Back to Public Wiki.

TermDefinitionArticleTextAlso used in…
‘microenterprises’, ‘small enterprises’ and ‘medium-sized enterprises’respectively, microenterprises, small enterprises and medium-sized enterprises as defined in the Annex to Recommendation 2003/361/ECArt. 3(19)CyberResilience
Accessibility 2Extent to which products, systems, services, environments and facilities can be used by people from a population with the widest range of user needs, characteristics and capabilities to achieve identified goals in identified contexts of use (which includes direct use or use supported by assistive technologies).ALTAI
account information service providern account information service provider as referred to in Article 33(1) of Directive (EU) 2015/2366Art. 3 (37)DORA
AccountabilityThis term refers to the idea that one is responsible for their action – and as a corollary their consequences – and must be able to explain their aims, motivations, and reasons. Accountability has several dimensions. Accountability is sometimes required by law. For example, the General Data Protection Regulation (GDPR) requires organisations that process personal data to ensure security measures are in place to prevent data breaches and report if these fail. But accountability might also express an ethical standard, and fall short of legal consequences. Some tech firms that do not invest in facial recognition technology in spite of the absence of a ban or technological moratorium might do so out of ethical accountability considerations.ALTAI
AccuracyThe goal of an AI model is to learn patterns that generalize well for unseen data. It is important to check if a trained AI model is performing well on unseen examples that have not been used for training the model. To do this, the model is used to predict the answer on the test dataset and then the predicted target is compared to the actual answer. The concept of accuracy is used to evaluate the predictive capability of the AI model. Informally, accuracy is the fraction of predictions the model got right. A number of metrics are used in machine learning (ML) to measure the predictive accuracy of a model. The choice of the accuracy metric to be used depends on the ML task.ALTAI
active recipient of an online platforma recipient of the service that has engaged with an online platform by either requesting the online platform to host information or being exposed to information hosted by the online platform and disseminated through its online interfaceArt. 3(p)Digital Services Act
active recipient of an online search enginea recipient of the service that has submitted a query to an online search engine and been exposed to information indexed and presented on its online interfaceArt. 3(q)Digital Services Act
actively exploited vulnerabilitya vulnerability for which there is reliable evidence that a malicious actor has exploited it in a system without permission of the system ownerArt. 3(42)CyberResilience
administrator of critical benchmarksan administrator of ‘critical benchmarks’ as defined in Article 3(1), point (25), of Regulation (EU) 2016/1011, i.e.

