Back to Public Wiki.
| Term | Definition | Article | Text | Also used in… |
|---|---|---|---|---|
| ‘microenterprises’, ‘small enterprises’ and ‘medium-sized enterprises’ | respectively, microenterprises, small enterprises and medium-sized enterprises as defined in the Annex to Recommendation 2003/361/EC | Art. 3(19) | CyberResilience | |
| Accessibility 2 | Extent to which products, systems, services, environments and facilities can be used by people from a population with the widest range of user needs, characteristics and capabilities to achieve identified goals in identified contexts of use (which includes direct use or use supported by assistive technologies). | ALTAI | ||
| account information service provider | n account information service provider as referred to in Article 33(1) of Directive (EU) 2015/2366 | Art. 3 (37) | DORA | |
| Accountability | This term refers to the idea that one is responsible for their action – and as a corollary their consequences – and must be able to explain their aims, motivations, and reasons. Accountability has several dimensions. Accountability is sometimes required by law. For example, the General Data Protection Regulation (GDPR) requires organisations that process personal data to ensure security measures are in place to prevent data breaches and report if these fail. But accountability might also express an ethical standard, and fall short of legal consequences. Some tech firms that do not invest in facial recognition technology in spite of the absence of a ban or technological moratorium might do so out of ethical accountability considerations. | ALTAI | ||
| Accuracy | The goal of an AI model is to learn patterns that generalize well for unseen data. It is important to check if a trained AI model is performing well on unseen examples that have not been used for training the model. To do this, the model is used to predict the answer on the test dataset and then the predicted target is compared to the actual answer. The concept of accuracy is used to evaluate the predictive capability of the AI model. Informally, accuracy is the fraction of predictions the model got right. A number of metrics are used in machine learning (ML) to measure the predictive accuracy of a model. The choice of the accuracy metric to be used depends on the ML task. | ALTAI | ||
| active recipient of an online platform | a recipient of the service that has engaged with an online platform by either requesting the online platform to host information or being exposed to information hosted by the online platform and disseminated through its online interface | Art. 3(p) | Digital Services Act | |
| active recipient of an online search engine | a recipient of the service that has submitted a query to an online search engine and been exposed to information indexed and presented on its online interface | Art. 3(q) | Digital Services Act | |
| actively exploited vulnerability | a vulnerability for which there is reliable evidence that a malicious actor has exploited it in a system without permission of the system owner | Art. 3(42) | CyberResilience | |
| administrator of critical benchmarks | an administrator of ‘critical benchmarks’ as defined in Article 3(1), point (25), of Regulation (EU) 2016/1011, i.e. ”‘critical benchmark’ means a benchmark other than a regulated-data benchmark that fulfils any of the conditions laid down in Article 20(1) and which is on the list established by the Commission pursuant to that Article;” | Art. 3 (57) | DORA | Article 3(1), point (25), of Regulation (EU) 2016/1011 |
| advertisement | information designed to promote the message of a legal or natural person, irrespective of whether to achieve commercial or non-commercial purposes, and presented by an online platform on its online interface against remuneration specifically for promoting that information | Art. 3(r) | Digital Services Act | |
| AI bias | AI (or algorithmic) bias describes systematic and repeatable errors in a computer system that create unfair outcomes, such as favouring one arbitrary group of users over others. Bias can emerge due to many factors, including but not limited to the design of the algorithm or the unintended or unanticipated use or decisions relating to the way data is coded, collected, selected or used to train the algorithm. Bias can enter into algorithmic systems as a result of pre-existing cultural, social, or institutional expectations; because of technical limitations of their design; or by being used in unanticipated contexts or by audiences who are not considered in the software’s initial design. AI bias is found across platforms, including but not limited to search engine results and social media platforms, and can have impacts ranging from inadvertent privacy violations to reinforcing social biases of race, gender, sexuality, and ethnicity. | ALTAI | ||
| AI designer | AI designers bridge the gap between AI capabilities and user needs. For example, they can create prototypes showing some novel AI capabilities and how they might be used if the product is deployed, prior to the possible development of the AI product. AI designers also work with development teams to better understand user needs and how to build technology that addresses those needs. Additionally, they can support AI developers by designing platforms to support data collection and annotation, ensuring that data collection respects some properties (such as safety and fairness). | ALTAI | ||
| AI developer | An AI developer is someone who performs some of the tasks included in the AI development. AI development is the process of conceiving, specifying, designing, training, programming, documenting, testing, and bug fixing involved in creating and maintaining AI applications, frameworks, or other AI components. It includes writing and maintaining the AI source code, as well as all that is involved between the conception of the software through to the final manifestation and use of the software. | ALTAI | ||
| AI Ethics Review Board | An AI Ethics Review Board or AI Ethics Committee should be composed of a diverse group of stakeholders and expertises, including gender, background, age and other factors. The purpose for which the AI Ethics Board is created should be clear to the organisation establishing it and the members who are invited to join it. The members should have an independent role that is not influenced by any economic or other considerations. Bias and conflicts of interest should be avoided. The overall size can vary depending on the scope of the task. Both the authority the AI Ethics Review Board has and the access to information should be proportionate to their ability to fulfill the task to their best possible ability. | ALTAI | ||
| AI literacy | skills, knowledge and understanding that allow providers, deployers and affected persons, taking into account their respective rights and obligations in the context of this Regulation, to make an informed deployment of AI systems, as well as to gain awareness about the opportunities and risks of AI and possible harm it can cause | Art. 3(56) | EU AI Act | |
| AI Office | the Commission’s function of contributing to the implementation, monitoring and supervision of AI systems and general-purpose AI models, and AI governance provided for in Commission Decision of 24 January 2024; references in this Regulation to the AI Office shall be construed as references to the Commission | Art. 3(47) | EU AI Act | |
| AI regulatory sandbox | a controlled framework set up by a competent authority which offers providers or prospective providers of AI systems the possibility to develop, train, validate and test, where appropriate in real-world conditions, an innovative AI system, pursuant to a sandbox plan for a limited time under regulatory supervision | Art. 3(55) | EU AI Act | |
| AI reliability | An AI system is said to be reliable if it behaves as expected, even for novel inputs on which it has not been trained or tested earlier. | ALTAI | ||
| AI system 2 | Artificial intelligence (AI) systems are software (and possibly also hardware) systems designed by humans that, given a complex goal, act in the physical or digital dimension by perceiving their environment through data acquisition, interpreting the collected structured or unstructured data, reasoning on the knowledge, or processing the information, derived from this data and deciding the best action(s) to take to achieve the given goal. AI systems can either use symbolic rules or learn a numeric model, and they can also adapt their behaviour by analysing how the environment is affected by their previous actions. As a scientific discipline, AI includes several approaches and techniques, such as machine learning (of which deep learning and reinforcement learning are specific examples), machine reasoning (which includes planning, scheduling, knowledge representation and reasoning, search, and optimization), and robotics (which includes control, perception, sensors and actuators, as well as the integration of all other techniques into cyber-physical systems). A separate document prepared by the AI HLEG and elaborating on the definition of AI used for the purpose of this document is titled “A definition of AI: Main capabilities and scientific disciplines”. | ALTAI | ||
| AI System | a machine-based system that is designed to operate with varying levels of autonomy, and that may exhibit adaptiveness after deployment and that, for explicit or implicit objectives, infers, from the input it receives, how to generate outputs such as predictions, content, recommendations, or decisions that can influence physical or virtual environments | Art. 3(1) | EU AI Act | |
| AI system environment- | This denotes everything in the world which surrounds the AI system, but which is not a part of the system itself. More technically, an environment can be described as a situation in which the system operates. AI systems get information from their environment via sensors that collect data and modify the environment via suitable actuators. Depending on whether the environment is in the physical or virtual world, actuators can be hardware, such as robotic arms, or software, such as programs that make changes in some digital structure. | ALTAI | ||
| ancillary insurance intermediary | an ancillary insurance intermediary as defined in Article 2(1), point (4), of Directive (EU) 2016/97, i.e. ”‘ancillary insurance intermediary’ means any natural or legal person, other than a credit institution or an investment firm as defined in points (1) and (2) of Article 4(1) of Regulation (EU) No 575/2013 of the European Parliament and of the Council (1), who, for remuneration, takes up or pursues the activity of insurance distribution on an ancillary basis, provided that all the following conditions are met: (a) the principal professional activity of that natural or legal person is other than insurance distribution; (b) the natural or legal person only distributes certain insurance products that are complementary to a good or service; (c) the insurance products concerned do not cover life assurance or liability risks, unless that cover complements the good or service which the intermediary provides as its principal professional activity;” | Art. 3 (50) | DORA | Article 2(1), point (4), of Directive (EU) 2016/97 |
| Assistive Technology | Software or hardware that is added to or incorporated within an ICT system to increase accessibility. Often it is specifically designed to assist people with disabilities in carrying out daily activities. Assistive technology includes wheelchairs, reading machines, devices for grasping, etc. In the area of Web Accessibility, common software-based assistive technologies include screen readers, screen magnifiers, speech synthesizers, and voice input software that operate in conjunction with graphical desktop browsers (among other user agents). Hardware assistive technologies include alternative keyboards and pointing devices. | ALTAI | ||
| Audit | An audit is an independent examination of some required properties of an entity, be it a company, a product, or a piece of software. Audits provide third-party assurance to various stakeholders that the subject matter is free from material misstatement. The term is most frequently applied to audits of the financial information relating to a legal person, but can be applied to anything else. | ALTAI | ||
| Auditability | Auditability refers to the ability of an AI system to undergo the assessment of the system’s algorithms, data and design processes. This does not necessarily imply that information about business models and Intellectual Property related to the AI system must always be openly available. Ensuring traceability and logging mechanisms from the early design phase of the AI system can help enable the system’s auditability. | ALTAI | ||
| authorised representative 2 | a natural or legal person established within the Union who has received a written mandate from a manufacturer to act on its behalf in relation to specified tasks | Art. 3(15) | CyberResilience | |
| authorised representative | a natural or legal person located or established in the Union who has received and accepted a written mandate from a provider of an AI system or a general-purpose AI model to, respectively, perform and carry out on its behalf the obligations and procedures established by this Regulation | Art. 3(5) | EU AI Act | |
| automated decision-making systems | systems which are used to take or support, by electronic means, decisions that significantly affect persons performing platform work, including the working conditions of platform workers, in particular decisions affecting their recruitment, their access to and the organisation of work assignments, their earnings, including the pricing of individual assignments, their safety and health, their working time, their access to training, their promotion or its equivalent, and their contractual status including the restriction, suspension or termination of their account. | Art. 2(i) | Platform Work | |
