Abstract
Digital Twins are becoming central enablers of Europe’s digital and green transitions, yet their data-intensive and autonomous nature exposes them to one of the most complex regulatory environments in the world. This article presents a comprehensive scoping review of how six principal European digital laws—the General Data Protection Regulation, Data Governance Act, Data Act, Artificial Intelligence Act, NIS2 Directive, and Cyber Resilience Act—jointly govern the design, deployment, and operation of Digital Twin systems. Building on the PRISMA-ScR methodology, the study constructs a Unified Digital Twin Compliance Framework (UDTCF) that consolidates overlapping obligations across data governance, privacy, cybersecurity, transparency, interoperability, and ethical responsibility. The framework is operationalised through a Digital Twin Compliance Evaluation Matrix (DTCEM) that enables qualitative assessment of compliance maturity in research and innovation projects. Applying these tools to representative European cases in Smart Cities, Industrial Manufacturing, Transportation, and Energy Systems reveals strong convergence in data governance, security, and interoperability, but also persistent gaps in the transparency, explainability, and accountability of AI-driven components. The findings demonstrate that European digital legislation forms a coherent yet fragmented ecosystem that increasingly requires integration through compliance-by-design methodologies. The article concludes that Digital Twins can act not only as regulated technologies but also as compliance infrastructures themselves, embedding legal, ethical, and technical safeguards that reinforce Europe’s vision for trustworthy, resilient, and human-centric digital transformation.
1. Introduction
The Digital Twin has emerged as one of the most transformative concepts in the digitalisation of physical systems. Originally formulated within product lifecycle management and aerospace engineering, it was conceived as a virtual representation of a physical asset that remains continuously synchronised through data exchange [1]. Early articulations defined the twin as a high-fidelity virtual counterpart capable of mirroring a product or system throughout its lifecycle, assimilating sensor data and simulation models to support monitoring, diagnostics, and predictive decision-making [2]. This concept evolved into a general paradigm for the integration of cyber-physical systems, combining virtual models, real-time data, and control mechanisms to enable intelligent management of complex infrastructures [3].
In this paradigm, a Digital Twin is understood as a persistent, data-driven virtual counterpart of a physical entity, process, or system. It maintains a bidirectional connection with its physical counterpart through sensing, communication, and control. The twin ingests data from the physical world, updates internal models, and generates predictions and decisions that can be enacted in the physical system [4]. This continuous feedback loop allows the twin to support design optimisation, operational efficiency, maintenance forecasting, and end-of-life management. Digital twins integrate hybrid modelling techniques that combine physics-based and machine-learning approaches, semantic data layers that ensure interoperability across domains, and uncertainty quantification that provides confidence in predictions and automated decisions [5]. The resulting systems span multiple levels of complexity, from product and process twins to large-scale system twins representing factories [6], transportation networks [7], power grids [8], and cities [9].
The technological architecture of a Digital Twin typically comprises five interrelated layers: the physical asset instrumented with sensors and actuators; a communication layer that enables secure and reliable data exchange; a virtual layer containing physics-based and data-driven models; a synchronisation layer that maintains alignment between physical and virtual states in time and context; and a service layer providing analytics, visualisation, and control functionalities [4]. Through this architecture, Digital Twins transform raw data into actionable knowledge, enabling real-time decision support, optimisation, and increasingly autonomous operation. As their fidelity and autonomy increase, they evolve from descriptive models to predictive and prescriptive systems that interact directly with the physical world.
These characteristics make Digital Twins powerful enablers of digital transformation across all major sectors of the European economy. In smart cities, they enable planners to simulate urban planning [10], integrate renewable energy [11], and improve mobility systems [12]. In industry, they support production-line optimisation [13], predictive maintenance [14], and supply-chain resilience [15]. In mobility and transportation, they underpin connected and autonomous vehicles that continuously exchange data with cloud-based models [16]. In energy systems, they facilitate integration of renewable resources [17], real-time grid balancing [18], and distributed energy management [19]. The convergence of these capabilities creates a foundational infrastructure for Europe’s data-driven, sustainable, and resilient economy.
However, the same data-intensive and autonomous features that define Digital Twins also make them exceptionally sensitive to the European Union’s comprehensive framework of digital legislation [20]. Each component of a Digital Twin corresponds to specific legal domains that regulate how data and intelligent systems are designed and operated. The General Data Protection Regulation [21] governs personal data collected through sensors, logs, and user interactions, establishing principles of lawful processing, transparency, and individual control. The Data Governance Act [22] and the Data Act [23] define how industrial and public data can be shared, reused, and exchanged under fair and transparent conditions. The Artificial Intelligence Act [24] introduces obligations for trustworthy and human-centric AI systems that underpin learning-enabled twins. The NIS2 Directive [25] establishes cybersecurity and resilience requirements for networked infrastructures, while the Cyber Resilience Act [26] mandates security-by-design principles for software and hardware components. Together, these instruments form an integrated yet fragmented legal environment that profoundly shapes the design, deployment, and operation of Digital Twin systems within the European Union.
The interaction between technical architectures and legal frameworks gives rise to a multidimensional compliance challenge. A single Digital Twin may simultaneously be subject to multiple regulatory obligations depending on its data sources, modelling methods, and connectivity patterns. Managing these overlapping requirements demands a unified approach that links the technical, organisational, and legal dimensions of system development. Compliance-by-design becomes not only a regulatory necessity but also a technical discipline that ensures accountability, interoperability, and trustworthiness throughout the lifecycle of the Digital Twin.
Against this background, this article provides a comprehensive review of how European digital regulations affect the development and deployment of Digital Twins across four key domains: smart cities, industry, mobility, and energy systems. It analyses how each legal instrument addresses specific challenges such as pervasive data collection, algorithmic decision-making, data sharing, and cybersecurity. Real-world examples illustrate both the benefits of Digital Twin technology and the compliance measures required for lawful and ethical operation. The article further proposes a unified compliance framework that aligns the requirements of the main EU legal acts with the technical architecture of Digital Twins, offering a structured pathway towards trustworthy and regulation-aligned innovation. By clarifying how Digital Twins intersect with the European legal order, the discussion contributes to advancing their responsible adoption as central enablers of Europe’s digital and green transitions. While previous studies typically analyse EU digital regulations in isolation, no existing work integrates the GDPR, DGA, Data Act, AI Act, NIS2, and CRA into a unified compliance model capable of guiding Digital Twin system design across domains. This article addresses this gap by proposing the first cross-sector, article-level legal-to-technical synthesis that links EU regulatory obligations directly to Digital Twin architecture, lifecycle governance, and evaluation criteria. To demonstrate the framework’s empirical validity, the study applies and evaluates it across four strategic sectors, Smart Cities, Industrial Manufacturing, Mobility and Transportation, and Energy Systems, thereby providing a cross-domain analysis of how compliance maturity manifests within the European Digital Single Market. Throughout this demonstration, the term ‘Digital Twin’ is generally used in its established technical meaning as a virtual counterpart continuously synchronised with a physical system through bidirectional data exchange, without any further distinction between different variants such as digital models, digital shadows, or digital threads.
The remainder of this article is structured as follows. Section 2 presents the research design and methodological framework employed in the study. Section 3 examines the European Union’s principal digital laws and their implications for Digital Twin systems. Section 4 introduces the integrated compliance framework and its evaluation matrix, which together form the conceptual foundation of the analysis. Section 5, Section 6, Section 7 and Section 8 apply these tools across the selected sectors, while Section 9 discusses cross-sectoral insights. Finally, Section 10 concludes the article with key findings and directions for future research and policy development.
2. Methodology
This study employs a multi-phase methodological design that integrates legal scoping analysis, framework development, and cross-sectoral evaluation. The approach combines the systematic mapping principles of the Preferred Reporting Items for Systematic Reviews and Meta-Analyses extension for Scoping Reviews (PRISMA-ScR) with design-science reasoning. The objective was to construct and validate a unified compliance framework that consolidates obligations from six principal European digital laws and operationalises them as actionable principles for Digital Twin design and governance. The methodology comprises three interdependent phases: (1) legal scoping and knowledge synthesis, (2) framework development, and (3) framework validation through case application.
2.1. Research Design and Objectives
The methodological architecture was designed to capture both the legal and technical dimensions of Digital Twin compliance under European law. The first phase systematically mapped the Union’s legislative corpus governing data protection, artificial intelligence, data sharing, and cybersecurity.
The second phase synthesised these findings into a conceptual and operational framework defining the principal compliance domains for Digital Twin systems. The third phase applied and evaluated this framework across representative European cases to test its interpretive robustness and cross-sectoral relevance. The study was guided by four research questions:
- 1.
- Which European legal instruments collectively regulate Digital Twin systems within and across the selected sectors?
- 2.
- How do the provisions of these instruments interact to create cumulative or overlapping compliance obligations?
- 3.
- What unified framework can support lawful, secure, and interoperable Digital Twin implementation within the European Digital Single Market?
- 4.
- How can the proposed framework be validated through cross-sectoral case application to assess its interpretive robustness and practical effectiveness?
This design positions the study not only as a scoping review of European digital regulation but also as an integrated research and development process culminating in the construction and empirical validation of the Unified Digital Twin Compliance Framework (UDTCF).
2.2. Phase 1: Legal Scoping and Knowledge Synthesis
The first research phase applied a structured scoping-review methodology based on the PRISMA-ScR guidelines. Its purpose was to map and synthesise the European Union’s digital legislative corpus that regulates the design, deployment, and operation of Digital Twin systems. The analysis identified, classified, and interpreted legal instruments that collectively define the normative, technical, and organisational foundations for lawful and trustworthy Digital Twin innovation within the European Digital Single Market.
2.2.1. Eligibility Criteria and Conceptual Boundaries
Eligibility criteria ensured inclusion of legally binding and technologically relevant instruments. The review considered EU regulations, directives, and legislative proposals adopted, published, or under final negotiation between 2016 and 2025, the period in which Europe’s digital-governance architecture consolidated after adoption of the GDPR. Documents were included if they
- Regulated or substantively influenced the collection, sharing, processing, or protection of digital data and intelligent systems.
- Contained provisions affecting cross-sectoral data governance, artificial-intelligence oversight, or cybersecurity of digital infrastructures.
- Were published in consolidated form on EUR-Lex or in official repositories of the European Commission or ENISA.
- Were applicable across multiple sectors, including smart cities, industry, mobility, and energy systems.
Excluded were repealed legislation, national measures, non-binding communications, soft-law instruments, or technical standards lacking direct regulatory authority. The temporal and thematic boundaries ensured comprehensive coverage of the six flagship legislative acts defining the EU’s digital legal order.
2.2.2. Information Sources and Search Strategy
Primary legal texts were retrieved from the following authoritative sources:
- EUR-Lex: for consolidated EU regulations, directives, and legislative proposals.
- ENISA (European Union Agency for Cybersecurity): for cybersecurity-related directives and technical guidelines.
- CORDIS and the Publication Office of the European Union: for interpretative reports, policy evaluations, and impact assessments complementing legal texts.
The search strategy combined controlled and free-text terms to capture all relevant instruments. Search expressions used Boolean combinations such as “data protection regulation” OR “GDPR” AND “Digital Twin”, “data governance act” OR “data act”, “artificial intelligence act” OR “AIA”, “network and information security directive” OR “NIS2”, and “cyber resilience act”. To ensure comprehensive coverage, each query was further refined with contextual keywords (“smart city”, “industry”, “mobility”, “energy system”) and executed in English and official EU languages. Searches were performed between January and July 2025 and limited to official EU documents to ensure authenticity and legal validity. The study included legal texts from EUR-Lex and ENISA alongside academic literature to ensure the scoping review captured both regulatory substance and interpretive scholarship.
2.2.3. Source Selection and Screening Procedure
Source selection followed the PRISMA-ScR four-stage workflow: identification, screening, eligibility, and inclusion.
- Identification: An initial pool of 910 records was retrieved from the databases listed above.
- Screening: Titles and abstracts were reviewed for thematic relevance to Digital Twin governance and EU digital-law domains, reducing the corpus to 114 documents.
- Eligibility: Full-text analysis assessed legal status, scope, and relevance to cross-sectoral data, AI, or cybersecurity governance. Documents failing to meet these criteria (e.g., national implementations or purely technical standards) were excluded.
- Inclusion: Six principal instruments met all criteria and constitute the analytical core of this study:
- ○
- General Data Protection Regulation (GDPR, Regulation (EU) 2016/679)
- ○
- Data Governance Act (DGA, Regulation (EU) 2022/868)
- ○
- Data Act (DA, Regulation (EU) 2023/2854)
- ○
- Artificial Intelligence Act (AIA, Regulation (EU) 2024/1689)
- ○
- NIS2 Directive (Directive (EU) 2022/2555)
- ○
- Cyber Resilience Act (CRA, Regulation (EU) 2024/XXXX)
The selection process is summarised in Figure 1, which presents the PRISMA-ScR flow diagram adapted for legal-document reviews. The diagram details the number of records identified, screened, excluded, and retained for qualitative synthesis, thereby ensuring transparency and reproducibility of the review process. The following counts reflect document flow through each stage: 910 records identified; 910 screened after duplicates removed; 129 reports sought for retrieval; 114 assessed for eligibility; 6 primary legal instruments analysed and included.
Figure 1.
PRISMA-ScR flow diagram for EU regulations related to Digital Twins.
2.2.4. Analytical Coding and Synthesis
Each included instrument was examined using a structured coding and charting scheme. Articles, recitals, and annexes were coded according to objectives, obligations, and implications for seven thematic dimensions: data governance, privacy, cybersecurity, accountability, interoperability, transparency, and ethics. Coded data were recorded in a comparative matrix noting article number, legal objective, compliance obligation, and technical implication. Thematic synthesis identified overlaps, complementarities, and inter-dependencies among the six acts. This cross-law synthesis generated a comprehensive matrix of obligations that served as the empirical foundation for developing the Unified Digital Twin Compliance Framework (UDTCF) described in Phase 2.
2.2.5. Literature Scoping for Methodological Novelty
In parallel with the legal mapping, a targeted literature scoping established whether comparable methodological frameworks had been proposed in peer-reviewed articles. This complementary search ensured that the UDTCF developed here represents a novel contribution rather than a reformulation of existing approaches. The literature scoping followed the same procedural discipline as the legal review but focused exclusively on academic sources addressing compliance or governance methodologies for Digital Twin systems under EU law.
Searches covered Scopus, Web of Science, IEEE Xplore, ScienceDirect, and SpringerLink, spanning 2018–2025 to capture the period when Digital Twin research matured alongside the evolution of EU digital legislation. Combined search terms included “Digital Twin”, “compliance framework”, “data governance”, “AI Act”, “GDPR”, “Data Act”, and “EU regulation”.
Results were screened by title, abstract, and keywords to identify studies proposing conceptual or operational frameworks for regulatory compliance in Digital Twins or related cyber-physical systems. Exclusions covered papers confined to technical architectures or sector-specific use without regulatory analysis. The final corpus comprised 9 publications showed in Table 1.
Table 1.
Related literature covering comparable methodological frameworks.
The analysis of the article in Table 1 showed that existing studies treat individual legal instruments in isolation, most often the GDPR or Data Act, without integrating the six major EU laws into a single, cross-sectoral compliance model. Hence, existing frameworks address individual domains and lack a comprehensive legal–technical synthesis applicable across sectors. This confirmed the methodological novelty of both the UDTCF and its companion instrument, the Digital Twin Compliance Evaluation Matrix (DTCEM), establishing the study’s unique contribution to legal scholarship and Digital Twin research.
2.3. Phase 2: Framework Development
Building on the regulatory corpus identified through the PRISMA-ScR process, the second phase developed a unified framework translating complex and overlapping EU obligations into an integrated compliance model for Digital Twin systems. This phase applied a design-science logic, combining deductive legal synthesis with inductive conceptual modelling to derive a normative, technical, and organisational framework relevant across multiple domains of deployment.
2.3.1. Conceptual Modelling Process
The framework development process began with a comparative analysis of the six legal instruments identified in Phase 1: the General Data Protection Regulation (GDPR), the Data Governance Act (DGA), the Data Act (DA), the Artificial Intelligence Act (AIA), the NIS2 Directive, and the Cyber Resilience Act (CRA). Each act was decomposed in phase 1 into coded provisions corresponding to specific legal obligations and governance principles. Cross-law analysis then identified convergent themes and dependencies, such as data-access governance, privacy-by-design, risk management, cybersecurity resilience, and transparency of artificial intelligence systems. Through iterative synthesis, these recurring themes were abstracted into seven meta-categories representing the fundamental compliance domains for Digital Twin systems:
- Data Governance and Access Control
- Data Protection and Privacy
- Cybersecurity and Resilience
- Accountability and Risk Management
- Transparency and Trust
- Interoperability and Standardisation
- Ethical and Social Responsibility
Together, these meta-categories form the Unified Digital Twin Compliance Framework (UDTCF), which establishes a consolidated structure linking legal requirements to the architectural, procedural, and ethical dimensions of Digital Twin design and operation.
2.3.2. Framework Structuring and Operationalisation
Once the seven meta-categories were defined, their constituent legal and technical obligations were mapped against the functional architecture of Digital Twin systems, data acquisition, modelling, communication, synchronisation, and service layers, to establish direct correspondence between regulatory provisions and system components. This mapping ensured that each compliance domain could be operationalised through measurable technical and organisational mechanisms.
To facilitate systematic evaluation, the UDTCF was translated into a structured analytical instrument, the Digital Twin Compliance Evaluation Matrix (DTCEM). The DTCEM converts each meta-category into a set of qualitative indicators and defines a four-level compliance scale: Non-Compliant, Partially Compliant, Compliant, and Fully Compliant, enabling assessment of compliance maturity in research and innovation projects. This operationalisation bridges normative legal interpretation and practical engineering implementation, creating a replicable framework for assessing lawful and trustworthy Digital Twin design.
