EU Data Act Requirements, the Chances for the NDT Industry, and Why it is Critical Outside the EU

Data is the backbone of digitalization, digital transformation and NDE 4.0 but the full potential of this resource remains unused.

The whole situation became obvious a couple of years ago [1] when John Deere locked farmers from accessing machine data, using third-party repair and maintenance shops, or doing repair and maintenance themselves. John Deere considered themselves as the sole owner of all data collected by the machine. They argued that their software collects the data and that the copyright of the software belongs to John Deere. By collecting and merging all the data, this was an attempt by John Deere to monopolize the growing market of digital services. They even cooperated with large agricultural companies like BASF, Dow, DuPont, Monsanto and Syngenta to sell them the data.

This example shows, as detailed in [2, 3], that data handling, data access, use, ownership, and rights is often unclear or enforced by a powerful machine manufacturer. In a lot of current-day scenarios, connected products are black boxes for the user. The manufacturers of the products sell the product to the user, have access to the data of the device, and force the user into their data eco-system for any services regarding data evaluation. This might be a good business model for the manufacturers, but the European Commission sees that this is not in the interest of the economy and society as it #1 prevents utilizing the full potential of data as users are often in a quite weak position leading to the fact that they are unable to access the data they generated themselves and #2 it hinders the development of a market for data-driven services. It’s like a car manufacturer forcing the customer to only get service at their facilities and to buy accessories from them. The EU wants to create a highly innovative market for digital services. For this, as shown by Figure 1, they must split the hardware market from the data-services market, giving the customer/user of the product the possibility to access their data easily and free, forcing product manufacturers to only use fair rules within their contracts, and to give users the possibility to use third-party service providers and to make it easier to switch from one service provider to another.

The European Commission started to address those questions with the EU Data Act. The data act is part of their European Data Strategy to set clear rules.

Fig: Figure 1 left: Current Situation (Product = Black Box) right: EU Data Act (connected product and data service market separated)

(Author: Johannes Vrana, Vrana GmbH, Licenses: CC BY-ND 4.0)

The EU Data Act regulates the access to data which is created by the usage of products or services. It came into force on January 11th, 2024, and shall be applied from September 12th, 2025. The Data Act is a regulation which is directly applicable in all countries of the European Union for all connected products placed on the market in the EU and providers of related services, irrespective of the place of establishment of those manufacturers and providers. For companies and consumers, this results in new obligations and rights that have significant practical implications. So – even if the products are produced outside the EU – once they are sold, rented, or leased on the European market the manufacturer of the equipment has to comply with the Data Act.

In my view, this law will reshape the NDT&NDE Industry around the globe and will enable the start of numerous start-ups connected with an unseen growth of the NDT market by innovation-driven NDE 4.0.

Let’s have a look into the European data strategy and the Data Act.

European Data Strategy

The European data strategy [4] aims to create a market for data, ensuring data sovereignty and leading to the creation of dataspaces. This will ensure that more data is available for the economy and society while ensuring data control of data created by individuals and companies. To support this strategy multiple acts and regulations were and will be created:

In 2018 the famous General Data Protection Regulation (GDPR) was implemented. It ensures the protection of natural persons regarding the processing of personal data and on the free movement of such data [5]. The GDPR is not officially part of the EU data strategy (which was started in 2020), but in hindsight, it is clearly connected to it. It also became a model for multiple laws around the world.

In 2022 the Data Governance Act (DGA) [6], the Digital Markets Act (DMA) [7], and the Digital Services Act (DSA) [8] came into force. The DGA lays the fundament for the creation of a data exchange model, including the requirements for data intermediation services and the establishment of a European data innovation board. The DMA ensures a higher degree of competition in digital markets by preventing so called gatekeepers, meaning large companies that control market access for others due to their market power, from abusing their market power and by allowing new players to enter the market. The DSA created liability and safety regulations for digital platforms, services, and products.