‘critical benchmark’ means a benchmark other than a regulated-data benchmark that fulfils any of the conditions laid down in Article 20(1) and which is on the list established by the Commission pursuant to that Article;
Art. 3 (57)DORAArticle 3(1), point (25), of Regulation (EU) 2016/1011
advertisementinformation designed to promote the message of a legal or natural person, irrespective of whether to achieve commercial or non-commercial purposes, and presented by an online platform on its online interface against remuneration specifically for promoting that informationArt. 3(r)Digital Services Act
AI biasAI (or algorithmic) bias describes systematic and repeatable errors in a computer system that create unfair outcomes, such as favouring one arbitrary group of users over others. Bias can emerge due to many factors, including but not limited to the design of the algorithm or the unintended or unanticipated use or decisions relating to the way data is coded, collected, selected or used to train the algorithm. Bias can enter into algorithmic systems as a result of pre-existing cultural, social, or institutional expectations; because of technical limitations of their design; or by being used in unanticipated contexts or by audiences who are not considered in the software’s initial design. AI bias is found across platforms, including but not limited to search engine results and social media platforms, and can have impacts ranging from inadvertent privacy violations to reinforcing social biases of race, gender, sexuality, and ethnicity.ALTAI
AI designerAI designers bridge the gap between AI capabilities and user needs. For example, they can create prototypes showing some novel AI capabilities and how they might be used if the product is deployed, prior to the possible development of the AI product. AI designers also work with development teams to better understand user needs and how to build technology that addresses those needs. Additionally, they can support AI developers by designing platforms to support data collection and annotation, ensuring that data collection respects some properties (such as safety and fairness).ALTAI
AI developerAn AI developer is someone who performs some of the tasks included in the AI development. AI development is the process of conceiving, specifying, designing, training, programming, documenting, testing, and bug fixing involved in creating and maintaining AI applications, frameworks, or other AI components. It includes writing and maintaining the AI source code, as well as all that is involved between the conception of the software through to the final manifestation and use of the software.ALTAI
AI Ethics Review BoardAn AI Ethics Review Board or AI Ethics Committee should be composed of a diverse group of stakeholders and expertises, including gender, background, age and other factors. The purpose for which the AI Ethics Board is created should be clear to the organisation establishing it and the members who are invited to join it. The members should have an independent role that is not influenced by any economic or other considerations. Bias and conflicts of interest should be avoided. The overall size can vary depending on the scope of the task. Both the authority the AI Ethics Review Board has and the access to information should be proportionate to their ability to fulfill the task to their best possible ability.ALTAI
AI literacyskills, knowledge and understanding that allow providers, deployers and affected persons, taking into account their respective rights and obligations in the context of this Regulation, to make an informed deployment of AI systems, as well as to gain awareness about the opportunities and risks of AI and possible harm it can causeArt. 3(56)EU AI Act
AI Officethe Commission’s function of contributing to the implementation, monitoring and supervision of AI systems and general-purpose AI models, and AI governance provided for in Commission Decision of 24 January 2024; references in this Regulation to the AI Office shall be construed as references to the CommissionArt. 3(47)EU AI Act
AI regulatory sandboxa controlled framework set up by a competent authority which offers providers or prospective providers of AI systems the possibility to develop, train, validate and test, where appropriate in real-world conditions, an innovative AI system, pursuant to a sandbox plan for a limited time under regulatory supervisionArt. 3(55)EU AI Act
AI reliabilityAn AI system is said to be reliable if it behaves as expected, even for novel inputs on which it has not been trained or tested earlier.ALTAI
AI system 2Artificial intelligence (AI) systems are software (and possibly also hardware) systems designed by humans that, given a complex goal, act in the physical or digital dimension by perceiving their environment through data acquisition, interpreting the collected structured or unstructured data, reasoning on the knowledge, or processing the information, derived from this data and deciding the best action(s) to take to achieve the given goal. AI systems can either use symbolic rules or learn a numeric model, and they can also adapt their behaviour by analysing how the environment is affected by their previous actions. As a scientific discipline, AI includes several approaches and techniques, such as machine learning (of which deep learning and reinforcement learning are specific examples), machine reasoning (which includes planning, scheduling, knowledge representation and reasoning, search, and optimization), and robotics (which includes control, perception, sensors and actuators, as well as the integration of all other techniques into cyber-physical systems). A separate document prepared by the AI HLEG and elaborating on the definition of AI used for the purpose of this document is titled “A definition of AI: Main capabilities and scientific disciplines”.ALTAI
AI Systema machine-based system that is designed to operate with varying levels of autonomy, and that may exhibit adaptiveness after deployment and that, for explicit or implicit objectives, infers, from the input it receives, how to generate outputs such as predictions, content, recommendations, or decisions that can influence physical or virtual environmentsArt. 3(1)EU AI Act
AI system environment-This denotes everything in the world which surrounds the AI system, but which is not a part of the system itself. More technically, an environment can be described as a situation in which the system operates. AI systems get information from their environment via sensors that collect data and modify the environment via suitable actuators. Depending on whether the environment is in the physical or virtual world, actuators can be hardware, such as robotic arms, or software, such as programs that make changes in some digital structure.ALTAI
ancillary insurance intermediaryan ancillary insurance intermediary as defined in Article 2(1), point (4), of Directive (EU) 2016/97, i.e.