2.4. Phase 3: Framework Validation Through Case Application
The interpretive validity and practical relevance of the UDTCF and DTCEM were tested on representative European Digital Twin initiatives across four sectors: Smart Cities, Industrial Manufacturing, Mobility and Transportation, and Energy Systems. Case identification followed a transparent, multi-source procedure drawing from the CORDIS database, the Smart Cities Marketplace, and institutional or industrial repositories. Supplementary searches covered national and regional innovation portals such as the European Energy Research Alliance and the Digital Europe Programme directory. A total of 45 candidates were identified and screened against four inclusion criteria:
- A clearly defined Digital Twin concept with public documentation;
- Association with one of the four target sectors;
- Availability of sufficient legal, organisational, and technical evidence for DTCEM assessment;
- Explicit alignment with EU digital-policy objectives.
Twelve cases, three per sector, fulfilled all criteria and together represent a balanced cross-section of European Digital Twin practice. Each case was evaluated against the seven meta-categories of the DTCEM using the four-level scale. Evidence derived from project deliverables, institutional reports, and policy frameworks. To ensure analytical consistency, all assessments were independently reviewed by both authors, providing cross-validation of interpretation and reducing subjectivity in qualitative scoring. This validation procedure confirmed that the UDTCF offers a coherent structure for integrating overlapping EU requirements into the technical and organisational lifecycle of Digital Twins. The results of this evaluation are presented in Section 5, Section 6, Section 7 and Section 8, which detail sector-specific compliance assessments.
2.5. Rationale for the Multi-Phase Approach
The three-phase methodology: legal scoping, framework development, and empirical evaluation, captures the multidisciplinary nature of Digital Twin research at the intersection of law, governance, and cyber-physical engineering. The scoping phase establishes a verifiable regulatory corpus through the PRISMA-ScR procedure, ensuring transparency, completeness, and traceability. The framework-development phase transforms this corpus into a structured compliance model bridging legal norms and technical design, thereby advancing the field of compliance-by-design. The evaluation phase verifies the framework’s empirical relevance by applying it to real-world cases across Europe’s strategic digital and green-transition sectors. Together, these phases form a continuous methodological cycle linking normative governance with practical engineering. The approach extends beyond conventional legal analysis by providing a reproducible pathway for designing, testing, and validating compliance frameworks within the European digital ecosystem.
3. EU Laws and Digital Twins
In the European Union, a robust and evolving framework of laws governs data protection, artificial intelligence, data sharing, and cybersecurity, all of which directly impact the design and operation of digital twin systems. The multidimensional architecture of Digital Twins—spanning data acquisition, model-based analytics, connectivity, and actuation—means that each functional layer intersects with a specific area of legal oversight. The General Data Protection Regulation (GDPR) safeguards personal data and privacy, while the Data Governance Act and the Data Act define conditions for secure, fair, and interoperable data sharing across organisations and sectors. The Artificial Intelligence Act introduces obligations for transparency, risk management, and accountability of AI-driven components. The NIS2 Directive and the Cyber Resilience Act impose requirements for cybersecurity, system integrity, and secure product design. Together, these instruments create an interdependent compliance landscape that digital twin developers and adopters must navigate. European regulators aim to ensure transparency, privacy, safety, and security in these emerging technologies, yet organisations often face uncertainty in interpreting how general legal principles apply to the novel context of digital twins, from questions of data ownership and consent to liability for algorithmic decisions. The following sections examine these six legal instruments in detail, outlining how their provisions collectively shape the lawful and trustworthy deployment of digital twin systems within the European Union.
3.1. General Data Protection Regulation (GDPR)
The General Data Protection Regulation (Regulation (EU) 2016/679) establishes the legal framework for the protection of personal data and the free movement of such data within the European Union. It replaces Directive 95/46/EC and constitutes a binding legal instrument directly applicable in all Member States. The Regulation aims to ensure a consistent and high level of protection of natural persons with regard to the processing of personal data while safeguarding the fundamental rights and freedoms enshrined in the Charter of Fundamental Rights of the European Union. It further seeks to harmonise the conditions for lawful data processing across the Union and to strengthen the principles of accountability, transparency, and individual control over personal information.
The Regulation is structured into eleven chapters that set out the principles, rights, and obligations governing the processing of personal data. Its provisions define the responsibilities of controllers and processors, specify the legal bases for processing, and establish mechanisms for supervisory oversight and enforcement. The Regulation also outlines the rights of data subjects, including access, rectification, erasure, and portability, and introduces safeguards for automated decision-making and data transfers beyond the Union.
Although the General Data Protection Regulation contains ninety-nine articles in total, certain provisions constitute its essential core. These define the scope, fundamental principles, and lawful grounds for processing, as well as the mechanisms ensuring compliance, accountability, and protection of data subjects’ rights. The most important articles can be grouped according to their regulatory function: general provisions defining the scope and applicability of the Regulation; substantive provisions articulating the principles and conditions of lawful processing; procedural provisions detailing data subject rights and controller obligations; and enforcement provisions establishing governance, remedies, and penalties.
Table 2 presents a structured overview of these key articles, outlining their titles, central obligations, and relevance within the overall regulatory framework. To enhance the practical applicability of this overview, a third column summarises the implications for compliance in research and innovation projects that involve complex data processing environments, such as those applying Digital Twins, artificial intelligence, or advanced information systems. This integrated presentation links the legal principles of the Regulation with the operational and technical considerations essential for ensuring conformity in data-driven research and innovation activities.
Table 2.
Overview of the most important articles of the General Data Protection Regulation (EU) 2016/679 and their implications for compliance in research and innovation projects.
The synthesis presented in Table 2 illustrates how the General Data Protection Regulation forms an integrated legal and operational framework for data governance, connecting principles of lawfulness, transparency, and accountability to technical and procedural practices. To further support the implementation of these principles in digital and data-driven research contexts, Table 3 extends this overview by summarising the technical compliance requirements that are particularly relevant to system architecture, data interfaces, interoperability, and cloud portability. This complementary table translates the legal provisions into actionable design and deployment criteria for developing and maintaining compliant data processing environments.
Table 3.
Key regulatory requirements of the General Data Protection Regulation (EU) 2016/679 and their implications for Digital Twin system design.
The combination of Table 2 and Table 3 provides a coherent view of the General Data Protection Regulation from both legal and technical perspectives. It links the normative foundations of data protection law to concrete architectural, procedural, and governance requirements, supporting a systematic approach to compliance-by-design in complex, data-intensive research and innovation environments.
3.2. Data Governance Act (DGA)
The Data Governance Act (Regulation (EU) 2022/868) constitutes one of the principal legal instruments of the European Union’s data strategy, establishing a harmonised framework for the secure, fair, and transparent exchange and re-use of data across Member States. The Regulation aims to increase trust in data sharing mechanisms, enhance the availability of data for economic, scientific, and public interest purposes, and strengthen the Union’s capacity to build a competitive and human-centric data economy. By setting common rules for data intermediation, data altruism, and the re-use of protected public sector data, the Act introduces a governance architecture that ensures lawful, ethical, and traceable data flows within the internal market while safeguarding fundamental rights and data protection.
The Regulation does not create new obligations to share data but provides a consistent governance framework to facilitate voluntary and responsible data exchange. It complements the General Data Protection Regulation and the Data Act by operationalising the principles of transparency, neutrality, accountability, and interoperability in data use. The Act’s provisions ensure that both personal and non-personal data are shared in a trustworthy environment, mediated through neutral intermediaries and safeguarded by strong institutional oversight.
The core provisions of the Data Governance Act can be grouped according to their objectives and relevance for data governance and compliance. These include the re-use of protected public sector data (Articles 3–9), the regulation of data intermediation services (Articles 10–15), the framework for data altruism (Articles 16–25), the designation of competent authorities (Articles 26–28), the establishment of the European Data Innovation Board (Articles 29–30), and the safeguards for international data transfers (Article 31). Collectively, these provisions form a structured and enforceable foundation for transparent data governance across the Union, promoting interoperability and trust in cross-border data transactions.
Table 4 provides a structured summary of the most important Articles of the Data Governance Act. It outlines the title, key obligations, and relevance of each Article while including an additional column that summarises their implications for compliance in research and innovation projects such as those involving digital twins, artificial intelligence, or smart data ecosystems.
Table 4.
Summary of the most important Articles of the Data Governance Act (Regulation (EU) 2022/868) and their implications for compliance in research and innovation projects.
While Table 4 presents the structural and legal interpretation of the Regulation, Table 5 translates these legal requirements into a set of technical compliance measures relevant for data-intensive system architectures. It highlights the specific technical dimensions of compliance such as interoperability, secure data interfaces, cloud portability, and auditability that must be incorporated into digital infrastructures to ensure conformity with the Act.
Table 5.
Technical compliance requirements derived from the Data Governance Act and their implications for Digital Twin system design.
Together, these tables provide an integrated overview of the Data Governance Act’s legal and technical dimensions. They illustrate how the Regulation establishes not only a governance framework for lawful data exchange but also a set of architectural and procedural benchmarks for trustworthy, transparent, and interoperable data systems within the European digital ecosystem.
3.3. Data Act (DA)
The Data Act (Regulation (EU) 2023/2854) establishes a comprehensive legal framework for ensuring fairness, transparency, and accountability in the access to and use of data within the European Union. Adopted in December 2023, it complements the existing EU digital regulatory architecture by introducing harmonised rules that define rights and obligations related to data sharing, interoperability, and the protection of lawful access. The Regulation seeks to promote a balanced data economy in which data generated by connected products and related services can be accessed and reused under fair, reasonable, and non-discriminatory conditions, thereby enhancing innovation while safeguarding legitimate interests such as data protection, trade secrets, and cybersecurity.
The Regulation applies horizontally across sectors and covers both personal and non-personal data. It defines the roles of users, data holders, and data recipients, establishes mechanisms for public sector access to privately held data in cases of exceptional need, and sets principles for switching between data processing services. Furthermore, it provides technical and organisational requirements to guarantee interoperability between systems, ensure lawful international data transfers, and introduce safeguards against unfair contractual practices in data-related agreements.
The most significant provisions of the Data Act can be grouped according to their thematic focus and regulatory intent. The general provisions (Articles 1–2) define the scope of application and establish key terminology that underpins the legal interpretation of the Regulation. The data access and sharing provisions (Articles 3–7) introduce the principle of data accessibility by design and outline the rights of users to access, use, and share data generated by connected products and services. The business-to-business fairness rules (Articles 8–13) require that data be shared on fair, reasonable, and non-discriminatory terms and prohibit the imposition of unfair contractual conditions. The public-interest data access provisions (Articles 14–21) permit the use of privately held data by public authorities and EU institutions under specific and proportionate conditions in situations of exceptional need.
The rules on data processing and cloud switching (Articles 23–31) establish obligations for providers of data processing services to remove technical and contractual barriers to data portability and to ensure functional equivalence following service migration. The interoperability and international access provisions (Articles 32–36) introduce safeguards against unlawful access to non-personal data by third countries, define interoperability requirements for data exchange and common data spaces, and prescribe essential conditions for smart contracts used in automated data sharing. Finally, the implementation and enforcement framework (Articles 37–50) mandates Member States to designate competent authorities, defines cooperation mechanisms, introduces proportionate penalties for non-compliance, and sets timelines for the gradual application of the Regulation from September 2025 onward.
Together, these provisions form the foundation of the European Union’s data governance regime by delineating clear responsibilities among data actors, ensuring interoperability of digital infrastructures, and fostering trust in the lawful and equitable use of data.
The following Table 6 provides an overview of the most important articles, grouped according to their legal function and relevance for compliance. It highlights the regulatory purpose of each provision and identifies its implications for research and innovation projects relying on data-driven technologies such as digital twins and artificial intelligence.
Table 6.
Key Articles of the EU Data Act and Implications for Compliance in Research and Innovation Projects.
While Table 6 defines the legal and governance framework of the Data Act, effective compliance depends on its translation into technical system design and operational processes. Table 7 summarises the technical compliance requirements that arise from the Regulation’s provisions, focusing on data accessibility, interoperability, portability, and lawful use within digital infrastructures. It identifies the system-level mechanisms, architectural decisions, and procedural controls necessary to operationalise the Regulation’s principles within research and innovation environments that rely on distributed data and computational resources.
Table 7.
Technical Compliance Requirements for Digital Twin Systems under the EU Data Act.
3.4. Artificial Intelligence Act (AIA)
The Artificial Intelligence Act (Regulation (EU) 2024/1689) establishes a harmonised legal framework governing the development, placement on the market, and use of artificial intelligence within the European Union. The Act represents the first comprehensive regulatory instrument addressing the opportunities and risks associated with artificial intelligence, ensuring that its deployment is consistent with the Union’s fundamental values, human rights, and principles of transparency, accountability, and safety. Its objective is to create the conditions for trustworthy and human-centric artificial intelligence that fosters innovation while safeguarding public interests and the integrity of the internal market.
The structure of the regulation follows a risk-based approach that differentiates obligations according to the level of potential harm associated with an artificial intelligence system. It defines the categories of unacceptable, high, limited, and minimal risk and establishes specific requirements for each. The most significant provisions concern the identification of high-risk artificial intelligence systems, the establishment of technical and organisational safeguards, and the introduction of transparency and oversight obligations to ensure responsible design, development, and deployment.
Core obligations under the Act encompass the establishment of comprehensive risk management frameworks, the implementation of data governance and documentation requirements, and the enforcement of standards for transparency, accuracy, robustness, and human oversight. The regulation further defines the responsibilities of all actors in the artificial intelligence value chain, including providers, importers, distributors, and deployers, and sets out conformity assessment procedures to verify compliance before systems are placed on the market. It also introduces governance structures at both national and Union levels through the creation of the European Artificial Intelligence Board and the AI Office, which coordinate oversight, guidance, and enforcement.
In addition, the Act introduces specific provisions for general-purpose artificial intelligence models, mandates the establishment of regulatory sandboxes to support innovation under supervision, and defines a consistent penalty regime proportionate to the severity of non-compliance. Collectively, these elements form the legal foundation for the trustworthy and responsible integration of artificial intelligence across applications and contexts within the European Union.
To clarify the structure of the regulation and its key obligations, Table 8 presents a detailed overview of the most important articles of the Artificial Intelligence Act. The table groups the articles according to their objectives and relevance for compliance, governance, and risk management, while the final column identifies the implications for compliance in research and innovation projects involving artificial intelligence, digital twins, or other advanced system architectures. This extended interpretation allows for a deeper understanding of how the regulation informs the design and documentation of intelligent digital systems developed within research and innovation frameworks.
Table 8.
Summary of Core Articles of the Artificial Intelligence Act and Implications for Research and Innovation Compliance.
To further support digital twin developers in interpreting and operationalising the Artificial Intelligence Act, Table 9 reformulates the same key provisions into a condensed format that emphasises compliance awareness and practical implementation. The table is designed to guide development teams, research consortia, and system architects in understanding how each article translates into procedural and technical responsibilities during the design, testing, and deployment of digital twin systems that incorporate artificial intelligence components. It thereby serves as a pedagogical and organisational tool for integrating regulatory compliance into the full lifecycle of digital twin development and innovation.
Table 9.
Regulatory Requirements of the Artificial Intelligence Act and Their Implications for Digital Twin Design.
Together, these tables provide a structured foundation for understanding the Artificial Intelligence Act. They collectively bridge the regulatory text and its operational interpretation, offering both analytical depth for researchers and practical guidance for educators and compliance practitioners.
3.5. NIS 2 Directive (Network and Information Systems Security Directive)
The Directive (EU) 2022/2555 of the European Parliament and of the Council, known as the NIS 2 Directive, establishes a comprehensive framework for achieving a high common level of cybersecurity across the European Union. It replaces the original NIS Directive (EU) 2016/1148 and introduces a harmonised and more stringent regulatory regime designed to strengthen the resilience of network and information systems that underpin essential and important services within the internal market. The Directive defines the legal and organisational foundations for national cybersecurity governance, extends its scope to a broader range of entities, and reinforces supervisory and enforcement mechanisms to ensure consistent implementation among Member States.
The NIS 2 Directive is structured around several fundamental objectives that collectively ensure a unified and risk-based approach to cybersecurity management. It first establishes the general provisions, scope, and definitions that determine its applicability, classification of entities, and relationship with other Union legal instruments. It then defines the national and Union-level governance architecture, requiring Member States to adopt cybersecurity strategies, designate competent authorities, and establish computer security incident response teams (CSIRTs) to coordinate preparedness and response activities. Furthermore, it sets out harmonised cybersecurity risk-management measures and detailed incident-reporting obligations, providing a consistent procedural and technical framework for compliance. At the Union level, it enhances cooperation through structured mechanisms such as the Cooperation Group, the CSIRTs network, and the European Cyber Crisis Liaison Organisation Network (EU-CyCLONe). Finally, it reinforces supervision, enforcement, and sanctioning powers, ensuring accountability and uniform application of cybersecurity requirements across the Union.
Table 10 summarises the most important Articles of the NIS 2 Directive, grouped by their objectives and regulatory significance. Each Article is accompanied by its title, key obligation, relevance, and implications for compliance in research and innovation contexts such as digital twin platforms, artificial intelligence systems, and smart building infrastructures. The table provides a concise reference for understanding how the Directive’s legal requirements translate into compliance obligations for organisations engaged in the design, development, and deployment of digital technologies.
Table 10.
Summary of Key Articles in the NIS 2 Directive and their Relevance for Digital Twin Research and Innovation.
Table 10 provides a regulatory overview that links each Article of the NIS 2 Directive to its operational significance for research and innovation environments. While the table emphasises Digital Twin development as a representative domain, its implications extend to any complex digital system architecture subject to the Directive’s provisions.
Building on this, Table 11 translates the legal and organisational provisions of the NIS 2 Directive into specific technical compliance requirements relevant to system architecture, data exchange, interoperability, and cloud portability. It serves as a practical mapping between the Directive’s legal obligations and the technical design principles that ensure conformity within distributed and data-driven digital infrastructures.
Table 11.
Technical Compliance Requirements of the NIS 2 Directive Relevant to Digital Twin System Architecture.
