Abstract
Data-driven networking and interoperability make nondestructive testing (NDT) a key provider of safety-critical quality data for Industry 4.0. However, the EU Data Act and Artificial Intelligence (AI) Act will fundamentally reshape how this data is accessed, shared, and utilized. While many view the AI Act with concern, it fundamentally serves as a modern, reasonable extension of existing product liability laws tailored for digital safety components. On the other hand, the Data Act introduces massive structural implications. It creates a legal framework for fair data access, effectively shattering the proprietary data ecosystems of equipment manufacturers while offering unprecedented data sovereignty to users. This article provides an overview of this new regulatory landscape. It explores the legal rights of users, the obligations of equipment manufacturers, enforcement penalties, the protection of trade secrets, and how Data Sovereignty Connectors can technically implement these rules. Ultimately, it highlights how these acts will act as a catalyst for NDE 4.0.
1. Introduction
Data is the irrefutable backbone of digitalization, digital transformation, and the transition toward NDE 4.0 [1,2,3]. Yet, the full potential of this resource frequently remains unused. In many current-day scenarios, the handling of data—specifically concerning questions of access, use, ownership, and rights—is unclear or heavily enforced by powerful product manufacturers.
The whole situation became obvious a couple of years ago when John Deere locked farmers out of accessing their own machine data. By arguing that their proprietary software collected the data and that the copyright belonged solely to them, John Deere attempted to monopolize the growing market of digital agricultural data. They even cooperated with large agricultural companies to sell this data. [4]
This example shows that connected products often operate as black boxes for the user. Manufacturers sell the hardware, retain exclusive access to the device's data or only support proprietary data formats, and subsequently force the user into their proprietary data ecosystems for any evaluation or service. It’s like a car manufacturer requiring you to get service only at their facilities and to buy accessories exclusively from them. In the author's view, this might be a good business model for the manufacturers, but the European Commission has determined that this dynamic is not in the best interest of the economy and society. It prevents the utilization of data to its full potential and actively hinders the development of a competitive, innovative market for data-driven services.
The EU's response is an ambitious strategy shown in Fig. 1 aimed at separating the hardware market from the data-services market, allowing users to easily and freely access their data. Within this push for digital sovereignty, two primary pieces of legislation have emerged with distinct philosophies: the AI Act, which modernizes established safety and liability doctrines, and the Data Act, which actively restructures market economics.
Figure 1: Left: Current situation (product = black box)
Right: EU Data Act (connected product and data service market separated)
(Author: Johannes Vrana, Vrana GmbH, Licenses: CC BY-ND 4.0) [6]
2. European Data Strategy
The European Data Strategy [5,6,7,8,9,10] aims to create a market for data, ensuring data sovereignty and leading to the creation of unified data spaces. To support this strategy, multiple acts and regulations have been implemented.
The foundation was laid in 2018 with the General Data Protection Regulation (GDPR) [11], which ensures the protection and free movement of personal data. In 2022, the Data Governance Act (DGA) [12], the Digital Markets Act (DMA) [13], and the Digital Services Act (DSA) [14] came into force. These laid the foundation for data exchange models and prevented large "gatekeeper" companies from abusing their market power.
In 2023, the Digital Operational Resilience Act (DORA) [15] and the NIS 2 Directive [16] increased cybersecurity resilience across various sectors. Finally, in 2024, the cornerstone acts directly impacting industrial data and systems, namely the EU Data Act [17], the AI Act [18], and the Cyber Resilience Act (CRA) [19], entered into force.
3. The AI Act: A Reasonable Extension of Product Liability
The EU AI Act entered into force on August 1st, 2024, and will become fully applicable on August 2nd, 2026. While the AI Act has caused significant industry concern, in the view of the author, it is a highly logical and reasonable extension of existing product safety and liability laws [20].
In 1985, the Product Liability Directive established the principle of "liability without fault" for producers of defective movables to ensure a fair apportionment of the risks inherent in modern technological production. The AI Act extends this exact safety-first approach to the digital realm. The regulation explicitly clarifies that it complements existing product safety laws, ensuring that all rights and remedies for the compensation of damages remain unaffected.
Instead of reinventing the wheel, the AI Act heavily focuses on AI systems that function as safety components of products, such as machinery, pressure equipment, or medical devices. To ensure consistency, providers of products containing high-risk AI systems can integrate the necessary AI risk-management and quality control testing directly into the conformity assessments they already perform under the New Legislative Framework.
It is important to note that the regulation’s definition of an 'AI system' extends far beyond modern neural networks, encompassing also logic- and knowledge-based approaches that infer outputs from encoded knowledge. However, traditional software based solely on hardcoded rules defined by humans to automatically execute operations without inference is explicitly excluded.
The regulation classifies AI systems strictly by their potential to harm people (see also Fig. 2):
- Prohibited AI Systems: Systems designed to exploit vulnerabilities, untargeted scraping of facial images from the internet or CCTV, and the use of AI to infer emotions in the workplace or educational institutions.
- High-Risk AI Systems: This encompasses AI systems used as safety components for machinery and critical infrastructure. Providers must establish robust Quality Management Systems, maintain detailed technical documentation, and ensure logging capabilities. Deployers (users) must ensure human supervision and verify the quality of input data.
- Limited-Risk AI Systems: Simple generation systems face transparency obligations, such as informing persons they are interacting with AI.
Figure 2: AI System Classification: Can it Harm People (Health, Safety and Fundamental Rights)?
(Author: Johannes Vrana, Vrana GmbH, Licenses: CC BY-ND 4.0)
Most AI-based NDE systems will be classified as high-risk under the EU AI Act because they serve as safety components for critical infrastructure and machinery. Unless an application is strictly for non-safety-critical purposes (like evaluating art) or pure research, industrial NDE systems directly impact health and safety, meaning they must comply with strict high-risk regulatory obligations.
4. The EU Data Act and the NDT Industry
If the AI Act is a modernization of safety and liability, the EU Data Act is a disruptive force with massive implications for equipment manufacturers, offset by immense benefits for users. The Data Act regulates access to and use of data generated by connected products and related services. It applies directly to all connected products placed on the EU market, irrespective of where the manufacturers are headquartered.
A "connected product" is defined as an item that obtains, generates, or collects data concerning its use and can communicate this data electronically. A "related service" is any digital service or software connected to the product in such a way that its absence prevents the product from performing its functions.
In the NDT market, this covers three typical scenarios (see Fig. 3):
- Connected standalone NDT devices (e.g., portable devices with Wi-Fi or Bluetooth).
- Integrated NDT devices (e.g., sensors intended for integration into an automated inspection system).
- NDT inspection systems (complex systems integrating multiple connected products, where the system integrator is responsible for compliance).
Figure 3: Three typical scenarios for connected products in the NDT market.
Left: A connected standalone product which can be connected to a potential related service
Middle: An NDT device which is intended for the integration into an automated inspection system
Right: An NDT inspection system
(Author: Johannes Vrana, Vrana GmbH, Licenses: CC BY-ND 4.0) [10]
The Data Act places the user in a central position, equipped with three primary instruments:
- Accessibility by Design (Article 3): Connected products and related services must be designed so that data and metadata are easily, securely, and freely accessible to the user by default, in a comprehensive, structured, commonly used, and machine-readable format.
- Indirect Access (Article 4): Where direct access is not technically feasible, the data holder must make the data accessible to the user without undue delay, continuously, and in real-time where feasible.
- Data Sharing with Third Parties (Article 5): The data holder must, upon request, make the user's data available to a designated third party (such as a new NDT service provider). Notably, large technology platforms designated as "gatekeepers" under the DMA (e.g., Amazon, Meta) are excluded from acting as eligible third parties.
Figure 4: Left: Art. 3 Direct Access (Accessibility by Design)
Middle: Art. 4 Indirect Access
Right: Art. 5 Data Share with Third Party
(Author: Johannes Vrana, Vrana GmbH, Licenses: CC BY-ND 4.0) [7]
It is important to note that simple open container files like XML or HDF are insufficient to fulfill the mandate for structured, machine-readable data; true compliance requires semantic interoperability achieved through standardized ontologies.
5. Enforcement, Contractual Fairness, and Trade Secrets
The financial stakes for noncompliance with the Data Act are severe. Working in conjunction with the GDPR, violations involving personal data can result in fines of up to €20 million or 4% of global turnover. For non-personal data, national implementations (such as the German draft bill) are proposing fines up to €5 million or 4% of the preceding year’s EU-wide turnover. [9]
To prevent exploitation by powerful data holders, Article 13 dictates that any contractual term concerning data access unilaterally imposed on an enterprise shall not be binding if it is deemed unfair. A user's right to access their data generally cannot be waived, though the European Commission's Expert Group clarified that narrow B2B exceptions may exist, such as in joint ventures accompanied by fair compensation.
Simultaneously, the Data Act provides vital protections for OEMs regarding their intellectual property. Trade secrets shall be preserved. If a user or a third party fails to implement agreed-upon technical and organizational measures to protect trade secrets, the data holder is legally permitted to withhold or suspend the sharing of that data. Such suspensions must be duly substantiated and reported to the competent national authority.
6. Technical Implementation: Data Sovereignty Connectors
While contracts define the legal rules of data sharing and trade secret protection, these rules must be technologically enforced to guarantee true data sovereignty. As any cyber security expert knows, a legal contract alone cannot physically prevent a third party from copying an unencrypted file from a USB stick [7].
The technical solution lies in Data Sovereignty Connectors [7], such as the Eclipse Dataspace Components (EDC) developed by the International Data Spaces Association (IDSA). In this framework, both the data provider (source) and the data consumer (sink) must utilize certified connectors. The data owner defines specific usage rights which are attached to the data mathematically. The connector at the receiving end uses encryption and software restrictions to physically enforce these policies. For example, it can ensure that a third-party NDT service provider can only view the inspection data once before the software automatically deletes it. This technology actively safeguards the trade secrets referenced in the Data Act and establishes a truly secure market for NDE 4.0 data.
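The enforcement idea described above, sketched as an added example (not code from the article, EDC, or IDSA): a provider binds a usage policy to the payload with a MAC, and the receiving connector rejects altered packages and deletes the data once the view limit or expiry is reached. All names (`seal`, `ConsumerConnector`, the policy fields) are hypothetical, and an HMAC with a shared demo key stands in for the provider's signature.

```python
import hashlib
import hmac
import json
import time

# Assumption: HMAC with a shared demo key stands in for the provider's
# signature; a real connector would verify an asymmetric signature.
DEMO_KEY = b"constructed-demo-key"

def _tag(data: bytes, policy: dict, key: bytes) -> str:
    # MAC over canonical policy JSON plus payload hash binds the two together.
    policy_bytes = json.dumps(policy, sort_keys=True).encode()
    msg = policy_bytes + b"|" + hashlib.sha256(data).digest()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def seal(data: bytes, policy: dict, key: bytes = DEMO_KEY) -> dict:
    """Provider side: package the payload with its usage policy and tag."""
    return {"data": data, "policy": policy, "tag": _tag(data, policy, key)}

class ConsumerConnector:
    """Receiving side: refuses tampered packages and enforces the policy."""

    def __init__(self, connector_id: str, key: bytes = DEMO_KEY):
        self.connector_id = connector_id
        self._key = key
        self._store = {}   # asset_id -> package
        self._views = {}   # asset_id -> views so far
        self.audit = []    # (asset_id, event) records for later review

    def receive(self, asset_id: str, package: dict) -> None:
        expected = _tag(package["data"], package["policy"], self._key)
        if not hmac.compare_digest(expected, package["tag"]):
            self.audit.append((asset_id, "rejected: policy or data altered"))
            raise PermissionError("integrity check failed")
        self._store[asset_id] = package
        self._views[asset_id] = 0
        self.audit.append((asset_id, "stored"))

    def _delete(self, asset_id: str, reason: str) -> None:
        self._store.pop(asset_id, None)
        self.audit.append((asset_id, "deleted: " + reason))

    def view(self, asset_id: str, now=None) -> bytes:
        package = self._store.get(asset_id)
        if package is None:
            raise PermissionError("asset not held (never received or deleted)")
        policy = package["policy"]
        now = time.time() if now is None else now
        if policy["assignee"] != self.connector_id:
            raise PermissionError("policy names a different consumer")
        if now > policy["not_after"]:
            self._delete(asset_id, "policy expired")
            raise PermissionError("policy expired")
        self._views[asset_id] += 1
        data = package["data"]
        if self._views[asset_id] >= policy["max_views"]:
            self._delete(asset_id, "view limit reached")
        return data
```

The guarantee holds only while the receiving connector itself is trusted, which is why the framework requires certified connectors on both ends; once the bytes leave the connector for an uncontrolled application, the policy can no longer be enforced technically.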
7. Timelines and Pre-Contractual Obligations
The implementation of the Data Act utilizes a staggered timeline to allow industries with long development cycles to adapt:
- September 12th, 2025: General application begins. Users gain the immediate right to request data access, and new contracts must comply with fairness protections.
- September 12th, 2026: The strict "Accessibility by Design" (Article 3) mandate applies to any connected product placed on the market after this date.
- September 12th, 2027: Existing long-term or indefinite legacy contracts must be brought into full compliance.
Crucially, pre-contractual information obligations apply immediately. Before a contract for a connected NDT device is signed, the seller must explicitly disclose the device's data profile (type, format, and volume), data storage locations, retention times, and detailed instructions on how the user can access and retrieve the data.
Furthermore, the Data Act applies retrospectively to legacy devices. While older equipment does not require retroactive physical redesigning, if an OEM possesses the technical means to remotely access data generated by legacy systems after September 12th, 2025, they are legally bound to make that data available to the user upon request.
8. Conclusion
In the view of the author, this legislation will fundamentally reshape the NDT & NDE industry worldwide. The AI Act, while carrying stringent compliance requirements, should be viewed primarily as a reasonable evolution of the 1985 Product Liability Directive, directly extending established safety-first principles to modern digital safety components.
Conversely, the EU Data Act serves as a structural market revolution. For users, owner-operators, and independent service providers, it brings unprecedented benefits, granting them full legal sovereignty over their own equipment data and the freedom to share it across a newly competitive market. This will enable the emergence of numerous start-ups and drive innovations fueled by NDE 4.0.
For established NDT equipment manufacturers, it represents a massive paradigm shift. Stripped of the ability to use proprietary data formats for customer lock-in, OEMs must fundamentally rethink their business models. They must rapidly adopt "Accessibility by Design" standards and rely on Data Sovereignty Connectors to protect their intellectual property. To survive and thrive in this new era, companies must start implementing the requirements of the Data and AI Acts immediately, as the necessary long-term process adjustments cannot be achieved overnight.
Note:
The author of this text is not a lawyer and cannot give legal advice. This text represents the opinion of the author and is intended as information for the industry. The implementation of the EU Data Act and the AI Act are highly complex processes that deeply intertwine legal requirements with software, hardware, and data architecture. Consequently, achieving compliance cannot be handled through legal consulting alone; it requires legal counsel combined with specialized technical knowledge. Each company that sees that its business might be impacted by the European Data Strategy should seek interdisciplinary advice from both legal and technical experts.
References
- [1] Vrana, J., Singh, R. NDE 4.0—A Design Thinking Perspective. J Nondestruct Eval 40, 8 (2021). https://doi.org/10.1007/s10921-020-00735-9
- [2] Meyendorf N, Ida N, Singh R, Vrana J. NDE 4.0: progress, promise, and its role to Industry 4.0. NDT E Int. 2023;140:102957. https://doi.org/10.1016/j.ndteint.2023.102957
- [3] Vrana, J., Meyendorf, N., Ida, N., Singh, R. (2025). Introduction to NDE 4.0. In: Meyendorf, N., Ida, N., Singh, R., Vrana, J. (eds) Handbook of Nondestructive Evaluation 4.0. Springer, Cham. https://doi.org/10.1007/978-3-031-84477-5_43
- [4] Horton TJ, Kirchmeier D (2020) John Deere's Attempted Monopolization of Equipment Repair, and the Digital Agricultural Data Market - Who Will Stand Up for American Farmers? CPI Antitrust Chronicle, Jan. 2020, 2-7. https://ssrn.com/abstract=3541149
- [5] COM(2020) 66 Document 52020DC0066; A European strategy for data https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:52020DC0066
- [6] Vrana J (2024) EU Data Act and the NDT Industry. Materials Evaluation 82(9), 14-16.
- [7] Vrana J (2025). Cyber Security and Data Ownership. In: Meyendorf, N., Ida, N., Singh, R., Vrana, J. (eds) Handbook of Nondestructive Evaluation 4.0. Springer, Cham. https://doi.org/10.1007/978-3-030-48200-8_79-1
- [8] Vrana J (2025) EU Data Act Requirements, the Chances for the NDT Industry, and Why it is Critical Outside the EU. NDT Trends 95, 36-39.
- [9] Sarpong R (2025) Why NDT OEMS and Related Service Providers Should Care About Europe’s Data Act. Materials Evaluation 83(10), 14-15.
- [10] Vrana J, Leinenbach F., Casperson R., Sarpong R. (2026) Legal Framework and Practical Examples of the EU Data Act in Nondestructive Testing. To be published.
- [11] Regulation (EU) 2016/679 Protection of natural persons with regard to the processing of personal data and on the free movement of such data http://data.europa.eu/eli/reg/2016/679/oj
- [12] Regulation (EU) 2022/868 European data governance http://data.europa.eu/eli/reg/2022/868/oj
- [13] Regulation (EU) 2022/1925 Contestable and fair markets in the digital sector http://data.europa.eu/eli/reg/2022/1925/oj
- [14] Regulation (EU) 2022/2065 Single Market For Digital Services http://data.europa.eu/eli/reg/2022/2065/oj
- [15] Regulation (EU) 2022/2554 Digital operational resilience for the financial sector http://data.europa.eu/eli/reg/2022/2554/oj
- [16] Directive (EU) 2022/2555 Measures for a high common level of cybersecurity http://data.europa.eu/eli/dir/2022/2555/oj
- [17] Regulation (EU) 2023/2854 Harmonised rules on fair access to and use of data http://data.europa.eu/eli/reg/2023/2854/oj
- [18] Regulation (EU) 2024/1689 Harmonised rules on artificial intelligence http://data.europa.eu/eli/reg/2024/1689/oj
- [19] Regulation (EU) 2024/2847 Horizontal cybersecurity requirements for products with digital elements http://data.europa.eu/eli/reg/2024/2847/oj
- [20] Council Directive (EU) 85/374/EEC Approximation of the laws, regulations and administrative provisions of the Member States concerning liability for defective products http://data.europa.eu/eli/dir/1985/374/oj
Author: Dr. Johannes Vrana