‘ancillary insurance intermediary’ means any natural or legal person, other than a credit institution or an investment firm as defined in points (1) and (2) of Article 4(1) of Regulation (EU) No 575/2013 of the European Parliament and of the Council (1), who, for remuneration, takes up or pursues the activity of insurance distribution on an ancillary basis, provided that all the following conditions are met:
(a) the principal professional activity of that natural or legal person is other than insurance distribution;
(b) the natural or legal person only distributes certain insurance products that are complementary to a good or service;
(c) the insurance products concerned do not cover life assurance or liability risks, unless that cover complements the good or service which the intermediary provides as its principal professional activity;
Art. 3 (50)DORAArticle 2(1), point (4), of Directive (EU) 2016/97
Assistive TechnologySoftware or hardware that is added to or incorporated within an ICT system to increase accessibility. Often it is specifically designed to assist people with disabilities in carrying out daily activities. Assistive technology includes wheelchairs, reading machines, devices for grasping, etc. In the area of Web Accessibility, common software-based assistive technologies include screen readers, screen magnifiers, speech synthesizers, and voice input software that operate in conjunction with graphical desktop browsers (among other user agents). Hardware assistive technologies include alternative keyboards and pointing devices.ALTAI
AuditAn audit is an independent examination of some required properties of an entity, be it a company, a product, or a piece of software. Audits provide third-party assurance to various stakeholders that the subject matter is free from material misstatement. The term is most frequently applied to audits of the financial information relating to a legal person, but can be applied to anything else.ALTAI
AuditabilityAuditability refers to the ability of an AI system to undergo the assessment of the system’s algorithms, data and design processes. This does not necessarily imply that information about business models and Intellectual Property related to the AI system must always be openly available. Ensuring traceability and logging mechanisms from the early design phase of the AI system can help enable the system’s auditability.ALTAI
authorised representative 2a natural or legal person established within the Union who has received a written mandate from a manufacturer to act on its behalf in relation to specified tasksArt. 3(15)CyberResilience
authorised representativea natural or legal person located or established in the Union who has received and accepted a written mandate from a provider of an AI system or a general-purpose AI model to, respectively, perform and carry out on its behalf the obligations and procedures established by this RegulationArt. 3(5)EU AI Act
automated decision-making systemssystems which are used to take or support, by electronic means, decisions that significantly affect persons performing platform work, including the working conditions of platform workers, in particular decisions affecting their recruitment, their access to and the organisation of work assignments, their earnings, including the pricing of individual assignments, their safety and health, their working time, their access to training, their promotion or its equivalent, and their contractual status including the restriction, suspension or termination of their account.Art. 2(i)Platform Work
automated monitoring systemssystems which are used for or which support monitoring, supervising or evaluating, by electronic means, the work performance of persons performing platform work or the activities carried out within the work environment, including by collecting personal dataArt. 2(h)Platform Work
Autonomous AI systemsAn autonomous AI system is an AI system that performs behaviors or tasks with a high degree of autonomy, that is, without external influence.ALTAI
binding corporate rulespersonal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activityArt. 4(20)GDPR
biometric categorisation systeman AI system for the purpose of assigning natural persons to specific categories on the basis of their biometric data, unless it is ancillary to another commercial service and strictly necessary for objective technical reasonsArt. 3(40)EU AI Act
biometric data 2personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic dataArt. 4(14)GDPR
biometric datapersonal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, such as facial images or dactyloscopic dataArt. 3(34)EU AI Act
biometric identificationthe automated recognition of physical, physiological, behavioural, or psychological human features for the purpose of establishing the identity of a natural person by comparing biometric data of that individual to biometric data of individuals stored in a databaseArt. 3(35)EU AI Act
biometric verificationthe automated, one-to-one verification, including authentication, of the identity of natural persons by comparing their biometric data to previously provided biometric dataArt. 3(36)EU AI Act
cachinga service, consisting of the transmission in a communication network of information provided by a recipient of the service, involving the automatic, intermediate and temporary storage of that information, performed for the sole purpose of making more efficient the information’s onward transmission to other recipients upon their requestArt. 3(g)(ii)Digital Services Act
CE marking 2a marking by which a manufacturer indicates that a product with digital elements and the processes put in place by the manufacturer are in conformity with the essential cybersecurity requirements set out in Annex I and other applicable Union harmonisation legislation providing for its affixingArt. 3(31)CyberResilience
CE markinga marking by which a provider indicates that an AI system is in conformity with the requirements set out in Chapter III, Section 2 and other applicable Union harmonisation legislation, providing for its affixingArt. 3(24)EU AI Act
central counterpartya central counterparty as defined in Article 2, point (1), of Regulation (EU) No 648/2012Art. 3 (40)DORA
central securities depositorya central securities depository as defined in Article 2(1), point (1), of Regulation (EU) No 909/2014Art. 3 (42)DORA
commercial communication‘commercial communication’ as defined in Article 2, point (f), of Directive 2000/31/ECArt. 3(w)Digital Services ActArticle 2, point (f), of Directive 2000/31/EC
common specificationa set of technical specifications as defined in Article 2, point (4) of Regulation (EU) No 1025/2012, providing means to comply with certain requirements established under this RegulationArt. 3(28)EU AI ActArticle 2, point (4) of Regulation (EU) No 1025/2012
common specificationa document, other than a standard, containing technical solutions providing a means to comply with certain requirements and obligations established under this RegulationArt. 2(42)EU Data Act
componentsoftware or hardware intended for integration into an electronic information systemArt. 3(6)CyberResilience
Confidence scoreMuch of AI involves estimating some quantity, such as the probability that the output is a correct answer to the given input. Confidence scores, or confidence intervals, are a way of quantifying the uncertainty of such an estimate. A low confidence score associated with the output of an AI system means that the system is not too sure that the specific output is correct.ALTAI
conformity assessment 2the process of verifying whether the essential cybersecurity requirements set out in Annex I have been fulfilledArt. 3(27)CyberResilience
conformity assessmentthe process of demonstrating whether the requirements set out in Chapter III, Section 2 relating to a high-risk AI system have been fulfilledArt. 3(20)EU AI Act
conformity assessment body 2a conformity assessment body as defined in Article 2, point (13), of Regulation (EC) No 765/2008Art. 3(28)CyberResilience
conformity assessment bodya body that performs third-party conformity assessment activities, including testing, certification and inspectionArt. 3(21)EU AI Act
connected productan item that obtains, generates or collects data concerning its use or environment and that is able to communicate product data via an electronic communications service, physical connection or on-device access, and whose primary function is not the storing, processing or transmission of data on behalf of any party other than the userArt. 2(5)EU Data Act
consent of the data subjectany freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or herArt. 4(11)GDPR
consumer 3a natural person who acts for purposes which are outside that person’s trade, business, craft or professionArt. 3(18)CyberResilience
consumer 2any natural person who is acting for purposes which are outside his or her trade, business, craft, or professionArt. 3(c)Digital Services Act
consumerany natural person who is acting for purposes which are outside that person’s trade, business, craft or professionArt. 2(23)EU Data Act
content moderationthe activities, whether automated or not, undertaken by providers of intermediary services, that are aimed, in particular, at detecting, identifying and addressing illegal content or information incompatible with their terms and conditions, provided by recipients of the service, including measures taken that affect the availability, visibility, and accessibility of that illegal content or that information, such as demotion, demonetisation, disabling of access to, or removal thereof, or that affect the ability of the recipients of the service to provide that information, such as the termination or suspension of a recipient’s accountArt. 3(t)Digital Services Act
controllerthe natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State lawArt. 4(7)GDPR
credit institutioncredit institution as defined in Article 4(1), point (1), of Regulation (EU) No 575/2013 of the European Parliament and of the Council, i.e.

