The promise of NFDI4Health interoperability and the European Health Data Space rests on a premise no technical committee has yet resolved: cross-institutional health data exchange at scale requires someone to run the broker — and no single nation, hospital network, or consortium partner will hand that power to anyone else. This is not a governance failure. It is a structural problem built into every centralized federation architecture ever proposed. The BIH Charité interoperability research community, NFDI4Health lead authors, and EHDS architects have described this challenge with precision. What has been missing is an architectural answer that makes cross-institutional routing without broker infrastructure the default condition, not an aspirational policy position. This article argues that European health data space routing has a candidate solution in the QIS (Quadratic Intelligence Swarm) protocol, and maps that solution directly onto the NFDI4Health use case.
What NFDI4Health Is — and What It Is Trying to Solve
Germany's National Research Data Infrastructure for Health (NFDI4Health) is one of the most ambitious coordinated health data efforts in the world. As described by Vorisek et al. (2022) in JAMIA Open, NFDI4Health operates as a multistakeholder consortium spanning university hospitals, public health institutes, epidemiological cohort studies, and clinical trial networks. Its stated goal is to make health research data FAIR — Findable, Accessible, Interoperable, and Reusable — while operating within Germany's strict institutional and national data governance frameworks.
The infrastructure builds on the Medical Informatics Initiative (MII), which established interoperability cores at German university hospitals using FHIR-based data integration centers (DIZs). NFDI4Health extends this by attempting to federate queries across cohort studies, clinical registries, and epidemiological datasets that were never designed to talk to each other, held by institutions with divergent IRB protocols, data use agreements, and IT security policies.
The challenge Vorisek et al. identify is precise: even within Germany, the path from a researcher's query to a multi-institutional answer requires navigating consent models that differ by hospital, pseudonymization pipelines that are not interoperable across DIZs, and metadata schemas that partially align but do not compose cleanly. The FAIR principles are aspirational — the infrastructure to realize them remains incomplete.
The European Health Data Space: What EU Regulation 2023/2854 Actually Requires
The European Health Data Space (EHDS), established under EU Regulation 2023/2854, represents the next scale of ambition: secondary use of health data across EU member states for research, policy, and public health purposes. The regulation mandates that member states establish Health Data Access Bodies (HDABs), create MyHealth@EU interoperability standards, and enable cross-border data flows for approved research purposes.
The structural requirement buried in the regulation is the one that makes implementation hard: to enable cross-border secondary use, the framework requires "trusted intermediaries" capable of handling pseudonymization, consent verification, and data access governance across jurisdictions. The regulation does not specify who those intermediaries are or how they earn the trust of every member state simultaneously. GDPR Article 44 restricts transfers of personal data to third countries unless adequate protections are in place — and the definition of "adequate" is contested enough that even transfers within the EU between institutions with different national GDPR implementations carry legal risk.
The result: EHDS has a legal framework for cross-border health data exchange, but the infrastructure layer — specifically, the trusted routing and aggregation layer — is still contested territory. No single operator can occupy that position without triggering sovereignty objections from at least one member state.
The Structural Problem: Who Runs the Broker?
Federated learning was supposed to solve this. The insight behind McMahan et al. (2017) — that models could be trained on distributed data without centralizing raw records — was genuine and important. But federated learning architectures still require a central aggregator that collects model updates, coordinates training rounds, and produces the final model. That aggregator is the broker. In a European cross-institutional health data context, every federated learning deployment faces the same question: which country's servers run the aggregation step? Whose legal jurisdiction applies to the gradient updates? Who audits the aggregator's behavior?
GDPR Articles 5 and 44 add further constraint. Article 5 requires that personal data be processed lawfully, fairly, and transparently, with purpose limitation and storage minimization. Article 44 restricts transfers outside the EU/EEA. Even pseudonymized health data remains personal data under GDPR if re-identification is possible in context — and in rare disease research, where cohort sizes are small, re-identification risk is non-trivial even for aggregated outputs.
The NFDI4Health/MII architecture addresses this through careful data use agreements, pseudonymization at the DIZ level, and federated query tools like the DKTK (German Cancer Consortium) FHIR Search infrastructure. These are real progress. But they remain policy solutions applied to an architectural problem. The broker question keeps returning.