| automated monitoring systems | systems which are used for or which support monitoring, supervising or evaluating, by electronic means, the work performance of persons performing platform work or the activities carried out within the work environment, including by collecting personal data | Art. 2(h) | Platform Work | |
| Autonomous AI systems | An autonomous AI system is an AI system that performs behaviors or tasks with a high degree of autonomy, that is, without external influence. | ALTAI | ||
| binding corporate rules | personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity | Art. 4(20) | GDPR | |
| biometric categorisation system | an AI system for the purpose of assigning natural persons to specific categories on the basis of their biometric data, unless it is ancillary to another commercial service and strictly necessary for objective technical reasons | Art. 3(40) | EU AI Act | |
| biometric data 2 | personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data | Art. 4(14) | GDPR | |
| biometric data | personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, such as facial images or dactyloscopic data | Art. 3(34) | EU AI Act | |
| biometric identification | the automated recognition of physical, physiological, behavioural, or psychological human features for the purpose of establishing the identity of a natural person by comparing biometric data of that individual to biometric data of individuals stored in a database | Art. 3(35) | EU AI Act | |
| biometric verification | the automated, one-to-one verification, including authentication, of the identity of natural persons by comparing their biometric data to previously provided biometric data | Art. 3(36) | EU AI Act | |
| caching | a service, consisting of the transmission in a communication network of information provided by a recipient of the service, involving the automatic, intermediate and temporary storage of that information, performed for the sole purpose of making more efficient the information’s onward transmission to other recipients upon their request | Art. 3(g)(ii) | Digital Services Act | |
| CE marking 2 | a marking by which a manufacturer indicates that a product with digital elements and the processes put in place by the manufacturer are in conformity with the essential cybersecurity requirements set out in Annex I and other applicable Union harmonisation legislation providing for its affixing | Art. 3(31) | CyberResilience | |
| CE marking | a marking by which a provider indicates that an AI system is in conformity with the requirements set out in Chapter III, Section 2 and other applicable Union harmonisation legislation, providing for its affixing | Art. 3(24) | EU AI Act | |
| central counterparty | a central counterparty as defined in Article 2, point (1), of Regulation (EU) No 648/2012 | Art. 3 (40) | DORA | |
| central securities depository | a central securities depository as defined in Article 2(1), point (1), of Regulation (EU) No 909/2014 | Art. 3 (42) | DORA | |
| commercial communication | ‘commercial communication’ as defined in Article 2, point (f), of Directive 2000/31/EC | Art. 3(w) | Digital Services Act | Article 2, point (f), of Directive 2000/31/EC |
| common specification | a set of technical specifications as defined in Article 2, point (4) of Regulation (EU) No 1025/2012, providing means to comply with certain requirements established under this Regulation | Art. 3(28) | EU AI Act | Article 2, point (4) of Regulation (EU) No 1025/2012 |
| common specification | a document, other than a standard, containing technical solutions providing a means to comply with certain requirements and obligations established under this Regulation | Art. 2(42) | EU Data Act | |
| component | software or hardware intended for integration into an electronic information system | Art. 3(6) | CyberResilience | |
| Confidence score | Much of AI involves estimating some quantity, such as the probability that the output is a correct answer to the given input. Confidence scores, or confidence intervals, are a way of quantifying the uncertainty of such an estimate. A low confidence score associated with the output of an AI system means that the system is not too sure that the specific output is correct. | ALTAI | ||
| conformity assessment 2 | the process of verifying whether the essential cybersecurity requirements set out in Annex I have been fulfilled | Art. 3(27) | CyberResilience | |
| conformity assessment | the process of demonstrating whether the requirements set out in Chapter III, Section 2 relating to a high-risk AI system have been fulfilled | Art. 3(20) | EU AI Act | |
| conformity assessment body 2 | a conformity assessment body as defined in Article 2, point (13), of Regulation (EC) No 765/2008 | Art. 3(28) | CyberResilience | |
| conformity assessment body | a body that performs third-party conformity assessment activities, including testing, certification and inspection | Art. 3(21) | EU AI Act | |
| connected product | an item that obtains, generates or collects data concerning its use or environment and that is able to communicate product data via an electronic communications service, physical connection or on-device access, and whose primary function is not the storing, processing or transmission of data on behalf of any party other than the user | Art. 2(5) | EU Data Act | |
| consent of the data subject | any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her | Art. 4(11) | GDPR | |
| consumer 3 | a natural person who acts for purposes which are outside that person’s trade, business, craft or profession | Art. 3(18) | CyberResilience | |
| consumer 2 | any natural person who is acting for purposes which are outside his or her trade, business, craft, or profession | Art. 3(c) | Digital Services Act | |
| consumer | any natural person who is acting for purposes which are outside that person’s trade, business, craft or profession | Art. 2(23) | EU Data Act | |
| content moderation | the activities, whether automated or not, undertaken by providers of intermediary services, that are aimed, in particular, at detecting, identifying and addressing illegal content or information incompatible with their terms and conditions, provided by recipients of the service, including measures taken that affect the availability, visibility, and accessibility of that illegal content or that information, such as demotion, demonetisation, disabling of access to, or removal thereof, or that affect the ability of the recipients of the service to provide that information, such as the termination or suspension of a recipient’s account | Art. 3(t) | Digital Services Act | |
| controller | the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law | Art. 4(7) | GDPR | |
| credit institution | credit institution as defined in Article 4(1), point (1), of Regulation (EU) No 575/2013 of the European Parliament and of the Council, i.e. ”‘credit institution’ means an undertaking the business of which consists of any of the following: (a) to take deposits or other repayable funds from the public and to grant credits for its own account; (b) to carry out any of the activities referred to in points (3) and (6) of Section A of Annex I to Directive 2014/65/EU of the European Parliament and of the Council (6), where one of the following applies, but the undertaking is not a commodity and emission allowance dealer, a collective investment undertaking or an insurance undertaking: (i) the total value of the consolidated assets of the undertaking is equal to or exceeds EUR 30 billion; (ii) the total value of the assets of the undertaking is less than EUR 30 billion, and the undertaking is part of a group in which the total value of the consolidated assets of all undertakings in that group that individually have total assets of less than EUR 30 billion and that carry out any of the activities referred to in points (3) and (6) of Section A of Annex I to Directive 2014/65/EU is equal to or exceeds EUR 30 billion; or (iii) the total value of the assets of the undertaking is less than EUR 30 billion, and the undertaking is part of a group in which the total value of the consolidated assets of all undertakings in the group that carry out any of the activities referred to in points (3) and (6) of Section A of Annex I to Directive 2014/65/EU is equal to or exceeds EUR 30 billion, where the consolidating supervisor, in consultation with the supervisory college, so decides in order to address potential risks of circumvention and potential risks for the financial stability of the Union; for the purposes of points (b)(ii) and (b)(iii), where the undertaking is part of a third‐country group, the total assets of each branch of the third‐country group authorised in the Union shall be included in the combined total value of the assets of all undertakings in the group;” | Art. 3 (31) | DORA | Article 4(1), point (1), of Regulation (EU) No 575/2013 of the European Parliament and of the Council |
| credit rating agency | a credit rating agency as defined in Article 3(1), point (b), of Regulation (EC) No 1060/2009 | Art. 3 (54) | DORA | |
| critical ICT third-party service provider | an ICT third-party service provider designated as critical in accordance with Article 31 | Art. 3 (23) | DORA | |
| critical infrastructure | critical infrastructure as defined in Article 2, point (4), of Directive (EU) 2022/2557 | Art. 3(62) | EU AI Act | |
| critical or important function | a function, the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law | Art. 3 (22) | DORA | |
| cross-border processing | either: (a) processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or (b) processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State. | Art. 4(23) | GDPR | |
| crowdfunding service provider | a crowdfunding service provider as defined in Article 2(1), point (e), of Regulation (EU) 2020/1503 of the European Parliament and of the Council | Art. 3 (58) | DORA | |
| crypto-asset service provider | a crypto-asset service provider as defined in the relevant provision of the Regulation on markets in crypto-assets | Art. 3 (54) | DORA | |
| CSIRT designated as coordinator | a CSIRT designated as coordinator pursuant to Article 12(1) of Directive (EU) 2022/2555 | Art. 3(51) | CyberResilience | |
| customer | a natural or legal person that has entered into a contractual relationship with a provider of data processing services with the objective of using one or more data processing services | Art. 2(30) | EU Data Act | |
| cyber threat 2 | a cyber threat as defined in Article 2, point (8), of Regulation (EU) 2019/881 | Art. 3(46) | CyberResilience | |
| cyber threat | ‘cyber threat’ as defined in Article 2, point (8), of Regulation (EU) 2019/881, i.e. ”‘cyber threat’ means any potential circumstance, event or action that could damage, disrupt or otherwise adversely impact network and information systems, the users of such systems and other persons;” | Art. 3 (12) | DORA | Article 2, point (8), of Regulation (EU) 2019/881 |
| cyber-attack | a malicious ICT-related incident caused by means of an attempt perpetrated by any threat actor to destroy, expose, alter, disable, steal or gain unauthorised access to, or make unauthorised use of, an asset | Art. 3 (14) | DORA | |
| cybersecurity | cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881 | Art. 3(3) | CyberResilience | |
| cybersecurity risk | the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident | Art. 3(37) | CyberResilience | |
| data | any digital representation of acts, facts or information and any compilation of such acts, facts or information, including in the form of sound, visual or audio-visual recording | Art. 2(1) | EU Data Act | |
| data concerning health | personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status | Art. 4(15) | GDPR | |
| data egress charges | data transfer fees charged to customers for extracting their data through the network from the ICT infrastructure of a provider of data processing services to the system of a different provider or to on-premises ICT infrastructure | Art. 2(35) | EU Data Act | |
| Data governance | Data governance is a term used on both a macro and a micro level. On the macro level, data governance refers to the governing of cross-border data flows by countries, and hence is more precisely called international data governance. On the micro level, data governance is a data management concept concerning the capability that enables an organization to ensure that high data quality exists throughout the complete lifecycle of the data, and data controls are implemented that support business objectives. The key focus areas of data governance include data availability, usability, consistency, integrity, and sharing. It also regards establishing processes to ensure effective data management throughout the enterprise such as accountability for the adverse effects of poor data quality and ensuring that the data which an enterprise has can be used by the entire organization. | ALTAI | ||
| data holder | a natural or legal person that has the right or obligation, in accordance with this Regulation, applicable Union law or national legislation adopted in accordance with Union law, to use and make available data, including, where contractually agreed, product data or related service data which it has retrieved or generated during the provision of a related service | Art. 2(13) | EU Data Act | |