‘credit institution’ means an undertaking the business of which consists of any of the following:
(a) to take deposits or other repayable funds from the public and to grant credits for its own account;
(b)  to carry out any of the activities referred to in points (3) and (6) of Section A of Annex I to Directive 2014/65/EU of the European Parliament and of the Council (6), where one of the following applies, but the undertaking is not a commodity and emission allowance dealer, a collective investment undertaking or an insurance undertaking:
(i) the total value of the consolidated assets of the undertaking is equal to or exceeds EUR 30 billion;
(ii) the total value of the assets of the undertaking is less than EUR 30 billion, and the undertaking is part of a group in which the total value of the consolidated assets of all undertakings in that group that individually have total assets of less than EUR 30 billion and that carry out any of the activities referred to in points (3) and (6) of Section A of Annex I to Directive 2014/65/EU is equal to or exceeds EUR 30 billion; or
(iii) the total value of the assets of the undertaking is less than EUR 30 billion, and the undertaking is part of a group in which the total value of the consolidated assets of all undertakings in the group that carry out any of the activities referred to in points (3) and (6) of Section A of Annex I to Directive 2014/65/EU is equal to or exceeds EUR 30 billion, where the consolidating supervisor, in consultation with the supervisory college, so decides in order to address potential risks of circumvention and potential risks for the financial stability of the Union;

for the purposes of points (b)(ii) and (b)(iii), where the undertaking is part of a third‐country group, the total assets of each branch of the third‐country group authorised in the Union shall be included in the combined total value of the assets of all undertakings in the group;
Art. 3 (31)DORAArticle 4(1), point (1), of Regulation (EU) No 575/2013 of the European Parliament and of the Council
credit rating agencya credit rating agency as defined in Article 3(1), point (b), of Regulation (EC) No 1060/2009Art. 3 (54)DORA
critical ICT third-party service provideran ICT third-party service provider designated as critical in accordance with Article 31Art. 3 (23)DORA
critical infrastructurecritical infrastructure as defined in Article 2, point (4), of Directive (EU) 2022/2557Art. 3(62)EU AI Act
critical or important functiona function, the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services lawArt. 3 (22)DORA
cross-border processingeither:

(a) processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or

(b) processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.
Art. 4(23)GDPR
crowdfunding service providera crowdfunding service provider as defined in Article 2(1), point (e), of Regulation (EU) 2020/1503 of the European Parliament and of the CouncilArt. 3 (58)DORA
crypto-asset service providera crypto-asset service provider as defined in the relevant provision of the Regulation on markets in crypto-assetsArt. 3 (54)DORA
CSIRT designated as coordinatora CSIRT designated as coordinator pursuant to Article 12(1) of Directive (EU) 2022/2555Art. 3(51)CyberResilience
customera natural or legal person that has entered into a contractual relationship with a provider of data processing services with the objective of using one or more data processing servicesArt. 2(30)EU Data Act
cyber threat 2a cyber threat as defined in Article 2, point (8), of Regulation (EU) 2019/881Art. 3(46)CyberResilience
cyber threat‘cyber threat’ as defined in Article 2, point (8), of Regulation (EU) 2019/881, i.e.

‘cyber threat’ means any potential circumstance, event or action that could damage, disrupt or otherwise adversely impact network and information systems, the users of such systems and other persons;
Art. 3 (12)DORAArticle 2, point (8), of Regulation (EU) 2019/881
cyber-attacka malicious ICT-related incident caused by means of an attempt perpetrated by any threat actor to destroy, expose, alter, disable, steal or gain unauthorised access to, or make unauthorised use of, an assetArt. 3 (14)DORA
cybersecuritycybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881Art. 3(3)CyberResilience
cybersecurity riskthe potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incidentArt. 3(37)CyberResilience
dataany digital representation of acts, facts or information and any compilation of such acts, facts or information, including in the form of sound, visual or audio-visual recordingArt. 2(1)EU Data Act
data concerning healthpersonal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health statusArt. 4(15)GDPR
data egress chargesdata transfer fees charged to customers for extracting their data through the network from the ICT infrastructure of a provider of data processing services to the system of a different provider or to on-premises ICT infrastructureArt. 2(35)EU Data Act
Data governanceData governance is a term used on both a macro and a micro level. On the macro level, data governance refers to the governing of cross-border data flows by countries, and hence is more precisely called international data governance. On the micro level, data governance is a data management concept concerning the capability that enables an organization to ensure that high data quality exists throughout the complete lifecycle of the data, and data controls are implemented that support business objectives. The key focus areas of data governance include data availability, usability, consistency, integrity, and sharing. It also regards establishing processes to ensure effective data management throughout the enterprise such as accountability for the adverse effects of poor data quality and ensuring that the data which an enterprise has can be used by the entire organization.ALTAI
data holdera natural or legal person that has the right or obligation, in accordance with this Regulation, applicable Union law or national legislation adopted in accordance with Union law, to use and make available data, including, where contractually agreed, product data or related service data which it has retrieved or generated during the provision of a related serviceArt. 2(13)EU Data Act
data intermediation servicedata intermediation service as defined in Article 2, point (11), of Regulation (EU) 2022/868 [Data Governance Act]