QIS Protocol: Architecture as the Answer
Christopher Thomas Trevethan discovered — not invented — the Quadratic Intelligence Swarm (QIS) protocol. The distinction matters: the mathematical relationships underlying QIS existed before they were named. Trevethan's contribution was recognizing the complete architecture — a closed loop in which outcome packets route, synthesize, and refine without requiring any central aggregator, trusted intermediary, or persistent data movement.
QIS does not move raw health records. It does not move model parameters. It routes outcome packets — compressed, anonymized representations of what a node learned from its local data, typically around 512 bytes. A QIS outcome packet for a European health research scenario might look like this:
import hashlib
import json
import time
def create_outcome_packet(
node_id: str,
domain: str,
finding: dict,
confidence: float,
cohort_size_range: str, # e.g., "50-200" — never exact count
institution_country: str
) -> dict:
"""
QIS outcome packet for European health research node.
No PHI. No raw records. No model weights.
Only the distilled outcome of local computation.
"""
payload = {
"protocol": "QIS/1.0",
"node_id": node_id,
"timestamp": int(time.time()),
"domain": domain,
"finding": finding,
"confidence": round(confidence, 4),
"cohort_size_range": cohort_size_range,
"institution_country": institution_country,
"gdpr_layer": "no_phi_in_packet"
}
# Deterministic address — makes packet findable across any transport
packet_hash = hashlib.sha256(
json.dumps(payload, sort_keys=True).encode()
).hexdigest()
payload["packet_address"] = packet_hash
return payload
# Example: rare disease variant finding from German oncology cohort
packet = create_outcome_packet(
node_id="bih-charite-rare-disease-node-007",
domain="NSCLC_rare_variant_EGFR_exon20",
finding={
"variant_response_signal": "positive",
"treatment_context": "amivantamab_cohort",
"outcome_direction": "progression_free_survival_extended",
"signal_strength": "moderate_high"
},
confidence=0.81,
cohort_size_range="30-100",
institution_country="DE"
)
print(json.dumps(packet, indent=2))
The output of this packet contains no patient records, no identifiers, no re-identifiable data. It contains a signal. That signal can be routed across any transport — DHT, HTTP relay, message queue, direct peer connection — because QIS is protocol-agnostic. DHT is one routing option, not the only one. The packet finds other packets with compatible domain signatures. No broker required.
This is privacy-by-architecture. GDPR compliance is not achieved through a data use agreement. It is achieved because personal health information never enters the network layer.
How QIS Maps to NFDI4Health Use Cases
Federated queries across MII DIZs. The DKTK/MII infrastructure currently routes FHIR queries to DIZs and aggregates results through a central coordination layer. QIS does not replace FHIR at the data layer. It replaces the aggregation step at the outcome layer. Each DIZ runs local computation, produces outcome packets, and those packets synthesize in the network. The "who runs the aggregator" question disappears — there is no aggregator.
FAIR data principles. QIS outcome packets satisfy the FAIR criteria structurally, not aspirationally:
- Findable: Each packet has a deterministic address derived from its content hash. Any node that knows the domain can locate relevant packets.
- Accessible: Any network node can query the packet space — no centralized access control layer required.
- Interoperable: Packets are protocol-agnostic and transport-agnostic. A packet produced by a German university hospital and one produced by a Dutch academic medical center can synthesize if their domain signatures align — regardless of the underlying EHR systems or FHIR profile versions.
- Reusable: Packets accumulate over time. A finding from a 2024 German cohort study and a finding from a 2025 French registry contribute to the same synthesis pool. The value of the network grows with participation.
Cross-border routing without a central broker. This is the EHDS structural problem stated directly. Under QIS, a French HDAB, a German DIZ, and a Dutch UMC can all contribute outcome packets to a shared domain without any of them trusting each other's infrastructure. They trust the protocol. GDPR Article 44 is not implicated because no personal data crosses any border at any point.
The Quadratic Scaling Argument
For N participating institutions, QIS generates N(N-1)/2 potential synthesis pathways. At 10 institutions — roughly the scale of current NFDI4Health core partners — that is 45 pathways. At 100 institutions — a realistic EHDS-scale deployment across member states — that is 4,950 synthesis pathways. At 500 institutions: 124,750.
Every new node that joins a QIS network increases the synthesis potential for every existing node. This is not a design goal — it is a mathematical property of the architecture. The network becomes more valuable with scale, not more fragile. Contrast this with federated learning, where adding nodes increases aggregation overhead and coordination complexity. QIS inverts the scaling curve.