| data intermediation service | data intermediation service as defined in Article 2, point (11), of Regulation (EU) 2022/868 [Data Governance Act] [a service which aims to establish commercial relationships for the purposes of data sharing between an undetermined number of data subjects and data holders on the one hand and data users on the other, through technical, legal or other means, including for the purpose of exercising the rights of data subjects in relation to personal data, excluding at least the following: (a) services that obtain data from data holders and aggregate, enrich or transform the data for the purpose of adding substantial value to it and license the use of the resulting data to data users, without establishing a commercial relationship between data holders and data users; (b) services that focus on the intermediation of copyright-protected content; (c) services that are exclusively used by one data holder in order to enable the use of the data held by that data holder, or that are used by multiple legal persons in a closed group, including supplier or customer relationships or collaborations established by contract, in particular those that have as a main objective to ensure the functionalities of objects and devices connected to the Internet of Things; (d) data sharing services offered by public sector bodies that do not aim to establish commercial relationships;] | Art. 2(10) | EU Data Act | Article 2, point (11), of Regulation (EU) 2022/868 |
| Data poisoning | Data poisoning occurs when an adversarial actor attacks an AI system, and is able to inject bad data into the AI model’s training set, thus making the AI system learn something that it should not learn. Examples show that in some cases these data poisoning attacks on neural nets can be very effective, causing a significant drop in accuracy even with very little data poisoning. Other kinds of poisoning attacks do not aim to change the behavior of the AI system, but rather they insert a backdoor, which is a data that the model’s designer is not aware of, but that the attacker can leverage to get the AI system to do what they want. | ALTAI | ||
| data processing service | digital service that is provided to a customer and that enables ubiquitous and on-demand network access to a shared pool of configurable, scalable and elastic computing resources of a centralised, distributed or highly distributed nature that can be rapidly provisioned and released with minimal management effort or service provider interaction | Art. 2(8) | EU Data Act | |
| Data Protection Impact Assessment (DPIA) | Evaluation of the effects that the processing of personal data might have on individuals to whom the data relates. A DPIA is necessary in all cases in which the technology creates a high risk of violation of the rights and freedoms of individuals. The law requires a DPIA in case of automated processing, including profiling (i), processing of personal data revealing sensitive information like racial of ethnic origin, political opinions, religious or philosophical beliefs (ii), processing of personal data relating to criminal convictions and offences (iii) and systematic monitoring of a publicly accessible area on a large scale (iv). | ALTAI | ||
| Data Protection Officer (DPO) | This denotes an expert on data protection law. The function of a DPO is to internally monitor a public or private organisation’s compliance with GDPR. Public or private organisations must appoint DPOs in the following circumstances: (i) data processing activities are carried out by a public authority or body, except for courts acting in their judicial capacity; (ii) the processing of personal data requires regular and systematic monitoring of individuals on a large scale; (iii) the processing of personal data reveals sensitive information like racial of ethnic origin, political opinions, religious or philosophical beliefs, or refers to criminal convictions and offences. A DPO must be independent of the appointing organisation. | ALTAI | ||
| data recipient | a natural or legal person, acting for purposes which are related to that person’s trade, business, craft or profession, other than the user of a connected product or related service, to whom the data holder makes data available, including a third party following a request by the user to the data holder or in accordance with a legal obligation under Union law or national legislation adopted in accordance with Union law | Art. 2(14) | EU Data Act | |
| data reporting service provider | a data reporting service provider within the meaning of Regulation (EU) No 600/2014, as referred to in Article 2(1), points (34) to (36) thereof | Art. 3 (46) | DORA | |
| data subject 2 | data subject as referred to in Article 4, point (1), of Regulation (EU) 2016/679 [an identified or identifiable natural person] | Art. 2(11) | EU Data Act | Art. 4(1) GDPR |
| data subject | an identified or identifiable natural person | Art. 4(1) | GDPR | |
| deep fake | AI-generated or manipulated image, audio or video content that resembles existing persons, objects, places, entities or events and would falsely appear to a person to be authentic or truthful | Art. 3(60) | EU AI Act | |
| deployer | a natural or legal person, public authority, agency or other body using an AI system under its authority except where the AI system is used in the course of a personal non-professional activity | Art. 3(4) | EU AI Act | |
| digital assets | elements in digital form, including applications, for which the customer has the right of use, independently from the contractual relationship with the data processing service it intends to switch from | Art. 2(32) | EU Data Act | |
| digital labour platform | a natural or legal person providing a service which meets all of the following requirements: (i) it is provided, at least in part, at a distance by electronic means, such as by means of a website or a mobile application; (ii) it is provided at the request of a recipient of the service; (iii) it involves, as a necessary and essential component, the organisation of work performed by individuals in return for payment, irrespective of whether that work is performed online or in a certain location; (iv) it involves the use of automated monitoring systems or automated decision-making systems | Art. 2(a) | Platform Work | |
| digital operational resilience | the ability of a financial entity to build, assure and review its operational integrity and reliability by ensuring, either directly or indirectly through the use of services provided by ICT third-party service providers, the full range of ICT-related capabilities needed to address the security of the network and information systems which a financial entity uses, and which support the continued provision of financial services and their quality, including throughout disruptions | Art. 3 (1) | DORA | |
| Digital Services Coordinator of destination | the Digital Services Coordinator of a Member State where the intermediary service is provided | Art. 3(o) | Digital Services Act | |
| Digital Services Coordinator of establishment | the Digital Services Coordinator of the Member State where the main establishment of a provider of an intermediary service is located or its legal representative resides or is established | Art. 3(n) | Digital Services Act | |
| dissemination to the public | making information available, at the request of the recipient of the service who provided the information, to a potentially unlimited number of third parties | Art. 3(k) | Digital Services Act | |
| distance contract | ‘distance contract’ as defined in Article 2, point (7), of Directive 2011/83/EU | Art. 3(l) | Digital Services Act | Article 2, point (7), of Directive 2011/83/EU |
| distributor 2 | a natural or legal person in the supply chain, other than the manufacturer or the importer, that makes a product with digital elements available on the Union market without affecting its properties | Art. 3(17) | CyberResilience | |
| distributor | a natural or legal person in the supply chain, other than the provider or the importer, that makes an AI system available on the Union market | Art. 3(7) | EU AI Act | |
| downstream provider | a provider of an AI system, including a general-purpose AI system, which integrates an AI model, regardless of whether the AI model is provided by themselves and vertically integrated or provided by another entity based on contractual relations | Art. 3(68) | EU AI Act | |
| economic operator | the manufacturer, the authorised representative, the importer, the distributor, or other natural or legal person who is subject to obligations in relation to the manufacture of products with digital elements or to the making available of products with digital elements on the market in accordance with this Regulation | Art. 3(12) | CyberResilience | |
| electronic information system | (a system, including electrical or electronic equipment, capable of processing, storing or transmitting digital data | Art. 3(7) | CyberResilience | |
| electronic money institution | an electronic money institution as defined in Article 2, point (1), of Directive 2009/110/EC of the European Parliament and of the Council | Art. 3 (38) | DORA | |
| electronic money institution exempted pursuant to Directive 2009-110-EC | an electronic money institution benefitting from a waiver as referred to in Article 9(1) of Directive 2009/110/EC | Art. 3 (39) | DORA | |
| emotion recognition system | an AI system for the purpose of identifying or inferring emotions or intentions of natural persons on the basis of their biometric data | Art. 3(39) | EU AI Act | |
| Encryption, Pseudonymisation, Aggregation, and Anonymisation | Pseudonymisation refers to the idea that it is not possible to attribute personal data to a specific data subject without additional information. By contrast to pseudonymisation, anonymisation consists in preventing any identification of individuals from personal data. The link between an individual and personal data is definitively erased. Encryption is the procedure whereby clear text information is disguised by using especially a hash key. Encrypted results are unintelligible data for persons who do not have the encryption key. Aggregation is a process whereby data is gathered and expressed in a summary form, especially for statistical analysis. | ALTAI | ||
| end-point | any device that is connected to a network and serves as an entry point to that network | Art. 3(11) | CyberResilience | |
| End-user | An end-user is the person that ultimately uses or is intended to ultimately use the AI system. This could either be a consumer or a professional within a public or private organisation. The end-user stands in contrast to users who support or maintain the product, such as system administrators, database administrators, information technology experts, software professionals and computer technicians. | ALTAI | ||
| enterprise 2 | a natural or legal person that, in relation to contracts and practices covered by this Regulation, is acting for purposes which are related to that person’s trade, business, craft or profession | Art. 2(24) | EU Data Act | Art. 4(18) GDPR |
| enterprise | a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity | Art. 4(18) | GDPR | Art. 2(24) EU Data Act |
| European standard | a European standard as defined in Article 2, point (1)(b), of Regulation (EU) No 1025/2012 | Art. 3(35) | CyberResilience | |
| Explainability | Feature of an AI system that is intelligible to non-experts. An AI system is intelligible if its functionality and operations can be explained non technically to a person not skilled in the art. | ALTAI | ||
| exploitable vulnerability | a vulnerability that has the potential to be effectively used by an adversary under practical operational conditions | Art. 3(41) | CyberResilience | |
| exportable data | for the purpose of Articles 23 EU Data Act to Article 31 EU Data Act and Article 35 EU Data Act , means the input and output data, including metadata, directly or indirectly generated, or cogenerated, by the customer’s use of the data processing service, excluding any assets or data protected by intellectual property rights, or constituting a trade secret, of providers of data processing services or third parties | Art. 2(38) | EU Data Act | |
| Fairness | Fairness refers to a variety of ideas known as equity, impartiality, egalitarianism, non-discrimination and justice. Fairness embodies an ideal of equal treatment between individuals or between groups of individuals. This is what is generally referred to as ‘substantive’ fairness. But fairness also encompasses a procedural perspective, that is the ability to seek and obtain relief when individual rights and freedoms are violated. | ALTAI | ||
| Fault tolerance | Fault tolerance is the property that enables a system to continue operating properly in the event of the failure of (or one or more faults within) some of its components. If its operating quality decreases at all, the decrease is proportional to the severity of the failure, as compared to a naively designed system, in which even a small failure can cause total breakdown. Fault tolerance is particularly sought after in high-availability or safetycritical systems. Redundancy or duplication is the provision of additional functional capabilities that would be unnecessary in a fault-free environment. This can consist of backup components that automatically ‘kick in’ if one component fails. | ALTAI | ||
| filing system | any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis | Art. 4(6) | GDPR | |
| floating-point operation | any mathematical operation or assignment involving floating-point numbers, which are a subset of the real numbers typically represented on computers by an integer of fixed precision scaled by an integer exponent of a fixed base | Art. 3(67) | EU AI Act | |