[a service which aims to establish commercial relationships for the purposes of data sharing between an undetermined number of data subjects and data holders on the one hand and data users on the other, through technical, legal or other means, including for the purpose of exercising the rights of data subjects in relation to personal data, excluding at least the following:

(a) services that obtain data from data holders and aggregate, enrich or transform the data for the purpose of adding substantial value to it and license the use of the resulting data to data users, without establishing a commercial relationship between data holders and data users;

(b) services that focus on the intermediation of copyright-protected content;

(c) services that are exclusively used by one data holder in order to enable the use of the data held by that data holder, or that are used by multiple legal persons in a closed group, including supplier or customer relationships or collaborations established by contract, in particular those that have as a main objective to ensure the functionalities of objects and devices connected to the Internet of Things;

(d) data sharing services offered by public sector bodies that do not aim to establish commercial relationships;]
Art. 2(10)EU Data ActArticle 2, point (11), of Regulation (EU) 2022/868
Data poisoningData poisoning occurs when an adversarial actor attacks an AI system, and is able to inject bad data into the AI model’s training set, thus making the AI system learn something that it should not learn. Examples show that in some cases these data poisoning attacks on neural nets can be very effective, causing a significant drop in accuracy even with very little data poisoning. Other kinds of poisoning attacks do not aim to change the behavior of the AI system, but rather they insert a backdoor, which is a data that the model’s designer is not aware of, but that the attacker can leverage to get the AI system to do what they want.ALTAI
data processing servicedigital service that is provided to a customer and that enables ubiquitous and on-demand network access to a shared pool of configurable, scalable and elastic computing resources of a centralised, distributed or highly distributed nature that can be rapidly provisioned and released with minimal management effort or service provider interactionArt. 2(8)EU Data Act
Data Protection Impact Assessment (DPIA)Evaluation of the effects that the processing of personal data might have on individuals to whom the data relates. A DPIA is necessary in all cases in which the technology creates a high risk of violation of the rights and freedoms of individuals. The law requires a DPIA in case of automated processing, including profiling (i), processing of personal data revealing sensitive information like racial of ethnic origin, political opinions, religious or philosophical beliefs (ii), processing of personal data relating to criminal convictions and offences (iii) and systematic monitoring of a publicly accessible area on a large scale (iv).ALTAI
Data Protection Officer (DPO)This denotes an expert on data protection law. The function of a DPO is to internally monitor a public or private organisation’s compliance with GDPR. Public or private organisations must appoint DPOs in the following circumstances: (i) data processing activities are carried out by a public authority or body, except for courts acting in their judicial capacity; (ii) the processing of personal data requires regular and systematic monitoring of individuals on a large scale; (iii) the processing of personal data reveals sensitive information like racial of ethnic origin, political opinions, religious or philosophical beliefs, or refers to criminal convictions and offences. A DPO must be independent of the appointing organisation.ALTAI
data recipienta natural or legal person, acting for purposes which are related to that person’s trade, business, craft or profession, other than the user of a connected product or related service, to whom the data holder makes data available, including a third party following a request by the user to the data holder or in accordance with a legal obligation under Union law or national legislation adopted in accordance with Union lawArt. 2(14)EU Data Act
data reporting service providera data reporting service provider within the meaning of Regulation (EU) No 600/2014, as referred to in Article 2(1), points (34) to (36) thereofArt. 3 (46)DORA
data subject 2data subject as referred to in Article 4, point (1), of Regulation (EU) 2016/679

