ISMS Copilot for French health data compliance
HDS certification is the wall — ISMS Copilot drafts the documentation around CNIL and NIS 2, never the health data itself.
HDS: the certification French health data forces
If you host or process personal health data on behalf of a French healthcare organisation, HDS (Hébergeur de Données de Santé) certification is mandatory — not optional, not a best practice. HDS requires ISO 27001:2022 certification as a prerequisite and then layers health-data-specific controls on data sovereignty, EEA residency, and patient-data confidentiality on top. ISMS Copilot is not itself an HDS-certified host and does not become the data path for your patient data: use it to build the ISO 27001 foundation, map the HDS-specific requirements and gap analysis, and prepare the certification evidence — the actual health data must live with an HDS-certified hosting provider. On top of HDS sit CNIL's reference methodologies and GDPR Article 9 special-category rules for health data, and NIS 2 obligations where the entity is in scope.
What ISMS Copilot does for French health-data teams
- Map HDS certification requirements and run the gap analysis against your current controls
- Build and verify the ISO 27001:2022 prerequisite HDS depends on
- Draft CNIL-aligned documentation for health data — GDPR Article 9 special-category basis, DPIA, and ROPA
- Assess NIS 2 applicability for health-sector entities and draft the risk-management and incident-reporting measures
- Prepare data-sovereignty and EEA-residency evidence HDS auditors expect
- Draft patient-data confidentiality, access-control, and breach-notification procedures
Built for the French health-data compliance lead
- HDS requirement mapping and certification gap analysis
- ISO 27001:2022 prerequisite control library
- CNIL / GDPR Article 9 health-data documentation templates
- DPIA and ROPA generators for special-category health data
- NIS 2 health-sector applicability and incident-reporting workflow
- Data-sovereignty and EEA-residency evidence preparation
Frequently Asked Questions
Is HDS certification really mandatory?
Yes. Under French law any third party hosting or processing personal health data on behalf of a French healthcare organisation must use HDS-certified hosting. Health establishments managing their own systems are exempt, but third-party hosts, SaaS vendors, and IT service companies are not. ISMS Copilot helps you prepare the documentation and ISO 27001 base HDS requires.
Do I need ISO 27001 before HDS?
Yes. HDS certification requires ISO 27001:2022 certification as a prerequisite. ISMS Copilot helps you build the ISO 27001 foundation first and then layer the HDS-specific health-data requirements on top, rather than treating them as two unrelated projects.
Can ISMS Copilot host our patient data?
No. ISMS Copilot is not an HDS-certified hosting provider and patient health data must never be entered into it. Use ISMS Copilot for the documentation, gap analysis, and certification evidence; the health data itself must live with an HDS-certified host.