Together, Table 10 and Table 11 provide a structured understanding of the NIS 2 Directive as both a legal and a technical instrument for cybersecurity governance. They demonstrate how regulatory provisions are operationalised within digital infrastructures, supporting the systematic alignment of organisational processes, data governance, and system design with the Directive’s overarching objective of ensuring a common and resilient cybersecurity posture across the European Union.
3.6. Cyber Resilience Act (CRA)
The Cyber Resilience Act (Regulation (EU) 2024/XXXX) constitutes a cornerstone of the European Union’s cybersecurity legislation, aiming to ensure a uniformly high level of cyber resilience across all products with digital elements made available on the Union market. It introduces harmonised requirements that apply to both hardware and software throughout their entire lifecycle, from design and development to production, maintenance, and end-of-life. By establishing common obligations for manufacturers, importers, and distributors, the Regulation seeks to safeguard the internal market against systemic digital vulnerabilities and to enhance the overall trustworthiness of the digital ecosystem.
The Regulation applies to a broad spectrum of products with digital elements and defines mandatory cybersecurity requirements based on the principles of security-by-design and security-by-default. These principles ensure that security considerations are integrated from the earliest stages of product conception and continuously maintained through vulnerability management and post-market monitoring. The Cyber Resilience Act introduces a structured governance model that defines responsibilities for all economic operators in the supply chain. Manufacturers are required to conduct risk assessments, implement secure development processes, and ensure conformity before products are placed on the market. Importers and distributors must verify compliance and cooperate with supervisory authorities.
To ensure proportionality and coherence, the Act differentiates between products according to their risk level and establishes corresponding conformity assessment procedures. This tiered approach balances the need for high security assurance with the importance of promoting innovation and reducing administrative burdens. National authorities are empowered to conduct audits, enforce corrective measures, and impose sanctions in cases of non-compliance, while the European Commission and the European Union Agency for Cybersecurity (ENISA) coordinate the implementation of technical standards and regulatory updates. Through this structure, the Act combines preventive security design with enforceable oversight mechanisms to strengthen cyber resilience across the Union.
The most significant provisions of the Cyber Resilience Act can be grouped according to their regulatory objectives and implementation focus. Table 12 presents an overview of the Regulation’s most important articles, highlighting their main obligations, relevance, and specific implications for compliance in research and innovation projects involving digital technologies such as digital twins, artificial intelligence, or intelligent systems.
Table 12.
Summary of the Most Important Articles of the Cyber Resilience Act.
Beyond the legal and procedural aspects, the Cyber Resilience Act also establishes technical compliance requirements that define how cybersecurity must be implemented in complex digital architectures. These requirements are particularly relevant to systems that integrate interconnected components, distributed data infrastructures, and cloud-based environments. They cover interoperability, data integrity, secure communication, cloud portability, and resilience across system interfaces. Table 13 presents a structured synthesis of the Act’s technical compliance dimensions, linking specific articles to the architectural and engineering considerations that underpin cybersecurity-by-design in advanced digital systems.
Table 13.
Technical Compliance Requirements under the Cyber Resilience Act Relevant to Digital Twin System Architecture.
Together, these two tables illustrate how the Cyber Resilience Act provides both a regulatory foundation and a technical framework for ensuring the cybersecurity of digital systems. The Regulation establishes legal obligations for conformity, accountability, and enforcement, while simultaneously defining precise technical expectations for secure interoperability and resilience. It therefore forms a comprehensive framework for guiding compliance in the design, operation, and governance of interconnected digital environments within the European Union.
4. Towards a Unified Digital Twin Compliance Framework
4.1. Rationale for Integration of EU Digital Regulations
The preceding sections have demonstrated that the European regulatory environment governing Digital Twin systems is both comprehensive and multifaceted. Each of the six legal instruments—the General Data Protection Regulation (GDPR), the Data Governance Act (DGA), the Data Act, the Artificial Intelligence Act (AI Act), the NIS2 Directive, and the Cyber Resilience Act (CRA)—introduces distinct objectives, terminologies, and compliance mechanisms. While together they form the foundation for trustworthy and secure data-driven innovation within the European Union, their concurrent application creates an intricate compliance landscape that is difficult for technology developers to operationalise in practice. The overlapping scopes of these laws mean that a single Digital Twin may simultaneously be classified as a data controller, an AI provider, a data holder, and an operator of an essential digital service. Consequently, even small design decisions, such as which data to collect, how to share it, or how to manage security updates, can trigger multiple legal obligations across different regulatory domains.
This fragmentation leaves developers and research organisations with the challenge of navigating six sets of requirements that must be satisfied concurrently during the design, development, deployment, and operation of a Digital Twin. Without a structured compliance framework, it becomes nearly impossible to maintain traceability between legal obligations and their corresponding technical implementations. The risk is not only non-compliance but also reduced innovation capacity, as excessive legal uncertainty discourages experimentation and cross-sectoral data use. This underscores the need for an integrated approach that aligns the requirements of EU data, AI, and cybersecurity legislation into a coherent methodology that developers can follow systematically throughout the Digital Twin lifecycle.
4.2. Conceptual Basis of the Unified Digital Twin Compliance Framework (UDTCF)
To address this challenge, a unified digital twin compliance framework (UDTCF) is proposed. The framework consolidates the principal obligations derived from the six EU legal acts into a single, harmonised matrix of meta-categories that groups requirements according to shared compliance domains. This approach enables developers to assess, implement, and document compliance-by-design measures holistically rather than separately for each regulation. The framework serves as both a conceptual map for legal alignment and a practical design tool for developers working on Digital Twins intended for the European market. The creation of the UDTCF followed a structured legal-to-technical mapping process, shown in Figure 2, where each article of each regulation was first coded for objective, obligation type, and technical implication (Section 3.1, Section 3.2, Section 3.3, Section 3.4, Section 3.5 and Section 3.6). Then these coded obligations were thematically grouped through an inductive process into the seven meta-categories. For example, GDPR Article 22 prohibits solely automated decision-making that produces legal or significant effects on individuals. The coding process identifies obligations related to human oversight, transparency, and explainability. These were assigned to three meta-categories of the UDTCF: Data Protection and Privacy, Accountability and Risk Management, and Transparency, Explainability and Trust. Technical implications include implementing human-in-the-loop review mechanisms, explainable-model interfaces, and decision-logging capabilities within the Digital Twin workflow.
Figure 2.
Deriving Meta-Categories from EU Regulatory Obligations.
Table 14 provides the synthesis of the key compliance requirements of the GDPR, DGA, Data Act, AI Act, NIS2 Directive, and CRA into the seven meta-categories: Data Governance and Access Control, Data Protection and Privacy, Cybersecurity and System Resilience, Accountability and Risk Management, Transparency and Trust, Interoperability and Standardisation, and Ethical and Social Responsibility. Together, these meta-categories capture the cumulative compliance logic of EU law as it applies to Digital Twin systems, establishing a unified compliance model that links legal provisions to the technical and organisational layers of system design.
Table 14.
Integrated EU Compliance Framework for Digital Twin Systems under EU Law.
4.3. Technical Implementation Guidelines for Compliance-by-Design
While Table 14 provides a consolidated mapping of obligations across EU legislation, its utility for practitioners increases when complemented with explicit design guidance. Table 15 therefore operationalises the seven meta-categories of the UDTCF by linking them to concrete design and deployment measures that Digital Twin developers can apply directly. It converts the legal and ethical requirements of EU law into actionable technical principles that govern data governance, security, transparency, and interoperability throughout the Digital Twin lifecycle. In this way, the framework bridges the conceptual layer of legal interpretation with the engineering layer of compliance implementation.
Table 15.
Technical Compliance Implications for Digital Twin Systems under EU Law.
This unified framework transforms the complexity of European digital regulation into a structured methodology for lawful, secure, and interoperable Digital Twin development. It allows developers to identify compliance dependencies early, document regulatory evidence consistently, and integrate technical safeguards systematically across all system layers. By embedding these principles into the engineering process, Digital Twin developers can align innovation with European legal and ethical standards, thereby ensuring that Digital Twin solutions are market-ready, trustworthy, and compliant within the evolving European data and AI ecosystem.
4.4. The Digital Twin Compliance Evaluation Matrix (DTCEM)
While the UDTCF provides a structured synthesis of legal and technical obligations under the six major EU laws, practical assessment of compliance in real-world Digital Twin projects remains a significant challenge. Many Digital Twins are documented in scientific articles, research deliverables, or technical reports, but their degree of legal and ethical compliance is rarely assessed systematically. The complexity of the European regulatory environment, combined with the multidisciplinary nature of Digital Twin systems, makes it difficult to determine whether a specific implementation conforms to the requirements of the General Data Protection Regulation (GDPR), the Data Governance Act (DGA), the Data Act, the Artificial Intelligence Act (AI Act), the NIS2 Directive, and the Cyber Resilience Act (CRA).
To address this challenge, a Digital Twin Compliance Evaluation Matrix (DTCEM) is proposed, as shown in Table 16. The DTCEM extends the compliance framework and technical implications presented in Table 14 and Table 15 by translating each compliance domain into a set of measurable evaluation indicators that can be applied to existing Digital Twin projects. It provides a structured instrument for assessing how well a Digital Twin system aligns with EU legal requirements across the seven meta-categories defined in the Unified Digital Twin Compliance Framework (UDTCF).
Table 16.
Digital Twin Compliance Evaluation Matrix (DTCEM).
Unlike quantitative assessment tools, this matrix uses qualitative compliance levels that capture the degree to which the Digital Twin demonstrates conformity with lawful obligations and best practices. Each meta-category is evaluated using a four-level qualitative scale as listed in Table 17.
Table 17.
Four-level qualitative evaluation scale.
These four qualitative levels provide clear interpretability for compliance audits while allowing flexibility for research-oriented evaluations that involve systems still under development.
The DTCEM bridges the gap between regulatory theory and engineering practice by transforming the complex legal environment into measurable, evidence-based compliance indicators. When used together with the unified framework, it enables Digital Twin developers and researchers to demonstrate conformity with EU law systematically, fostering trustworthy and lawful innovation within the European Digital Single Market.
4.5. Evaluation Procedure and Application Contexts
The DTCEM provides a practical methodology for evaluating Digital Twin systems in both research and industrial settings. Its application follows a structured five-step process designed to ensure transparency, reproducibility, and comparability across projects.
- Step 1—Definition of Evaluation Scope: The evaluator begins by clearly defining the scope and boundaries of the Digital Twin to be assessed. This includes identifying the system’s purpose, operational environment, and interfaces with external data or control systems. For complex projects, such as multi-domain or federated Digital Twins, the scope should be decomposed into logical subsystems (for instance, data acquisition, analytics, or control layers) to enable targeted evaluation within each compliance domain.
- Step 2—Evidence Collection: For each meta-category of the DTCEM, relevant evidence must be gathered to substantiate the compliance assessment. Acceptable evidence includes technical documentation, organisational policies, legal artefacts, and operational records such as incident logs or audit trails. This ensures traceability and transparency in compliance evaluation.
- Step 3—Qualitative Assessment: Each meta-category is evaluated qualitatively using the four compliance levels: Non-Compliant (NC), Partially Compliant (PC), Compliant (C), or Fully Compliant (FC). The evaluator assigns a rating based on the strength and completeness of the supporting evidence and the extent to which the system meets the lawful requirements listed in the UDTCF. The process is deliberative rather than mechanical, encouraging expert judgement from both legal and technical perspectives.
- Step 4—Documentation and Review: All assessments and evaluator notes must be documented to support internal review and external verification. Documentation includes the rationale for each compliance level, references to supporting evidence, identified compliance gaps, and recommended corrective actions. The resulting dossier can serve in project reporting, certification alignment, or ethics board submissions.
- Step 5—Synthesis and Reporting: After completing the evaluation, the findings are synthesised into a compliance summary that highlights both strengths and deficiencies across meta-categories. Instead of numerical aggregation, the synthesis relies on interpretive reasoning. Systems may, for instance, be classified as
- ○
- Legally Critical—containing one or more Non-Compliant (NC) domains that require immediate remediation.
- ○
- Conditionally Acceptable—mostly Partially Compliant (PC), suitable for research pilots but not for operational deployment.
- ○
- Legally Robust—predominantly Compliant (C) or Fully Compliant (FC), suitable for deployment within the EU regulatory framework.
This qualitative synthesis enables decision-makers to prioritise compliance improvements and communicate the project’s legal readiness level transparently. The evaluation process can be applied manually by a legal–technical expert panel or semi-automatically through natural language analysis of Digital Twin documentation. It supports comparative studies, benchmarking of Digital Twin projects across sectors, and alignment of research outputs with EU policy objectives. Moreover, it provides a transparent and reproducible method for identifying gaps in privacy, security, and interoperability before deployment or certification.
The DTCEM thereby bridges the gap between regulatory theory and engineering practice by transforming the complex legal environment into measurable, evidence-based compliance indicators. When used together with the unified framework (Table 14 and Table 15), it enables Digital Twin developers and researchers to demonstrate conformity with EU law systematically, fostering trustworthy and lawful innovation within the European Digital Single Market.
The subsequent sections apply the Unified Digital Twin Compliance Framework (UDTCF) and the Digital Twin Compliance Evaluation Matrix (DTCEM) to four strategic sectors: Smart Cities, Industrial Manufacturing, Mobility and Transportation, and Energy Systems. Each sectoral analysis evaluates representative European initiatives across the seven meta-categories defined in the UDTCF, using the four-level qualitative compliance scale described in Table 17. This consistent methodological approach ensures comparability among the twelve cases examined and enables cross-sectoral synthesis of compliance maturity presented in Section 9.
5. Digital Twins in Smart Cities
5.1. Sector Overview
Digital Twins have become foundational instruments in the digital transformation of European cities. Urban Digital Twins integrate data from infrastructure, transport, environment, and citizen services into a virtual representation of the urban fabric that supports real-time analysis, simulation, and policy evaluation. By interlinking geographic information systems, IoT sensor networks, and AI-driven analytics, these platforms enable planners and operators to monitor and optimise the functioning of complex urban systems. Their functions range from dynamic traffic management and energy-efficient building operations to climate adaptation modelling and participatory urban design.
At the municipal level, Digital Twins are deployed as decision-support tools that facilitate cross-departmental coordination and transparency in urban governance. The European Commission’s initiatives on Local Digital Twins, the Living-in. EU movement [37], and the Mission on Climate-Neutral and Smart Cities [38] have further encouraged cities to adopt these technologies to achieve the objectives of the European Green Deal [39] and Digital Decade Policy Programme [40]. Consequently, Smart City Digital Twins constitute not only a technological evolution but also a governance innovation, embodying the integration of real-time data, citizen engagement, and predictive policy analysis within a shared digital infrastructure.
5.2. Regulatory Relevance
The governance of Smart City Digital Twins intersects with nearly all major EU digital laws identified in this review. The General Data Protection Regulation (GDPR) is central because urban Digital Twins continuously process location, environmental, and behavioural data that may qualify as personal or indirectly identifiable information. Ensuring data minimisation, lawful basis for processing, and transparency in citizen data use is therefore essential.
The Data Governance Act (DGA) and the Data Act are equally critical since municipal Digital Twins rely on data sharing among public authorities, utilities, private companies, and citizens. These laws define how public-sector data may be reused, how data intermediation services must operate, and how interoperability and contractual fairness are guaranteed.
The Artificial Intelligence Act (AIA) applies to the AI models embedded within Digital Twins that generate predictions, perform anomaly detection, or support decision-making in areas such as traffic control and energy distribution. Depending on their function, such systems may be classified as high-risk AI under the AIA, triggering obligations related to transparency, documentation, and human oversight.
The NIS2 Directive and Cyber Resilience Act (CRA) establish cybersecurity and resilience obligations for the infrastructures underpinning Smart City Digital Twins. These instruments require secure-by-design system architecture, vulnerability management, and incident reporting, ensuring that critical city operations remain protected against cyber threats.
Within the Unified Digital Twin Compliance Framework (UDTCF), Smart City applications primarily activate the following meta-categories: Data Governance and Access Control, Data Protection and Privacy, Cybersecurity and Resilience, and Transparency, Explainability, and Trust. These domains define the legal and technical conditions for trustworthy operation of urban Digital Twins.
5.3. Sectoral Compliance Evaluation
To assess the compliance maturity of Smart City Digital Twins, the Digital Twin Compliance Evaluation Matrix (DTCEM) can be applied to representative European initiatives. Three prominent examples illustrate different governance and technical models: Virtual Helsinki, Smart Dublin, and Rotterdam Urban Twin. Each represents an operational Digital Twin integrating heterogeneous data sources for urban management and citizen services.
Virtual Helsinki [41] demonstrates a strong alignment with GDPR principles through transparent data governance and explicit consent mechanisms in citizen engagement modules [42]. Its privacy-by-design approach and open-access policies indicate clear alignment with the Data Governance Act and the Data Act through licensed open datasets and interoperable APIs [43]. However, full traceability and explainability of AI models in line with the AI Act appear to be still developing in the public documentation, which emphasises datasets and use cases rather than model documentation [44]. The project can be rated as Fully Compliant (FC) for data protection, Compliant (C) for data governance, and Partially Compliant (PC) for AI transparency and documentation.
Smart Dublin [45] employs a distributed data-sharing model connecting city councils, utilities, and research institutions. Its adherence to the Data Governance Act principles of data altruism and neutrality is well established through its open-data portal and governance participation in the Cities Coalition for Digital Rights, which commits to transparent and privacy-by-design data use [46]. However, interoperability of datasets across departments and cloud platforms remains constrained, both of which note that Dublin’s councils operate heterogeneous systems without uniform schemas [47]. Accordingly, Smart Dublin demonstrates Compliant (C) levels for Data Governance, Partially Compliant (PC) for Interoperability and Standardisation, and Compliant (C) for Ethical and Social Responsibility due to its well-documented citizen-participation and open-innovation framework [48,49].
