EU Data Act and the NDT Industry

By Johannes Vrana: Vrana GmbH, Rimsting, Germany; [email protected] ?

Note: This article was originally published as the NDE Outlook column in the September 2024 issue of Materials Evaluation . NDE Outlook focuses on possibility thinking for NDT and NDE. Topics may include technology trends, research in progress, or calls to action. To contribute, please contact Associate Technical Editor Ripi Singh at [email protected] .?

Background and Up Until Now?

Data is the backbone of digitalization, digital transformation, and NDE 4.0, but the full potential of this resource remains unused. The handling of data—in particular the question of data access, use, ownership, and rights—is often unclear. In a lot of current-day scenarios, connected products are black boxes for the user. The manufacturers of these products sell them to the user, have access to the device data, and force the user into their data ecosystem for any services regarding data evaluation. This might be a good business model for the manufacturers, but the European Commission has determined that this is not in the best interest of economy and society, as it (1) prevents the full potential of data from being utilized, as users are often in a weak position and unable to access the data they generate themselves, and (2) hinders the development of a market for data-driven services. It’s like a car manufacturer requiring you to get service only at their facilities and to buy accessories exclusively from them. The EU wants to create a highly innovative market for digital services. To achieve this, they must separate the hardware market from the data services market. This would allow customers/users to easily access their data for free, compel product manufacturers to adopt fair contract rules, give users the possibility of using third-party service providers, and make it easier to switch from one service provider to another.?

The European Commission started to address those concerns with the EU Data Act. The Data Act is part of their European data strategy, with the purpose of setting clear rules.?

The EU Data Act regulates access to data generated by the use of products or services. It went into effect on 11 January 2024 and will be applied from 12 September 2025. The Data Act is directly applicable in all countries of the European Union for all connected products placed on the market in the EU, as well as providers of related services, regardless of where these manufacturers and providers are established. For companies and consumers, this introduces new obligations and rights that have significant practical implications.?

In my view, this law will reshape the NDT/E industry worldwide, enabling the emergence of numerous start-ups and driving unprecedented growth and innovation in the NDT market, fueled by NDE 4.0.?

Next, let’s delve into the European data strategy and the Data Act.?

Outlook?

European Data Strategy?

The European data strategy [1] aims to create a market for data, ensuring data sovereignty and leading to the creation of data spaces. This will make more data available for the economy and society while ensuring control over data created by individuals and companies. To support this strategy, multiple acts and regulations have been and will be created.?

In 2018, the famous General Data Protection Regulation (GDPR) was implemented. It ensures the protection of natural persons concerning the processing of personal data and the free movement of such data [2]. Although the GDPR is not officially part of the EU data strategy (which started in 2020), it is clearly connected in hindsight. It has also become a model for multiple laws around the world.?

In 2022 the Data Governance Act (DGA) [3], the Digital Markets Act (DMA) [4], and the Digital Services Act (DSA) [5] came into force. The DGA lays the foundation for the creation of a data exchange model, including the requirements for data intermediation services and the establishment of a European data innovation board. The DMA ensures a higher degree of competition in digital markets by preventing so-called gatekeepers (large companies that control market access due to their market power) from abusing their power and allowing new players to enter the market. The DSA establishes liability and safety regulations for digital platforms, services, and products.?

In 2023 the Digital Operations Resilience Act (DORA) [6], the NIS 2 Directive [7], and Markets in Crypto-Assets (MiCA) [8] came into force. DORA improves the digital resilience for the financial sector, the NIS 2 Directive increases cybersecurity for various sectors through higher security requirements, and MiCA aims to streamline distributed ledger technologies (such as blockchains) while protecting users and investors.?

In 2024, the EU Data Act [9] came into force, likely to be followed soon by the AI Act [10] and the Cyber Resilience Act (CRA) [11].?

?

?

EU Data Act?

Out of this bouquet of regulations and directives of the European data strategy, the Data Act might have the biggest impact on the NDT industry. It regulates three main aspects:?

• Access and use of data for users and third parties (service providers)?

• Fair rules for data usage contracts?

• Cloud service providers, particularly regarding the simplification of switching between providers?

?

Is the Data Act Applicable for NDT??

The EU Data Act covers all data recorded by connected devices and related services, including personal and non-personal data, as well as data and metadata. A connected product is defined as “an item that obtains, generates, or collects data concerning its use or environment and that is able to communicate product data via an electronic communications service, physical connection, or on-device access” [9]. This means it applies to all modern-day B2B and B2C devices, including all digital NDT devices. Only servers and similar devices, whose primary function is storing, processing, or transmitting data on behalf of any party other than the user, are exempted.?

A related service is defined as “a digital service, other than an electronic communications service, including software, which is connected with the product at the time of the purchase, rent, or lease in such a way that its absence would prevent the connected product from performing one or more of its functions, or which is subsequently connected to the product by the manufacturer or a third party to add to, update, or adapt the functions of the connected product” [9]. This means the law also applies to all NDT software solutions.?

The Data Act is mainly aimed at manufacturers of connected products and providers of connected services and their users, as well as data holders and public bodies. The company’s registered office is irrelevant: the marketplace principle applies. For small and medium-sized companies (SMEs), some requirements are not applicable.?

?

Requirements of the Data Act?