[an identified or identifiable natural person]
Art. 2(11)EU Data ActArt. 4(1) GDPR
data subjectan identified or identifiable natural personArt. 4(1)GDPR
deep fakeAI-generated or manipulated image, audio or video content that resembles existing persons, objects, places, entities or events and would falsely appear to a person to be authentic or truthfulArt. 3(60)EU AI Act
deployera natural or legal person, public authority, agency or other body using an AI system under its authority except where the AI system is used in the course of a personal non-professional activityArt. 3(4)EU AI Act
digital assetselements in digital form, including applications, for which the customer has the right of use, independently from the contractual relationship with the data processing service it intends to switch fromArt. 2(32)EU Data Act
digital labour platforma natural or legal person providing a service which meets all of the following requirements:
(i) it is provided, at least in part, at a distance by electronic means, such as by means of a website or a mobile application;
(ii) it is provided at the request of a recipient of the service;
(iii) it involves, as a necessary and essential component, the organisation of work performed by individuals in return for payment, irrespective of whether that work is performed online or in a certain location;
(iv) it involves the use of automated monitoring systems or automated decision-making systems
Art. 2(a)Platform Work
digital operational resiliencethe ability of a financial entity to build, assure and review its operational integrity and reliability by ensuring, either directly or indirectly through the use of services provided by ICT third-party service providers, the full range of ICT-related capabilities needed to address the security of the network and information systems which a financial entity uses, and which support the continued provision of financial services and their quality, including throughout disruptionsArt. 3 (1)DORA
Digital Services Coordinator of destinationthe Digital Services Coordinator of a Member State where the intermediary service is providedArt. 3(o)Digital Services Act
Digital Services Coordinator of establishmentthe Digital Services Coordinator of the Member State where the main establishment of a provider of an intermediary service is located or its legal representative resides or is establishedArt. 3(n)Digital Services Act
dissemination to the publicmaking information available, at the request of the recipient of the service who provided the information, to a potentially unlimited number of third partiesArt. 3(k)Digital Services Act
distance contract‘distance contract’ as defined in Article 2, point (7), of Directive 2011/83/EUArt. 3(l)Digital Services ActArticle 2, point (7), of Directive 2011/83/EU
distributor 2a natural or legal person in the supply chain, other than the manufacturer or the importer, that makes a product with digital elements available on the Union market without affecting its propertiesArt. 3(17)CyberResilience
distributora natural or legal person in the supply chain, other than the provider or the importer, that makes an AI system available on the Union marketArt. 3(7)EU AI Act
downstream providera provider of an AI system, including a general-purpose AI system, which integrates an AI model, regardless of whether the AI model is provided by themselves and vertically integrated or provided by another entity based on contractual relationsArt. 3(68)EU AI Act
economic operatorthe manufacturer, the authorised representative, the importer, the distributor, or other natural or legal person who is subject to obligations in relation to the manufacture of products with digital elements or to the making available of products with digital elements on the market in accordance with this RegulationArt. 3(12)CyberResilience
electronic information system(a system, including electrical or electronic equipment, capable of processing, storing or transmitting digital dataArt. 3(7)CyberResilience
electronic money institutionan electronic money institution as defined in Article 2, point (1), of Directive 2009/110/EC of the European Parliament and of the CouncilArt. 3 (38)DORA
electronic money institution exempted pursuant to Directive 2009-110-ECan electronic money institution benefitting from a waiver as referred to in Article 9(1) of Directive 2009/110/ECArt. 3 (39)DORA
emotion recognition systeman AI system for the purpose of identifying or inferring emotions or intentions of natural persons on the basis of their biometric dataArt. 3(39)EU AI Act
Encryption, Pseudonymisation, Aggregation, and AnonymisationPseudonymisation refers to the idea that it is not possible to attribute personal data to a specific data subject without additional information. By contrast to pseudonymisation, anonymisation consists in preventing any identification of individuals from personal data. The link between an individual and personal data is definitively erased. Encryption is the procedure whereby clear text information is disguised by using especially a hash key. Encrypted results are unintelligible data for persons who do not have the encryption key. Aggregation is a process whereby data is gathered and expressed in a summary form, especially for statistical analysis.ALTAI
end-pointany device that is connected to a network and serves as an entry point to that networkArt. 3(11)CyberResilience
End-userAn end-user is the person that ultimately uses or is intended to ultimately use the AI system. This could either be a consumer or a professional within a public or private organisation. The end-user stands in contrast to users who support or maintain the product, such as system administrators, database administrators, information technology experts, software professionals and computer technicians.ALTAI
enterprise 2a natural or legal person that, in relation to contracts and practices covered by this Regulation, is acting for purposes which are related to that person’s trade, business, craft or professionArt. 2(24)EU Data ActArt. 4(18) GDPR
enterprisea natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activityArt. 4(18)GDPRArt. 2(24) EU Data Act
European standarda European standard as defined in Article 2, point (1)(b), of Regulation (EU) No 1025/2012Art. 3(35)CyberResilience
ExplainabilityFeature of an AI system that is intelligible to non-experts. An AI system is intelligible if its functionality and operations can be explained non technically to a person not skilled in the art.ALTAI
exploitable vulnerabilitya vulnerability that has the potential to be effectively used by an adversary under practical operational conditionsArt. 3(41)CyberResilience
exportable datafor the purpose of Articles 23 EU Data Act to Article 31 EU Data Act and Article 35 EU Data Act , means the input and output data, including metadata, directly or indirectly generated, or cogenerated, by the customer’s use of the data processing service, excluding any assets or data protected by intellectual property rights, or constituting a trade secret, of providers of data processing services or third partiesArt. 2(38)EU Data Act
FairnessFairness refers to a variety of ideas known as equity, impartiality, egalitarianism, non-discrimination and justice. Fairness embodies an ideal of equal treatment between individuals or between groups of individuals. This is what is generally referred to as ‘substantive’ fairness. But fairness also encompasses a procedural perspective, that is the ability to seek and obtain relief when individual rights and freedoms are violated.ALTAI
Fault toleranceFault tolerance is the property that enables a system to continue operating properly in the event of the failure of (or one or more faults within) some of its components. If its operating quality decreases at all, the decrease is proportional to the severity of the failure, as compared to a naively designed system, in which even a small failure can cause total breakdown. Fault tolerance is particularly sought after in high-availability or safetycritical systems. Redundancy or duplication is the provision of additional functional capabilities that would be unnecessary in a fault-free environment. This can consist of backup components that automatically ‘kick in’ if one component fails.ALTAI
filing systemany structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basisArt. 4(6)GDPR
floating-point operationany mathematical operation or assignment involving floating-point numbers, which are a subset of the real numbers typically represented on computers by an integer of fixed precision scaled by an integer exponent of a fixed baseArt. 3(67)EU AI Act
free and open-source softwaresoftware the source code of which is openly shared and which is made available under a free and open-source licence which provides for all rights to make it freely accessible, usable, modifiable and redistributableArt. 3(48)CyberResilience
functional equivalencere-establishing on the basis of the customer’s exportable data and digital assets, a minimum level of functionality in the environment of a new data processing service of the same service type after the switching process, where the destination data processing service delivers a materially comparable outcome in response to the same input for shared features supplied to the customer under the contractArt. 2(37)EU Data Act
general-purpose AI modelan AI model, including where such an AI model is trained with a large amount of data using self-supervision at scale, that displays significant generality and is capable of competently performing a wide range of distinct tasks regardless of the way the model is placed on the market and that can be integrated into a variety of downstream systems or applications, except AI models that are used for research, development or prototyping activities before they are placed on the marketArt. 3(63)EU AI Act
general-purpose AI systeman AI system which is based on a general-purpose AI model, and which has the capability to serve a variety of purposes, both for direct use as well as for integration in other AI systemsArt. 3(66)EU AI Act
genetic datapersonal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in questionArt. 4(13)GDPR
groupa group as defined in Article 2, point (11), of Directive 2013/34/EU, i.e.

