Compliance by design, not an afterthought.

My Data My Care targets HDS v2, operational GDPR, Ségur V2 and FHIR R4 FR Core certifications as its minimum V1 foundation — not as box-ticking but as public, enforceable contractual commitments.

  • HDS v2 (V1 target)
  • Native GDPR
  • Ségur V2 (10/2026)

Deadlines 2026-2028

Legal obligations already dated by French and European regulation. MDMC aligns with each deadline ahead of the cut-off date.

  1. V1 target

    HDS v2 — health hosting obligation

    Decree R. 1111-9 of the Public Health Code. Any host processing health data must be HDS v2 certified. MDMC targets public certification before V1 go-live.

  2. V1 target

    AI Act — high-risk health AI applicable

    EU Regulation 2024/1689. Our CareFlow LLM falls under art. 6.2 (consultation guidance). Model documentation, human oversight and bias audit mandatory.

  3. V1 target

    Ségur V2 — mandatory hospital referencing

    Solutions used in French healthcare facilities must be referenced in the ANS catalog. FHIR FR Core profiles + INS mandatory.

  4. Roadmap V2

    EHDS — European health data space

    Progressive rollout. Cross-border interoperability + patient opt-in secondary use. MDMC architecture is prepared.

8 frameworks frame MDMC

V1 foundation = HDS + GDPR + Ségur + FHIR + INS. V2 roadmap = AI Act + EHDS + SecNumCloud. Status as of 2026-05-13.

HDS v2
V1 target
Health Data Host

A blocking commitment before V1 go-live. Audit being finalized in Q2 2026 with an ANS-certified French operator. No post-launch promises.

GDPR
In progress
General Data Protection Regulation

External DPO being appointed Q2 2026. DPIA drafted. Art. 30 register maintained. DPIA planned per PHI processing.

Ségur V2
V1 target
ANS catalogue referencing

14/10/2026 hospital-use obligation. ANS-compliant FHIR FR Core profiles. MDMC submission Q3 2026.

FHIR R4
Native
FR Core interoperability

Native patient/pro API implementation. Passport export compliant with ANS profiles. Full portability with no lock-in.

INS
V1 target
National Health Identity

INS-API (RNIV) integrated. Unique national patient identifier. Prerequisite for Ségur V2 + DMP.

AI Act
V1 target
High-risk health AI

Applicable 02/08/2026. CareFlow model documentation + transparency + human oversight + bias audit.

EHDS
Roadmap V2
European Health Data Space

Rollout in 2027. Cross-border interop + patient opt-in secondary use. Architecture prepared in V1.

SecNumCloud
Roadmap V2
ANSSI qualification

V2 target (2027) for the OIV / hospitals offering. Zero foreign legal influence over the infrastructure.

4 contractual commitments

Beyond certifications, public and enforceable operational commitments.

External DPO appointed

Independent firm declared to the CNIL. Direct contact dpo@mydatamycare.com. Reply to art. 12-22 GDPR requests within 30 business days.

DPIA per processing activity

A Data Protection Impact Assessment for every feature touching PHI. Available on justified request from IT/DPO/CNIL.

Bug bounty programme

Launch Q3 2026 on a recognized platform (HackerOne or YesWeHack). Scope: patient API + encryption + auth.

Annual pentest audit

An ANSSI-recognized firm (Quarkslab or Synacktiv). Summary report published on the security page. First audit Q2 2026.

Regulatory compliance and technical architecture are inseparable: patient-side end-to-end encryption, signed consent, zero-trust API.

See the security architecture

What you want to know

When will MDMC be HDS v2 certified?

Audit being finalized in Q2 2026 with an ANS-certified French operator. Public certification expected before V1 go-live — a blocking contractual commitment, not a post-launch marketing promise.

Why is Ségur V2 mandatory?

14/10/2026 obligation for solutions used in French healthcare facilities. ANS catalog referencing is a condition for public procurement. MDMC targets submission in Q3 2026 (FHIR FR Core profiles + INS ready).

Is your CareFlow AI a high-risk AI under the AI Act?

Yes — patient guidance/consultation falls under art. 6.2 of EU Regulation 2024/1689. Applicable 02/08/2026. Model documentation + transparency + human oversight + bias audit = obligations currently being implemented.

Who is your DPO and how do I contact them?

External DPO being appointed (an independent firm declared to the CNIL). Transitional contact dpo@mydatamycare.com (a qualified mailbox). Response time for art. 12 GDPR requests: 30 business days in line with GDPR art. 12.3.

A compliance question?

Our DPO + security team answers hospital CIOs, ESSMS facilities, insurers and regulatory bodies. Reply within 48 business hours.