Compliance by design, not an afterthought.

My Data My Care targets HDS v2 certification, operational GDPR, Ségur V2 and FHIR R4 FR Core as its minimal V1 foundation, not as box-ticking but as enforceable public contractual commitments.

  • HDS v2 (V1 target)
  • Native GDPR
  • Ségur V2 (10/2026)

Deadlines 2026-2028

Legal obligations whose dates are already set by French and European regulation. MDMC aligns with each deadline ahead of the cut-off date.

  1. V1 target

    HDS v2 — health data hosting obligation

    Decree R. 1111-9 CSP. Any host processing health data must be HDS v2 certified. MDMC targets public certification before V1 go-live.

  2. V1 target

    AI Act — high-risk health AI applicable

    EU Regulation 2024/1689. Our CareFlow LLM falls under Art. 6.2 (consultation guidance). Model documentation, human oversight and bias audit mandatory.

  3. V1 target

    Ségur V2 — mandatory hospital listing

    Solutions used in French healthcare institutions must be listed in the ANS catalogue. FHIR FR Core profiles + INS mandatory.

  4. Roadmap V2

    EHDS — European health data space

    Phased rollout. Cross-border interoperability + patient opt-in secondary use. MDMC architecture prepared.

8 frameworks govern MDMC

V1 foundation = HDS + GDPR + Ségur + FHIR + INS. V2 roadmap = AI Act + EHDS + SecNumCloud. Status updated 2026-05-13.

HDS v2
V1 target
Health Data Host

Blocking commitment before V1 go-live. Audit being finalised Q2 2026 with an ANS-certified French operator. No post-launch promise.

GDPR
In progress
General Data Protection Regulation

External DPO being appointed Q2 2026. DPIA drafted. Art. 30 register maintained. DPIA planned per PHI processing.

Ségur V2
V1 target
ANS catalogue listing

Obligation 14/10/2026 for hospital use. ANS-compliant FHIR FR Core profiles. MDMC application filing Q3 2026.

FHIR R4
Native
FR Core interoperability

Native implementation of patient/pro API. Passport export compliant with ANS profiles. Full portability without lock-in.

INS
V1 target
National Health Identity

INS-API (RNIV) integrated. Unique national patient identifier. Prerequisite for Ségur V2 + DMP.

AI Act
V1 target
High-risk health AI

Applicable 02/08/2026. CareFlow model documentation + transparency + human oversight + bias audit.

EHDS
Roadmap V2
European Health Data Space

Rollout 2027. Cross-border interop + patient opt-in secondary use. Architecture prepared in V1.

SecNumCloud
Roadmap V2
ANSSI qualification

V2 target (2027) for OIV / hospital offering. Zero foreign legal influence over infrastructure.

4 contractual commitments

Beyond certifications, public and enforceable operational commitments.

External DPO appointed

Independent firm registered with the CNIL. Direct contact dpo@mydatamycare.com. Response to Art. 12-22 GDPR requests within 30 working days.

DPIA per processing

Data Protection Impact Assessment for every feature touching PHI. Available on a justified request from CIO/DPO/CNIL.

Bug Bounty programme

Launch Q3 2026 on a recognised platform (HackerOne or YesWeHack). Scope: patient API + encryption + auth.

Annual pentest audit

ANSSI-recognised firm (Quarkslab or Synacktiv). Summary report published on the security page. First audit Q2 2026.

Regulatory compliance and technical architecture are inseparable: patient-side end-to-end encryption, signed consent, zero-trust API.

See the security architecture

What you want to know

When will MDMC be HDS v2 certified?

Audit being finalised Q2 2026 with an ANS-certified French operator. Public certification expected before V1 go-live — a blocking contractual commitment, not a post-launch marketing promise.

Why is Ségur V2 mandatory?

Obligation 14/10/2026 for solutions used in French healthcare institutions. ANS catalogue listing is a condition for public procurement. MDMC targets application filing Q3 2026 (FHIR FR Core profiles + INS ready).

Is your CareFlow AI high-risk AI under the AI Act?

Yes — patient guidance/consultation falls under Art. 6.2 of EU Regulation 2024/1689. Applicable 02/08/2026. Model documentation + transparency + human oversight + bias audit = obligations being implemented.

Who is your DPO and how do I contact them?

External DPO being appointed (independent firm registered with the CNIL). Transitional contact dpo@mydatamycare.com (qualified inbox). Response time for Art. 12 GDPR requests: 30 working days in accordance with Art. 12.3 GDPR.

A compliance question?

Our DPO + security team answers hospital CIOs, ESSMS institutions, health insurers and regulatory bodies. Response within 48 working hours.