‘group’ means a parent undertaking and all its subsidiary undertakings;
Art. 3 (26)DORAArticle 2, point (11), of Directive 2013/34/EU
group of undertakingsa controlling undertaking and its controlled undertakingsArt. 4(19)GDPR
hardwarea physical electronic information system, or parts thereof capable of processing, storing or transmitting digital dataArt. 3(5)CyberResilience
harmonised standard 3a harmonised standard as defined in Article 2, point (1)(c), of Regulation (EU) No 1025/2012Art. 3(36)CyberResilience
harmonised standard 2a harmonised standard as defined in Article 2, point (1)(c), of Regulation (EU) No 1025/2012

[a European standard adopted on the basis of a request made by the Commission for the application of Union harmonisation legislation]
Art. 2(43)EU Data ActArticle 2, point (1)(c), of Regulation (EU) No 1025/2012

Art. 3(37) EU AI Act
harmonised standarda harmonised standard as defined in Article 2(1), point (c), of Regulation (EU) No 1025/2012Art. 3(27)EU AI ActArticle 2, point (1)(c), of Regulation (EU) No 1025/2012

Art. 2(43) EU Data Act
high-impact capabilitiescapabilities that match or exceed the capabilities recorded in the most advanced general-purpose AI modelsArt. 3(64)EU AI Act
hostinga service, consisting of the storage of information provided by, and at the request of, a recipient of the serviceArt. 3(g)(iii)Digital Services Act
Human oversight, human-in-the-loop, human-on-the-loop, human-in-commandHuman oversight helps ensure that an AI system does not undermine human autonomy or causes other adverse effects. Oversight may be achieved through governance mechanisms such as a human-in-the-loop (HITL), human-on-the-loop (HOTL), or human-in-command (HIC) approach. Human-in-the-loop refers to the capability for human intervention in every decision cycle of the system, which in many cases is neither possible nor desirable. Humanon-the-loop refers to the capability for human intervention during the design cycle of the system and monitoring the system’s operation. Human-in-command refers to the capability to oversee the overall activity of the AI system (including its broader economic, societal, legal and ethical impact) and the ability to decide when and how to use the system in any particular situation. This can include the decision not to use an AI system in a particular situation, to establish levels of human discretion during the use of the system, or to ensure the ability to override a decision made by a system. Moreover, it must be ensured that public enforcers have the ability to exercise oversight in line with their mandate. Oversight mechanisms can be required in varying degrees to support other safety and control measures, depending on the AI system’s application area and potential risk. All other things being equal, the less oversight a human can exercise over an AI system, the more extensive testing and stricter governance is required.ALTAI
ICT asseta software or hardware asset in the network and information systems used by the financial entityArt. 3 (7)DORA
ICT concentration riskan exposure to individual or multiple related critical ICT third-party service providers creating a degree of dependency on such providers so that the unavailability, failure or other type of shortfall of such provider may potentially endanger the ability of a financial entity to deliver critical or important functions, or cause it to suffer other types of adverse effects, including large losses, or endanger the financial stability of the Union as a wholeArt. 3 (29)DORA
ICT intra-group service provideran undertaking that is part of a financial group and that provides predominantly ICT services to financial entities within the same group or to financial entities belonging to the same institutional protection scheme, including to their parent undertakings, subsidiaries, branches or other entities that are under common ownership or controlArt. 3 (20)DORA
ICT riskany reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environmentArt. 3 (5)DORA
ICT servicesdigital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone servicesArt. 3 (21)DORA
ICT subcontractor established in a third countryan ICT subcontractor that is a legal person established in a third-country and that has entered into a contractual arrangement either with an ICT third-party service provider, or with an ICT third-party service provider established in a third countryArt. 3 (28)DORA
ICT third-party riskan ICT risk that may arise for a financial entity in relation to its use of ICT services provided by ICT third-party service providers or by subcontractors of the latter, including through outsourcing arrangementsArt. 3 (18)DORA