The Rotterdam Urban Twin [50] integrates environmental monitoring and climate resilience functions through city-scale digital infrastructure and AI-enabled analytical models [51,52]. Developed within the city’s Open Urban Platform, it facilitates data exchange across municipal departments and supports predictive simulations for urban sustainability and flood-risk management. The platform’s design aligns with the European NIS2 Directive and Cybersecurity Act through integrated risk-management procedures and adoption of security-by-design principles promoted by ENISA’s cybersecurity frameworks, indicating a high level of operational resilience. Governance and accountability are strengthened through the Centre for Bold Cities, which applies multidisciplinary ethical review and risk analysis in the use of municipal and citizen data [53]. However, ongoing experimentation with machine-learning-based prediction for climate adaptation and mobility scenarios still lacks full explainability documentation, leaving transparency obligations under the Artificial Intelligence Act partially met. Accordingly, the Rotterdam Urban Twin can be assessed as Fully Compliant (FC) for Cybersecurity and Resilience, Compliant (C) for Accountability and Risk Management, and Partially Compliant (PC) for Transparency and Explainability.
A comparative synthesis of these evaluations is shown in Table 18.
Table 18.
Compliance Evaluation of Representative Smart City Digital Twins.
This analysis shows that most European Smart City Digital Twins reach at least Compliant (C) levels across data protection, governance, and cybersecurity dimensions, while Transparency and Explainability remain areas of partial compliance. The trend indicates that although technical and organisational safeguards are increasingly mature, the interpretability and documentation of AI-based urban simulations still require further alignment with the transparency obligations of the Artificial Intelligence Act.
Table 19 provides structured evidence linking each compliance rating in Table 18 to publicly verifiable documentary sources, ensuring methodological transparency in the scoping review process. Each entry lists the relevant documentation and corresponding legal provisions under the six EU acts covered by the Unified Digital Twin Compliance Framework (UDTCF). Together, Table 18 and Table 19 enable cross-validation of compliance assessments and strengthen the evidential basis for sectoral findings discussed in Section 9.
Table 19.
Evidence Alignment between Compliance Evaluation and Documentary Sources.
5.4. Sector-Specific Challenges and Lessons
The application of EU law to Smart City Digital Twins reveals several recurring challenges. First, data protection and anonymisation remain complex because urban data often combine personal and non-personal elements, making complete anonymisation technically difficult without undermining analytical value. Second, interoperability and standardisation continue to be fragmented due to the diversity of municipal data infrastructures and vendor-specific implementations. Third, accountability and human oversight of AI-driven decision systems, such as adaptive traffic control or urban planning simulations, require clearer governance frameworks to comply with the AI Act’s requirements for transparency and oversight.
Nevertheless, European initiatives show growing maturity in integrating compliance-by-design methodologies. The use of federated data spaces allows municipalities to retain data sovereignty while enabling cross-domain analysis in line with the Data Governance Act. Regulatory sandboxes established under the AI Act are emerging as valuable instruments for testing high-risk AI components in controlled environments. Similarly, alignment with European cybersecurity certification schemes under the NIS2 Directive and Cyber Resilience Act enhances trust and resilience in municipal infrastructures.
Overall, Smart City Digital Twins exemplify the convergence of technical innovation and legal responsibility within the European digital ecosystem. Their progressive alignment with EU data, AI, and cybersecurity laws demonstrates a strong trajectory toward lawful, ethical, and interoperable digital governance. However, sustained investment in transparency mechanisms, open standards, and cross-sector collaboration remains essential to achieve full compliance maturity across the European Smart City landscape.
6. Digital Twins in Industrial Manufacturing
6.1. Sector Overview
Digital Twins have become a cornerstone of the digital transformation in industrial manufacturing, underpinning the transition towards smart factories, cyber-physical production systems, and Industry 5.0 [68,69]. Within this context, Digital Twins represent a fusion of operational technology and information technology that enables continuous synchronisation between virtual models and physical assets such as machines, robots, and production lines. They are deployed across the full manufacturing lifecycle: product design, process optimisation, predictive maintenance, and supply-chain coordination. By combining IoT sensor data, physics-based simulations, and AI-driven analytics, they facilitate real-time monitoring, predictive decision-making, and self-adaptive control of production environments.
European manufacturing is a leading domain for Digital Twin innovation, strongly supported by programmes such as Made in Europe [70] and Factories of the Future [71]. Industrial Digital Twins are increasingly embedded in data-driven ecosystems that connect equipment manufacturers, suppliers, and customers through secure and interoperable platforms. Their contribution to resource efficiency, resilience, and circular manufacturing aligns with the European Green Deal [39], the Data Strategy [72], and the Digital Single Market objectives [73].
6.2. Regulatory Relevance
Industrial Digital Twins operate at the intersection of multiple European digital regulations. The Data Act and Data Governance Act are particularly influential because manufacturing data, especially that generated by connected industrial machinery, forms the basis for value creation and innovation. These laws define access rights, interoperability, and fairness in business-to-business data sharing, ensuring that machine-generated data can be reused under transparent and non-discriminatory conditions.
The General Data Protection Regulation (GDPR) applies where Digital Twins process human-related data such as operator performance metrics or workplace safety monitoring. The Artificial Intelligence Act (AIA) becomes relevant when machine-learning components are used for autonomous optimisation, quality control, or predictive maintenance. Such systems may fall under the high-risk category if they affect human safety or product conformity.
The NIS2 Directive and Cyber Resilience Act (CRA) impose obligations for cybersecurity, vulnerability management, and secure software development. Because industrial Digital Twins connect production assets and cloud infrastructures, compliance with these instruments is essential for safeguarding manufacturing continuity and preventing cyber-physical incidents.
Within the Unified Digital Twin Compliance Framework (UDTCF), industrial manufacturing primarily activates the domains of Data Governance and Access Control, Cybersecurity and Resilience, Interoperability and Standardisation, and Accountability and Risk Management.
6.3. Sectoral Compliance Evaluation
To illustrate compliance maturity in industrial manufacturing, the Digital Twin Compliance Evaluation Matrix (DTCEM) was applied to three representative European cases: Siemens Industrial Edge [74] and Digital Twin Factory [75], Bosch Rexroth Factory of the Future [76], and Fraunhofer DIGIT Smart Factory Twin [77]. Each case demonstrates a distinct combination of proprietary and open-data ecosystems, yet all operate under the same overarching EU legal obligations.
Siemens Industrial Edge [74] and Digital Twin Factory [75] integrates the MindSphere Cloud Services [78] and Teamcenter Simulation Platform [79] for synchronising product, process, and performance data. Documentation indicates adherence to the Data Act through standardised APIs, open interoperability formats, and contractual fairness provisions. Siemens’ security certifications under ISO 27001 [80] and ENISA guidelines align with NIS2 requirements, while integrated privacy-by-design functions in Human–Machine Interfaces support GDPR compliance [81]. Transparency of AI-based predictive models remains limited due to proprietary algorithms, justifying ratings of Compliant (C) for governance and security, and Partially Compliant (PC) for transparency.
Bosch Rexroth Factory [76] of the Future uses an open automation platform that combines Digital Twin models with edge computing and AI analytics [82]. Its governance documentation demonstrates clear data-access policies, cross-domain interoperability, and voluntary alignment with the European Data Space standards [83,84]. Security-by-design principles and continuous vulnerability assessment under the Bosch Cybersecurity Framework substantiate a Fully Compliant (FC) rating for Cybersecurity and Resilience [85,86]. However, partial explainability in predictive maintenance algorithms and limited user transparency lead to a (PC) rating for Transparency and Trust.
Fraunhofer Digital Twin Smart Factory operates as a research infrastructure for testing interoperable Digital Twins across multiple industrial partners [77]. It explicitly applies the Data Governance Act through neutral data intermediation services and implements a federated access model compatible with the GAIA-X architecture [87]. The facility maintains full traceability and audit trails for all AI models, combined with detailed conformity documentation under the AIA and CRA. It is rated Fully Compliant (FC) for Data Governance and Access Control, Compliant (C) for Transparency and Accountability, and Fully Compliant (FC) for Interoperability and Standardisation.
A comparative synthesis of these evaluations is shown in Table 20.
Table 20.
Compliance Evaluation of Representative Industrial Digital Twins.
This evaluation shows that industrial Digital Twins generally achieve high compliance with data governance, security, and interoperability obligations, while transparency and explainability remain partially fulfilled due to proprietary AI models and confidential industrial processes.
Table 21 presents verifiable evidence linking the compliance levels in Table 20 to documented corporate, institutional, and research materials. Each citation corresponds to public technical documentation, certification statements, or institutional policy frameworks consistent with the obligations under the six EU legislative instruments analysed. The alignment confirms that Siemens, Bosch Rexroth, and Fraunhofer DIGIT exhibit strong conformity in cybersecurity, interoperability, and governance domains, while explainability and transparency remain partially implemented due to proprietary industrial constraints.
Table 21.
Evidence Alignment between Compliance Evaluation and Documentary Sources.
6.4. Sector-Specific Challenges and Lessons
The compliance evaluation highlights recurring challenges in industrial manufacturing. Data sovereignty remains a dominant issue, as contractual asymmetries between data holders and equipment users complicate the implementation of the Data Act’s fair-access principles. Interoperability is hindered by co-existing proprietary ecosystems that slow the adoption of open standards and semantic harmonisation. Transparency of AI models is limited by intellectual-property constraints, making it difficult to meet the AI Act’s requirements for explainability and human oversight.
Nevertheless, several best practices are emerging. The adoption of European Industrial Data Spaces and GAIA-X compliant reference architectures promotes lawful and secure data exchange across value chains. Industrial AI sandboxes under the AIA provide a safe environment for testing high-risk applications such as automated quality inspection or robot collaboration. The integration of Cyber Resilience Act conformity assessments within product certification processes ensures continuous vulnerability management and lifecycle security.
Overall, the manufacturing sector demonstrates advanced maturity in compliance-by-design. Its long-standing culture of quality assurance and certification has accelerated the integration of legal compliance into engineering workflows. However, achieving full conformity under EU digital law will depend on greater openness, cross-industry standardisation, and the incorporation of explainable AI into Digital Twin development and deployment.
7. Digital Twins in Mobility and Transportation
7.1. Sector Overview
Digital Twins are reshaping mobility and transportation through continuously synchronised models of networks, vehicles, terminals and logistics flows. They integrate live data from traffic sensors, connected vehicles, public transport systems and logistics platforms with physics-based and data-driven models. These capabilities enable authorities and operators to optimise timetables, signal plans and curb use, to coordinate multimodal exchanges, to anticipate congestion and incidents, and to manage resilience during disruptions.
In Europe the most mature applications appear in port logistics, rail infrastructure and airport operations. Port authorities use Digital Twins to orchestrate vessel calls, yard movements and hinterland trucking. Rail infrastructure managers employ network twins to plan maintenance, timetable capacity and energy optimisation. Airport operators deploy operational twins to manage airside and landside flows, turnaround processes and passenger services. These deployments align with the goals of the European Sustainable and Smart Mobility Strategy [106], the European Green Deal [39] and the Digital Decade [40].
7.2. Regulatory Relevance
Mobility Digital Twins intersect with all six EU legal instruments analysed in this study. The General Data Protection Regulation governs personal and indirectly identifiable data derived from location traces, ticketing, computer vision and telematics. Privacy by design, lawful basis and data subject rights must be embedded in passenger-facing functions and connected vehicle services.
The Data Governance Act and the Data Act are central because mobility twins rely on governed sharing of data among transport authorities, operators, terminal owners, fleet companies and service providers. These laws shape conditions for reuse of public sector data, neutrality of intermediation, fairness in business-to-business data access and interoperability for switching across cloud and edge services.
The Artificial Intelligence Act applies where learning components support safety relevant functions, for example predictive maintenance of rolling stock, operational decision support in airside turnarounds or signal optimisation in rail networks. Depending on use and risk, obligations include risk management, documentation, transparency and human oversight.
The NIS2 Directive and the Cyber Resilience Act impose security by design, vulnerability and incident handling, and supply chain assurance across operational technology, information technology and cloud infrastructure. For critical transport services, these obligations are decisive for safe operations and for continuity of cross border mobility.
Within the Unified Digital Twin Compliance Framework, mobility systems activate all seven meta categories, with particular emphasis on data governance and access control, data protection and privacy, cybersecurity and resilience, and transparency and trust where AI informs operational decisions.
7.3. Sectoral Compliance Evaluation
The Digital Twin Compliance Evaluation Matrix was applied to three representative European mobility cases. The Port of Hamburg operates a logistics and traffic Digital Twin for the harbour and urban interfaces. Deutsche Bahn through DB Netz advances a rail infrastructure twin under the Digital Rail for Germany initiative. Royal Schiphol Group operates an airport operations twin that integrates airside and landside processes. The three cases illustrate different combinations of safety critical operations, complex stakeholder governance and multi cloud data pipelines.
The Port of Hamburg operates an advanced smart-port digital-twin environment under the Hamburg Port Authority’s “Digital Port Twin” and “smartPORT” initiatives [107,108]. These programmes integrate sensor data, simulation, and 3D visualisation to enhance infrastructure planning, logistics coordination, and traffic management. Governed data and service interfaces are provided through secure web-based clients for logistics and rail operators, enabling coordinated operational access within defined governance frameworks [109]. The authority participates in the international chainPORT network, which promotes connected-port data exchange and cyber-resilience among global port authorities [110]. Projects such as smartBRIDGE Hamburg employ open BIM and IFC standards to ensure interoperability and technical transparency across digital-asset models [111]. Cybersecurity and operational-technology resilience form explicit priorities in HPA’s strategy, with public statements stressing the protection of industrial-control environments and alignment with port-sector cyber-resilience frameworks [112]. Research collaborations such as the TwinSim project use AI-based simulation and predictive modelling to support terminal operations [113], while current literature indicates that transparency and model-level explainability in port digital twins remain at a developing stage [114]. Based on the available evidence, the Port of Hamburg’s digital-twin ecosystem can be rated Compliant (C) for governance, Compliant (C) for data protection and privacy, Compliant (C) for cybersecurity and resilience, Partially Compliant (PC) for transparency and explainability, Compliant (C) for interoperability and standardisation, Compliant (C) for accountability and risk management, and Compliant (C) for ethics and societal responsibility.
Deutsche Bahn’s rail infrastructure twin enables DB Netz to link asset registers, signalling, scheduling and maintenance planning to a network-level digital twin that simulates train operations across the entire German rail network [115]. The programme documents risk management, conformity processes and safety cases that map to the governance requirements of the EU Artificial Intelligence Act and NIS2 Directive, both of which apply to critical rail infrastructure managers and their control and signalling systems. Interoperability follows European rail standards and common data formats used in GIS and BIM integration, as demonstrated in Deutsche Bahn’s network-modernisation programme reported by [116]. Where learning systems inform timetable proposals or predictive maintenance, human oversight is maintained, though public explainability artefacts remain concise. Ratings were Compliant (C) for governance, Compliant (C) for privacy, Fully Compliant (C) for cybersecurity and resilience, Compliant (C) for accountability and risk management, Partially Compliant (PC) for transparency, Compliant (C) for interoperability, Compliant (C) for ethics.
The Royal Schiphol Group operates an airport twin that integrates aircraft turnaround, stand allocation, passenger flow, and baggage logistics within a unified operational digital twin. Real-time camera and sensor feeds, such as the Deep Turnaround AI system, use computer-vision processing to predict push-back times and optimise stand operations [117]. Airport-wide dashboards in the Airport Operations Centre employ predictive insights for dynamic capacity and flow management [118]. The digital-twin architecture tracks over 80,000 indoor and outdoor assets and infrastructure systems under a unified Common Data Environment [119]. Schiphol’s corporate Risk Management and Internal Control framework details incident response, vulnerability management, and cyber-resilience governance consistent with European critical-infrastructure standards [120]. Additional sector-wide cooperation on threat simulation and supplier security is reported by PwC in its Schiphol cybersecurity case study [121]. Academic analyses confirm that airport digital twins are increasingly applied for cyber-attack protection and vulnerability assessment [122]. Although public certification under the Cyber Resilience Act has not yet been disclosed, Schiphol’s infrastructure aligns with obligations for transport-critical entities under the NIS2 Directive in the Netherlands [123]. Passenger-facing data use incorporates privacy-by-design mechanisms, including visual masking of non-relevant fields in AI processing [117], while some predictive modules remain proprietary with limited published explainability. Ratings were Compliant (C) for governance, Compliant (C) for privacy, Fully Compliant (C) for cybersecurity and resilience, Compliant (C) for accountability, Partially Compliant (PC) for transparency, Compliant (C) for interoperability, Compliant (C) for ethics.
Table 22 reports the qualitative assessment.
Table 22.
Compliance evaluation of representative mobility and transportation Digital Twins.
The cross-case pattern mirrors the industrial and city domains. Governance, privacy, security and interoperability reach at least compliant levels, while transparency of model logic and assurances for explainability remain partially fulfilled due to operational sensitivity, intellectual property constraints and safety certification boundaries. Table 23 reports evidence for alignment between compliance evaluation and documentary sources for mobility Digital Twins.
Table 23.
Evidence Alignment between Compliance Evaluation and Documentary Sources.
7.4. Sector Specific Challenges and Lessons
First, data protection in mobility twins must reconcile privacy with lawful processing of location and behavioural data at scale. Strong minimisation, aggregation and pseudonymisation are required, together with clear interfaces for data subject rights. Second, interoperability across authority systems, operators and suppliers is a persistent barrier. Progress depends on adoption of open schemas, common operational semantics and switching controls aligned with the Data Act. Third, transparency for AI remains the principal open obligation. Safety critical operations favour proven models and vendor confidentiality, yet the Artificial Intelligence Act requires documented risk management, traceability and human oversight.
Promising practices include federated data spaces for transport that keep data sovereignty with operators while enabling lawful reuse, regulatory sandboxes for safety-related AI functions, and security certification of digital products under the Cyber Resilience Act to strengthen supply chain trust. As mobility twins converge with connected vehicle ecosystems and city traffic management, joint governance between authorities and operators becomes a decisive enabler of lawful and trustworthy deployment.