In 2023 the Digital Operations Resilience Act (DORA) [9], the NIS 2 Directive [10], and Markets in Crypto-Assets (MiCA) [11] came into force. DORA improves the digital resilience for the financial sector and the NIS 2 Directive increases the cyber security for various sectors by higher security requirements. MiCA intends to streamline distributed ledger technologies (like blockchains) whilst protecting users and investors.

In 2024 the EU data act [12], the AI act [13], and the cyber resilience act (CRA) [14] came to force.

EU Data Act

Out of this bouquet of regulations and directives of the European data strategy the Data Act might have the biggest impact on the NDT industry and regulates three main aspects:

1. Access and use of data for users and third parties (service providers)
2. Fair rules for data usage contracts
3. Cloud service providers in particular regarding the simplification of switching between providers.

Is the Data Act Applicable for NDT?

The EU Data Act covers all data recorded by connected devices and related services, both personal and non-personal, and both data and metadata. A connected product is defined as “an item that obtains, generates or collects data concerning its use or environment and that is able to communicate product data via an electronic communications service, physical connection or on-device access” [12] – therefore, it applies to all modern-day B2B and B2C devices including all digital NDT devices. Only servers and similar devices, whose primary function is the storing, processing, or transmission of data on behalf of any party other than the user, are exempted.

A related service is defined as “a digital service, other than an electronic communications service, including software, which is connected with the product at the time of the purchase, rent or lease in such a way that its absence would prevent the connected product from performing one or more of its functions, or which is subsequently connected to the product by the manufacturer or a third party to add to, update or adapt the functions of the connected product” [12]. Meaning the law is also applicable to all NDT software solutions.

Product data is defined as “data generated by the use of a connected product that the manufacturer designed to be retrievable, via an elecronic communications service, physical connection or on-device access, by a user, data holder or a third party, including, where relevant, the manufacturer” [12]. In particular, for handheld devices, if a manufacturer designs a product in a way so that nobody (including himself) is able to retrieve the data the data is NOT covered by the Data Act.

The Data Act is aimed mainly at manufacturers of connected products and providers of connected services and their users, as well as data holders and public bodies. The company’s registered office is irrelevant: the marketplace principle applies. For small and medium-sized companies (SME) some requirements are not applicable.

Requirements of the Data Act

The Data Act puts the user of connected products and related services in a central position.

They are provided with three instruments (see also Figure 2):

• Accessibility by design; direct data access (Article 3): connected products and related services must be designed in such a way that the user can access the data and metadata from them.
• Data provision by the data holder; indirect access (Article 4): Where direct access by the user is not technically feasible, the party who has access to the data (e.g. the operator of a related service) must make the data accessible to the user.
• The user may have the data processed by a third party (Article 5). The data holder shall make the data accessible to a third party acting on behalf of the user. However, the large platform operators acting as gatekeepers (e.g. Amazon) are exempt from this. They are not eligible as a third party.

Figure 2 left: Art. 3 Direct Access (accessibility by Design); middle: Art. 4 Indirect Access; right: Art. 5 Data Share with Third Party

(Author: Johannes Vrana, Vrana GmbH, Licenses: CC BY-ND 4.0)

In all three instruments, the data has to be accessible easily, securely, free of charge, in a comprehensive, structured, commonly used and machine-readable format. The Data Act also highlights the importance of interoperability between data spaces, products, and services. In recent time the use of open container-file formats like XML, json, or HDF became quite popular. In my view, just storing data in those formats is not sufficient to meet the data act as they do not enable the required interoperability. Only once a semantic interoperability by a standardized ontology (giving the required structure and machine readability) is given those file formats can be considered compliant with the Data Act.

The Data Act provides for the details of data provision to be set out in contractual agreements between the data holder and the user/third party. The Data Act sets the framework for this and prohibits unfair, unreasonable, and discriminatory contractual terms, for example (Article 8-13).

Articles 23-31 regulate switching between data processing services and reduces obstacles for the user. Switching and transferring all their data to a new service must be free of charge. Data processing services must support their customers when switching, including adapted contractual clauses and information obligations. After a change, the contract with the previous provider is deemed to be terminated - the regulations can therefore lead to extraordinary termination rights.

