Get HDS Compliant

HDS (Hébergement de Données de Santé) – France is as much an evidence problem as it is a policy problem. Teams fail when controls exist, but proof is scattered, outdated, or inconsistent.

Neutral Partners helps you scope what matters, implement practical controls, and build an evidence package reviewers, customers, and internal stakeholders can trust.

At a Glance

  • Best for: Organizations hosting French health data for third parties
  • Works with: ISO/IEC 27001-aligned security management and cloud operations
  • Outcome: HDS certification readiness with a clear scope and audit-ready evidence
  • Focus: Hosting activity scope, operations proof, supplier oversight, and continuity
  • Common failure point: Treating HDS as paperwork instead of operational controls with traceable proof

If you want a plan you can execute, start with a short working session.

What Is HDS (Hébergement de Données de Santé) – France

HDS (Hébergement de Données de Santé) – France defines expectations for how organizations manage privacy and related controls. Compliance becomes durable when you treat it as an operating model: defined responsibilities, repeatable workflows, and evidence that stays current.

Neutral Partners focuses on making the requirements actionable—so the program works in production, not just on paper.

HDS scope (activities) and audit expectations

Clarity on the variant and scope prevents rework and helps you build the right evidence the first time.

  • Scope by activity: HDS certification is applied to specific hosting activities. Clear service boundaries prevent audit findings.
  • ISO 27001 alignment: Many requirements align to ISO/IEC 27001 controls, but the hosting context drives specific evidence expectations.

Who Needs HDS

HDS typically matters when you collect, use, share, or host personal data in a way that customers, regulators, or partners will scrutinize.

  • Cloud hosts and MSPs in France/EU: Hosting health data for third parties under French rules.
  • Digital health and SaaS platforms: Using third-party infrastructure while maintaining shared responsibility.
  • Healthcare vendors and processors: Demonstrating compliant hosting arrangements to customers.

What HDS Covers

Most efforts fail when organizations try to “document” their way into compliance without aligning systems, vendors, and day-to-day operations. A practical program ties requirements to the workflows that generate proof.

  • Hosting service scope: Defined hosting activities, responsibilities, and interfaces.
  • Security management: ISMS governance, risk management, and secure operations aligned to hosting reality.
  • Access & segregation: Identity controls, admin access governance, and tenant isolation where relevant.
  • Operational assurance: Logging, incident response, continuity, and supplier oversight with proof.

Evidence Auditors Expect

Audits and customer reviews move faster when evidence is organized, traceable, and repeatable. Common evidence categories include:

  • Governance: policies, risk assessments, training records, roles and responsibilities
  • Operational: access reviews, ticketing/change approvals, incident response records
  • Technical: MFA/encryption settings, audit logs, configuration exports, vulnerability reports
  • Third-party: BAAs/DPAs, supplier due diligence, shared responsibility mappings

Rule of thumb: if you can’t prove it with current evidence, you can’t rely on it.

HDS Roadmap

Move faster by running the work like a program: clear scope, owned controls, and a living evidence library.

1. Define scope and data flows

Map personal data, systems, vendors, and cross-border transfers. Confirm roles (controller/processor) and applicability.

Deliverable: Scope + data flow map

2. Run a focused gap assessment

Compare current policies, controls, and workflows to the framework requirements. Prioritize the changes that unlock compliance.

Deliverable: Gap report + prioritized plan

3. Implement controls and workflows

Deploy operational controls (requests, consent/opt-outs, vendor governance) and harden security safeguards where needed.

Deliverable: Updated controls + runbooks

4. Build an evidence library

Create repeatable evidence: logs, tickets, screenshots, reports, and narratives that tie to requirements and can be refreshed on a cadence.

Deliverable: Evidence pack

5. Validate readiness

Do a pre-assessment style review, remediate findings, and package materials so reviewers and customers can follow the story quickly.

Deliverable: Readiness sign-off

Make HDS a Growth Lever

Compliance becomes a revenue enabler when customers can trust your controls—and you can prove them quickly.

Common HDS Gaps

  • Scope is unclear: Service boundaries and hosting activities are not precisely defined.
  • Shared responsibility gaps: Controls are assumed “inherited” without proof or mapping.
  • Ops evidence is inconsistent: Ticketing, access reviews, and monitoring aren’t repeatable.
  • Supplier oversight is thin: Third-party dependencies aren’t documented and monitored.

How Neutral Partners Helps

We help you scope the work, implement what matters, and build evidence that holds up to review—without derailing product velocity.

What We Deliver

  • Scope & data mapping: Clear inventories, flows, and role mapping so requirements match reality.
  • Policies & notices: Practical disclosures and policy language aligned to product behavior and vendors.
  • Workflow buildout: DSARs, opt-outs/consent, incident triage, and evidence capture built into operations.
  • Vendor governance: DPAs/BAAs, subprocessor oversight, and shared responsibility mapping with proof.
  • Sustainment: A cadence for refresh: evidence routines, metrics, and readiness check-ins.

Proof matters. Since 2017, we have maintained a 100% audit success rate across more than 700 successful audits and assessments.

HDS FAQs

Is HDS only for French companies?

HDS applies to hosting health data under French requirements. Non-French providers may still need HDS if they host covered data/services.

Do we need ISO 27001 first?

Many organizations align to ISO 27001 practices as a foundation, but you still need HDS-specific scope and evidence.

How long does HDS preparation take?

Timelines depend on maturity and scope. Most teams plan 10–20 weeks for readiness and evidence stabilization.

What drives most audit findings?

Boundary and operational proof—especially access controls, logging, and continuity evidence.