8. Digital Twins in Energy Systems
8.1. Sector Overview
Digital Twins are transforming how Europe plans, operates, and integrates its energy systems by providing synchronised virtual models of assets and networks across transmission, distribution, and prosumer domains [8]. These models continuously ingest data from supervisory control and data acquisition systems, synchrophasors, smart meters, weather services, and market platforms, enabling dynamic visualisation, forecasting, and optimisation of energy flows.
At the transmission level, Digital Twins underpin security assessment, congestion management, and real-time stability analysis. At the distribution level, they support voltage regulation, local flexibility management, and grid integration of distributed energy resources. At the prosumer level, virtual power plant (VPP) twins and community energy twins optimise rooftop photovoltaics, batteries, electric vehicles, and demand response resources. Together, these capabilities directly advance the objectives of the European Green Deal [39], the Digitalisation of the Energy System Action Plan [139], and the Fit-for-55 Package [140].
8.2. Regulatory Relevance
Energy system Digital Twins are subject to the full spectrum of EU digital regulation. The General Data Protection Regulation (GDPR) governs household and prosumer data collected through smart meters and IoT devices, requiring privacy-by-design and user rights management.
The Data Governance Act (DGA) and Data Act (DA) define lawful conditions for data exchange among transmission system operators (TSOs), distribution system operators (DSOs), aggregators, and service providers, enforcing neutrality of data intermediation, fair contractual terms, and interoperability across energy data spaces.
The Artificial Intelligence Act (AIA) applies to learning components used in predictive control, state estimation, or fault detection, which may qualify as high-risk systems and must therefore meet obligations for risk management, documentation, and human oversight.
The NIS2 Directive and the Cyber Resilience Act (CRA) establish cybersecurity and vulnerability management obligations for energy system operators and digital product vendors, ensuring secure design and lifecycle monitoring of critical digital infrastructures.
Within the Unified Digital Twin Compliance Framework (UDTCF), the energy domain activates all seven meta-categories, with pronounced emphasis on data governance, data protection, cybersecurity, interoperability, and accountability.
8.3. Sectoral Compliance Evaluation
To evaluate the maturity of compliance in European energy system Digital Twins, the Digital Twin Compliance Evaluation Matrix (DTCEM) was applied to three representative EU projects: OneNet (pan-European TSO-DSO coordination twin), Platone (distribution-system twin for flexibility management), and SINTEF & NODES (Virtual Power Plant and prosumer twin for local energy markets). Each project illustrates how data governance, privacy, cybersecurity, interoperability, and transparency obligations are addressed in operational energy-data ecosystems.
The OneNet project, funded under Horizon 2020 (Grant Agreement No. 957739) and coordinated by a European consortium including ENTSO-E and E.DSO, develops a unified digital environment that connects transmission and distribution system operators across Europe to enable real-time coordination, data exchange, and market interoperability [141]. The project’s governance framework defines access roles, data usage policies, and traceability mechanisms to ensure data sovereignty and lawful exchange, as outlined in Deliverables D5.7 and D6.2 [142,143]. Cybersecurity, privacy, and risk-management principles are addressed in Deliverable D5.8, which specifies regulatory and technical requirements derived from the NIS Directive and EU data-protection law [144]. These documents collectively demonstrate a robust approach to governance, security, and interoperability, although no explicit references to the forthcoming NIS2 Directive or Cyber Resilience Act are present in the publicly available materials. Cross-border data exchange frameworks integrate privacy and minimisation measures, yet algorithmic transparency and explainability remain limited in the published documentation. Overall, the OneNet project exhibits compliance with EU standards for data governance, security, and interoperability, while partial evidence is available for privacy implementation and transparency of AI-driven modules. It is rated Compliant (C) for Data Governance and Access Control, Partially Compliant (PC) for Data Protection and Privacy, Compliant (C) for Cybersecurity and Resilience, Compliant (C) for Accountability and Risk Management, Partially Compliant (PC) for Transparency and Explainability, Compliant (C) for Interoperability and Standardisation, and Compliant (C) for Ethical and Social Responsibility.
Platone, a Horizon 2020 project led by Avacon, Areti, and HEDNO, develops architectures for distribution-grid flexibility and prosumer integration within European smart distribution networks. The project’s objective is to enhance observability of distributed renewable energy resources and unlock flexibility services for DSOs through open, standardised, and interoperable platforms [145]. Governance follows principles of neutrality and non-discrimination in data exchange, as described by the European Distribution System Operators (E.DSO), ensuring open access and compliance with existing regulatory frameworks [146]. Data management and interoperability are documented through project deliverables defining standard communication protocols and data governance models [147]. Cybersecurity within Platone is addressed through the examination of relevant smart-grid and information-security standards as documented in the project’s deliverables on interoperability and standardization [147]. Ethical and regulatory assessments within the project address data security, privacy, and transparency obligations under the EU’s digital strategy [40]. While these reports document strong governance and cybersecurity measures, publicly available materials provide limited detail on privacy-by-design mechanisms or model-level explainability of AI-driven grid optimisation modules. Consequently, Platone demonstrates compliant implementation of governance, interoperability, and cybersecurity frameworks, though transparency and explainability remain areas where publicly verifiable evidence is limited. It is rated Compliant (C) for Data Governance and Access Control, Compliant (PC) for Data Protection and Privacy, Compliant (C) for Cybersecurity and Resilience, Compliant (C) for Accountability and Risk Management, Partially Compliant (PC) for Transparency and Explainability, Compliant (FC) for Interoperability and Standardisation, and Compliant (PC) for Ethical and Social Responsibility.
The SINTEF–NODES collaboration in the Nordic energy market explores digital twin-enabled frameworks for aggregating distributed energy resources and enhancing local flexibility trading. Building on SINTEF’s broader digital twin research (e.g., SINDIT framework) and its involvement in the NODES flexibility platform, the initiative aims to create interoperable environments that allow prosumers, aggregators, and system operators to exchange energy and flexibility services transparently [148,149]. Governance approaches are inspired by European data-space principles, emphasising transparency, traceability, and interoperability in line with the objectives of the EU Data Act and Data Governance Act, though no public deliverables explicitly document GAIA-X compliance. Cybersecurity and interoperability practices are aligned with SINTEF’s established methodologies for secure digital twin development and data-space architectures (as evidenced in related projects such as COGNITWIN and industrial IoT frameworks) [150]. Available information indicates that consent management and data-minimisation principles are considered at the design level, but detailed documentation on privacy-by-design, device onboarding, or conformity with the Cyber Resilience Act is not publicly available. Peer-reviewed work from SINTEF and collaborators confirms the use of digital twins and interoperability frameworks in Nordic energy systems, although explicit references to a federated Virtual Power Plant Twin remain absent in the scientific literature [151,152]. Overall, the initiative demonstrates a progressive alignment with EU principles for trustworthy, data-driven flexibility management, yet public evidence of full compliance across privacy and transparency dimensions remains limited. It is therefore rated Compliant (C) for Data Governance and Access Control, Compliant (C) for Data Protection and Privacy, Compliant (PC) for Cybersecurity and Resilience, Compliant (PC) for Accountability and Risk Management, Partially Compliant (PC) for Transparency and Explainability, Compliant (C) for Interoperability and Standardisation, and Compliant (C) for Ethical and Social Responsibility.
The comparative analysis indicates that European energy-system twins achieve solid compliance in governance, privacy, security, and interoperability. However, transparency and explainability remain only partially realised, primarily due to proprietary control algorithms and the confidentiality of operational-security data within critical-infrastructure contexts.
Table 24 shows the results of the compliance evaluations and Table 25 provides verifiable traceability between compliance assessments and project documentation. Each deliverable or report corresponds directly to one or more meta-categories of the Unified Digital Twin Compliance Framework. Together, Table 24 and Table 25 demonstrate that European energy Digital Twin projects are embedding compliance-by-design methodologies, advancing cybersecurity and interoperability maturity, and progressively aligning with EU law, while explainability and public transparency remain the principal areas for continued development.
Table 24.
Compliance Evaluation of Representative Energy System Digital Twins.
Table 25.
Evidence Alignment between Compliance Evaluation and Documentary Sources.
8.4. Sector-Specific Challenges and Lessons
Energy sector Digital Twins must reconcile strict cybersecurity and reliability standards with open data exchange and AI-driven optimisation. Data protection is complex because smart-meter data may reveal individual consumption behaviour, requiring strong pseudonymisation and consent management. Interoperability depends on convergence of Common Information Model (CIM), IEC 61970/61968, and GAIA-X data-space standards. Transparency remains constrained by vendor confidentiality and security classification.
Promising trends include the creation of European Common Data Spaces for Energy, the use of regulatory sandboxes for AI in grid control, and the application of Cyber Resilience Act certification schemes to grid-control software and IoT gateways. Harmonised guidance from ENTSO-E, E.DSO and ENISA is accelerating convergence towards full compliance maturity.
9. Discussion
The cross-sectoral synthesis of the scoping review reveals that Digital Twin deployments across Smart Cities, Industry, Mobility, and Energy Systems share a convergent trajectory towards legally and technically mature implementations. Yet, despite clear progress, a number of structural asymmetries persist in how the six major EU laws are interpreted and operationalised. The analysis confirms that most European Digital Twins now embed compliance-by-design principles in data governance, cybersecurity, and interoperability, whereas transparency, explainability, and accountability remain unevenly realised across domains.
9.1. Cross-Sectoral Compliance Strengths
Across all four sectors, data governance and access control demonstrate a high degree of convergence. The review finds consistent adoption of practices aligned with the Data Governance Act and the Data Act, including role-based access control, non-exclusive data sharing, and open interface design. Smart City initiatives such as Helsinki 3D+ and Smart Dublin exemplify these principles through public data portals and transparent data intermediation. Industrial cases such as Siemens MindSphere and Bosch Rexroth’s ctrlX Automation extend the same logic into business-to-business ecosystems, while energy projects such as OneNet and Platone adopt federated data-space architectures that apply equivalent rules at the inter-operator level. Collectively, these practices illustrate that lawful, transparent, and interoperable data exchange is becoming a de facto design standard in European Digital Twin development.
Cybersecurity and system resilience also represent a cross-sector strength. All studied domains implement layered security architectures, vulnerability management, and incident-response frameworks aligned with the NIS2 Directive and the Cyber Resilience Act. Industrial and energy systems, which fall under the category of essential services, show particularly mature implementation through ISO 27001, IEC 62443, or ENISA-referenced controls. In Smart City and Mobility contexts, cybersecurity certification and continuous monitoring are now embedded into procurement and operational governance. These developments confirm that security-by-design has transitioned from a voluntary best practice to a regulated engineering discipline.
Another area of progress concerns interoperability and standardisation. Most initiatives converge on open data models such as CityGML, IFC, OPC UA, and CIM, or rely on GAIA-X-compliant data connectors for cross-platform exchange. The institutionalisation of European Data Spaces further accelerates this trend by aligning technical interoperability with lawful data-sharing frameworks. This progress underpins not only compliance but also long-term scalability and innovation capacity within the Digital Single Market.
9.2. Persistent Gaps and Cross-Cutting Challenges
Despite these strengths, three compliance dimensions remain partially fulfilled across all sectors.
First, transparency and explainability present the most consistent gap. While most projects document system architecture and data provenance, few disclose the internal logic of AI-driven decision modules. Proprietary algorithms, safety certification boundaries, and security sensitivities limit publication of model documentation. Consequently, obligations under the Artificial Intelligence Act—particularly for high-risk systems—are often met only at procedural rather than substantive levels. Bridging this gap requires explainability frameworks that reconcile intellectual property protection with verifiable accountability, possibly through trusted audit or certification mechanisms.
Second, accountability and risk management are unevenly implemented. Although audit logging and compliance documentation exist in every sector, systematic conformity assessment remains rare outside essential-service domains. Many Smart City and Mobility projects depend on project-based governance rather than institutionalised compliance structures. Industrial and Energy projects perform better due to established quality-assurance cultures and risk-management standards, yet harmonisation across the EU remains incomplete.
Third, ethical and social responsibility—while consistently referenced—often lacks operationalisation. Citizen participation frameworks, fairness monitoring, and environmental metrics appear in policy narratives but are seldom integrated into compliance evaluation. The review finds that ethics in Digital Twin practice is treated as an aspirational objective rather than a measurable compliance domain, despite its inclusion as a meta-category within the Unified Digital Twin Compliance Framework.
9.3. Sectoral Contrasts
The comparative evaluation also highlights distinct compliance profiles.
- Smart Cities show advanced data governance and privacy management but lower transparency due to the scale and heterogeneity of data sources. Their governance maturity reflects long experience with open-data regulation and citizen-centric policy frameworks.
- Industrial Manufacturing demonstrates the highest cybersecurity and interoperability maturity, grounded in established certification and quality-control cultures. Transparency remains constrained by proprietary intellectual property and competitive sensitivity.
- Mobility and Transportation integrate strong operational security and governance but exhibit partial explainability in AI-assisted scheduling and predictive maintenance. Multi-stakeholder governance across public and private entities complicates uniform compliance interpretation.
- Energy Systems achieve exemplary governance and cybersecurity through the obligations of essential-service operators but face challenges with transparency of AI-enabled control algorithms and harmonisation of data standards across network levels.
These contrasts indicate that compliance maturity correlates with the criticality of the sector and the strength of its existing regulatory oversight. Domains historically governed by strict safety and reliability regulation, such as energy and rail, display higher baseline compliance, whereas domains characterised by municipal autonomy and public experimentation, such as Smart Cities, demonstrate more heterogeneous practices.
9.4. Convergence Towards Integrated Compliance-by-Design
A cross-sector pattern of convergence is emerging around integrated compliance-by-design methodologies. Projects across all domains increasingly embed legal requirements directly into system architecture and engineering workflows. Privacy-by-design modules, automated consent management, continuous security monitoring, and interoperable data APIs now appear as standard architectural features rather than add-on controls. The Unified Digital Twin Compliance Framework (UDTCF) and Digital Twin Compliance Evaluation Matrix (DTCEM) provide a structured method for articulating and measuring these practices, allowing developers and regulators to trace the link between legal obligations and technical implementations.
Nevertheless, full realisation of compliance-by-design will require further institutional alignment. Three measures are critical:
- Interdisciplinary compliance engineering, integrating legal, ethical, and technical expertise within project design phases.
- Certification frameworks that extend existing cybersecurity and quality standards to encompass AI transparency and data-governance conformity.
- Regulatory sandboxes and data spaces that allow controlled experimentation with high-risk Digital Twin applications while maintaining oversight and auditability.
9.5. Implications for Policy and Research
The findings highlight both the effectiveness and the limits of Europe’s current regulatory model. The combination of horizontal digital acts (GDPR, DGA, DA) and sector-specific instruments (AIA, NIS2, CRA) has created a coherent legal ecosystem that fosters trustworthy innovation. Yet, the coexistence of multiple frameworks also generates interpretive complexity, particularly for cross-domain spanning several legal regimes.
Future policy evolution should therefore focus on harmonised guidance that translates legal principles into actionable design criteria for Digital Twin developers. Research priorities should include model transparency metrics, automated compliance verification, and governance mechanisms for federated data spaces. The cross-sector evidence compiled in this review demonstrates that Digital Twins can function as both technical and regulatory integrators within the European digital transformation, provided that compliance-by-design is institutionalised across the entire lifecycle.
9.6. Limitations and Scope
The findings of this study should be interpreted in light of several limitations. First, the Unified Digital Twin Compliance Framework (UDTCF) is tailored to the European Union’s digital-regulatory ecosystem. While many principles generalise to other jurisdictions, direct application requires adaptation to local legal structures and sectoral regulatory instruments. Second, the framework assumes the presence of data-driven or AI-enabled components within Digital Twin systems. Digital Twins without such components may still benefit from the UDTCF, though obligations arising from the Artificial Intelligence Act become less salient. Third, the analysis of compliance maturity relies on publicly available documentation from real-world projects. Although each evaluation is supported by verifiable evidence, data quality and completeness vary across sectors. Fourth, the EU’s digital legislation is rapidly evolving. Future amendments to the GDPR, Data Act, or Cyber Resilience Act may necessitate updates to the framework and evaluation matrix. These limitations highlight important avenues for future research, including comparative analyses beyond the EU, deeper validation within industry settings, and automated compliance-checking methods.
10. Conclusions
This review set out to examine how the principal European digital laws collectively regulate the development and operation of Digital Twin systems across key sectors of the economy. Guided by the research questions defined in Section 2, it sought to identify (1) which European legal instruments jointly determine the regulatory environment for Digital Twins, (2) how their provisions interact to create cumulative or overlapping compliance obligations, and (3) what unified framework can support lawful, secure, and interoperable implementation of these technologies within the European Digital Single Market.
The review confirms that six instruments—the General Data Protection Regulation (GDPR), Data Governance Act (DGA), Data Act (DA), Artificial Intelligence Act (AIA), Network and Information Security Directive (NIS2), and Cyber Resilience Act (CRA)—together form an integrated yet complex legal ecosystem governing Digital Twin innovation. Their combined scope encompasses the entire lifecycle of data and intelligence, from acquisition and sharing to automated decision-making and cybersecurity. Each law maps to distinct functional layers of the Digital Twin architecture: the GDPR and DGA regulate data collection and reuse; the Data Act secures interoperability and fairness in access; the AIA governs transparency and accountability of learning components; and NIS2 and CRA ensure secure design and operational resilience.
To address this complexity, the study developed the Unified Digital Twin Compliance Framework (UDTCF) and the Digital Twin Compliance Evaluation Matrix (DTCEM). Together, they translate legal obligations into seven meta-categories—data governance and access control, data protection and privacy, cybersecurity and resilience, accountability and risk management, transparency and trust, interoperability and standardisation, and ethical and social responsibility. Applied across 12 representative European cases in Smart Cities, Industrial Manufacturing, Mobility, and Energy Systems, these frameworks provided a structured basis for evaluating compliance maturity and identifying both convergences and gaps.