Is there More to the Data Act

Another interesting term introduced by the Data Act is the data holder. The data holder is defined as “a natural or legal person that has the right or obligation, …, to use and make available data, … “ [12]. With this definition the EU Data Act is the first law which indicates that the person using a device to generate data has certain rights regarding the data. It almost defines who owns data. This needs to be clarified further.

What Does the Data Act Mean for NDT?

The rules of the EU Data Act are a chance for the NDT&NDE market as it offers the potential to significantly expand the use of data and to enable NDE 4.0 use cases [15]. The act introduces the obligation for “Accessibility by Design”. It reduces the current-day burdens caused by proprietary data formats and interfaces and will allow new players to offer services which were not possible up to the moment.

While data creators and users (e.g. Asset OEMs, Owner-Operators, NDT Service Providers, R&D), as well as third-party service providers (a new stakeholder in the NDE Eco-System), will clearly benefit from the act, it will be a challenge for NDT OEMs. For a long time, NDT OEMs used proprietary data formats and interfaces to achieve customer retention. With the EU Data Act, they will have to rethink their business models.

Companies should start implementing the requirements of the Data Act now, as the Data Act brings with it numerous obligations, some of which can only be guaranteed through long-term and extensive process adjustments.

Acknowledgements

Many thanks to Dr. Kai Hofmann (Lawyer and Scientific Advisor at the German Centre for Rail Traffic Research) for his input and discussions.

Note

The author of this text is not a lawyer and cannot give legal advice. This text represents the opinion of the author and is intended as an information for the industry. Each company which sees that its business might be impacted by the European Data Strategy should seek legal counsel.

References

1. Horton TJ, Kirchmeier D (2020) John Deere’s Attempted Monopolization of Equipment Repair, and the Digital Agricultural Data Market- Who Will Stand Up for American Farmers? CPI Antitrust Chronicle, Jan. 2020, 2-7. https://ssrn.com/abstract=3541149
2. Vrana J (2024) EU Data Act and the NDT Industry. Materials Evaluation 82(9), 14-16.
3. Vrana, J. (2025). Cyber Security and Data Ownership. In: Meyendorf, N., Ida, N., Singh, R., Vrana, J. (eds) Handbook of Nondestructive Evaluation 4.0. Springer, Cham. https://doi.org/10.1007/978-3-030-48200-8_79-1
4. COM(2020) 66 Document 52020DC0066; A European strategy for data https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX-:52020DC0066
5. Regulation (EU) 2016/679 Protection of natural persons with regard to the processing of personal data and on the free movement of such data http://data.europa.eu/eli/reg/2016/679/oj
6. Regulation (EU) 2022/868 European data governance http://data.europa.eu/eli/reg/2022/868/oj
7. Regulation (EU) 2022/1925 Contestable and fair markets in the digital sector http://data.europa.eu/eli/reg/2022/1925/oj
8. Regulation (EU) 2022/2065 Single Market For Digital Services http://data.europa.eu/eli/reg/2022/2065/oj
9. Regulation (EU) 2022/2554 Digital operational resilience for the financial sector http://data.europa.eu/eli/reg/2022/2554/oj
10. Directive (EU) 2022/2555 Measures for a high common level of cybersecurity http://data.europa.eu/eli/dir/2022/2555/oj
11. Regulation (EU) 2023/1114 Markets in crypto-assets http://data.europa.eu/eli/reg/2023/1114/oj
12. Regulation (EU) 2023/2854 Harmonised rules on fair access to and use of data http://data.europa.eu/eli/reg/2023/2854/oj
13. Regulation (EU) 2024/1689 Harmonised rules on artificial intelligence http://data.europa.eu/eli/reg/2024/1689/oj
14. Regulation (EU) 2024/2847 Horizontal cybersecurity requirements for products with digital elements http://data.europa.eu/eli/reg/2024/2847/oj
15. Vrana, J., Singh, R. Cyber-Physical Loops as Drivers of Value Creation in NDE 4.0. J Nondestruct Eval 40, 61 (2021). https://doi.org/10.1007/s10921-021-00793-7