| free and open-source software | software the source code of which is openly shared and which is made available under a free and open-source licence which provides for all rights to make it freely accessible, usable, modifiable and redistributable | Art. 3(48) | CyberResilience | |
| functional equivalence | re-establishing on the basis of the customer’s exportable data and digital assets, a minimum level of functionality in the environment of a new data processing service of the same service type after the switching process, where the destination data processing service delivers a materially comparable outcome in response to the same input for shared features supplied to the customer under the contract | Art. 2(37) | EU Data Act | |
| general-purpose AI model | an AI model, including where such an AI model is trained with a large amount of data using self-supervision at scale, that displays significant generality and is capable of competently performing a wide range of distinct tasks regardless of the way the model is placed on the market and that can be integrated into a variety of downstream systems or applications, except AI models that are used for research, development or prototyping activities before they are placed on the market | Art. 3(63) | EU AI Act | |
| general-purpose AI system | an AI system which is based on a general-purpose AI model, and which has the capability to serve a variety of purposes, both for direct use as well as for integration in other AI systems | Art. 3(66) | EU AI Act | |
| genetic data | personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question | Art. 4(13) | GDPR | |
| group | a group as defined in Article 2, point (11), of Directive 2013/34/EU, i.e. ”‘group’ means a parent undertaking and all its subsidiary undertakings;” | Art. 3 (26) | DORA | Article 2, point (11), of Directive 2013/34/EU |
| group of undertakings | a controlling undertaking and its controlled undertakings | Art. 4(19) | GDPR | |
| hardware | a physical electronic information system, or parts thereof capable of processing, storing or transmitting digital data | Art. 3(5) | CyberResilience | |
| harmonised standard 3 | a harmonised standard as defined in Article 2, point (1)(c), of Regulation (EU) No 1025/2012 | Art. 3(36) | CyberResilience | |
| harmonised standard 2 | a harmonised standard as defined in Article 2, point (1)(c), of Regulation (EU) No 1025/2012 [a European standard adopted on the basis of a request made by the Commission for the application of Union harmonisation legislation] | Art. 2(43) | EU Data Act | Article 2, point (1)(c), of Regulation (EU) No 1025/2012 Art. 3(37) EU AI Act |
| harmonised standard | a harmonised standard as defined in Article 2(1), point (c), of Regulation (EU) No 1025/2012 | Art. 3(27) | EU AI Act | Article 2, point (1)(c), of Regulation (EU) No 1025/2012 Art. 2(43) EU Data Act |
| high-impact capabilities | capabilities that match or exceed the capabilities recorded in the most advanced general-purpose AI models | Art. 3(64) | EU AI Act | |
| hosting | a service, consisting of the storage of information provided by, and at the request of, a recipient of the service | Art. 3(g)(iii) | Digital Services Act | |
| Human oversight, human-in-the-loop, human-on-the-loop, human-in-command | Human oversight helps ensure that an AI system does not undermine human autonomy or causes other adverse effects. Oversight may be achieved through governance mechanisms such as a human-in-the-loop (HITL), human-on-the-loop (HOTL), or human-in-command (HIC) approach. Human-in-the-loop refers to the capability for human intervention in every decision cycle of the system, which in many cases is neither possible nor desirable. Humanon-the-loop refers to the capability for human intervention during the design cycle of the system and monitoring the system’s operation. Human-in-command refers to the capability to oversee the overall activity of the AI system (including its broader economic, societal, legal and ethical impact) and the ability to decide when and how to use the system in any particular situation. This can include the decision not to use an AI system in a particular situation, to establish levels of human discretion during the use of the system, or to ensure the ability to override a decision made by a system. Moreover, it must be ensured that public enforcers have the ability to exercise oversight in line with their mandate. Oversight mechanisms can be required in varying degrees to support other safety and control measures, depending on the AI system’s application area and potential risk. All other things being equal, the less oversight a human can exercise over an AI system, the more extensive testing and stricter governance is required. | ALTAI | ||
| ICT asset | a software or hardware asset in the network and information systems used by the financial entity | Art. 3 (7) | DORA | |
| ICT concentration risk | an exposure to individual or multiple related critical ICT third-party service providers creating a degree of dependency on such providers so that the unavailability, failure or other type of shortfall of such provider may potentially endanger the ability of a financial entity to deliver critical or important functions, or cause it to suffer other types of adverse effects, including large losses, or endanger the financial stability of the Union as a whole | Art. 3 (29) | DORA | |
| ICT intra-group service provider | an undertaking that is part of a financial group and that provides predominantly ICT services to financial entities within the same group or to financial entities belonging to the same institutional protection scheme, including to their parent undertakings, subsidiaries, branches or other entities that are under common ownership or control | Art. 3 (20) | DORA | |
| ICT risk | any reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment | Art. 3 (5) | DORA | |
| ICT services | digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services | Art. 3 (21) | DORA | |
| ICT subcontractor established in a third country | an ICT subcontractor that is a legal person established in a third-country and that has entered into a contractual arrangement either with an ICT third-party service provider, or with an ICT third-party service provider established in a third country | Art. 3 (28) | DORA | |
| ICT third-party risk | an ICT risk that may arise for a financial entity in relation to its use of ICT services provided by ICT third-party service providers or by subcontractors of the latter, including through outsourcing arrangements | Art. 3 (18) | DORA | |
| ICT third-party service provider | an undertaking providing ICT services | Art. 3 (19) | DORA | |
| ICT third-party service provider established in a third country | an ICT third-party service provider that is a legal person established in a third-country and that has entered into a contractual arrangement with a financial entity for the provision of ICT services | Art. 3 (24) | DORA | |
| ICT-related incident | a single event or a series of linked events unplanned by the financial entity that compromises the security of the network and information systems, and have an adverse impact on the availability, authenticity, integrity or confidentiality of data, or on the services provided by the financial entity | Art. 3 (8) | DORA | |
| illegal content | any information that, in itself or in relation to an activity, including the sale of products or the provision of services, is not in compliance with Union law or the law of any Member State which is in compliance with Union law, irrespective of the precise subject matter or nature of that law | Art. 3(h) | Digital Services Act | |
| importer 2 | a natural or legal person established in the Union who places on the market a product with digital elements that bears the name or trademark of a natural or legal person established outside the Union | Art. 3(16) | CyberResilience | |
| importer | a natural or legal person located or established in the Union that places on the market an AI system that bears the name or trademark of a natural or legal person established in a third country | Art. 3(6) | EU AI Act | |
| incident | an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555 | Art. 3(43) | CyberResilience | |
| incident having an impact on the security of the product with digital elements | an incident that negatively affects or is capable of negatively affecting the ability of a product with digital elements to protect the availability, authenticity, integrity or confidentiality of data or functions | Art. 3(44) | CyberResilience | |
| indirect connection | a connection to a device or network, which does not take place directly but rather as part of a larger system that is directly connectable to such device or network | Art. 3(10) | CyberResilience | |
| information asset | a collection of information, either tangible or intangible, that is worth protecting | Art. 3 (6) | DORA | |
| information society service 2 | a ‘service’ as defined in Article 1(1), point (b), of Directive (EU) 2015/1535 | Art. 3(a) | Digital Services Act | Article 1(1), point (b), of Directive (EU) 2015/1535 |
| information society service | a service as defined in point (b) of Article 1(1) of Directive (EU) 2015/1535 of the European Parliament and of the Council 19) | Art. 4(25) | GDPR | |
| informed consent | means a subject’s freely given, specific, unambiguous and voluntary expression of his or her willingness to participate in a particular testing in real-world conditions, after having been informed of all aspects of the testing that are relevant to the subject’s decision to participate | Art. 3(59) | EU AI Act | |
| input data | data provided to or directly acquired by an AI system on the basis of which the system produces an output | Art. 3(33) | EU AI Act | |
| institution exempted pursuant to Directive 2013-36-EU | an entity as referred to in Article 2(5), points (4) to (23), of Directive 2013/36/EU, i.e. ”5. This Directive shall not apply to the following: (2) central banks; (3) post office giro institutions; (4) in Denmark, the ‘Eksport Kredit Fonden’, the ‘Eksport Kredit Fonden A/S’, the ‘Danmarks Skibskredit A/S’ and the ‘KommuneKredit’; (5) in Germany, the ‘Kreditanstalt für Wiederaufbau’, ‘Landwirtschaftliche Rentenbank’, ‘Bremer Aufbau-Bank GmbH’, ‘Hamburgische Investitions- und Förderbank’, ‘Investitionsbank Berlin’, ‘Investitionsbank des Landes Brandenburg’, ‘Investitionsbank Schleswig-Holstein’, ‘Investitions- und Förderbank Niedersachsen – NBank’, ‘Investitions- und Strukturbank Rheinland-Pfalz’, ‘Landeskreditbank Baden-Württemberg – Förderbank’, ‘LfA Förderbank Bayern’, ‘NRW.BANK’, ‘Saarländische Investitionskreditbank AG’, ‘Sächsische Aufbaubank – Förderbank’, ‘Thüringer Aufbaubank’, undertakings which are recognised under the ‘Wohnungsgemeinnützigkeitsgesetz’ as bodies of State housing policy and are not mainly engaged in banking transactions, and undertakings recognised under that law as non-profit housing undertakings; (6) in Estonia, the ‘hoiu-laenuühistud’, as cooperative undertakings that are recognised under the ‘hoiu-laenuühistu seadus’; (7) in Ireland, the Strategic Banking Corporation of Ireland, credit unions and friendly societies; (8) in Greece, the ‘Ταμείο Παρακαταθηκών και Δανείων’ (Tamio Parakatathikon kai Danion); (9) in Spain, the ‘Instituto de Crédito Oficial’; (10) in France, the ‘Caisse des dépôts et consignations’; (11) in Croatia, the ‘kreditne unije’ and the ‘Hrvatska banka za obnovu i razvitak’; (12) in Italy, the ‘Cassa depositi e prestiti’; (13) in Latvia, the ‘krājaizdevu sabiedrības’, undertakings that are recognised under the ‘krājaizdevu sabiedrību likums’ as cooperative undertakings rendering financial services solely to their members; (14) in Lithuania, the ‘kredito unijos’ other than the ‘centrinės kredito unijos’; (15) in Hungary, the ‘MFB Magyar Fejlesztési Bank Zártkörűen Működő Részvénytársaság’ and the ‘Magyar Export-Import Bank Zártkörűen Működő Részvénytársaság’; (16) in Malta, ‘The Malta Development Bank’; (17) in the Netherlands, the ‘Nederlandse Investeringsbank voor Ontwikkelingslanden NV’, the ‘NV Noordelijke Ontwikkelingsmaatschappij’, the ‘NV Limburgs Instituut voor Ontwikkeling en Financiering’, the ‘Ontwikkelingsmaatschappij Oost-Nederland NV’ and kredietunies; (18) in Austria, undertakings recognised as housing associations in the public interest and the ‘Österreichische Kontrollbank AG’ (19) in Poland, the ‘Spółdzielcze Kasy Oszczędnościowo — Kredytowe’ and the ‘Bank Gospodarstwa Krajowego’; (20) in Portugal, the ‘Caixas Económicas’ existing on 1 January 1986 with the exception of those incorporated as limited companies and of the ‘Caixa Económica Montepio Geral’; (21) in Slovenia, the ‘SID-Slovenska izvozna in razvojna banka, d.d. Ljubljana’; (22) in Finland, the ‘Teollisen yhteistyön rahasto Oy/Fonden för industriellt samarbete AB’, and the ‘Finnvera Oyj/Finnvera Abp’; (23) in Sweden, the ‘Svenska Skeppshypotekskassan’; (24) in the United Kingdom, National Savings and Investments (NS&I), CDC Group plc, the Agricultural Mortgage Corporation Ltd, the Crown Agents for overseas governments and administrations, credit unions and municipal banks.” | Art. 3 (32) | DORA | Article 2(5), points (4) to (23), of Directive 2013/36/EU |
| institution for occupational retirement provision | an institution for occupational retirement provision as defined in Article 6, point (1), of Directive (EU) 2016/2341 | Art. 3 (52) | DORA | |
| instructions for use | the information provided by the provider to inform the deployer of in particular an AI system’s intended purpose and proper use | Art. 3(15) | EU AI Act | |
