AS4 in Public Sector & Healthcare: eDelivery Use Cases

Organisations operating in public administration and business across Europe are increasingly being introduced to AS4 and eDelivery, as a growing number of European Union (EU) programmes mandate their use for digital submissions and cross-border data exchange. However, before exploring the technical aspects, it is important to understand the underlying rationale behind the EU’s investment in this infrastructure and the challenges it was designed to address.

The EU’s Goal: A Digital Single Market

The European Union has long pursued the vision of a Digital Single Market - an environment in which citizens, businesses, and public administrations can interact digitally across borders as seamlessly as they do within their own countries. While conceptually straightforward, achieving this vision has been complex in practice. Over time, each Member State developed its own digital systems, including distinct approaches to document signing, identity verification, data exchange, and invoice processing. As a result, cross-border interactions such as a healthcare institution in one country sharing data with another, or a manufacturer submitting regulatory information to an EU-wide system, frequently encounter challenges due to incompatible formats, protocols, and ad hoc integration approaches.

Rather than enforcing a single, unified system across all Member States, the EU adopted a more flexible approach. It established a set of shared, reusable digital components that could be adopted across countries, programmes, and organisations, while allowing individual systems to build on top of them. These components are collectively referred to as the EU Digital Building Blocks.

The EU Digital Building Blocks

The EU Digital Building Blocks are a set of standardised digital components developed by the European Commission, initially funded through the Connecting Europe Facility (CEF) Digital programme and now continued under the Digital Europe Programme.

The thinking behind them is straightforward: if every EU programme had to build its own infrastructure for secure document exchange, digital identity, or electronic signatures, the result would be dozens of incompatible solutions - exactly the problem the EU was trying to fix. Instead, these common requirements are addressed once, based on open standards, and made available for reuse across all programmes that require them.

The current Building Blocks are:

• eDelivery - secure and reliable exchange of documents and data between organizations.
• eID - cross-border digital identity, so citizens can authenticate in another Member State using their own national credentials.
• eSignature - digital signatures that are legally recognised across the EU.
• eInvoicing - standardised electronic invoicing for public procurement.
• Once-Only Technical System (OOTS) - citizens submit a document to one authority once, and other authorities share it among themselves rather than asking the citizen to resubmit it.

Any programme built on these Building Blocks automatically benefits from the shared infrastructure. For example, when the EU launches a new regulatory system that needs to exchange documents securely, it connects to eDelivery rather than reinventing the wheel.

The eDelivery Building Block

eDelivery is a digital building block that provides technical specifications, installable software, and services for the secure, reliable, and cross-border exchange of electronic documents and data. It enables public administrations and businesses to exchange information through a distributed “four-corner” model, ensuring interoperability across disparate IT systems.

At the technical level, eDelivery is built on the AS4 messaging protocol. Participating organisations connect to the network through an AS4 Access Point, which handles the security and routing of messages on their behalf. Once connected, an institution can exchange data with any other organisation connected to any other conformant Access Point in the network, regardless of which software that organisation uses internally.

The European Commission provides an open-source reference implementation called Domibus, which can be deployed by Member States or used as a reference by commercial software vendors seeking to verify conformance. A formal CEF Conformance Testing Service allows vendors to validate their implementations against the eDelivery AS4 specification and be listed publicly as conformant solutions.

What is AS4, and Why Does the eDelivery rely on it?

AS4 (Applicability Statement 4) is an open, web-services-based messaging protocol standardised by OASIS. It builds on the ebMS 3.0 specification and brings enterprise-grade security, including message signing and encryption, together with the following key characteristics.

• Non-repudiation: Digitally signed receipts create a verifiable audit trail, proving that a message was sent and received.
• Interoperability: Because it is built on open standards (SOAP, WS-Security, HTTPS), any compliant implementation can communicate with any other, regardless of vendor.
• Reliability: Built-in retry logic and duplicate-message detection ensure that data arrives exactly once, even across unreliable networks.

These qualities explain why the European Commission has made AS4 the foundation of its cross-border data exchange infrastructure for public and private administrations.

eDelivery in Practice: Key Use Cases

The reach of eDelivery is broader than many organisations realise. As of 2021, 680 eDelivery access points have been deployed across 39 countries, spanning major sectors such as energy, economy and finance, government and public sector, justice and public safety, and population and society, according to the EU eDelivery dashboard. Below are some of the most significant use cases with a particular focus on healthcare and social security domains.

Medical Device Regulation

The European Database on Medical Devices (EUDAMED) is the EU’s centralised regulatory database for medical devices, and it is one of the most relevant eDelivery use cases for healthcare and life sciences organisations. EUDAMED mandates AS4 as its machine-to-machine (M2M) integration protocol for all automated submissions.

Manufacturers, authorised representatives, and notified bodies wishing to submit device registrations, UDI (Unique Device Identification) data, vigilance reports, and other regulatory documents to EUDAMED must do so via AS4. The protocol is configured using PMode (Processing Mode) agreements, which define the business rules for each message type - specifying the service module (such as UDI, ACT, or CRF) and the action. Payloads must conform to specific XML schemas, and submissions require prior certificate exchange with EUDAMED support teams.

Social Security Information

Electronic Exchange of Social Security Information (EESSI) is a decentralised IT infrastructure built on the eDelivery Building Block that connects social security institutions across 32 participating countries (all 27 EU Member States, plus Iceland, Liechtenstein, Norway, Switzerland, and the United Kingdom). As of mid-2023, approximately 3,400 institutions were connected to the system.