The cross-sectoral analysis demonstrates that Europe’s Digital Twin landscape is progressing toward mature, law-aligned deployment. Governance, cybersecurity, and interoperability consistently achieve compliant or fully compliant status, reflecting the success of EU-wide standardisation and security policies. However, transparency and explainability remain partially fulfilled across all domains. The opacity of AI-driven modules and the absence of standardised explainability metrics continue to pose barriers to full conformity with the Artificial Intelligence Act. Accountability and ethical responsibility, though widely acknowledged, require more systematic operationalisation through traceable audits, certification schemes, and fairness assurance protocols.
The findings yield three key insights for European digital policy and research:
- Compliance-by-design must become a formal engineering discipline. The study shows that technical and legal design cannot be separated; embedding compliance mechanisms within architectures, workflows, and data models is now essential for lawful innovation.
- Harmonisation of interpretive guidance is needed across digital acts. Developers face uncertainty when obligations overlap. Coordinated guidance from the European Commission, ENISA, and the AI Office could translate abstract legal principles into concrete design criteria.
- Digital Twins are strategic enablers of both regulatory compliance and digital sovereignty. An example of this principle is the use of Digital Twin platforms to embed automated data-governance controls and audit trails directly into system workflows. By generating immutable, machine-readable logs aligned with GDPR and Data Act obligations, a Digital Twin can function not only as a regulated technology but also as an operational mechanism for enforcing lawful data access, traceability, and accountability by design.
In conclusion, the review demonstrates that the European regulatory framework provides a robust foundation for trustworthy and innovation-oriented Digital Twin deployment. Yet, achieving full compliance maturity will depend on institutionalising cross-disciplinary collaboration between legislators, engineers, and data governance experts. As Digital Twins evolve from experimental pilots to critical infrastructures, their success will rest on the capacity to merge technological excellence with legal certainty, ensuring that Europe’s digital transformation remains both competitive and accountable to its fundamental rights and societal values. Taken together, these findings confirm that the Unified Digital Twin Compliance Framework and its accompanying Evaluation Matrix constitute a validated analytical foundation for cross-sectoral assessment of regulatory compliance, supporting the systematic integration of legal and technical design principles in future Digital Twin research and innovation.
Author Contributions
Conceptualization, B.N.J.; methodology, Z.G.M.; validation, Z.G.M. and B.N.J.; formal analysis, Z.G.M. and B.N.J.; investigation, Z.G.M. and B.N.J.; resources, B.N.J.; data curation, Z.G.M.; writing—original draft preparation, B.N.J.; writing—review and editing, Z.G.M. and B.N.J.; visualization, B.N.J. All authors have read and agreed to the published version of the manuscript.
Funding
This research received no external funding.
Data Availability Statement
No new data were created or analyzed in this study.
Conflicts of Interest
The authors declare no conflicts of interest.
Abbreviations
The following abbreviations are used in this manuscript:
| AI | Artificial Intelligence |
| AIA | Artificial Intelligence Act |
| API | Application Programming Interface |
| CIM | Common Information Model |
| CRA | Cyber Resilience Act |
| CSIRT | Computer Security Incident Response Team |
| DA | Data Act |
| DGA | Data Governance Act |
| DPIA | Data Protection Impact Assessment |
| DPO | Data Protection Officer |
| DSO | Distribution System Operator |
| DTCEM | Digital Twin Compliance Evaluation Matrix |
| DT | Digital Twin |
| ENISA | European Union Agency for Cybersecurity |
| EU | European Union |
| FRAND | Fair, Reasonable, and Non-Discriminatory |
| GAIA-X | GAIA-X European Data Infrastructure |
| GDPR | General Data Protection Regulation |
| IEC | International Electrotechnical Commission |
| IFC | Industry Foundation Classes |
| IoT | Internet of Things |
| ISO | International Organization for Standardization |
| NC | Non-Compliant |
| NIS2 | Network and Information Security Directive |
| REST | Representational State Transfer |
| SPE | Secure Processing Environment |
| TSO | Transmission System Operator |
| UDTCF | Unified Digital Twin Compliance Framework |
| VPP | Virtual Power Plant |
Glossary of Key Terms
| Compliance-by-design | An engineering principle requiring that regulatory obligations be incorporated into system architecture, workflows, and controls from the earliest stages of design. |
| Secure Processing Environment (SPE) | A controlled computational environment that enforces strict access control, data segregation, and auditability to ensure secure re-use of protected data under the Data Governance Act. |
| High-risk AI | AI systems classified under the Artificial Intelligence Act as presenting significant risks to health, safety, or fundamental rights; subject to enhanced requirements for risk management, human oversight, transparency, and robustness. |
| Interoperability | The ability of systems or components to exchange data using shared formats, protocols, and semantics, ensuring portability and cross-platform functionality. |
| Human-in-the-loop | A design requirement that mandates human oversight, review, or intervention in automated processes to ensure accountability and reduce risks from automated decision-making. |
| Data minimisation | A GDPR principle requiring that personal data collected or processed be limited to what is strictly necessary for the intended purpose. |
| Pseudonymisation | A technique that replaces identifying attributes of personal data with artificial identifiers, reducing re-identification risk while preserving analytical usefulness. |
| Data portability | A data subject’s right to receive their personal data in a structured, machine-readable format and transmit it to another controller. |
| Audit trail | A detailed, tamper-evident log of data flows, decision processes, or system events supporting accountability, monitoring, and regulatory compliance. |
References
- Grieves, M.; Vickers, J. Origins of the Digital Twin Concept; Florida Institute of Technology: Melbourne, FL, USA, 2016. [Google Scholar]
- Glaessgen, E.H.; Stargel, D.S. The Digital Twin Paradigm for Future NASA and U.S. Air Force Vehicles. In Proceedings of the 53rd AIAA/ASME/ASCE/AHS/ASC Structures, Structural Dynamics and Materials Conference, Honolulu, HI, USA, 23–26 April 2012. [Google Scholar] [CrossRef]
- Sharma, A.; Kosasih, E.; Zhang, J.; Brintrup, A.; Calinescu, A. Digital Twins: State of the art theory and practice, challenges, and open research questions. J. Ind. Inf. Integr. 2022, 30, 100383. [Google Scholar] [CrossRef]
- Jørgensen, B.N.; Howard, D.A.; Clausen, C.S.B.; Ma, Z. Digital Twins: Benefits, Applications and Development Process. In Proceedings of the Progress in Artificial Intelligence, Faial Island, Portugal, 5–8 September 2023; Cham, N., Moniz, Z., Vale, J., Cascalho, C.S., Sebastião, R., Eds.; Springer Nature: Cham, Switzerland, 2023; pp. 511–522. [Google Scholar]
- Farhat, H.; Altarawneh, A. Physics-Informed Machine Learning for Intelligent Gas Turbine Digital Twins: A Review. Energies 2025, 18, 5523. [Google Scholar] [CrossRef]
- Tao, F.; Zhang, H.; Zhang, C. Advancements and challenges of digital twins in industry. Nat. Comput. Sci. 2024, 4, 169–177. [Google Scholar] [CrossRef] [PubMed]
- Wu, D.; Zheng, A.; Yu, W.; Cao, H.; Ling, Q.; Liu, J.; Zhou, D. Digital Twin Technology in Transportation Infrastructure: A Comprehensive Survey of Current Applications, Challenges, and Future Directions. Appl. Sci. 2025, 15, 1911. [Google Scholar] [CrossRef]
- Jørgensen, B.N.; Ma, Z.G. Digital Twin of the European Electricity Grid: A Review of Regulatory Barriers, Technological Challenges, and Economic Opportunities. Appl. Sci. 2025, 15, 6475. [Google Scholar] [CrossRef]
- Ketzler, B.; Naserentin, V.; Latino, F.; Zangelidis, C.; Thuvander, L.; Logg, A. Digital Twins for Cities: A State of the Art Review. Built Environ. 2020, 46, 547–573. [Google Scholar] [CrossRef]
- Caprari, G.; Castelli, G.; Montuori, M.; Camardelli, M.; Malvezzi, R. Digital Twin for Urban Planning in the Green Deal Era: A State of the Art and Future Perspectives. Sustainability 2022, 14, 6263. [Google Scholar] [CrossRef]
- Zhao, X.; Zhang, Y. Integrated management of urban resources toward Net-Zero smart cities considering renewable energies uncertainty and modeling in Digital Twin. Sustain. Energy Technol. Assess. 2024, 64, 103656. [Google Scholar] [CrossRef]
- Grotto, A.; Casas, P.F.i.; Zubaryeva, A.; Sparber, W. Formalizing Sustainable Urban Mobility Management: An Innovative Approach with Digital Twin and Integrated Modeling. Logistics 2024, 8, 117. [Google Scholar] [CrossRef]
- Krenczyk, D.; Paprocka, I. Integration of Discrete Simulation, Prediction, and Optimization Methods for a Production Line Digital Twin Design. Materials 2023, 16, 2339. [Google Scholar] [CrossRef]
- van Dinter, R.; Tekinerdogan, B.; Catal, C. Predictive maintenance using digital twins: A systematic literature review. Inf. Softw. Technol. 2022, 151, 107008. [Google Scholar] [CrossRef]
- Singh, G.; Singh, S.; Daultani, Y.; Chouhan, M. Measuring the influence of digital twins on the sustainability of manufacturing supply chain: A mediating role of supply chain resilience and performance. Comput. Ind. Eng. 2023, 186, 109711. [Google Scholar] [CrossRef]
- Ali, W.A.; Fanti, M.P.; Roccotelli, M.; Ranieri, L. A Review of Digital Twin Technology for Electric and Autonomous Vehicles. Appl. Sci. 2023, 13, 5871. [Google Scholar] [CrossRef]
- Belik, M.; Rubanenko, O. Implementation of Digital Twin for Increasing Efficiency of Renewable Energy Sources. Energies 2023, 16, 4787. [Google Scholar] [CrossRef]
- Abo-Khalil, A.G. Digital twin real-time hybrid simulation platform for power system stability. Case Stud. Therm. Eng. 2023, 49, 103237. [Google Scholar] [CrossRef]
- Værbak, M.; Billanes, J.D.; Jørgensen, B.N.; Ma, Z. A Digital Twin Framework for Simulating Distributed Energy Resources in Distribution Grids. Energies 2024, 17, 2503. [Google Scholar] [CrossRef]
- Mureddu, F.; Paciaroni, A.; Pavelka, T.; Pemberton, A.; Remotti, L.A. Rights and Responsibilities: Legal and Ethical Considerations in Adopting Local Digital Twin Technology. In Decide Better: Open and Interoperable Local Digital Twins; Raes, L., Ruston McAleer, S., Croket, I., Kogut, P., Brynskov, M., Lefever, S., Eds.; Springer Nature: Cham, Switzerland, 2025; pp. 291–317. [Google Scholar]
- European Parliament, Council of the European Union. Regulation (EU) 2016/679 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data (General Data Protection Regulation, GDPR). Available online: https://eur-lex.europa.eu/eli/reg/2016/679/oj/eng (accessed on 7 September 2025).
- European Parliament, Council of the European Union. Regulation (EU) 2022/868 on European Data Governance and Amending Regulation (EU) 2018/1724 (Data Governance Act). Available online: https://eur-lex.europa.eu/eli/reg/2022/868/oj/eng (accessed on 7 September 2025).
- European Parliament, Council of the European Union. Regulation (EU) 2023/2854 on Harmonised Rules on Fair Access to and Use of Data (Data Act). Available online: https://eur-lex.europa.eu/eli/reg/2023/2854/oj/eng (accessed on 7 September 2025).
- European Parliament, Council of the European Union. Regulation (EU) 2024/1689 Laying Down Harmonised Rules on Artificial Intelligence (Artificial Intelligence Act). Available online: https://eur-lex.europa.eu/eli/reg/2024/1689/oj/eng (accessed on 7 September 2025).
- European Parliament, Council of the European Union. Directive (EU) 2022/2555 on Measures for a High Common Level of Cybersecurity Across the Union (NIS2 Directive). Available online: https://eur-lex.europa.eu/eli/dir/2022/2555/oj/eng (accessed on 7 September 2025).
- European Parliament, Council of the European Union. Regulation (EU) 2024/2847 on Horizontal Cybersecurity Requirements for Products with Digital Elements (Cyber Resilience Act). Available online: https://eur-lex.europa.eu/eli/reg/2024/2847/oj/eng (accessed on 7 September 2025).
- Lennon, Y.; Julien, N.; Quin, A. Ensuring Personal Data Compliance by Integrating Legal Constraints into Digital Twin Design Methodology. In Proceedings of the 35th European Safety and Reliability & the 33rd Society for Risk Analysis Europe Conference (ESREL–SRA-E 2025), Trondheim, Norway, 2 June 2025; pp. 1618–1625. [Google Scholar]
- Bäumer, F.S.; Schultenkämper, S.; Geierhos, M.; Lee, Y.S. Mirroring Privacy Risks with Digital Twins: When Pieces of Personal Data Suddenly Fit Together. SN Comput. Sci. 2024, 5, 1109. [Google Scholar] [CrossRef]
- Dhinakaran, D.; Edwin Raja, S.; Ramathilagam, A.; Vennila, G.; Alagulakshmi, A. Ethical and legal challenges with IoT in home digital twins. MethodsX 2025, 14, 103409. [Google Scholar] [CrossRef] [PubMed]
- Schultes, E.; Roos, M.; Bonino da Silva Santos, L.O.; Guizzardi, G.; Bouwman, J.; Hankemeier, T.; Baak, A.; Mons, B. FAIR Digital Twins for Data-Intensive Research. Front. Big Data 2022, 5. (In English) [Google Scholar] [CrossRef] [PubMed]
- Garske, B.; Holz, W.; Ekardt, F. Digital twins in sustainable transition: Exploring the role of EU data governance. Front. Res. Metr. Anal. 2024, 9, 1303024. (In English) [Google Scholar] [CrossRef]
- Jørgensen, B.N.; Gunasekaran, S.S.; Ma, Z.G. Impact of EU Laws on AI Adoption in Smart Grids: A Review of Regulatory Barriers, Technological Challenges, and Stakeholder Benefits. Energies 2025, 18, 3002. [Google Scholar] [CrossRef]
- Coppolino, L.; Nardone, R.; Petruolo, A.; Romano, L. Building Cyber-Resilient Smart Grids with Digital Twins and Data Spaces. Appl. Sci. 2023, 13, 13060. [Google Scholar] [CrossRef]
- Hananto, A.L.; Veza, I. Governance Framework for Intelligent Digital Twin Systems in Battery Storage: Aligning Standards, Market Incentives, and Cybersecurity for Decision Support of Digital Twin in BESS. Computers 2025, 14, 365. [Google Scholar] [CrossRef]
- ISO/IEC 27000 family; Information Security Management. International Organization for Standardization (ISO): Geneva, Switzerland. Available online: https://www.iso.org/standard/iso-iec-27000-family (accessed on 7 September 2025).
- ISO 31000:2018; Risk Management—Guidelines. International Organization for Standardization (ISO): Geneva, Switzerland. Available online: https://www.iso.org/standard/65694.html (accessed on 7 September 2025).
- Living-in.EU Movement. Living-in.EU: Join Us in Building the European Way of Digital Transformation for 300 Million Europeans. Available online: https://living-in.eu/ (accessed on 7 September 2025).
- European Commission. EU Mission: Climate-Neutral and Smart Cities. Available online: https://research-and-innovation.ec.europa.eu/funding/funding-opportunities/funding-programmes-and-open-calls/horizon-europe/eu-missions-horizon-europe/climate-neutral-and-smart-cities_en (accessed on 7 September 2025).
- European Commission. European Green Deal: A Climate-Neutral Europe by 2050. Available online: https://commission.europa.eu/strategy-and-policy/priorities-2019-2024/european-green-deal_en (accessed on 7 September 2025).
- European Commission. Digital Decade Policy Programme 2030. Available online: https://digital-strategy.ec.europa.eu/en/policies/digital-decade-policy-programme (accessed on 7 September 2025).
- Zoan Corporation. Virtual Helsinki—World’s First City in the Metaverse (Case Study). Available online: https://zoan.com/en/cases/virtual-helsinki/ (accessed on 7 September 2025).
- City of Helsinki. Data Protection—City of Helsinki. Available online: https://www.hel.fi/en/decision-making/information-on-helsinki/data-protection-and-information-management/data-protection (accessed on 7 September 2025).
- City of Helsinki. Open Geographic Data—City of Helsinki. Available online: https://www.hel.fi/en/decision-making/information-on-helsinki/maps-and-geospatial-data/make-better-use-of-geospatial-data/open-geographic-data (accessed on 7 September 2025).
- City of Helsinki (Bentley Systems). City of Helsinki Expands Digitalization with Citywide Digital Twin; In Case Study–Bentley Applications Bring Stakeholders and Citizens Together with an Open Digital City Platform; Bentley Systems: Exton, PA, USA, 2022; Available online: https://www.bentley.com/wp-content/uploads/2022/05/CS-City-of-Helsinki-Citywide-Digital-Twin-LTR-EN-LR.pdf (accessed on 7 September 2025).
- Smart Dublin Initiative. Smart Dublin: Innovation for a Connected and Resilient Dublin Region. Available online: https://smartdublin.ie/ (accessed on 7 September 2025).
- Cities Coalition for Digital Rights. Dublin—City of Human-Centric Digital Innovation. Available online: https://citiesfordigitalrights.org/city/dublin (accessed on 7 September 2025).
- Dhingra, M.; Kerr, A.; Lehane, J.R. Rethinking Digital Twins and Building Alternatives for Smart City Planning in Dublin. In Proceedings of the the 60th ISOCARP World Planning Congress: “Future Cities—Exploring the Invisible Cities”, Toronto, ON, Canada, 8–12 October 2024; pp. 254–264. Available online: https://isocarp.org/app/uploads/2025/04/ISOCARP_2024_Dhingra_254.pdf (accessed on 7 September 2025).