| insurance intermediary | an insurance intermediary as defined in Article 2(1), point (3), of Directive (EU) 2016/97 of the European Parliament and of the Council, i.e. ”‘insurance intermediary’ means any natural or legal person, other than an insurance or reinsurance undertaking or their employees and other than an ancillary insurance intermediary, who, for remuneration, takes up or pursues the activity of insurance distribution;” | Art. 3 (49) | DORA | Article 2(1), point (3), of Directive (EU) 2016/97 |
| insurance undertaking | an insurance undertaking as defined in Article 13, point (1), of Directive 2009/138/EC | Art. 3 (47) | DORA | |
| intended purpose 2 | the use for which a product with digital elements is intended by the manufacturer, including the specific context and conditions of use, as specified in the information supplied by the manufacturer in the instructions for use, promotional or sales materials and statements, as well as in the technical documentation | Art. 3(23) | CyberResilience | |
| intended purpose | the use for which an AI system is intended by the provider, including the specific context and conditions of use, as specified in the information supplied by the provider in the instructions for use, promotional or sales materials and statements, as well as in the technical documentation | Art. 3(12) | EU AI Act | |
| intermediary | a natural or legal person that, for the purpose of making platform work available to or through a digital labour platform: (i) establishes a contractual relationship with that digital labour platform and a contractual relationship with the person performing platform work; or (ii)is in a subcontracting chain between that digital labour platform and the person performing platform work | Art. 2(e) | Platform Work | |
| intermediary service | one of the following information society services: (i) a ‘mere conduit’ service, consisting of the transmission in a communication network of information provided by a recipient of the service, or the provision of access to a communication network; (ii) a ‘caching’ service, consisting of the transmission in a communication network of information provided by a recipient of the service, involving the automatic, intermediate and temporary storage of that information, performed for the sole purpose of making more efficient the information’s onward transmission to other recipients upon their request; (iii) a ‘hosting’ service, consisting of the storage of information provided by, and at the request of, a recipient of the service; | Art. 3(g) | Digital Services Act | |
| international organisation | an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries. | Art. 4(26) | GDPR | |
| international standard | an international standard as defined in Article 2, point (1)(a), of Regulation (EU) No 1025/2012 | Art. 3(34) | CyberResilience | |
| interoperability | the ability of two or more data spaces or communication networks, systems, connected products, applications, data processing services or components to exchange and use data in order to perform their functions | Art. 2(40) | EU Data Act | |
| Interpretability | Interpretability refers to the concept of comprehensibility, explainability, or understandability. When an element of an AI system is interpretable, this means that it is possible at least for an external observer to understand it and find its meaning. | ALTAI | ||
| investment firm | an investment firm as defined in Article 4(1), point (1), of Directive 2014/65/EU, i.e. ”‘investment firm’ means any legal person whose regular occupation or business is the provision of one or more investment services to third parties and/or the performance of one or more investment activities on a professional basis. Member States may include in the definition of investment firms undertakings which are not legal persons, provided that: (a) their legal status ensures a level of protection for third parties’ interests equivalent to that afforded by legal persons; and (b) they are subject to equivalent prudential supervision appropriate to their legal form. However, where a natural person provides services involving the holding of third party funds or transferable securities, that person may be considered to be an investment firm for the purposes of this Directive and of Regulation (EU) No 600/2014 only if, without prejudice to the other requirements imposed in this Directive, in Regulation (EU) No 600/2014, and in Directive 2013/36/EU, that person complies with the following conditions: (a) the ownership rights of third parties in instruments and funds must be safeguarded, especially in the event of the insolvency of the firm or of its proprietors, seizure, set-off or any other action by creditors of the firm or of its proprietors; (b) the firm must be subject to rules designed to monitor the firm’s solvency and that of its proprietors; (c) the firm’s annual accounts must be audited by one or more persons empowered, under national law, to audit accounts; (d) where the firm has only one proprietor, that person must make provision for the protection of investors in the event of the firm’s cessation of business following the proprietor’s death or incapacity or any other such event;” | Art. 3 (33) | DORA | Article 4(1), point (1), of Directive 2014/65/EU |
| issuer of asset-referenced tokens | an issuer of asset-referenced tokens as defined in the relevant provision of the Regulation on markets in crypto-assets | Art. 3 (56) | DORA | |
| joint committee | the committee referred to in Article 54 of Regulations (EU) No 1093/2010, (EU) No 1094/2010 and (EU) No 1095/2010 | Art. 3 (62) | DORA | |
| law enforcement | activities carried out by law enforcement authorities or on their behalf for the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including safeguarding against and preventing threats to public security | Art. 3(46) | EU AI Act | |
| law enforcement authority | (a) any public authority competent for the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security; or (b) any other body or entity entrusted by Member State law to exercise public authority and public powers for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security; | Art. 3(45) | EU AI Act | |
| lead overseer | the European Supervisory Authority appointed in accordance with Article 31(1), point (b) of this Regulation | Art. 3 (61) | DORA | |
| legacy ICT system | an ICT system that has reached the end of its lifecycle (end-of-life), that is not suitable for upgrades or fixes, for technological or commercial reasons, or is no longer supported by its supplier or by an ICT third-party service provider, but that is still in use and supports the functions of the financial entity; | Art. 3 (3) | DORA | |
| Lifecycle | The lifecycle of an AI system includes several interdependent phases ranging from its design and development (including sub-phases such as requirement analysis, data collection, training, testing, integration), installation, deployment, operation, maintenance, and disposal. Given the complexity of AI (and in general information) systems, several models and methodologies have been defined to manage this complexity, especially during the design and development phases, such as waterfall, spiral, agile software development, rapid prototyping, and incremental. | ALTAI | ||
| logical connection | a virtual representation of a data connection implemented through a software interface | Art. 3(8) | CyberResilience | |
| main establishment | (a) as regards a controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment; (b) as regards a processor with establishments in more than one Member State, the place of its central administration in the Union, or, if the processor has no central administration in the Union, the establishment of the processor in the Union where the main processing activities in the context of the activities of an establishment of the processor take place to the extent that the processor is subject to specific obligations under this Regulation | Art. 4(16) | GDPR | |
| major ICT-related incident | an ICT-related incident that has a high adverse impact on the network and information systems that support critical or important functions of the financial entity | Art. 3 (10) | DORA | |
| major operational or security payment-related incident | an operational or security payment-related incident that has a high adverse impact on the payment-related services provided | Art. 3 (11) | DORA | |
| making available on the market 3 | the supply of a product with digital elements for distribution or use on the Union market in the course of a commercial activity, whether in return for payment or free of charge | Art. 3(22) | CyberResilience | |
| making available on the market 2 | any supply of a connected product for distribution, consumption or use on the Union market in the course of a commercial activity, whether in return for payment or free of charge | Art. 2(21) | EU Data Act | Art. 3(10) EU AI Act |
| making available on the market | the supply of an AI system or a general-purpose AI model for distribution or use on the Union market in the course of a commercial activity, whether in return for payment or free of charge | Art. 3(10) | EU AI Act | Art. 2(21) EU Data Act |
| management body | a management body as defined in Article 4(1), point (36), of Directive 2014/65/EU, Article 3(1), point (7), of Directive 2013/36/EU, Article 2(1), point (s), of Directive 2009/65/EC of the European Parliament and of the Council (31), Article 2(1), point (45), of Regulation (EU) No 909/2014, Article 3(1), point (20), of Regulation (EU) 2016/1011, and in the relevant provision of the Regulation on markets in crypto-assets, or the equivalent persons who effectively run the entity or have key functions in accordance with relevant Union or national law | Art. 3 (30) | DORA | |
| management company | a management company as defined in Article 2(1), point (b), of Directive 2009/65/EC | Art. 3 (45) | DORA | |
| manager of alternative investment funds | a manager of alternative investment funds as defined in Article 4(1), point (b), of Directive 2011/61/EU | Art. 3 (44) | DORA | |
| manufacturer | a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge | Art. 3(13) | CyberResilience | |
| market surveillance authority 2 | a market surveillance authority as defined in Article 3, point (4), of Regulation (EU) 2019/1020 | Art. 3(33) | CyberResilience | |
| market surveillance authority | the national authority carrying out the activities and taking the measures pursuant to Regulation (EU) 2019/1020; | Art. 3(26) | EU AI Act | |
| medium-sized enterprise | a financial entity that is not a small enterprise and employs fewer than 250 persons and has an annual turnover that does not exceed EUR 50 million and/or an annual balance sheet that does not exceed EUR 43 million | Art. 3 (64) | DORA | |
| mere conduit | a service, consisting of the transmission in a communication network of information provided by a recipient of the service, or the provision of access to a communication network | Art. 3(g)(i) | Digital Services Act | |
| metadata | a structured description of the contents or the use of data facilitating the discovery or use of that data | Art. 2(2) | EU Data Act | |
| microenterprise 2 | a financial entity, other than a trading venue, a central counterparty, a trade repository or a central securities depository, which employs fewer than 10 persons and has an annual turnover and/or annual balance sheet total that does not exceed EUR 2 million | Art. 3 (60) | DORA | |
| microenterprise | a microenterprise as defined in Article 2(3) of the Annex to Recommendation 2003/361/EC [an enterprise which employs fewer than 10 persons and whose annual turnover and/or annual balance sheet total does not exceed EUR 2 million] | Art. 2(26) | EU Data Act | Article 2(3) of the Annex to Recommendation 2003/361/EC |
| Model Evasion | Evasion is one of the most common attacks on machine learning models (ML) performed during production. It refers to designing an input, which seems normal for a human but is wrongly classified by ML models. A typical example is to change some pixels in a picture before uploading, so that the image recognition system fails to classify the result. | ALTAI | ||
| Model Inversion | Model inversion refers to a kind of attack to AI models, in which the access to a model is abused to infer information about the training data. So, model inversion turns the usual path from training data into a machine-learned model from a one-way one to a two-way one, permitting the training data to be estimated from the model with varying degrees of accuracy. Such attacks raise serious concerns given that training data usually contain privacy-sensitive information. | ALTAI | ||
| national competent authority | means a notifying authority or a market surveillance authority; as regards AI systems put into service or used by Union institutions, agencies, offices and bodies, references to national competent authorities or market surveillance authorities in this Regulation shall be construed as references to the European Data Protection Supervisor; | Art. 3(48) | EU AI Act | |
| near miss | a near miss as defined in Article 6, point (5), of Directive (EU) 2022/2555 | Art. 3(45) | CyberResilience | |
| network and information system | a network and information system as defined in Article 6, point 1, of Directive (EU) 2022/2555, i.e. ”‘network and information system’ means: (a) an electronic communications network as defined in Article 2, point (1), of Directive (EU) 2018/1972; (b) any device or group of interconnected or related devices, one or more of which, pursuant to a programme, carry out automatic processing of digital data; or (c) digital data stored, processed, retrieved or transmitted by elements covered under points (a) and (b) for the purposes of their operation, use, protection and maintenance” | Art. 3 (2) | DORA | Article 6, point 1, of Directive (EU) 2022/2555 |