The Data Act places the user of connected products and related services at the center of data access and control. It provides three instruments for this purpose:?

• Accessibility by design; direct data access (Article 3): Connected products and related services must be designed so that users can access data and metadata directly.?

• Data provision by the data holder; indirect access (Article 4): Where direct access by the user is not technically feasible, the party who has access to the data (e.g., the operator of a related service) must make the data accessible to the user.?

• Processing by a third party (Article 5): Users can have their data processed by a third party. The data holder must make the data accessible to a third party acting on behalf of the user, but large platform operators acting as gatekeepers (e.g., Amazon) are exempt from this requirement and cannot act as third parties.?

In all three cases, the data must be accessible easily, securely, free of charge, and in a comprehensive, structured, commonly used, and machine-readable format. The Data Act emphasizes the importance of interoperability between data spaces, products, and services. While open container–file formats like XML, JSON, or HDF have become popular, simply storing data in these formats may not meet the Data Act’s requirements, as they do not enable the required interoperability. Only once a semantic interoperability by a standardized ontology (giving the required structure and machine readability) is given can those file formats be considered compliant with the Data Act.?

The Data Act also outlines that details of data provision should be defined in contractual agreements between the data holder and the user/third party. The Data Act sets a framework for this and prohibits unfair, unreasonable, and discriminatory contractual terms (Articles 8–13).?

Articles 23–31 address switching between data processing services and aim to reduce obstacles for the user. Switching and transferring all their data to a new service must be free of charge. Data processing services must support their customers during the switching process, including adapting contractual clauses and providing necessary information. Once the switch is complete, the contract with the previous provider is considered terminated, which may lead to extraordinary termination rights.?

?

What Does the Data Act Mean for NDT??

The rules of the EU Data Act present a significant opportunity for the NDT/E market by expanding the use of data and enabling NDE 4.0 use cases [12]. The act introduces the obligation for “accessibility by design,” which reduces the current burdens associated with proprietary data formats and interfaces, and opens the door for new players to offer previously unavailable services.?

While data creators and users (e.g., asset OEMs, owner-operators, NDT service providers, R&D), as well as third-party service providers (a new stakeholder in the NDE ecosystem), will clearly benefit from the act, it will pose a challenge for NDT OEMs. For a long time, NDT OEMs have relied on proprietary data formats and interfaces to retain customers. With the EU Data Act, they will have to rethink their business models.?

Companies should start implementing the requirements of the Data Act now, as it introduces numerous obligations that may require long-term and extensive process adjustments to ensure compliance.?

?

ACKNOWLEDGMENTS?

Many thanks to Dr. Kai Hofmann (lawyer and scientific advisor at the German Centre for Rail Traffic Research) for his input and discussions.?

?

NOTE?

The author of this text is not a lawyer and cannot give legal advice. This text represents the opinion of the author and is intended as information for the industry. Companies with business lines that might be impacted by the European data strategy should seek legal counsel.?

?

AUTHOR?

Johannes Vrana: Vrana GmbH, Rimsting, Germany; [email protected] ?

?

REFERENCES?

1. European Parliament and Council. COM (2020) 66 final. 19 February 2020. A European strategy for data. https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:52020DC0066 .?

?

2. European Parliament and Council. Regulation (EU) 2016/679. 27 April 2016. Protection of natural persons with regard to the processing of personal data and on the free movement of such data. https://data.europa.eu/eli/reg/2016/679/oj .?

?

3. European Parliament and Council. Regulation (EU) 2022/868. 30 May 2022. European data governance. https://data.europa.eu/eli/reg/2022/868/oj .?

?

4. European Parliament and Council. Regulation (EU) 2022/1925. 14 September 2022. Contestable and fair markets in the digital sector. https://data.europa.eu/eli/reg/2022/1925/oj .??

?

5. European Parliament and Council. Regulation (EU) 2022/2065. 19 October 2022. Single market for digital services. https://data.europa.eu/eli/reg/2022/2065/oj .??

?

6. European Parliament and Council. Regulation (EU) 2022/2554. 14 December 2022. Digital operational resilience for the financial sector. https://data.europa.eu/eli/reg/2022/2554/oj .??

?

7. European Parliament and Council. Directive (EU) 2022/2555. 14 December 2022. Measures for a high common level of cybersecurity across the Union. https://data.europa.eu/eli/dir/2022/2555/oj .??

?

8. European Parliament and Council. Regulation (EU) 2023/1114. 31 May 2023. Markets in crypto-assets. https://data.europa.eu/eli/reg/2023/1114/oj .??

?

9. European Parliament and Council. Regulation (EU) 2023/2854. 13 December 2023. Harmonised rules on fair access to and use of data. https://data.europa.eu/eli/reg/2023/2854/oj .??

?

10. European Parliament and Council. 1 August 2024. Artificial Intelligence Act (AI Act). https://en.wikipedia.org/wiki/Artificial_Intelligence_Act .??

?

11. European Parliament and Council. 12 March 2024. Cyber Resilience Act (CRA). https://en.wikipedia.org/wiki/Cyber_Resilience_Act .??

?

12. Vrana, J., and R. Singh. 2021. “Cyber-Physical Loops as Drivers of Value Creation in NDE 4.0.” Journal of Nondestructive Evaluation 40 (3): 61. https://doi.org/10.1007/s10921-021-00793-7 .??