- Appleton, J. Smart Dublin: Future-Proofing The Irish Capital. Available online: https://www.beesmart.city/en/smart-city-blog/smart-dublin-city-portrait (accessed on 7 September 2025).
- Smart Dublin Initiative. Dublin City Council Joins the Twin4Resilience Interreg Project. Available online: https://smartdublin.ie/dublin-city-council-joins-the-twin4resilience-interreg-project/ (accessed on 7 September 2025).
- Centre for Bold Cities. Urban Digital Twins. Available online: https://www.centre-for-bold-cities.nl/projects/urban-digital-twins (accessed on 7 September 2025).
- Wray, S. Rotterdam Forges Ahead with Homegrown Digital Twin. Available online: https://cities-today.com/rotterdam-forges-ahead-with-homegrown-digital-twin/ (accessed on 7 September 2025).
- Ricciardi, G.; Callegari, G. Digital Twins for Climate-Neutral and Resilient Cities. State of the Art and Future Development as Tools to Support Urban Decision-Making. In Proceedings of the International Conference on Technological Imagination in the Green and Digital Transition, Rome, Italy, 30 June–2 July 2022; Springer International Publishing: Cham, Switzerland, 2023; pp. 617–626. [Google Scholar]
- De Jaeger, A. Towards a Right to the Smart City? Citizen Participation in Rotterdam’s Urban Digital Twin. Masters Thesis, Erasmus University, Rotterdam, The Netherlands, 2024. Available online: https://www.centre-for-bold-cities.nl/uploads/cfbc/attachments/Working%20Paper%20%2314%20-%20Towards%20a%20Right%20to%20the%20Smart%20City%EF%80%A5%20Citizen%20Participation%20in%20Rotterdam%27s%20Urban%20Digital%20Twin.pdf (accessed on 7 September 2025).
- City of Helsinki. Helsinki 3D—The 3D City Models of Helsinki (Digital Twin). Available online: https://www.hel.fi/en/decision-making/information-on-helsinki/maps-and-geospatial-data/helsinki-3d (accessed on 7 September 2025).
- City of Helsinki. Kalasatama Digital Twins—KIRA-digi Pilot Project. Available online: https://www.kiradigi.fi/en/experiments/ongoing-projects/kalasatama-digital-twins.html (accessed on 7 September 2025).
- Smart Dublin Initiative. Dublinked: Open Data for the Dublin Region—Smart Dublin. Available online: https://data.smartdublin.ie/dataset (accessed on 7 September 2025).
- Dublin City Council. Smart Dublin Framework (Policy 9.5.11.1)—Dublin City Development Plan 2016–2022. Available online: https://www.dublincity.ie/dublin-city-development-plan-2016-2022/9-sustainable-environmental-infrastructure/95-policies-and-objectives/95111-smart-dublin-framework (accessed on 7 September 2025).
- Municipality of Rotterdam. Rotterdam in Transformation: The Convergence of Social, Physical & Digital Rotterdam. City of Rotterdam/CIO Office: 2024/10 2024. Available online: https://oascities.org/wp-content/uploads/2024/11/Rotterdam-in-tranformation-vision-on-the-digital-city-1.0.pdf (accessed on 7 September 2025).
- Dublin City Council (Dublin City Council). Quality Assurance Report 2022. Dublin City Council: 2023/05/31 2022. Available online: https://www.dublincity.ie/sites/default/files/2023-05/Dublin%20City%20Council%20Quality%20Assurance%20Report%202022.pdf (accessed on 7 September 2025).
- Bentley Systems. Improving the Environment with a City-Scale Digital Twin—City of Helsinki. Available online: https://www.bentley.com/company/esg-user-project-city-of-helsinki/ (accessed on 7 September 2025).
- Khemlani, L. Digital Twins Implementation in the City of Dublin, Ireland. Available online: https://www.aecbytes.com/feature/2025/DublinDigitalTwins.html (accessed on 7 September 2025).
- Ghaith, M.; Yosri, A.; El-Dakhakhni, W. Digital Twin: A City-Scale Flood Imitation Framework. In Proceedings of the Canadian Society of Civil Engineering Annual Conference, 26–29 May 2021. [Google Scholar]
- Heiskanen, A. Helsinki is Building a Digital Twin of the City. Available online: https://aec-business.com/helsinki-is-building-a-digital-twin-of-the-city/ (accessed on 7 September 2025).
- European Environment Agency. Coupling High-Resolution Flood Modelling and 3D Digital Twins for Climate Change Adaptation. Available online: https://climate-adapt.eea.europa.eu/en/mission/solutions/mission-stories/coupling-high-resolution-flood-modelling-story34 (accessed on 7 September 2025).
- Julin, A.; Jaalama, K.; Virtanen, J.-P.; Pouke, M.; Ylipulli, J.; Vaaja, M.; Hyyppä, J.; Hyyppä, H. Characterizing 3D City Modeling Projects: Towards a Harmonized Interoperable System. ISPRS Int. J. Geo-Inf. 2018, 7, 55. [Google Scholar] [CrossRef]
- ISO 37106:2021; Sustainable Cities and Communities—Guidance on Establishing Smart City Operating Models for Sustainable Communities. International Organization for Standardization (ISO): Geneva, Switzerland. Available online: https://www.iso.org/standard/82854.html (accessed on 7 September 2025).
- Virtanen, J.-P. What Will the Future of Helsinki’s Digital Twins Be Like? Available online: https://forumvirium.fi/en/future-blog-what-will-the-future-of-helsinkis-digital-twins-be-like/ (accessed on 7 September 2025).
- Rahmani, R.; Jesus, C.; Lopes, S.I. Implementations of Digital Transformation and Digital Twins: Exploring the Factory of the Future. Processes 2024, 12, 787. [Google Scholar] [CrossRef]
- Fernández-Miguel, A.; García-Muiña, F.E.; Ortíz-Marcos, S.; Jiménez-Calzado, M.; Fernández del Hoyo, A.P.; Settembre-Blundo, D. AI-Driven Transformations in Manufacturing: Bridging Industry 4.0, 5.0, and 6.0 in Sustainable Value Chains. Future Internet 2025, 17, 430. [Google Scholar] [CrossRef]
- European Factories of the Future Research Association (EFFRA). Made in Europe—State of Play. Available online: https://www.effra.eu/made-in-europe-state-play/ (accessed on 7 September 2025).
- European Factories of the Future Research. European Factories of the Future Research Association (EFFRA)—Factories of the Future. Available online: https://www.effra.eu/factories-future/ (accessed on 7 September 2025).
- European Commission. A European Strategy for Data. Available online: https://digital-strategy.ec.europa.eu/en/policies/strategy-data (accessed on 7 September 2025).
- European Commission. Mid-Term Review on the implementation of the Digital Single Market Strategy: A Connected Digital Single Market for All. In Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions, COM/2017/0228 Final; Commission of the European Communities: Brussels, Belgium, 2017; Available online: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A52017DC0228 (accessed on 7 September 2025).
- Siemens A.G. Industrial Edge—Siemens Automation Topic Area. Available online: https://www.siemens.com/global/en/products/automation/topic-areas/industrial-edge.html?VYYsN9YhU0ZselectedFilters=0-2ca0e474-dac8-4d31-86df-ce240b196f7d (accessed on 7 September 2025).
- Siemens A.G. Digital Twin—Siemens Digital Enterprise. Available online: https://www.siemens.com/global/en/products/automation/topic-areas/digital-enterprise/digital-twin.html (accessed on 7 September 2025).
- Siemens A.G. Insights Hub—Siemens Digital Industries Software. Available online: https://plm.sw.siemens.com/en-US/insights-hub/ (accessed on 7 September 2025).
- Siemens A.G. Simulation Process and Data Management (SPDM) with Teamcenter Simulation. Available online: https://plm.sw.siemens.com/en-US/teamcenter/solutions/simulation-process-data-management-spdm/ (accessed on 7 September 2025).
- ISO/IEC 27001:2022; Information Security, Cybersecurity and Privacy Protection—Information Security Management Systems—Requirements. International Organization for Standardization (ISO): Geneva, Switzerland. Available online: https://www.iso.org/standard/27001 (accessed on 7 September 2025).
- Siemens A.G. Cybersecurity Governance—Siemens Trust Center. Available online: https://www.sw.siemens.com/en-US/trust-center/cybersecurity-governance/ (accessed on 7 September 2025).
- Bosch Rexroth A.G. Factory Automation—Bosch Rexroth Solutions. Available online: https://www.boschrexroth.com/en/us/factory-automation/ (accessed on 7 September 2025).
- Bosch Rexroth A.G. Digital Twin: Reflecting Reality. Available online: https://apps.boschrexroth.com/microsites/ctrlX-automation/en/news-stories/story/digital-twin-reflecting-reality/ (accessed on 7 September 2025).
- Bosch Rexroth A.G. Data Protection Notice—Bosch Rexroth AG. Available online: https://www.boschrexroth.com/en/dc/data-protection-notice/ (accessed on 7 September 2025).
- Bosch Rexroth A.G. Bosch Rexroth’s ctrlX World is Growing—Focus Shifts Increasingly Toward IT/OT Convergence. Available online: https://www.boschrexroth.com/en/de/company/press/ctrlx-world-is-growing-27136.html (accessed on 7 September 2025).
- Bosch Global Software Technologies Pvt Ltd. Cyber Security—Engineering Smart Products (Bosch Global Software Technologies). Available online: https://www.bosch-softwaretechnologies.com/en/services/engineering-services/engineering-smart-products/cyber-security/ (accessed on 7 September 2025).
- IIoT Use Case GmbH. RHEBO and Bosch Rexroth: The Perfect Combination for Cyber-Security and Stability. Available online: https://iotusecase.com/en/solution-examples/rhebo-and-bosch-rexroth-the-perfect-combination-for-cyber-security-and-stability-1/ (accessed on 7 September 2025).
- Fraunhofer. Digital Twin—The Key Concept for Industrie 4.0. Available online: https://www.iosb.fraunhofer.de/en/business-units/automation-digitalization/digital-twin.html (accessed on 7 September 2025).
- Pettenpohl, H.; Langkau, J.; Gelhaar, J.; Mitani, K.; Hupperz, M.; Huber, M.; Jahnke, N.; Brandstädter, R.; Wessel, S.; Bader, S. GAIA-X and IDS: Position Paper of the IDS Association; Version 1.0; International Data Spaces Association (IDSA): Berlin, Germany, 2021; Available online: https://internationaldataspaces.org/wp-content/uploads/dlm_uploads/IDSA-Position-Paper-GAIA-X-and-IDS.pdf (accessed on 7 September 2025).
- Bosch Rexroth A.G. Using REST API of ctrlX CORE. Available online: https://community.boschrexroth.com/ctrlx-automation-how-tos-qmglrz33/post/using-rest-api-of-ctrlx-core-HCE2Q8WW3uhUYOh (accessed on 7 September 2025).
- Otto, B.; Auer, S.; Cirullies, J.; Jürjens, J.; Menz, N.; Schon, J.; Wenzel, S. Industrial Data Space: Digital Sovereignty over Data—White Paper; Fraunhofer-Gesellschaft zur Förderung der Angewandten Forschung e.V.: Munich, Germany, 2016; Grant ID 01IS15054; Available online: https://www.fraunhofer.de/content/dam/zv/en/fields-of-research/industrial-data-space/whitepaper-industrial-data-space-eng.pdf (accessed on 7 September 2025).
- Siemens A.G. SIMATIC PCS 7—Industrial Security. Available online: https://www.siemens.com/global/en/products/automation/process-control/simatic-pcs-7/industrial-security.html (accessed on 7 September 2025).
- Mock, M.; Schmidt, S.; Müller, F.; Görge, R.; Schmitz, A.; Haedecke, E.; Voss, A.; Hecker, D.; Poretschkin, M. Developing Trustworthy AI Applications with Foundation Models; Fraunhofer Institute for Intelligent Analysis and Information Systems (IAIS): Sankt Augustin, Germany, 2024; Available online: https://www.iais.fraunhofer.de/content/dam/iais/publikationen/studien-und-whitepaper/2024/Fraunhofer_IAIS_Whitepaper_trustworthy_AI_applications_Web.pdf (accessed on 7 September 2025).
- ISA/IEC 62443; Security for Industrial Automation and Control Systems (IACS). International Society of Automation (ISA): Durham, NC, USA. Available online: https://www.isa.org/standards-and-publications/isa-standards/isa-iec-62443-series-of-standards (accessed on 7 September 2025).
- Siemens A.G. ONE Industrial Cybersecurity: Configuration Manual (01/2024); A5E51912408B AB.; Siemens Industry Online Support: 2024. Available online: https://cache.industry.siemens.com/dl/files/842/109925842/att_1262081/v1/ONE_IndustrialCybersecurity_config_man_0124_en-US.pdf (accessed on 7 September 2025).
- Bosch Rexroth A.G. Cyber Resilience Act (CRA)—Bosch Rexroth ctrlX AUTOMATION. Available online: https://apps.boschrexroth.com/microsites/ctrlx-automation/en/cra/ (accessed on 7 September 2025).
- Fraunhofer. Secure Identities for Automation Systems according to IEC 62443. Available online: https://www.iosb-ina.fraunhofer.de/en/divisions/Cyber-security-in-production/seminars/secure-identities-after-iec62443.html (accessed on 7 September 2025).
- Bosch Group. Annual Report 2024; Bosch Group: Stuttgart, Germany, 2024; Available online: https://assets.bosch.com/media/global/bosch_group/our_figures/pdf/bosch-annual-report-2024.pdf (accessed on 7 September 2025).
- Fraunhofer. Annual Report 2024; Fraunhofer-Gesellschaft: Munich, Germany, 2024; 2024/07/15; Available online: https://www.fraunhofer.de/en/media-center/publications/fraunhofer-annual-report/annual-report-2024.html (accessed on 7 September 2025).
- Siemens A.G. MindSphere app Predictive Service Assistance Uses Artificial Intelligence to Optimize Maintenance Efficiency of Drive Systems. 2020. Available online: https://press.siemens.com/global/en/pressrelease/mindsphere-application-predictive-service-assistance-uses-artificial-intelligence (accessed on 7 September 2025).
- Bosch Rexroth A.G. Predictive Maintenance—Service & Support—Bosch Rexroth. Available online: https://www.boschrexroth.com/en/hu/service-and-support/service/predictive-maintenance/ (accessed on 7 September 2025).
- Bosch Rexroth A.G. ctrlX OS-OPC UA Server. Available online: https://community.boschrexroth.com/ctrlx-automation-how-tos-qmglrz33/post/ctrlx-os---opc-ua-server-2J3tFReDuoM8Svz (accessed on 7 September 2025).
- ISO 23247-1:2021; Automation Systems and Integration: Digital Twin Framework for Manufacturing—Part 1: Overview and General Principles. International Organization for Standardization (ISO): Geneva, Switzerland. Available online: https://www.iso.org/standard/75066.html (accessed on 7 September 2025).
- Knußmann, J.; Schmitt, R.H. Real-Time Digital Twin. In Real-Time Digital Twin; Fraunhofer Institute for Production Technology IPT: Aachen, Germany, 2022; Available online: https://publica-rest.fraunhofer.de/server/api/core/bitstreams/741ecb0b-1d56-4d14-835b-f95708c5295d/content (accessed on 7 September 2025).
- Siemens A.G. Sustainability Report 2024; Report No. A19100-V112-V4-7600; Siemens AG: Munich, Germany, 2024; Available online: https://assets.new.siemens.com/siemens/assets/api/uuid:32a7154d-edba-47bc-8e9b-9761617ba774/sustainability-report.pdf (accessed on 7 September 2025).
- Bosch Rexroth A.G. Sustainability—Bosch Rexroth. Available online: https://www.boschrexroth.com/en/dc/company/sustainability/ (accessed on 7 September 2025).
- Fraunhofer. FAIR Data Spaces—Fraunhofer FIT Annual Report 2024. Available online: https://www.fit.fraunhofer.de/en/publikationen/annual-report-2024/FAIR-Data-Spaces.html (accessed on 7 September 2025).
- European Commission. Sustainable & Smart Mobility: EU Mobility & Transport Achievements 2019–2024. Available online: https://transport.ec.europa.eu/transport-themes/eu-mobility-transport-Achievements-2019-2024/sustainable-smart-mobility_en (accessed on 7 September 2025).
- Hamburg Port Authority. Digital Testing Ground—Hamburg Port Authority. Available online: https://www.hamburg-port-authority.de/en/themenseiten/digital-testing-ground (accessed on 7 September 2025).
- Hamburg Port Authority. smartPORT—The Intelligent Port. Available online: https://www.hamburg-port-authority.de/en/hpa-360/smartport (accessed on 7 September 2025).
- Meier, J. Wir sind für Ideen offen—Digitale Transformation im Hamburger Hafen. Available online: https://www.hafen-hamburg.de/en/port-of-hamburg-magazine/the-digital-transformation/wir-sind-fuer-ideen-offen/ (accessed on 7 September 2025).
- Hamburg Port Authority. chainPORT—A Global Network of Interconnected Logistics Hubs. Available online: https://www.hamburg-port-authority.de/en/chainport (accessed on 7 September 2025).
- Khemlani, L. SmartBRIDGE Hamburg: A Digital Twin in Action. Available online: https://www.aecbytes.com/feature/2022/SmartBRIDGE-Hamburg.html (accessed on 7 September 2025).
- Port Technology Team. Hamburg Port Authority Urges Industry to Focus on Cybersecurity. Available online: https://www.porttechnology.org/news/hamburg-port-authority-urges-industry-to-focus-on-cybersecurity/ (accessed on 7 September 2025).
- Fennessy, M.; Priebe, A. TwinSim Project: A Digital Twin for Hamburg’s Port. Available online: https://www.uni-hamburg.de/en/newsroom/forschung/2022/0825-fv-11-projekt-hafenzwilling.html (accessed on 7 September 2025).