| non-personal data 2 | data other than personal data | Art. 2(4) | EU Data Act | Art. 3(51) EU AI Act |
| non-personal data | data other than personal data as defined in Article 4, point (1), of Regulation (EU) 2016/679 | Art. 3(51) | EU AI Act | Art. 2(4) EU Data Act |
| notified body 2 | a conformity assessment body designated in accordance with Article 43 and other relevant Union harmonisation legislation | Art. 3(29) | CyberResilience | |
| notified body | a conformity assessment body notified in accordance with this Regulation and other relevant Union harmonisation legislation; | Art. 3(22) | EU AI Act | |
| notifying authority 2 | the national authority responsible for setting up and carrying out the necessary procedures for the assessment, designation and notification of conformity assessment bodies and for their monitoring | Art. 3(26) | CyberResilience | |
| notifying authority | the national authority responsible for setting up and carrying out the necessary procedures for the assessment, designation and notification of conformity assessment bodies and for their monitoring; | Art. 3(19) | EU AI Act | |
| on-premises ICT infrastructure | ICT infrastructure and computing resources owned, rented or leased by the customer, located in the data centre of the customer itself and operated by the customer or by a third-party | Art. 2(33) | EU Data Act | |
| Online continual learning | The ability to continually learn over time by accommodating new knowledge while retaining previously learned experiences is referred to as continual or lifelong learning. Learning continually is crucial for agents and robots operating in changing environments and required to acquire, fine-tune, adapt, and transfer increasingly complex representations of knowledge. Such a continuous learning task has represented a long-standing challenge for machine learning and neural networks and, consequently, for the development of artificial intelligence (AI) systems. The main issue of computational models regarding lifelong learning is that they are prone to catastrophic forgetting or catastrophic interference, i.e., training a model with new information interferes with previously learned knowledge. | ALTAI | ||
| online interface | any software, including a website or a part thereof, and applications, including mobile applications | Art. 3(m) | Digital Services Act | |
| online platform | a hosting service that, at the request of a recipient of the service, stores and disseminates information to the public, unless that activity is a minor and purely ancillary feature of another service or a minor functionality of the principal service and, for objective and technical reasons, cannot be used without that other service, and the integration of the feature or functionality into the other service is not a means to circumvent the applicability of this Regulation | Art. 3(i) | Digital Services Act | |
| online search engine | an intermediary service that allows users to input queries in order to perform searches of, in principle, all websites, or all websites in a particular language, on the basis of a query on any subject in the form of a keyword, voice request, phrase or other input, and returns results in any format in which information related to the requested content can be found | Art. 3(j) | Digital Services Act | |
| open interoperability specification | a technical specification in the field of information and communication technologies which is performance oriented towards achieving interoperability between data processing services | Art. 2(41) | EU Data Act | |
| open-source software steward | a legal person, other than a manufacturer, that has the purpose or objective of systematically providing support on a sustained basis for the development of specific products with digital elements, qualifying as free and open-source software and intended for commercial activities, and that ensures the viability of those products | Art. 3(14) | CyberResilience | |
| operational or security payment-related incident | a single event or a series of linked events unplanned by the financial entities referred to in Article 2(1), points (a) to (d), whether ICT-related or not, that has an adverse impact on the availability, authenticity, integrity or confidentiality of payment-related data, or on the payment-related services provided by the financial entity | Art. 3 (9) | DORA | |
| operator | a provider, product manufacturer, deployer, authorised representative, importer or distributor | Art. 3(8) | EU AI Act | |
| parent undertaking | a parent undertaking within the meaning of Article 2, point (9), and Article 22 of Directive 2013/34/EU, i.e. ”‘parent undertaking’ means an undertaking which controls one or more subsidiary undertakings;” | Art. 3 (27) | DORA | Article 2, point (9), and Article 22 of Directive 2013/34/EU |
| payment institution | a payment institution as defined in Article 4, point (4), of Directive (EU) 2015/2366 | Art. 3 (35) | DORA | |
| payment institution exempted pursuant to Directive (EU) 2015-2366 | a payment institution exempted pursuant to Article 32(1) of Directive (EU) 2015/2366 | Art. 3 (36) | DORA | |
| Pen test | A penetration test, colloquially known as a pen test, pentest or ethical hacking, is an authorized simulated cyberattack on a computer system, performed to evaluate the security of the system. The test is performed to identify both weaknesses (also referred to as vulnerabilities), including the potential for unauthorised parties to gain access to the system’s features and data, as well as strengths, enabling a full risk assessment to be completed. | ALTAI | ||
| performance of an AI system | the ability of an AI system to achieve its intended purpose; | Art. 3(18) | EU AI Act | |
| person performing platform work | an individual performing platform work, irrespective of the nature of the contractual relationship or the designation of that relationship by the parties involved | Art. 2(c) | Platform Work | |
| personal data 4 | personal data as defined in Article 4, point (1), of Regulation (EU) 2016/679 | Art. 3(47) | CyberResilience | |
| personal data 3 | personal data as defined in Article 4, point (1), of Regulation (EU) 2016/679 [any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person] | Art. 2(3) | EU Data Act | Art. 4(1) GDPR Art. 3(50) EU AI Act |
| personal data | any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person | Art. 4(1) | GDPR | Art. 3(50) EU AI Act Art. 2(3) EU Data Act |
| personal data 2 | personal data as defined in Article 4, point (1), of Regulation (EU) 2016/679 [any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person] | Art. 3(50) | EU AI Act | Art. 4(1) GDPR Art. 2(3) EU Data Act |
| personal data breach | a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed | Art. 4(12) | GDPR | |
| persons with disabilities | ‘persons with disabilities’ as referred to in Article 3, point (1), of Directive (EU) 2019/882 of the European Parliament and of the Council | Art. 3(v) | Digital Services Act | Article 3, point (1), of Directive (EU) 2019/882 |
| physical connection | a connection between electronic information systems or components implemented using physical means, including through electrical, optical or mechanical interfaces, wires or radio waves | Art. 3(9) | CyberResilience | |
| placing on the market 3 | the first making available of a product with digital elements on the Union market | Art. 3(21) | CyberResilience | |
| placing on the market 2 | the first making available of a connected product on the Union market | Art. 2(22) | EU Data Act | Art. 3(9) EU AI Act |
| placing on the market | the first making available of an AI system or a general-purpose AI model on the Union market | Art. 3(9) | EU AI Act | Art. 2(22) EU Data Act |
| platform work | work organised through a digital labour platform and performed in the Union by an individual on the basis of a contractual relationship between the digital labour platform or an intermediary, and the individual, irrespective of whether there is a contractual relationship between the individual or an intermediary and the recipient of the service | Art. 2(b) | Platform Work | |
| platform worker | means any person performing platform work who has or is deemed to have an employment contract or an employment relationship as defined by the law, collective agreements or practice in force in the Member States with consideration to the case-law of the Court of Justice | Art. 2(d) | Platform Work | |
| post-market monitoring system | all activities carried out by providers of AI systems to collect and review experience gained from the use of AI systems they place on the market or put into service for the purpose of identifying any need to immediately apply any necessary corrective or preventive actions; | Art. 3(25) | EU AI Act | |
| post-remote biometric identification system | a remote biometric identification system other than a real-time remote biometric identification system; | Art. 3(43) | EU AI Act | |
| processing 2 | any operation or set of operations which is performed on data or on sets of data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or other means of making them available, alignment or combination, restriction, erasure or destruction | Art. 2(7) | EU Data Act | Art. 4(2) GDPR |
| processing | any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction | Art. 4(2) | GDPR | Art. 2(7) EU DAta Act |
| processor | a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller | Art. 4(8) | GDPR | |
| product data | data generated by the use of a connected product that the manufacturer designed to be retrievable, via an electronic communications service, physical connection or on-device access, by a user, data holder or a third party, including, where relevant, the manufacturer | Art. 2(15) | EU Data Act | |
| product with digital elements | a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately | Art. 3(1) | CyberResilience | |
| profiling 3 | profiling as defined in Article 4, point (4), of Regulation (EU) 2016/679 (GDPR) [any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements] | Art. 2(20) | EU Data Act | Art. 4(4) GDPR Art. 3(52) EU AI Act |
| profiling | any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements | Art. 4(4) | GDPR | Art. 3(52) EU AI Act Art. 2(20) EU Data Act |
| profiling 2 | profiling as defined in Article 4, point (4), of Regulation (EU) 2016/679 (GDPR) [any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements] | Art. 3(52) | EU AI Act | Art. 4(4) GDPR Art. 2(20) EU Data Act |
| provider | a natural or legal person, public authority, agency or other body that develops an AI system or a general-purpose AI model or that has an AI system or a general-purpose AI model developed and places it on the market or puts the AI system into service under its own name or trademark, whether for payment or free of charge; | Art. 3(3) | EU AI Act | |
| pseudonymisation | the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person | Art. 4(5) | GDPR | |
| public authority | any government or other public administration entity, including national central banks | Art. 3 (65) | DORA | |
| public emergency | an exceptional situation, limited in time, such as a public health emergency, an emergency resulting from natural disasters, a human-induced major disaster, including a major cybersecurity incident, negatively affecting the population of the Union or the whole or part of a Member State, with a risk of serious and lasting repercussions for living conditions or economic stability, financial stability, or the substantial and immediate degradation of economic assets in the Union or the relevant Member State and which is determined or officially declared in accordance with the relevant procedures under Union or national law | Art. 2(29) | EU Data Act | |
| public sector body | national, regional or local authorities of the Member States and bodies governed by public law of the Member States, or associations formed by one or more such authorities or one or more such bodies | Art. 2(28) | EU Data Act | |
| publicly accessible space | any publicly or privately owned physical place accessible to an undetermined number of natural persons, regardless of whether certain conditions for access may apply, and regardless of the potential capacity restrictions; | Art. 3(44) | EU AI Act | |
| putting into service | the supply of an AI system for first use directly to the deployer or for own use in the Union for its intended purpose | Art. 3(11) | EU AI Act | |
| readily available data | product data and related service data that a data holder lawfully obtains or can lawfully obtain from the connected product or related service, without disproportionate effort going beyond a simple operation | Art. 2(17) | EU Data Act | |
| real-time remote biometric identification system | a remote biometric identification system whereby the capturing of biometric data, the comparison and the identification all occur without a significant delay, comprising not only instant identification, but also limited short delays in order to avoid circumvention; | Art. 3(42) | EU AI Act | |
| real-world testing plan | a document that describes the objectives, methodology, geographical, population and temporal scope, monitoring, organisation and conduct of testing in real-world conditions | Art. 3(53) | EU AI Act | |
| reasonably foreseeable misuse 2 | the use of a product with digital elements in a way that is not in accordance with its intended purpose, but which may result from reasonably foreseeable human behaviour or interaction with other systems | Art. 3(25) | CyberResilience | |