Before EESSI, cross-border social security coordination relied on paper forms - slow, costly, and prone to error. EESSI replaces this with structured electronic document exchange, following commonly agreed procedures. It covers the full spectrum of social security branches, including sickness benefits and healthcare entitlement, pensions and long-term care, unemployment and posted worker declarations, family benefits, and accidents at work. Each branch is handled through standardised electronic documents known as Structured Electronic Documents, routed via AS4 Access Points to the correct institution in the destination country.

The architecture is deliberately decentralised. Each participating country operates national Access Points connected to a Central Service Node (CSN) hosted by the European Commission. Sensitive case data never sits in a central database - it travels directly between the Access Points of the institutions handling a specific case, encrypted using AS4’s WS-Security layer.

In practice, this means significantly faster benefit processing for citizens. For example, a German health insurer that once had to wait weeks for a paper E-form from a customer’s home-country insurer can now query the relevant institution electronically and receive a verified response in a fraction of the time.

Customs, Safety, and Security

The Import Control System 2 (ICS2) is an advanced cargo information system developed to enhance security in international goods transportation and across the supply chain. All Economic Operators (EOs) bringing goods into or transiting through the EU are required to submit safety and security data to ICS2 via an Entry Summary Declaration (ENS). eDelivery access points act as the secure backbone for economic operators to electronically submit ENS before goods arrive in the EU. Based on the ENS, all shipments undergo safety and security risk assessments, enabling more targeted and effective controls.

eProcurement

OpenPEPPOL is a non-profit international association (AISBL) responsible for maintaining and developing the Pan-European Public Procurement On-Line (PEPPOL) network, which enables businesses and governments to securely exchange electronic documents—such as invoices, orders, and shipping notes—across borders. While OpenPeppol defines the business rules, eDelivery provides the standardised technical specifications and infrastructure (e.g., SML and SMP) that enable secure and interoperable document exchange.

Business Registers Interconnection

The Business Registers Interconnection System (BRIS) and the Beneficial Ownership Registers Interconnection System (BORIS) connect national company registries across EU Member States to one another and to the European Commission’s central platform, all using eDelivery Access Points.

Cross-Border eJustice and Regulatory Reporting

eDelivery is also used for cross-border judicial cooperation and for the reporting of tobacco and e-cigarette product data to regulatory authorities under the Tobacco Products Directive.

Key Compliance Considerations for AS4 Connectivity

Organisations that need to connect to any of the eDelivery-based use cases mentioned above must comply with the following technical and operational requirements.

Certificate Management: AS4 relies on digital certificates for signing messages and encrypting payloads. Certificates must be exchanged with counterparties before communication can begin, and organisations must have processes in place to manage certificate lifecycle and renewal.

PMode Configuration: eDelivery-based platforms use PMode agreements to define the rules governing message exchange. Organisations need to identify and configure the applicable subset of PMode rules for each integration scenario.

Error Handling and Retries: AS4’s built-in retry logic is a compliance requirement, not just a convenience. Systems must handle error receipts containing standard AS4 error codes, diagnose root causes, and retry or escalate as appropriate.

Non-Repudiation and Audit Trails: Regulators may require evidence that messages were sent and received. Though AS4’s signed receipt mechanism provides this functionality, organisations need to store and manage receipts systematically.

Payload Validation: Each eDelivery-based platform defines its own schema for message payloads. EUDAMED requires XML documents conforming to specific schema versions, while EESSI uses its own Structured Electronic Document formats. Submissions that do not conform to the required schema will be rejected.

Introducing the Aayu AS4 Solution

At Aayu Technologies, we have built our AS4 capability directly into the Aayu MFT Gateway - the same platform that many organisations use for secure file transfer through AS2 and SFTP protocols. This means that organisations connecting to eDelivery-based platforms benefit immediately from the full range of enterprise file transfer features already present in the current MFT Gateway solution, alongside purpose-built AS4 functionality.

Our AS4 solution was initially developed to address a specific, demanding use case: EUDAMED integration. Medical device manufacturers and notified bodies needed a reliable, straightforward path to AS4 connectivity with the EU’s regulatory database, without the complexity of building and maintaining a custom integration stack. The result is an AS4 implementation that handles the protocol’s complexity - certificate management, PMode configuration, payload validation, error receipts, and retry logic - through the same familiar interface that Aayu MFT Gateway users already know.

Key Capabilities

Enterprise-Grade Security: Aayu’s AS4 implementation handles message signing for sender identity verification, payload encryption for confidentiality, and integrity checks for message content in full compliance with WS-Security standards.

Standardised Non-Repudiation: The system automatically manages AS4 signed receipts, maintaining a verifiable audit trail for every message sent and received. This is essential for regulated environments where evidence of delivery may be required.

Automated Error Handling and Retries: The Gateway visualises error receipts using standard AS4 error codes and applies retry logic in accordance with each platform’s specifications. For EUDAMED, this means strict adherence to the platform’s published retry rules.

Full Message Visibility: Every message that is sent or received is tracked in real time. Status indicators show the encryption, signature, and compression states, while receipt status confirms successful delivery, and detailed log streams support rapid diagnosis when errors occur.

Familiar Setup Experience: Station and Partner configuration in our AS4 implementation follows the same patterns as our AS2 service. Organisations already using Aayu MFT Gateway for AS2 or SFTP will find the AS4 setup process immediately recognisable, reducing the learning curve significantly.

For organisations looking to connect to EUDAMED or evaluate AS4 support for other eDelivery-based platforms, we welcome the conversation. Contact the Aayu team to discuss your specific requirements.