- Neugebauer, J.; Heilig, L.; Voß, S. Digital Twins in the Context of Seaports and Terminal Facilities. Flex. Serv. Manuf. J. 2024, 36, 821–917. [Google Scholar] [CrossRef]
- Digitale Schiene Deutschland. Digitale Schiene Deutschland and NVIDIA Collaborate on a Digital Twin of the Rail Network. Available online: https://digitale-schiene-deutschland.de/en/news/2022/digital-twin (accessed on 7 September 2025).
- Speed, V. On Track with a Digital Mindset. Available online: https://www.gim-international.com/content/article/on-track-with-a-digital-mindset (accessed on 7 September 2025).
- Royal Schiphol Group. Deep Turnaround: How Does It Work? Available online: https://www.schiphol.nl/en/aviation-solutions/deep-turnaround-how-does-it-work/ (accessed on 7 September 2025).
- Future Travel Experience. How Schiphol Is Leveraging Tech, Design, Data and AI-Powered Intelligence to Redefine Airport Capacity and Flow Management. Available online: https://www.futuretravelexperience.com/2025/07/how-schiphol-is-leveraging-tech-design-data-and-ai-powered-intelligence-to-redefine-airport-capacity-and-flow-management/ (accessed on 7 September 2025).
- Baumann, J. Digital Twin Helps Airport Optimize Operations. Available online: https://www.esri.com/about/newsroom/arcuser/digital-twin-helps-airport-optimize-operations (accessed on 7 September 2025).
- Royal Schiphol Group. Risk Management and Internal Control. 2024. Available online: https://assets.ctfassets.net/biom0eqyyi6b/3zmH4sMldK7Qj9651YGLan/9470398be8a1259173babc477bf94413/Risk_management_and_internal_control.pdf (accessed on 7 September 2025).
- PwC Netherlands. Schiphol Airport: Creating a Digital Twin to Improve Passenger Experience and Operational Efficiency. Available online: https://www.pwc.nl/en/topics/digital/clientcases/schiphol-airport.html (accessed on 7 September 2025).
- Weinberg, A. The Role and Applications of Airport Digital Twin in Cyberattack Protection During the Generative AI Era. arXiv arXiv:2408.05248. [CrossRef]
- Netherlands Enterprise Agency. NIS2 Directive: Protecting Network and Information Systems. Available online: https://business.gov.nl/amendment/nis2-directive-protects-network-information-systems/ (accessed on 7 September 2025).
- Geyer, M. On Track: Digitale Schiene Deutschland Building Digital Twin of Rail Network in NVIDIA Omniverse. Available online: https://blogs.nvidia.com/blog/deutsche-bahn-railway-system-digital-twin/ (accessed on 7 September 2025).
- Hamburg Port Authority. Data Privacy Statement—Hamburg Port Authority. Available online: https://www.hamburg-port-authority.de/en/privacy-policy/ (accessed on 7 September 2025).
- Amazon Web Services. AWS IoT Helps Deutsche Bahn Improve Operational Efficiency Across 6,500 Trains and 37,000 Miles of Track. Available online: https://aws.amazon.com/solutions/case-studies/deutsche-bahn-case-study/ (accessed on 7 September 2025).
- Royal Schiphol Group. The Predictive Power of Wilbur—Schiphol Innovation Blog. Available online: https://www.schiphol.nl/en/innovation/blog/the-predective-power-of-wilbur/ (accessed on 7 September 2025).
- Royal Schiphol Group. Accurately Predict Traveller Movements in Real-Time—Schiphol Developer Center. Available online: https://www.schiphol.nl/nl/developer-center/accurately-predict-traveller-movements-in-real-time/ (accessed on 7 September 2025).
- International Association of Ports and Harbors (IAPH). Cybersecurity Guidelines for Ports and Port Facilities; Version 1.0; International Association of Ports and Harbors (IAPH): Tokyo, Japan, 2021; 2021/07/02; Available online: https://sustainableworldports.org/wp-content/uploads/IAPH-Cybersecurity-Guidelines-version-1_0.pdf (accessed on 7 September 2025).
- Boockmeyer, A.; Friedenberger, D.; Pirl, L.; Schmid, R.; Polze, A.; Herholz, H.; Arnim, G.F.v.; Ibáñez, P.L.; Friedrich, T.; Klaus, C.; et al. From CCS-Planning to Testautomation: The Digital Testfield of Deutsche Bahn in Scheibenberg—A Case Study. In Proceedings of the 2021 IEEE International Conference on Cloud Engineering (IC2E), 4–8 October 2021; pp. 258–263. [Google Scholar] [CrossRef]
- Geyer, M. On the Way to the Connected Digital Twin: DB Systel Relies on GIS and Location Services. Available online: https://www.esri.com/en-us/industries/blog/articles/db-systel-connected-digital-twin (accessed on 7 September 2025).
- Catenda. Schiphol Airport: Where Data Is the Key, with Catenda Hub as a Central Tool. Available online: https://catenda.com/bim-case-studies/schiphol-airport-where-data-is-the-key/ (accessed on 7 September 2025).
- Luo, M.; Fricke, H.; Desart, B.; Zapata, S.R.; Schultz, M. High-Fidelity Digital Twin Applied Agent-Based Model for Supporting Predictable Airport Ground Operations. SSRN Work. Pap. 2024, 20. [Google Scholar] [CrossRef]
- Economic, H.M.O.; Affairs and Innovation. Hafenentwicklungsplan 2040—Operative Umsetzung (Operational Implementation); Free and Hanseatic City of Hamburg: Hamburg, Germany, 2023; Available online: https://www.hamburg.de/resource/blob/1014480/19e27ca5e86fd2ffd2f1ece56050578e/hafenentwicklungsplan-operative-umsetzung-engl-data.pdf (accessed on 7 September 2025).
- Building Smart International. Airport Domain—BuildingSMART International. Available online: https://www.buildingsmart.org/standards/domains/airport/ (accessed on 7 September 2025).
- Hamburg Port Authority. Sustainability—HPA 360°. Available online: https://www.hamburg-port-authority.de/en/hpa-360/sustainability/ (accessed on 7 September 2025).
- Deutsche Bahn E.C.O. Group. Zero-Emission Teams Developing Alternative Drive Solutions—DB E.C.O. Group. Available online: https://db-eco.com/en/updates/carbon-neutrality-zero-emission-teams-developing-alternative-drive-solutions/ (accessed on 7 September 2025).
- NavVis Gmb. Schiphol Airport and Allinq Digital Transform Scan-to-BIM (Part 2). Available online: https://www.navvis.com/resources/case-studies/allinq-digital-part-2 (accessed on 7 September 2025).
- European Commission. Digitalisation of the Energy System. Available online: https://energy.ec.europa.eu/topics/eus-energy-system/digitalisation-energy-system_en (accessed on 7 September 2025).
- European Commission. Fit for 55: Delivering on the Proposals. Available online: https://commission.europa.eu/strategy-and-policy/priorities-2019-2024/european-green-deal/delivering-european-green-deal/fit-55-delivering-proposals_en (accessed on 7 September 2025).
- ENTSO-E. OneNet Project—One Network for Europe. OneNet Consortium. Available online: https://www.onenet-project.eu/the-project/ (accessed on 7 September 2025).
- Bosco, F.; Croce, V.; Ziu, D.; Triveri, A. Report on Data Enforcement Policies Design for Sovereignty-Preserving Data Access (Deliverable D5.7 v1.0); OneNet Consortium: Brussels, Belgium, 2022; Available online: https://www.onenet-project.eu/wp-content/uploads/2022/12/OneNet_D5.7_v1.0.pdf (accessed on 7 September 2025).
- Kukk, K.; Bosco, F.; Lacerda, M.; Sakas, V.; Kapetanios, A.; Kotsalos, K. Cross-Stakeholder Data Governance for Energy Data Exchange (Deliverable D6.2 v1.0); Horizon 2020, Grant No. 957739; OneNet Consortium: Brussels, Belgium, 2023; Available online: https://www.onenet-project.eu/wp-content/uploads/2023/04/D6.2-OneNet-v1.0.pdf (accessed on 7 September 2025).
- Zafeiropoulou, M.; Bachoumis, T.; Drivakou, K.; Tzoumpas, A.; Bosco, F.; Ziu, D.; Toots, A.; Jõgi, A.; Petron, M. Report on Cybersecurity, Privacy and Other Business Regulatory Requirements (Deliverable D5.8 v1.0); Horizon 2020, Grant No. 957739; OneNet Consortium: Brussels, Belgium, 2022; Available online: https://www.onenet-project.eu/wp-content/uploads/2022/10/OneNet_957739_D5_8_v1_final.pdf (accessed on 7 September 2025).
- Platone Consortium. Platone: Platform for Operation of Distribution Networks. Available online: https://www.platone-h2020.eu/project/our_project (accessed on 7 September 2025).
- E.DSO for Smart Grids. Platone Project: Open and Interoperable Digital Platforms for Smart Grids. Available online: https://www.edsoforsmartgrids.eu/eu-projects/platone/ (accessed on 7 September 2025).
- Baude, J.; Bosco, F. Deliverable D2.9: Specification of the Interoperability and Standard Communication Protocols (v1); Platone Project (Horizon 2020): Brussels, Belgium, 2021; Available online: https://www.platone-h2020.eu/data/deliverables/864300_M28_D2.9.pdf (accessed on 7 September 2025).
- Svaland, G.B.; Lam, A.N. SINDIT: SINTEF Digital Twin Framework. SINTEF Digital. Available online: https://www.sintef.no/en/software/sindit-sintef-digital-twin-framework/ (accessed on 7 September 2025).
- Nodes A.S. NODES Market: The Independent Marketplace for Flexibility. NODES AS. Available online: https://nodesmarket.com/ (accessed on 7 September 2025).
- Lam, A.N.; Svaland, G.B.; Hafver, A.; Buvik, K. D4.3: Cognitive Digital Twin Platform—Final Report; SINTEF Digital: Trondheim, Norway, 2022; Available online: https://www.sintef.no/globalassets/project/cognitwin/public-reports/d4.3.pdf (accessed on 7 September 2025).
- Stadtmann, F.; Rasheed, A.; Kvamsdal, T.; Johannessen, K.A.; San, O.; Kölle, K.; Tande, J.O.; Barstad, I.; Benhamou, A.; Brathaug, T.; et al. Digital Twins in Wind Energy: Emerging Technologies and Industry-Informed Future Directions. IEEE Access 2023, 11, 110762–110795. [Google Scholar] [CrossRef]
- Löschenbrand, M. Modeling competition of virtual power plants via deep learning. Energy 2021, 214, 118870. [Google Scholar] [CrossRef]
- De Luca, E.; Fedele, G.; Avacon; Petters, B.; Mantzaris, Y.; Stratogiannis, D.; Daridou, E. Deliverable D9.1: Data Management Plan; Platone Project (Horizon 2020): Brussels, Belgium, 2020; Available online: https://www.platone-h2020.eu/data/deliverables/864300_M6_D9.1.pdf (accessed on 7 September 2025).
- Muench, S.; Stoermer, E.; Jensen, K.; Asikainen, T.; Salvi, M.; Scapolo, F. Towards a Green & Digital Future; European Commission, Joint Research Centre (JRC): Luxembourg, 2022; Available online: https://publications.jrc.ec.europa.eu/repository/handle/JRC129319 (accessed on 7 September 2025).
- Bosco, F.; Ziu, D.; Triveri, A.; Croce, V.; Sakkas, V.; Kapetainos, A.; Kotsalos, K.; Haghgoo, M.; Campos, J.; Alves, T.; et al. Reference Architecture (Deliverable D5.2 v1.0); Horizon 2020, Grant No. 957739; OneNet Consortium: Brussels, Belgium, 2022; Available online: https://www.onenet-project.eu/wp-content/uploads/2022/12/OneNet_D5.2_v1.0.pdf (accessed on 7 September 2025).
- Nodes A.S. NODES Privacy Policy. NODES AS. Available online: https://nodesmarket.com/privacy-policy/ (accessed on 7 September 2025).
- Tzoumpas, A.; Kapetanios, A.; Panagou, E.; Bosco, F.; Triveri, A.; Kotsalos, K.; Mylonas, K.; Foti, M.; Sakas, V. OneNet Framework and Components—Final Release (Deliverable D6.8 v1.0); Horizon 2020, Grant Agreement No. 957739; OneNet Consortium: Brussels, Belgium, 2023; Available online: https://www.onenet-project.eu/wp-content/uploads/2024/01/OneNet_D6.8_V1.0.pdf (accessed on 7 September 2025).
- Le Boudec, R.; Svaland, G.B.; Lam, A.N. Cybersecurity in Smart Grids. SINTEF Energy Research. Available online: https://www.sintef.no/projectweb/cineldi/cineldi-knowledge-base/niva-3/cybersecurity-in-smart-grids/ (accessed on 7 September 2025).
- Karras, S. Deliverable D6.8: Report on the Analysis of the Regulatory and Legislative Framework; Platone Project (Horizon 2020): Brussels, Belgium, 2020; Available online: https://www.platone-h2020.eu/data/deliverables/864300_M6_D6.8.pdf (accessed on 7 September 2025).
- Pediaditis, P.; Zafeiratou, I.; Daridou, E.; Stratogiannis, D.; Tzioka, S.; Gross, T.; Petters, B.G.; Pfingsten, H.; Fedele, G.; Nori, G.; et al. Deliverable D6.9: Report on Solutions and Recommendations for the Roll-out of the Designed Solutions; Platone Project (Horizon 2020): Brussels, Belgium, 2020; Available online: https://www.platone-h2020.eu/data/deliverables/864300_M12_D6.9.pdf (accessed on 7 September 2025).
- Svaland, G.B.; Lam, A.N.; Le Boudec, R. NODES Flexibility Platform—CINELDI Pilot Project. SINTEF Energy Research. Available online: https://www.sintef.no/globalassets/project/cineldi/pilot-projects/nodes-flexibility-platform_innovasjon.pdf (accessed on 7 September 2025).
- Mäkelä, H.; Farahmand, H.; Vogelsang, F.; Honkapuro, S. Distributed Flexibility: Lessons Learned in the Nordics; Nordic Energy Research: Oslo, Norway, 2022. Available online: https://www.nordicenergy.org/wordpress/wp-content/uploads/2022/06/Report-Distributed-Fexibility-Lessons-leared-in-the-Nordics.pdf (accessed on 7 September 2025).
- Bosco, F.; Ziu, D.; Happ, S.; Haghgoo, M.; Campos, J.; Alves, T.; Bytyqi, A. AI, Big Data, IoT Enablers and FIWARE-Compliant Interoperable Interfaces for Grid Services (Deliverable D5.4 v1.0); Horizon 2020, Grant No. 957739; OneNet Consortium: Brussels, Belgium, 2022. Available online: https://www.onenet-project.eu/wp-content/uploads/2022/12/OneNet_D5.4_v1.0.pdf (accessed on 7 September 2025).
- Giovanett, S.; Pediaditis, P.; Gralista, E.M.; Daridou, E.; Tzioka, S.; Petters, B.; De Luca, E.; Colafranceschi, A.; Bastianelli, F.; McKeever, P.; et al. Overview of Regulatory Aspects that Impact the Solutions Tested in the Demos in European Countries (Deliverable D1.3 v1.0); Grant Agreement No. 864300; Platone Consortium, Horizon 2020 Project: Brussels, Belgium, 2021; Available online: https://www.platone-h2020.eu/data/deliverables/864300_M24_D1.3.pdf (accessed on 7 September 2025).
- Bosco, F.; Triveri, A.; Linardi, P.; Galeano Martinez, J.; Koster, I.; Kapetainos, A.; Kotsalos, K.; Sakas, V. Extended Interoperability and Management with FIWARE (Deliverable D6.3 v1.0); Horizon 2020, Grant Agreement No. 957739; OneNet Consortium: Brussels, Belgium, 2023; Available online: https://www.onenet-project.eu/wp-content/uploads/2023/09/OneNet_D6.3_v1.0.pdf (accessed on 7 September 2025).
- Pediaditis, P.; Boskov Kovacs, E.; Syrmakesis, A.-D.; Dimeas, A.; Karras, S.; Vlachos, I.; Bosco, F. Deliverable D6.1: Report on the Most Relevant Standards; Grant Agreement No. 864300; Platone Consortium, Horizon 2020 Project: Brussels, Belgium, 2020; Available online: https://www.platone-h2020.eu/data/deliverables/864300_M6_D6.1.pdf (accessed on 7 September 2025).
- Valarezo, O.; Gómez, T.; Chaves-Avila, J.P.; Lind, L.; Correa, M.; Ulrich Ziegler, D.; Escobar, R. Analysis of New Flexibility Market Models in Europe. Energies 2021, 14, 3521. [Google Scholar] [CrossRef]
- Chondrogiannis, S.; Vasiljevska, J.; Marinopoulos, A.; Papaioannou, I.; Flego, G. Local Electricity Flexibility Markets in Europe; Publications Office of the European Union: Luxembourg, 2022; pp. 1831–9424. Available online: https://publications.jrc.ec.europa.eu/repository/bitstream/JRC130070/JRC130070_01.pdf (accessed on 7 September 2025).
- Bosco, F.; Triveri, A.; Linardi, P.; Galeano Martinez, J.; Koster, I.; Kapetanios, A.; Kotsalos, K.; Sakas, V. D11.7: Final Report on Dissemination and Communication Activities; OneNet Project (Horizon 2020): Brussels, Belgium, 2024; Available online: https://www.onenet-project.eu/wp-content/uploads/2024/03/OneNet_D11.7.pdf (accessed on 7 September 2025).
- Haas, M.; Petersen, K.; Gieseke, C.; Katona, J.; Pediaditis, P. Intermediate Report on Stakeholders Engagement, Exploitation, Dissemination, Communication and Standardization Activities (Deliverable D8.4 v1.0); Grant Agreement No. 864300; Platone Consortium, Horizon 2020 Project: Brussels, Belgium, 2021; Available online: https://www.platone-h2020.eu/data/deliverables/864300_M24_D8.4.pdf (accessed on 7 September 2025).
Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content. |
© 2025 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).