| reasonably foreseeable misuse | the use of an AI system in a way that is not in accordance with its intended purpose, but which may result from reasonably foreseeable human behaviour or interaction with other systems, including other AI systems | Art. 3(13) | EU AI Act | |
| reasonably foreseeable use | use that is not necessarily the intended purpose supplied by the manufacturer in the instructions for use, promotional or sales materials and statements, as well as in the technical documentation, but which is likely to result from reasonably foreseeable human behaviour or technical operations or interactions | Art. 3(24) | CyberResilience | |
| recall | recall as defined in Article 3, point (22), of Regulation (EU) 2019/1020 | Art. 3(49) | CyberResilience | |
| recall of an AI system | any measure aiming to achieve the return to the provider or taking out of service or disabling the use of an AI system made available to deployers | Art. 3(16) | EU AI Act | |
| recipient | a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing | Art. 4(9) | GDPR | |
| recipient of the service | any natural or legal person who uses an intermediary service, in particular for the purposes of seeking information or making it accessible | Art. 3(b) | Digital Services Act | |
| recommender system | a fully or partially automated system used by an online platform to suggest in its online interface specific information to recipients of the service or prioritise that information, including as a result of a search initiated by the recipient of the service or otherwise determining the relative order or prominence of information displayed | Art. 3(s) | Digital Services Act | |
| Red team | Red teaming is the practice whereby a red team or independent group challenges an organisation to improve its effectiveness by assuming an adversarial role or point of view. It is often used to help identify and address potential security vulnerabilities. | ALTAI | ||
| Redress by design | Redress by design relates to the idea of establishing, from the design phase, mechanisms to ensure redundancy, alternative systems, alternative procedures, etc. in order to be able to effectively detect, audit, rectify the wrong decisions taken by a perfectly functioning system and, if possible, improve the system. | ALTAI | ||
| reinsurance intermediary | a reinsurance intermediary as defined in Article 2(1), point (5), of Directive (EU) 2016/97, i.e. ”‘reinsurance intermediary’ means any natural or legal person, other than a reinsurance undertaking or its employees, who, for remuneration, takes up or pursues the activity of reinsurance distribution;” | Art. 3 (51) | DORA | Article 2(1), point (5), of Directive (EU) 2016/97 |
| reinsurance undertaking | a reinsurance undertaking as defined in Article 13, point (4), of Directive 2009/138/EC | Art. 3 (48) | DORA | |
| related service | a digital service, other than an electronic communications service, including software, which is connected with the product at the time of the purchase, rent or lease in such a way that its absence would prevent the connected product from performing one or more of its functions, or which is subsequently connected to the product by the manufacturer or a third party to add to, update or adapt the functions of the connected product | Art. 2(6) | EU Data Act | |
| related service data | data representing the digitisation of user actions or of events related to the connected product, recorded intentionally by the user or generated as a by-product of the user’s action during the provision of a related service by the provider | Art. 2(16) | EU Data Act | |
| relevant and reasoned objection | an objection to a draft decision as to whether there is an infringement of this Regulation, or whether envisaged action in relation to the controller or processor complies with this Regulation, which clearly demonstrates the significance of the risks posed by the draft decision as regards the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the Union | Art. 4(24) | GDPR | |
| remote biometric identification system | an AI system for the purpose of identifying natural persons, without their active involvement, typically at a distance through the comparison of a person’s biometric data with the biometric data contained in a reference database; | Art. 3(41) | EU AI Act | |
| remote data processing | data processing at a distance for which the software is designed and developed by the manufacturer, or under the responsibility of the manufacturer, and the absence of which would prevent the product with digital elements from performing one of its functions | Art. 3(2) | CyberResilience | |
| representative | a natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to Article 27, represents the controller or processor with regard to their respective obligations under this Regulation | Art. 4(17) | GDPR | |
| representatives of persons performing platform work | workers’ representatives and, insofar as provided for in national law and practice | Art. 2(g) | Platform Work | |
| Reproducibility | Reproducibility refers to the closeness between the results of two actions, such as two scientific experiments, that are given the same input and use the methodology, as described in a corresponding scientific evidence (such as a scientific publication). A related concept is replication, which is the ability to independently achieve non-identical conclusions that are at least similar, when differences in sampling, research procedures and data analysis methods may exist. Reproducibility and replicability together are among the main tools of the scientific method. | ALTAI | ||
| restriction of processing | the marking of stored personal data with the aim of limiting their processing in the future | Art. 4(3) | GDPR | |
| risk | the combination of the probability of an occurrence of harm and the severity of that harm | Art. 3(2) | EU AI Act | |
| Robustness AI | Robustness of an AI system encompasses both its technical robustness (appropriate in a given context, such as the application domain or life cycle phase) and as well as its robustness from a social perspective (ensuring that the AI system duly takes into account the context and environment in which the system operates). This is crucial to ensure that, even with good intentions, no unintentional harm can occur. Robustness is the third of the three components necessary for achieving Trustworthy AI. | ALTAI | ||
| safety component | a component of a product or of an AI system which fulfils a safety function for that product or AI system, or the failure or malfunctioning of which endangers the health and safety of persons or property | Art. 3(14) | EU AI Act | |
| same service type | a set of data processing services that share the same primary objective, data processing service model and main functionalities | Art. 2(9) | EU Data Act | |
| sandbox plan | a document agreed between the participating provider and the competent authority describing the objectives, conditions, timeframe, methodology and requirements for the activities carried out within the sandbox; | Art. 3(54) | EU AI Act | |
| securitisation repository | a securitisation repository as defined in Article 2, point (23), of Regulation (EU) 2017/2402 of the European Parliament and of the Council | Art. 3 (59) | DORA | |
| security of network and information systems | security of network and information systems as defined in Article 6, point 2, of Directive (EU) 2022/2555, i.e. ”‘security of network and information systems’ means the ability of network and information systems to resist, at a given level of confidence, any event that may compromise the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, those network and information systems;” | Art. 3 (4) | DORA | Article 6, point 2, of Directive (EU) 2022/2555 |
| Self-learning AI system | Self-learning (or self-supervised learning) AI systems recognize patterns in the training data in an autonomous way, without the need for supervision. | ALTAI | ||
| sensitive operational data | operational data related to activities of prevention, detection, investigation or prosecution of criminal offences, the disclosure of which could jeopardise the integrity of criminal proceedings; | Art. 3(38) | EU AI Act | |
| serious incident | an incident or malfunctioning of an AI system that directly or indirectly leads to any of the following: (a) the death of a person, or serious harm to a person’s health; (b) a serious and irreversible disruption of the management or operation of critical infrastructure. (c) the infringement of obligations under Union law intended to protect fundamental rights; (d) serious harm to property or the environment | Art. 3(49) | EU AI Act | |
| significant cyber threat | a cyber threat the technical characteristics of which indicate that it could have the potential to result in a major ICT-related incident or a major operational or security payment-related incident | Art. 3 (13) | DORA | |
| significant cybersecurity risk | a cybersecurity risk which, based on its technical characteristics, can be assumed to have a high likelihood of an incident that could lead to a severe negative impact, including by causing considerable material or non-material loss or disruption | Art. 3(38) | CyberResilience | |
| small and non-interconnected investment firm | an investment firm that meets the conditions laid out in Article 12(1) of Regulation (EU) 2019/2033 of the European Parliament and of the Council | Art. 3 (34) | DORA | |
| small enterprise 2 | a financial entity that employs 10 or more persons, but fewer than 50 persons, and has an annual turnover and/or annual balance sheet total that exceeds EUR 2 million, but does not exceed EUR 10 million | Art. 3 (63) | DORA | |
| small enterprise | a small enterprise as defined in Article 2(2) of the Annex to Recommendation 2003/361/EC [an enterprise which employs fewer than 50 persons and whose annual turnover and/or annual balance sheet total does not exceed EUR 10 million] | Art. 2(25) | EU Data Act | Article 2(2) of the Annex to Recommendation 2003/361/EC |
| small institution for occupational retirement provision | an institution for occupational retirement provision which operates pension schemes which together have less than 100 members in total | Art. 3 (53) | DORA | |
| smart contract | a computer program used for the automated execution of an agreement or part thereof, using a sequence of electronic data records and ensuring their integrity and the accuracy of their chronological ordering | Art. 2(39) | EU Data Act | |
| software | the part of an electronic information system which consists of computer code | Art. 3(4) | CyberResilience | |
| software bill of materials | a formal record containing details and supply chain relationships of components included in the software elements of a product with digital elements | Art. 3(39) | CyberResilience | |
| special categories of personal data | the categories of personal data referred to in Article 9(1) of Regulation (EU) 2016/679, Article 10 of Directive (EU) 2016/680 and Article 10(1) of Regulation (EU) 2018/1725; | Art. 3(37) | EU AI Act | |
| Standards | Standards are norms designed by industry and/or Governments that set product or services’ specifications. They are a key part of our society as they ensure quality and safety in both products and services in international trade. Businesses can be seen to benefit from standards as they can help cut costs by improved systems and procedures put in place. Standards are internationally agreed by experts and they usually represent what the experts think is the best way of doing something. It could be about making a product, managing a process, delivering a service or supplying materials – standards cover a huge range of activities. Standards are released by international organizations, such as ISO (International Organisation for Standardisation), IEEE (The Institute of Electrical and Electronics Engineers) Standard Association, and NIST (National Institute of Standards and Technology). | ALTAI | ||
| subject | A subject is a person or a group of persons affected by the AI system (such as the recipient of benefits where the decision to grant or reject benefits is underpinned by an AIsystem, or the general public for facial recognition). | ALTAI | ||
| subject | for the purpose of real-world testing, means a natural person who participates in testing in real-world conditions; | Art. 3(58) | EU AI Act | |
| subsidiary | a subsidiary undertaking within the meaning of Article 2, point (10), and Article 22 of Directive 2013/34/EU, i.e. ”‘subsidiary undertaking’ means an undertaking controlled by a parent undertaking, including any subsidiary undertaking of an ultimate parent undertaking;” | Art. 3 (25) | DORA | Article 2, point (10), and Article 22 of Directive 2013/34/EU |
| substantial connection to the Union | a connection of a provider of intermediary services with the Union resulting either from its establishment in the Union or from specific factual criteria, such as: - a significant number of recipients of the service in one or more Member States in relation to its or their population; or - the targeting of activities towards one or more Member States | Art. 3(e) | Digital Services Act | |
| substantial modification 2 | a change to the product with digital elements following its placing on the market, which affects the compliance of the product with digital elements with the essential cybersecurity requirements set out in Part I of Annex I or which results in a modification to the intended purpose for which the product with digital elements has been assessed | Art. 3(30) | CyberResilience | |