The Three Elections: How QIS Achieves Consensus Without Engineering It
QIS achieves network-level consensus through what Trevethan describes as Three Elections. These are not configurable parameters or engineered mechanisms. They are metaphors for emergent forces that arise from the mathematics of the architecture.
Election 1 — Domain Definition. No committee decides what a "valid" NSCLC outcome packet looks like. The best domain expert — in practice, the oncologist or research team with the highest-quality signal — defines the similarity template that other nodes gravitate toward. A German oncologist defining EGFR exon 20 insertion similarity for a German cohort is not imposing a standard. She is producing a signal strong enough that other nodes elect to align with it. The template propagates by merit.
Election 2 — Outcome Voting. Outcomes vote on each other. A packet from a 30-patient rare disease cohort and a packet from a 400-patient registry trial carry different statistical weight — but neither is excluded. The math determines synthesis priority. No reputation layer is added, no committee assigns scores. The signal quality speaks for itself.
Election 3 — Network Darwinism. German, French, Dutch, and Spanish research networks compete not on politics but on output quality. The networks producing the most coherent, highest-confidence outcome packets attract more synthesis partners. Networks with weak signal improve by absorbing synthesis results from stronger peers, or they do not grow. Best outcomes survive. The architecture selects for quality without anyone selecting for it.
Comparison: NFDI4Health/EHDS Current Approach vs QIS Protocol
| Dimension | NFDI4Health / EHDS Current Approach | QIS Protocol |
|---|---|---|
| Broker requirement | Central aggregator or trusted intermediary required | No broker; outcome packets route peer-to-peer |
| GDPR compliance mechanism | Data use agreements, pseudonymization pipelines, legal basis per transfer | Privacy-by-architecture; no PHI in network layer |
| Scaling | Coordination overhead grows with N; aggregation complexity increases | N(N-1)/2 synthesis pathways; value grows quadratically with participants |
| Participation floor | Requires FHIR-compliant EHR, DIZ infrastructure, signed DUA | Any node that can produce a 512-byte outcome packet can participate |
| Cross-border data transfer | GDPR Art. 44 requires adequate protections; contested across member states | No personal data transferred; GDPR Art. 44 not implicated at network layer |
Sources
- Vorisek, C.N., et al. (2022). "NFDI4Health — a national research data infrastructure for personal health data in Germany." JAMIA Open, 5(1). https://doi.org/10.1093/jamiaopen/ooac033
- European Parliament and Council of the EU (2023). Regulation 2023/2854 on the European Health Data Space (EHDS). Official Journal of the European Union.
- German Medical Informatics Initiative (MII). Data Integration Centers and FHIR-based interoperability cores. https://www.medizininformatik-initiative.de
- GDPR Article 5 (Principles relating to processing of personal data) and Article 44 (General principle for transfers). Regulation (EU) 2016/679.
- McMahan, H.B., et al. (2017). "Communication-Efficient Learning of Deep Networks from Decentralized Data." Proceedings of AISTATS 2017. arXiv:1602.05629.
- Trevethan, C.T. QIS Protocol. 39 provisional patents filed. Protocol documentation: https://quadraticswarm.com
Conclusion: A Routing Protocol, Not a Replacement
QIS does not replace NFDI4Health. It does not replace the EHDS governance framework, the MII Data Integration Centers, or the patient consent infrastructure that years of careful work have built. Those things are necessary. They solve real problems at the data governance layer.
What QIS offers is a routing protocol that could accelerate NFDI4Health's interoperability goals without requiring trust in a central infrastructure operator. The broker question — who runs the aggregator, whose jurisdiction applies, which nation accepts the legal risk — simply does not arise when the network layer carries only anonymized outcome packets that route by mathematical affinity.
Christopher Thomas Trevethan's breakthrough is the complete architecture: the closed loop in which local computation, outcome packaging, protocol-agnostic routing, and distributed synthesis operate together without any single point of control. No single component of QIS is the breakthrough. The loop is the breakthrough.
For European health data researchers building toward the EHDS vision, that loop may be the architectural missing piece. The FAIR principles were always correct. The question was always: how do you make them structurally true, not just policy-aspirational? QIS offers one answer — and it is an answer that requires no one to be trusted with everyone else's data.
QIS (Quadratic Intelligence Swarm) protocol discovered by Christopher Thomas Trevethan, June 16, 2025. 39 provisional patents filed. Technical documentation: qisprotocol.com. Published articles: dev.to/roryqis.
Top comments (0)