technical, organizational, and contractual safeguards in place.

2. What the HDS Certification Covers

The HDS certification is structured into two broad categories, encompassing six activity types:

Category 1 – Physical Infrastructure Providers:

  1. Provision and maintenance of physical sites for servers.
  2. Provision and maintenance of physical infrastructure (cooling, power, physical security).
  3. Provision and maintenance of network infrastructure.

Category 2 – Health Data Management Services:

  1. Administration and operation of information systems hosting health data.
  2. Hosting of applications handling health data.
  3. Outsourced data backup services.

An organization can be certified for one or multiple activity types, depending on its role in the health data lifecycle.

To get certified, companies must already comply with ISO 27001—which lays the foundation for information security management—and then complete additional audits specific to the HDS standard.

HDS is not a one-time process. Organizations must undergo regular audits, maintain a strong internal security policy, and demonstrate ongoing improvement and risk management. This includes elements such as:

  • Access control and traceability
  • Data integrity and availability
  • Incident management and recovery
  • Legal and regulatory compliance (e.g., GDPR)

3. How to Achieve HDS Compliance

Getting certified can feel like a daunting task, especially for small and mid-sized companies that don’t have a full-fledged security team. But it doesn’t have to be. Here’s a breakdown of how to approach HDS compliance:

A. Start with ISO 27001

Since HDS builds upon ISO 27001, organizations must first implement a compliant Information Security Management System (ISMS). This includes:

  • Conducting a risk assessment
  • Defining security policies and procedures
  • Training employees
  • Monitoring and auditing your controls

B. Perform a Gap Analysis Against HDS Requirements

Next, review the HDS-specific controls and evaluate how your current practices align. This step often highlights gaps related to:

  • Data traceability and audit logs
  • Backup encryption and restoration testing
  • Hosting environment segmentation

C. Document Everything

Like most certifications, HDS is heavy on documentation. You’ll need to provide clear records of:

  • Roles and responsibilities
  • Security incident management
  • Compliance with French health regulations
  • Data processing contracts and agreements

D. Choose the Right Partners

Many companies don’t manage all parts of the stack themselves. If you rely on a hosting provider, cloud vendor, or SaaS platforms, they must also be HDS-certified—or at the very least, not be a weak link in your compliance chain.

This makes vendor management a key aspect of your HDS preparation.

E. Plan for the Audit

Finally, you’ll need to pass an audit by an ANS-accredited certification body. The audit is conducted in two phases:

  1. Stage 1 (Documentation Review)
  2. Stage 2 (On-site Audit of Processes and Controls)

Once certified, you’ll be listed in the public ANS directory—providing a strong signal of trust to your clients and users.

Conclusion: Bravas.io and HDS Readiness

Whether you’re a SaaS platform in the medtech space, a hospital IT provider, or a startup looking to scale in the French healthcare sector, HDS compliance is a major milestone—but it shouldn’t be a blocker.

At Bravas.io, we help modern workspaces and software providers meet high security standards without the complexity. From device-based access control to phishing-resistant authentication, we provide the building blocks of a secure and compliant environment.

And for teams navigating compliance frameworks like HDS or ISO 27001, our tools bring visibility, control, and confidence across your infrastructure—without the heavy lift.

→ Need help aligning with HDS or just want to simplify your security stack? Let’s talk!

Vous aimez cet article ?

Partagez-le !