Back to blog
HDShealthtechcompliance

HDS 2.0 mandatory May 16, 2026: security checklist for healthtech

Published on 2026-04-077 min readCleanIssue

> TL;DR: The HDS 2.0 framework becomes mandatory. Here's the complete checklist for healthcare applications.

The countdown is on

HDS 2.0 is mandatory for new certificates since November 2024. By May 16, 2026, all old HDS 1.1 certificates become invalid.

What changes

  • EEA storage mandatory
  • Enhanced transparency on transfers
  • Strengthened encryption and access control
  • Security checklist

  • Encryption in transit (TLS 1.3) and at rest (AES-256)
  • Per-patient access controls (RLS)
  • Health data access logging
  • Data retention and deletion policies
  • CNIL notification procedure (72h)
  • Regular documented security tests
  • Strong authentication (2FA)
  • Key Takeaways

  • Identify and test your exposed attack surfaces before a third party does.
  • Client-side security controls never replace server-side validation.
  • Regular audits are more effective than one-time checks — vulnerabilities appear with every deployment.
  • Building HR, payroll, or recruiting software? CleanIssue performs security audits for HR SaaS in real-world conditions, no source code access needed. For a first read of your exposure, start with an external review of your application.

    Sources

    Written by CleanIssue
    Reviewed on 2026-04-07

    Editorial analysis based on official vendor, project, and regulator documentation.

    Related services

    If this topic maps to a real risk in your stack, these are the most relevant CleanIssue audits.

    Need an external review of your HR SaaS?

    Share your product, stack, and client context. We will come back with the right review scope.

    Discuss your audit