Glossary

  • Accountability

    The implementation of appropriate technical and organisational measures to ensure and be able to demonstrate that the handling of personal data is performed in accordance with relevant law, an idea codified in the GDPR and other frameworks, including APEC's Cross Border Privacy Rules. Traditionally, accountability has been a fair information practices principle, that due diligence and reasonable steps will be undertaken to ensure that personal information will be protected and handled consistently with relevant law and other fair use principles.

  • Accuracy

    Organizations must take every reasonable step to ensure the data processed is accurate and, where necessary, kept up to date. Reasonable measures should be understood as implementing processes to prevent inaccuracies during the data collection process as well as during the ongoing data processing in relation to the specific use for which the data is processed. The organization must consider the type of data and the specific purposes to maintain the accuracy of personal data in relation to the purpose. Accuracy also embodies the responsibility to respond to data subject requests to correct records that contain incomplete information or misinformation.

  • Active Data Collection

    When an end user deliberately provides information, typically through the use of web forms, text boxes, check boxes or radio buttons.

  • Adequate Level of Protection

    A transfer of personal data from the European Union to a third country or an international organisation may take place where the European Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question, ensures an adequate level of protection by taking into account the following elements:

    1. the rule of law, respect for human rights and fundamental freedoms, both general and sectoral legislation, data protection rules, professional rules and security measures, effective and enforceable data subject rights and effective administrative and judicial redress for the data subjects whose personal data is being transferred,
    2. the existence and effective functioning of independent supervisory authorities with responsibility for ensuring and enforcing compliance with the data protection rules,
    3. the international commitments the third country or international organisation concerned has entered into in relation to the protection of personal data.

  • Anonymization

    The process in which personal data is altered in such a way that it no longer can be related back to a given individual through an irreversible process. Among many techniques, there are three primary ways that data is anonymized:

    - Suppression is the most basic version of anonymization and it simply removes some identifying values from data to reduce its identifiability.

    - Generalization (cohort) takes specific identifying values and makes them broader, such as changing a specific age (18) to an age range (18-24).

    - Noise addition (salting) takes identifying values from a given data set and switches them with identifying values from another individual in that data set.
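    The three techniques above applied to a small constructed dataset, as an added example that is not part of the glossary; it also adds a k-anonymity check (an assumption the glossary does not make) to show whether the generalised quasi-identifiers still single anyone out.

    ```python
    """Added example: suppression, generalization and value swapping (the
    glossary's "noise addition") on constructed records, followed by a
    k-anonymity check on the remaining quasi-identifiers."""
    import random
    from collections import Counter

    # Constructed sample records; every name and value here is invented.
    RECORDS = [
        {"name": "Ana Lopez",   "email": "ana@example.org",    "age": 21, "zip": "10115", "diagnosis": "asthma"},
        {"name": "Ben Okafor",  "email": "ben@example.org",    "age": 23, "zip": "10117", "diagnosis": "flu"},
        {"name": "Chen Wei",    "email": "chen@example.org",   "age": 31, "zip": "10119", "diagnosis": "flu"},
        {"name": "Dana Smith",  "email": "dana@example.org",   "age": 37, "zip": "10178", "diagnosis": "asthma"},
        {"name": "Eli Novak",   "email": "eli@example.org",    "age": 44, "zip": "10243", "diagnosis": "diabetes"},
        {"name": "Fatima Khan", "email": "fatima@example.org", "age": 47, "zip": "10245", "diagnosis": "flu"},
    ]

    DIRECT_IDENTIFIERS = ("name", "email")
    QUASI_IDENTIFIERS = ("age", "zip")


    def suppress(record, fields=DIRECT_IDENTIFIERS):
        """Suppression: remove the identifying values outright."""
        return {k: v for k, v in record.items() if k not in fields}


    def generalize_age(age, width=10):
        """Generalization (cohort): replace an exact age with a range label."""
        low = (age // width) * width
        return f"{low}-{low + width - 1}"


    def generalize_zip(zip_code, keep=3):
        """Generalization: keep only the leading digits of a postal code."""
        return zip_code[:keep] + "*" * (len(zip_code) - keep)


    def swap_values(records, field, seed=0):
        """'Noise addition' as the glossary describes it: the values of one
        field are exchanged between individuals in the same data set, so the
        value in a row no longer necessarily belongs to that individual.
        The seed is fixed only so the example is reproducible."""
        rng = random.Random(seed)
        values = [r[field] for r in records]
        rng.shuffle(values)
        return [dict(r, **{field: v}) for r, v in zip(records, values)]


    def anonymize(records):
        """Apply all three techniques in turn and return new records."""
        out = []
        for r in records:
            r = suppress(r)
            r["age"] = generalize_age(r["age"])
            r["zip"] = generalize_zip(r["zip"])
            out.append(r)
        return swap_values(out, "zip")


    def k_anonymity(records, quasi=QUASI_IDENTIFIERS):
        """Smallest number of rows sharing one quasi-identifier combination.
        k == 1 means at least one row is still unique on those attributes,
        i.e. generalization was not coarse enough for this data set."""
        groups = Counter(tuple(r[q] for q in quasi) for r in records)
        return min(groups.values())


    if __name__ == "__main__":
        anon = anonymize(RECORDS)
        for row in anon:
            print(row)
        print("k on age alone:", k_anonymity(anon, ("age",)))
        print("k on age and zip:", k_anonymity(anon))
    ```

    Swapping preserves the multiset of values in a column (counts per zip prefix stay the same), which is why the statistics survive while row-level linkage is broken.
    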

  • Appropriate Safeguards

    GDPR refers to appropriate safeguards in a number of contexts, including:

    - the transfer of personal data to third countries outside the European Union;

    - the processing of special categories of data; and

    - the processing of personal data in a law enforcement context.

    This generally refers to the application of the general data protection principles, in particular purpose limitation, data minimisation, limited storage periods, data quality, data protection by design and by default, legal basis for processing, processing of special categories of personal data, measures to ensure data security, and the requirements in respect of onward transfers to bodies not bound by the binding corporate rules. This may also refer to the use of encryption or pseudonymization, standard data protection clauses adopted by the European Commission, contractual clauses authorized by a supervisory authority, or certification schemes or codes of conduct authorized by the Commission or a supervisory authority. Those safeguards should ensure compliance with data protection requirements and the rights of the data subjects appropriate to processing within the European Union.

  • Availability

    Data is "available" if it is accessible when needed by the organization or data subject. GDPR requires that an organization be able to ensure the availability of personal data and have the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident. Lack of availability of the personal data may constitute a personal data breach.

  • BCR

    Personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity.

    Acronym: BCR

    Source: Regulation 2016/679 (GDPR)

  • Binding Corporate Rules

    Personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity.

    Acronym: BCR

    Source: Regulation 2016/679 (GDPR)

  • Biometric Data

    Personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data. Should be considered as a special category of data only where it allows for such unique identification of a data subject.

  • Cloud Computing Service

    A digital service that enables on-demand administration and broad remote access to a scalable and elastic pool of shareable computing resources, including where such resources are distributed across several locations.

    Source: Directive 2022/2555 (NIS2)

  • Codes of Conduct

    Introduced by GDPR, codes of conduct are a new valid adequacy mechanism for the transfer of personal data outside of the European Union in the absence of an adequacy decision and instead of other mechanisms such as binding corporate rules or contractual clauses. Codes of conduct must be developed by industry trade groups, associations or other bodies representing categories of controllers or processors. They must be approved by supervisory authorities or the European Data Protection Board, and have a methodology for auditing compliance. Similar to binding corporate rules, they compel organizations to be able to demonstrate their compliance with all aspects of applicable data protection legislation.

    Source: Article 40 GDPR.

  • Consent

    Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

    Source: Regulation 2016/679 (GDPR)

  • Content Delivery Network

    A network of geographically distributed servers for the purpose of ensuring high availability, accessibility or fast delivery of digital content and services to internet users on behalf of content and service providers.

    Source: Directive 2022/2555 (NIS2)

  • Controller

    The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

    Source: Regulation 2016/679 (GDPR)

  • Cookies

    A small text file stored on a client machine that may later be retrieved by a web server from the machine. Cookies allow web servers to keep track of the end user’s browser activities, and connect individual web requests into a session. Cookies can also be used to prevent users from having to be authorized for every password protected page they access during a session by recording that they have successfully supplied their username and password already.

    Cookies may be referred to as:

    - "first-party" -- if they are placed by the website that is visited;

    - "third-party" -- if they are placed by a party other than the visited website;

    - "session cookies" -- if they are deleted when a session ends; or

    - "persistent cookies" -- if they remain longer.

  • Core Platform Service

    means any of the following:

    (a) online intermediation services;

    (b) online search engines;

    (c) online social networking services;

    (d) video-sharing platform services;

    (e) number-independent interpersonal communications services;

    (f) operating systems;

    (g) web browsers;

    (h) virtual assistants;

    (i) cloud computing services;

    (j) online advertising services, including any advertising networks, advertising exchanges and any other advertising intermediation services, provided by an undertaking that provides any of the core platform services listed in points (a) to (i).

    Source: Regulation (EU) 2022/1925 (Digital Markets Act)

  • Cross-Border Processing

    (a) processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or

    (b) processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.

    Source: Regulation 2016/679 (GDPR)

  • Cyber Threat

    Any potential circumstance, event or action that could damage, disrupt or otherwise adversely impact network and information systems, the users of such systems and other persons.

    Source: Regulation (EU) 2019/881 (Cybersecurity Act), as quoted in NIS2

  • Cybersecurity

    The activities necessary to protect network and information systems, the users of such systems, and other persons affected by cyber threats.

    Source: Regulation (EU) 2019/881 (Cybersecurity Act), as quoted in NIS2

  • Cybersecurity Act

    Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act)

  • Data

    Any digital representation of acts, facts or information and any compilation of such acts, facts or information, including in the form of sound, visual or audiovisual recording.

    Source: Regulation (EU) 2022/1925 (Digital Markets Act)

  • Data Centre Service

    A service that encompasses structures, or groups of structures, dedicated to the centralised accommodation, interconnection and operation of IT and network equipment providing data storage, processing and transport services together with all the facilities and infrastructures for power distribution and environmental control.

    Source: Regulation (EU) 2019/881 (Cybersecurity Act), as quoted in NIS2

  • Data Concerning Health

    Personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.

    Source: Regulation 2016/679 (GDPR)

  • Data Protection Impact Assessment

    Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks.

    A data protection impact assessment referred to in paragraph 1 shall in particular be required in the case of:

    - a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;
    - processing on a large scale of special categories of data referred to in Article 9(1) GDPR, or of personal data relating to criminal convictions and offences referred to in Article 10 GDPR; or
    - a systematic monitoring of a publicly accessible area on a large scale.

    Source: Article 35 GDPR

  • Data Subject

    An identified or identifiable (living) natural person.

    Source: Regulation 2016/679 (GDPR)

  • Digital Markets Act

    Regulation (EU) 2022/1925 of the European Parliament and of the Council of 14 September 2022 on contestable and fair markets in the digital sector and amending Directives (EU) 2019/1937 and (EU) 2020/1828

  • Digital Sector

    The sector of products and services provided by means of, or through, information society services.

    Source: Regulation (EU) 2022/1925 (Digital Markets Act)

  • Digital Service

    Any Information Society service, that is to say, any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services.
    For the purposes of this definition:

    i. "at a distance" means that the service is provided without the parties being simultaneously present;

    ii. "by electronic means" means that the service is sent initially and received at its destination by means of electronic equipment for the processing (including digital compression) and storage of data, and entirely transmitted, conveyed and received by wire, by radio, by optical means or by other electromagnetic means;

    iii. "at the individual request of a recipient of services" means that the service is provided through the transmission of data on individual request.

    Source: Article 1(1)(b) of Directive (EU) 2015/1535, as quoted by NIS2

  • DMA

    Regulation (EU) 2022/1925 of the European Parliament and of the Council of 14 September 2022 on contestable and fair markets in the digital sector and amending Directives (EU) 2019/1937 and (EU) 2020/1828

  • DNS

    A hierarchical distributed naming system which enables the identification of internet services and resources, allowing end-user devices to use internet routing and connectivity services to reach those services and resources.

    Source: Directive 2022/2555 (NIS2)

  • DNS Service Provider

    An entity that provides:

    a) publicly available recursive domain name resolution services for internet end-users; or

    b) authoritative domain name resolution services for third-party use, with the exception of root name servers.

    Source: NIS2

  • Domain Name System

    A hierarchical distributed naming system which enables the identification of internet services and resources, allowing end-user devices to use internet routing and connectivity services to reach those services and resources.

    Source: Directive 2022/2555 (NIS2)

  • DPIA

    Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks.

    A data protection impact assessment referred to in paragraph 1 shall in particular be required in the case of:

    - a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;
    - processing on a large scale of special categories of data referred to in Article 9(1) GDPR, or of personal data relating to criminal convictions and offences referred to in Article 10 GDPR; or
    - a systematic monitoring of a publicly accessible area on a large scale.

    Source: Article 35 GDPR

  • eIDAS

    Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC.

  • Electronic Communications Service

    A service normally provided for remuneration via electronic communications networks, which encompasses, with the exception of services providing, or exercising editorial control over, content transmitted using electronic communications networks and services, the following types of services:

    a) 'internet access service', which means a publicly available electronic communications service that provides access to the internet, and thereby connectivity to virtually all end points of the internet, irrespective of the network technology and terminal equipment used (Article 2, second paragraph, point (2) of Regulation (EU) 2015/2120);

    b) interpersonal communications service; and

    c) services consisting wholly or mainly in the conveyance of signals such as transmission services used for the provision of machine-to-machine services and for broadcasting.

    Source: Article 2(4) of Directive (EU) 2018/1972, as quoted in NIS2

  • End Users

    Any natural or legal person using core platform services other than as a business user.

    Source: Regulation (EU) 2022/1925 (Digital Markets Act)

  • Entity (NIS2)

    A natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations.

    Source: Directive 2022/2555 (NIS2)

  • Entity Providing Domain Name Registration Services

    A registrar or an agent acting on behalf of registrars, such as a privacy or proxy registration service provider or reseller.

    Source: Directive 2022/2555 (NIS2)

  • Gatekeeper

    An undertaking providing core platform services, designated pursuant to Article 3 DMA

    Source: Regulation (EU) 2022/1925 (Digital Markets Act)

  • GDPR

    Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance).

    Go to the official publication Regulation (EU) 2016/679

  • General Data Protection Regulation

    Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance).

    Go to the official publication Regulation (EU) 2016/679

  • Genetic Data

    Personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question.

    Source: Regulation 2016/679 (GDPR)

  • health data

    Personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.

    Source: Regulation 2016/679 (GDPR)

  • ICT Process

    A set of activities performed to design, develop, deliver or maintain an ICT product or ICT service.

    Source: Article 2(14) of Regulation (EU) 2019/881 (Cybersecurity Act), as quoted by NIS2

  • ICT Product

    An element or a group of elements of a network or information system.

    Source: Article 2(12) of Regulation (EU) 2019/881 (Cybersecurity Act), as quoted by NIS2

  • ICT service

    A service consisting fully or mainly in the transmission, storing, retrieving or processing of information by means of network and information systems.

    Source: Article 2(13) of Regulation (EU) 2019/881 (Cybersecurity Act), as quoted by NIS2

  • Identification Service

    A type of service provided together with or in support of core platform services that enables any type of verification of the identity of end users or business users, regardless of the technology used.

    Source: Regulation (EU) 2022/1925 (Digital Markets Act)

  • Incident

    An event compromising the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, network and information systems.

    Source: Directive 2022/2555 (NIS2)

  • Incident Handling

    Any actions and procedures aiming to prevent, detect, analyse, and contain or to respond to and recover from an incident.

    Source: Directive 2022/2555 (NIS2)

  • Internet Exchange Point

    A network facility which enables the interconnection of more than two independent networks (autonomous systems), primarily for the purpose of facilitating the exchange of internet traffic, which provides interconnection only for autonomous systems and which neither requires the internet traffic passing between any pair of participating autonomous systems to pass through any third autonomous system nor alters or otherwise interferes with such traffic.

    Source: Directive 2022/2555 (NIS2)

  • Interoperability

    The ability to exchange information and mutually use the information which has been exchanged through interfaces or other solutions, so that all elements of hardware or software work with other hardware and software and with users in all the ways in which they are intended to function.

    Source: Regulation (EU) 2022/1925 (Digital Markets Act)

  • Large-Scale Cybersecurity Incident

    An incident which causes a level of disruption that exceeds a Member State’s capacity to respond to it or which has a significant impact on at least two Member States.

    Source: Directive 2022/2555 (NIS2)

  • Lawfulness, Fairness and Transparency

    Personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject.

    Source: Regulation 2016/679 (GDPR)

  • Managed Security Service Provider

    A managed service provider that carries out or provides assistance for activities relating to cybersecurity risk management.

    Source: Directive 2022/2555 (NIS2)

  • Managed Service Provider

    An entity that provides services related to the installation, management, operation or maintenance of ICT products, networks, infrastructure, applications or any other network and information systems, via assistance or active administration carried out either on customers’ premises or remotely.

    Source: Directive 2022/2555 (NIS2)

  • National Cybersecurity Strategy

    Coherent framework of a Member State providing strategic objectives and priorities in the area of cybersecurity and the governance to achieve them in that Member State.

    Source: Directive 2022/2555 (NIS2)

  • Near Miss

    An event that could have compromised the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, network and information systems, but that was successfully prevented from materialising or that did not materialise.

    Source: Directive 2022/2555 (NIS2)

  • Network and Information System

    a) An electronic communications network, which means transmission systems, whether or not based on a permanent infrastructure or centralised administration capacity, and, where applicable, switching or routing equipment and other resources, including network elements which are not active, which permit the conveyance of signals by wire, radio, optical or other electromagnetic means, including satellite networks, fixed (circuit- and packet-switched, including internet) and mobile networks, electricity cable systems, to the extent that they are used for the purpose of transmitting signals, networks used for radio and television broadcasting, and cable television networks, irrespective of the type of information conveyed (Article 2(1) of Directive (EU) 2018/1972);

    b) Any device or group of interconnected or related devices, one or more of which, pursuant to a programme, carry out automatic processing of digital data; or

    c) Digital data stored, processed, retrieved or transmitted by elements covered under points (a) and (b) for the purposes of their operation, use, protection and maintenance.

    Source: Directive 2022/2555 (NIS2)

  • NIS2

    Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148

  • Online Marketplace

    A service using software, including a website, part of a website or an application, operated by or on behalf of a trader which allows consumers to conclude distance contracts with other traders or consumers.

    Source: Article 2(n) of Directive 2005/29/EC

  • Online Search Engine

    A digital service that allows users to input queries in order to perform searches of, in principle, all websites, or all websites in a particular language, on the basis of a query on any subject in the form of a keyword, voice request, phrase or other input, and returns results in any format in which information related to the requested content can be found.

    Source: Article 2(5) of Regulation (EU) 2019/1150

  • Online Social Networking Service

    A platform that enables end users to connect and communicate with each other, share content and discover other users and content across multiple devices and, in particular, via chats, posts, videos and recommendations.

    Source: Regulation (EU) 2022/1925 (Digital Markets Act)

  • Operating System

    A system software that controls the basic functions of the hardware or software and enables software applications to run on it.

    Source: Regulation (EU) 2022/1925 (Digital Markets Act)

  • Payment Systems for In-App Purchases

    A software application, service or user interface which facilitates purchases of digital content or digital services within a software application, including content, subscriptions, features or functionality, and the payments for such purchases.

    Source: Regulation (EU) 2022/1925 (Digital Markets Act)

  • Personal Data

    Any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

    Source: Regulation 2016/679 (GDPR)

  • Personal Data Breach

    A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

    Source: Regulation 2016/679 (GDPR)

  • Processing

    Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

    Source: Regulation 2016/679 (GDPR)

  • Processor

    A natural or legal person, public authority, agency or other body which processes personal data on behalf of a controller.

    Source: Regulation 2016/679 (GDPR)

  • Profiling

    Any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

  • Pseudonymisation

    The processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

  • Public Administration Entity

    An entity recognised as such in a Member State in accordance with national law, not including the judiciary, parliaments or central banks, which complies with the following criteria:

    a) It is established for the purpose of meeting needs in the general interest and does not have an industrial or commercial character;

    b) It has legal personality or is entitled by law to act on behalf of another entity with legal personality;

    c) It is financed, for the most part, by the State, regional authorities or by other bodies governed by public law, is subject to management supervision by those authorities or bodies, or has an administrative, managerial or supervisory board, more than half of whose members are appointed by the State, regional authorities or by other bodies governed by public law;

    d) It has the power to address to natural or legal persons administrative or regulatory decisions affecting their rights in the cross-border movement of persons, goods, services or capital.

    Source: Directive 2022/2555 (NIS2)

  • Public Electronic Communications Network

    An electronic communications network used wholly or mainly for the provision of publicly available electronic communications services which support the transfer of information between network termination points.

    Source: Article 2(8) of Directive (EU) 2018/1972, as quoted in NIS2

  • Qualified Trust Service

    A trust service that meets the applicable requirements laid down in Regulation (EU) No 910/2014.

    Source: Article 3(17) eIDAS

  • Qualified Trust Service Provider

    A trust service provider who provides one or more qualified trust services and is granted the qualified status by the supervisory body.

    Source: Article 3 (20) eIDAS, as quoted by NIS2

  • Ranking

    The relative prominence given to goods or services offered through online intermediation services, online social networking services, video-sharing platform services or virtual assistants, or the relevance given to search results by online search engines, as presented, organised or communicated by the undertakings providing online intermediation services, online social networking services, video-sharing platform services, virtual assistants or online search engines, irrespective of the technological means used for such presentation, organisation or communication and irrespective of whether only one result is presented or communicated.

    Source: Regulation (EU) 2022/1925 (Digital Markets Act)

  • Recipient

    A natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.

  • Representative (GDPR)

    A natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to Article 27 GDPR, represents the controller or processor with regard to their respective obligations under GDPR.

    Source: Regulation (EU) 2016/679 (GDPR)

  • Representative (NIS2)

    A natural or legal person established in the Union explicitly designated to act on behalf of a DNS service provider, a TLD name registry, an entity providing domain name registration services, a cloud computing service provider, a data centre service provider, a content delivery network provider, a managed service provider, a managed security service provider, or a provider of an online marketplace, of an online search engine or of a social networking services platform that is not established in the Union, which may be addressed by a competent authority or a CSIRT in the place of the entity itself with regard to the obligations of that entity under Directive NIS2.

    Source: Directive 2022/2555 (NIS2)

  • Research Organisation

    An entity which has as its primary goal to conduct applied research or experimental development with a view to exploiting the results of that research for commercial purposes, but which does not include educational institutions.

    Source: Directive 2022/2555 (NIS2)

  • Risk

    The potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident.

    Source: Directive 2022/2555 (NIS2)

  • Search Results

    Any information in any format, including textual, graphic, vocal or other outputs, returned in response to, and related to, a search query, irrespective of whether the information returned is a paid or an unpaid result, a direct answer or any product, service or information offered in connection with the organic results, or displayed along with or partly or entirely embedded in them.

    Source: Regulation (EU) 2022/1925 (Digital Markets Act)

  • Security of Network and Information Systems

    The ability of network and information systems to resist, at a given level of confidence, any event that may compromise the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, those network and information systems.

    Source: Directive 2022/2555 (NIS2)

  • Sensitive Data

    Personal data:

    - revealing:

    + racial or ethnic origin;

    + political opinions;

    + religious or philosophical beliefs;

    + trade union membership;

    - relating to the processing of

    + genetic data;

    + biometric data for the purpose of uniquely identifying a natural person;

    + data concerning health;

    + data concerning a natural person’s sex life or sexual orientation.

    Source: Regulation 2016/679 (GDPR)

  • Significant Cyber Threat

    A cyber threat which, based on its technical characteristics, can be assumed to have the potential to have a severe impact on the network and information systems of an entity or the users of the entity’s services by causing considerable material or non-material damage.

    Source: NIS2

  • Social Networking Services Platform

    A platform that enables end-users to connect, share, discover and communicate with each other across multiple devices, in particular via chats, posts, videos and recommendations.

    Source: NIS2

  • Software Application

    Any digital product or service that runs on an operating system.

    Source: Regulation (EU) 2022/1925 (Digital Markets Act)

  • Software Application Stores

    A type of online intermediation services, which is focused on software applications as the intermediated product or service.

    Source: Regulation (EU) 2022/1925 (Digital Markets Act)

  • Special Categories of Personal Data

    Personal data:

    - revealing:

    + racial or ethnic origin;

    + political opinions;

    + religious or philosophical beliefs;

    + trade union membership;

    - relating to the processing of

    + genetic data;

    + biometric data for the purpose of uniquely identifying a natural person;

    + data concerning health;

    + data concerning a natural person’s sex life or sexual orientation.

    Source: Regulation 2016/679 (GDPR)

  • Standard

    A technical specification, adopted by a recognised standardisation body, for repeated or continuous application, with which compliance is not compulsory, and which is one of the following:

    a) ‘international standard’ means a standard adopted by an international standardisation body;

    b) ‘European standard’ means a standard adopted by a European standardisation organisation;

    c) ‘harmonised standard’ means a European standard adopted on the basis of a request made by the Commission for the application of Union harmonisation legislation;

    d) ‘national standard’ means a standard adopted by a national standardisation body.

    Source: Article 2(1) of Regulation (EU) No 1025/2012, as quoted in NIS2

  • Supervisory Authority

    An independent public authority which is established by a Member State pursuant to Article 51 GDPR.

    Source: Regulation (EU) 2016/679 (GDPR)

  • Supervisory Authority Concerned

    A supervisory authority which is concerned by the processing of personal data because:
    - the controller or processor is established on the territory of the Member State of that supervisory authority;
    - data subjects residing in the Member State of that supervisory authority are substantially affected or likely to be substantially affected by the processing; or
    - a complaint has been lodged with that supervisory authority.

    Source: Regulation 2016/679 (GDPR)

  • Technical and Organisational Measures

    GDPR requires a risk-based approach to data protection, whereby organizations take into account the nature, scope, context and purposes of processing, as well as the risks of varying likelihood and severity to the rights and freedoms of natural persons, and institute policies, controls and certain technologies to mitigate those risks. These "appropriate technical and organisational measures" might help meet the obligation to keep personal data secure, including technical safeguards against accidents and negligence or deliberate and malevolent actions, or involve the implementation of data protection policies. These measures should be demonstrable on demand to data protection authorities and reviewed regularly.

    Acronym: TOMs

  • Technical and Organizational Measures

    GDPR requires a risk-based approach to data protection, whereby organizations take into account the nature, scope, context and purposes of processing, as well as the risks of varying likelihood and severity to the rights and freedoms of natural persons, and institute policies, controls and certain technologies to mitigate those risks. These "appropriate technical and organisational measures" might help meet the obligation to keep personal data secure, including technical safeguards against accidents and negligence or deliberate and malevolent actions, or involve the implementation of data protection policies. These measures should be demonstrable on demand to data protection authorities and reviewed regularly.

    Acronym: TOMs

  • Technical Specification

    A document that prescribes technical requirements to be fulfilled by a product, process, service or system and which lays down one or more of the following:

    a) the characteristics required of a product including levels of quality, performance, interoperability, environmental protection, health, safety or dimensions, and including the requirements applicable to the product as regards the name under which the product is sold, terminology, symbols, testing and test methods, packaging, marking or labelling and conformity assessment procedures;

    b) production methods and processes used in respect of agricultural products as defined in Article 38(1) TFEU, products intended for human and animal consumption, and medicinal products, as well as production methods and processes relating to other products, where these have an effect on their characteristics;

    c) the characteristics required of a service including levels of quality, performance, interoperability, environmental protection, health or safety, and including the requirements applicable to the provider as regards the information to be made available to the recipient, as specified in Article 22(1) to (3) of Directive 2006/123/EC;

    d) the methods and the criteria for assessing the performance of construction products, as defined in point 1 of Article 2 of Regulation (EU) No 305/2011 of the European Parliament and of the Council of 9 March 2011 laying down harmonised conditions for the marketing of construction products, in relation to their essential characteristics.

    Source: Article 2 (4) of Regulation (EU) No 1025/2012, as quoted in NIS2

  • Third Party

    A natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.

  • TLD name registry

    An entity which has been delegated a specific TLD and is responsible for administering the TLD including the registration of domain names under the TLD and the technical operation of the TLD, including the operation of its name servers, the maintenance of its databases and the distribution of TLD zone files across name servers, irrespective of whether any of those operations are carried out by the entity itself or are outsourced, but excluding situations where TLD names are used by a registry only for its own use.

    Source: Directive 2022/2555 (NIS2)

  • TOMs

    GDPR requires a risk-based approach to data protection, whereby organizations take into account the nature, scope, context and purposes of processing, as well as the risks of varying likelihood and severity to the rights and freedoms of natural persons, and institute policies, controls and certain technologies to mitigate those risks. These "appropriate technical and organisational measures" might help meet the obligation to keep personal data secure, including technical safeguards against accidents and negligence or deliberate and malevolent actions, or involve the implementation of data protection policies. These measures should be demonstrable on demand to data protection authorities and reviewed regularly.

    Acronym: TOMs

  • Top-Level Domain Name Registry

    An entity which has been delegated a specific TLD and is responsible for administering the TLD including the registration of domain names under the TLD and the technical operation of the TLD, including the operation of its name servers, the maintenance of its databases and the distribution of TLD zone files across name servers, irrespective of whether any of those operations are carried out by the entity itself or are outsourced, but excluding situations where TLD names are used by a registry only for its own use.

    Source: Directive 2022/2555 (NIS2)

  • Trust Service

    An electronic service normally provided for remuneration which consists of:
    a) The creation, verification, and validation of electronic signatures, electronic seals or electronic time stamps, electronic registered delivery services and certificates related to those services, or
    b) The creation, verification and validation of certificates for website authentication; or
    c) The preservation of electronic signatures, seals or certificates related to those services.

    Source: Art. 3 (16) eIDAS

  • Trust Service Provider

    A natural or a legal person who provides one or more trust services either as a qualified or as a non-qualified trust service provider.

    Source: Art. 3 (19) eIDAS, as quoted by NIS2

  • Undertaking

    An entity engaged in an economic activity, regardless of its legal status and the way in which it is financed, including all linked enterprises or connected undertakings that form a group through the direct or indirect control of an enterprise or undertaking by another.

    Source: Regulation (EU) 2022/1925 (Digital Markets Act)

  • Virtual Assistant

    A software that can process demands, tasks or questions, including those based on audio, visual, written input, gestures or motions, and that, based on those demands, tasks or questions, provides access to other services or controls connected physical devices.

    Source: Regulation (EU) 2022/1925 (Digital Markets Act)

  • Vulnerability

    A weakness, susceptibility or flaw of ICT products or ICT services that can be exploited by a cyber threat.

    Source: Directive 2022/2555 (NIS2)

  • Web Browser

    A software application that enables end users to access and interact with web content hosted on servers that are connected to networks such as the Internet, including standalone web browsers as well as web browsers integrated or embedded in software or similar.

    Source: Regulation (EU) 2022/1925 (Digital Markets Act)