| substantial modification | a change to an AI system after its placing on the market or putting into service which is not foreseen or planned in the initial conformity assessment carried out by the provider and as a result of which the compliance of the AI system with the requirements set out in Chapter III, Section 2 is affected or results in a modification to the intended purpose for which the AI system has been assessed; | Art. 3(23) | EU AI Act | |
| supervisory authority | an independent public authority which is established by a Member State pursuant to Article 51; | Art. 4(21) | GDPR | |
| supervisory authority concerned | a supervisory authority which is concerned by the processing of personal data because: • (a) the controller or processor is established on the territory of the Member State of that supervisory authority; • (b) data subjects residing in the Member State of that supervisory authority are substantially affected or likely to be substantially affected by the processing; or • (c) a complaint has been lodged with that supervisory authority; | Art. 4(22) | GDPR | |
| support period | the period during which a manufacturer is required to ensure that vulnerabilities of a product with digital elements are handled effectively and in accordance with the essential cybersecurity requirements set out in Part II of Annex I | Art. 3(20) | CyberResilience | |
| switching | the process involving a source provider of data processing services, a customer of a data processing service and, where relevant, a destination provider of data processing services, whereby the customer of a data processing service changes from using one data processing service to using another data processing service of the same service type, or other service, offered by a different provider of data processing services, or to an on-premises ICT infrastructure, including through extracting, transforming and uploading the data | Art. 2(34) | EU Data Act | |
| switching charges | charges, other than standard service fees or early termination penalties, imposed by a provider of data processing services on a customer for the actions mandated by this Regulation for switching to the system of a different provider or to on-premises ICT infrastructure, including data egress charges | Art. 2(36) | EU Data Act | |
| systemic risk | a risk that is specific to the high-impact capabilities of general-purpose AI models, having a significant impact on the Union market due to their reach, or due to actual or reasonably foreseeable negative effects on public health, safety, public security, fundamental rights, or the society as a whole, that can be propagated at scale across the value chain | Art. 3(65) | EU AI Act | |
| terms and conditions | all clauses, irrespective of their name or form, which govern the contractual relationship between the provider of intermediary services and the recipients of the service | Art. 3(u) | Digital Services Act | |
| testing data | data used for providing an independent evaluation of the AI system in order to confirm the expected performance of that system before its placing on the market or putting into service; | Art. 3(32) | EU AI Act | |
| testing in real-world conditions | the temporary testing of an AI system for its intended purpose in real-world conditions outside a laboratory or otherwise simulated environment, with a view to gathering reliable and robust data and to assessing and verifying the conformity of the AI system with the requirements of this Regulation and it does nor qualify as placing the AI system on the market or putting it into service within the meaning of this Regulation, provided that all the conditions laid down in Article 57 or 60 are fulfilled | Art. 3(57) | EU AI Act | |
| third party | a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data | Art. 4(10) | GDPR | |
| threat intelligence | information that has been aggregated, transformed, analysed, interpreted or enriched to provide the necessary context for decision-making and to enable relevant and sufficient understanding in order to mitigate the impact of an ICT-related incident or of a cyber threat, including the technical details of a cyber-attack, those responsible for the attack and their modus operandi and motivations | Art. 3 (15) | DORA | |
| threat-led penetration testing (TLPT) | a framework that mimics the tactics, techniques and procedures of real-life threat actors perceived as posing a genuine cyber threat, that delivers a controlled, bespoke, intelligence-led (red team) test of the financial entity’s critical live production systems | Art. 3 (19) | DORA | |
| offer services in the Union | enabling natural or legal persons in one or more Member States to use the services of a provider of intermediary services that has a substantial connection to the Union; | Art. 3(d) | Digital Services Act | |
| Traceability | Ability to track the journey of a data input through all stages of sampling, labelling, processing and decision making. | ALTAI | ||
| trade repository | a trade repository as defined in Article 2, point (2), of Regulation (EU) No 648/2012 | Art. 3 (41) | DORA | |
| trade secret | trade secret as defined in Article 2, point (1), of Directive (EU) 2016/943 [‘trade secret’ means information which meets all of the following requirements: (a) it is secret in the sense that it is not, as a body or in the precise configuration and assembly of its components, generally known among or readily accessible to persons within the circles that normally deal with the kind of information in question; (b) it has commercial value because it is secret; (c) it has been subject to reasonable steps under the circumstances, by the person lawfully in control of the information, to keep it secret;] | Art. 2(18) | EU Data Act | Article 2, point (1), of Directive (EU) 2016/943 |
| trade secret holder | a trade secret holder as defined in Article 2, point (2), of Directive (EU) 2016/943 [any natural or legal person lawfully controlling a trade secret] | Art. 2(19) | EU Data Act | Article 2, point (2), of Directive (EU) 2016/943 |
| trader | any natural person, or any legal person irrespective of whether it is privately or publicly owned, who is acting, including through any person acting in his or her name or on his or her behalf, for purposes relating to his or her trade, business, craft or profession | Art. 3(f) | Digital Services Act | |
| trading venue | a trading venue as defined in Article 4(1), point (24), of Directive 2014/65/EU, i.e. ”‘trading venue’ means a regulated market, an MTF or an OTF;” Supplemental definitions: (21) ‘regulated market’ means a multilateral system operated and/or managed by a market operator, which brings together or facilitates the bringing together of multiple third-party buying and selling interests in financial instruments – in the system and in accordance with its non-discretionary rules – in a way that results in a contract, in respect of the financial instruments admitted to trading under its rules and/or systems, and which is authorised and functions regularly and in accordance with Title III of this Directive (22) ‘multilateral trading facility’ or ‘MTF’ means a multilateral system, operated by an investment firm or a market operator, which brings together multiple third-party buying and selling interests in financial instruments – in the system and in accordance with non-discretionary rules – in a way that results in a contract in accordance with Title II of this Directive (23) ‘organised trading facility’ or ‘OTF’ means a multilateral system which is not a regulated market or an MTF and in which multiple third-party buying and selling interests in bonds, structured finance products, emission allowances or derivatives are able to interact in the system in a way that results in a contract in accordance with Title II of this Directive | Art. 3 (43) | DORA | Article 4(1), point (24), of Directive 2014/65/EU |
| training data | data used for training an AI system through fitting its learnable parameters; | Art. 3(29) | EU AI Act | |
| Trustworthy AI | Trustworthy AI has three components: (1) it should be lawful, ensuring compliance with all applicable laws and regulations (2) it should be ethical, demonstrating respect for, and ensure adherence to, ethical principles and values and (3) it should be robust, both from a technical and social perspective, since, even with good intentions, AI systems can cause unintentional harm. Trustworthy AI concerns not only the trustworthiness of the AI system itself but also comprises the trustworthiness of all processes and actors that are part of the AI system’s life cycle. | ALTAI | ||
| turnover | the amount derived by an undertaking within the meaning of Article 5(1) of Council Regulation (EC) No 139/2004 (39). | Art. 3(x) | Digital Services Act | Article 5(1) of Council Regulation (EC) No 139/2004 (39). |
| Union bodies | the Union bodies, offices and agencies set up by or pursuant to acts adopted on the basis of the Treaty on European Union, the TFEU or the Treaty establishing the European Atomic Energy Community | Art. 2(27) | EU Data Act | |
| Union harmonisation legislation | Union legislation listed in Annex I to Regulation (EU) 2019/1020 and any other Union legislation harmonising the conditions for the marketing of products to which that Regulation applies | Art. 3(32) | CyberResilience | |
| Universal Design | Terms such as “Design for All”, “Universal Design”, “accessible design”, “barrier‐free design”, “inclusive design” and “transgenerational design” are often used interchangeably with the same meaning. These concepts have been developed by different stakeholders working to deliver high levels of accessibility. A parallel development of human-centred design emerged within ergonomics focusing on usability. These related concepts are expressed in the human rights perspective of the Design for All approach. The Design for All approach focuses on user involvement and experiences during the design and development process to achieve accessibility and usability. It should be applied from the earliest possible time, and throughout all stages in the life of products and services which are intended for mainstream use. A Design for All approach also focuses on user requirements and interoperability between products and services across the end-to-end chain of use to reach inclusive and non-stigmatizing solutions. | ALTAI | ||
| Use case | A use case is a specific situation in which a product or service could potentially be used. For example, self-driving cars or care robots are use cases for AI. | ALTAI | ||
| user | A user is a person that uses, supports or maintains the product, such as system administrators, database administrators, information technology experts, software professionals and computer technicians. | ALTAI | ||
| user | a natural or legal person that owns a connected product or to whom temporary rights to use that connected product have been contractually transferred, or that receives related services | Art. 2(12) | EU Data Act | |
| validation data | data used for providing an evaluation of the trained AI system and for tuning its non-learnable parameters and its learning process in order, inter alia, to prevent underfitting or overfitting; | Art. 3(30) | EU AI Act | |
| validation data set | a separate data set or part of the training data set, either as a fixed or variable split; | Art. 3(31) | EU AI Act | |
| virtual assistants | software that can process demands, tasks or questions including those based on audio, written input, gestures or motions, and that, based on those demands, tasks or questions, provides access to other services or controls the functions of connected products | Art. 2(31) | EU Data Act | |
| vulnerability 2 | a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat | Art. 3(40) | CyberResilience | |
| vulnerability | a weakness, susceptibility or flaw of an asset, system, process or control that can be exploited | Art. 3 (16) | DORA | |
| widespread infringement | any act or omission contrary to Union law protecting the interest of individuals, which: (a) has harmed or is likely to harm the collective interests of individuals residing in at least two Member States other than the Member State in which: (i) the act or omission originated or took place; (ii) the provider concerned, or, where applicable, its authorised representative is located or established; or (iii) the deployer is established, when the infringement is committed by the deployer; (b) has caused, causes or is likely to cause harm to the collective interests of individuals and has common features, including the same unlawful practice or the same interest being infringed, and is occurring concurrently, committed by the same operator, in at least three Member States; | Art. 3(61) | EU AI Act | |
| withdrawal | withdrawal as defined in Article 3, point (23), of Regulation (EU) 2019/1020 | Art. 3(50) | CyberResilience | |
| withdrawal of an AI system | any measure aiming to prevent an AI system in the supply chain being made available on the market | Art. 3(17) | EU AI Act | |
| workers’ representatives | representatives of platform workers, such as trade unions and representatives who are freely elected by the platform workers in accordance with national law and practice | Art. 2(f) | Platform Work | |
| Workflow of the model | The workflow of an AI model shows the phases needed to build the model and their interdependencies. Typical phases are: Data collection and preparation, Model development, Model training, Model accuracy evaluation, Hyperparameters’ tuning, Model usage, Model maintenance, Model versioning. These stages are usually iterative: one may need to reevaluate and go back to a previous step at any point in the process. | ALTAI |