ICT third-party service provideran undertaking providing ICT servicesArt. 3 (19)DORA
ICT third-party service provider established in a third countryan ICT third-party service provider that is a legal person established in a third-country and that has entered into a contractual arrangement with a financial entity for the provision of ICT servicesArt. 3 (24)DORA
ICT-related incidenta single event or a series of linked events unplanned by the financial entity that compromises the security of the network and information systems, and have an adverse impact on the availability, authenticity, integrity or confidentiality of data, or on the services provided by the financial entityArt. 3 (8)DORA
illegal contentany information that, in itself or in relation to an activity, including the sale of products or the provision of services, is not in compliance with Union law or the law of any Member State which is in compliance with Union law, irrespective of the precise subject matter or nature of that lawArt. 3(h)Digital Services Act
importer 2a natural or legal person established in the Union who places on the market a product with digital elements that bears the name or trademark of a natural or legal person established outside the UnionArt. 3(16)CyberResilience
importera natural or legal person located or established in the Union that places on the market an AI system that bears the name or trademark of a natural or legal person established in a third countryArt. 3(6)EU AI Act
incidentan incident as defined in Article 6, point (6), of Directive (EU) 2022/2555Art. 3(43)CyberResilience
incident having an impact on the security of the product with digital elementsan incident that negatively affects or is capable of negatively affecting the ability of a product with digital elements to protect the availability, authenticity, integrity or confidentiality of data or functionsArt. 3(44)CyberResilience
indirect connectiona connection to a device or network, which does not take place directly but rather as part of a larger system that is directly connectable to such device or networkArt. 3(10)CyberResilience
information asseta collection of information, either tangible or intangible, that is worth protectingArt. 3 (6)DORA
information society service 2a ‘service’ as defined in Article 1(1), point (b), of Directive (EU) 2015/1535Art. 3(a)Digital Services ActArticle 1(1), point (b), of Directive (EU) 2015/1535
information society servicea service as defined in point (b) of Article 1(1) of Directive (EU) 2015/1535 of the European Parliament and of the Council 19)Art. 4(25)GDPR
informed consentmeans a subject’s freely given, specific, unambiguous and voluntary expression of his or her willingness to participate in a particular testing in real-world conditions, after having been informed of all aspects of the testing that are relevant to the subject’s decision to participateArt. 3(59)EU AI Act
input datadata provided to or directly acquired by an AI system on the basis of which the system produces an outputArt. 3(33)EU AI Act
institution exempted pursuant to Directive 2013-36-EUan entity as referred to in Article 2(5), points (4) to (23), of Directive 2013/36/EU, i.e.

5.   This Directive shall not apply to the following:
(2) central banks;
(3) post office giro institutions;
(4) in Denmark, the ‘Eksport Kredit Fonden’, the ‘Eksport Kredit Fonden A/S’, the ‘Danmarks Skibskredit A/S’ and the ‘KommuneKredit’;
(5) in Germany, the ‘Kreditanstalt für Wiederaufbau’, ‘Landwirtschaftliche Rentenbank’, ‘Bremer Aufbau-Bank GmbH’, ‘Hamburgische Investitions- und Förderbank’, ‘Investitionsbank Berlin’, ‘Investitionsbank des Landes Brandenburg’, ‘Investitionsbank Schleswig-Holstein’, ‘Investitions- und Förderbank Niedersachsen – NBank’, ‘Investitions- und Strukturbank Rheinland-Pfalz’, ‘Landeskreditbank Baden-Württemberg – Förderbank’, ‘LfA Förderbank Bayern’, ‘NRW.BANK’, ‘Saarländische Investitionskreditbank AG’, ‘Sächsische Aufbaubank – Förderbank’, ‘Thüringer Aufbaubank’, undertakings which are recognised under the ‘Wohnungsgemeinnützigkeitsgesetz’ as bodies of State housing policy and are not mainly engaged in banking transactions, and undertakings recognised under that law as non-profit housing undertakings;
(6) in Estonia, the ‘hoiu-laenuühistud’, as cooperative undertakings that are recognised under the ‘hoiu-laenuühistu seadus’;
(7) in Ireland, the Strategic Banking Corporation of Ireland, credit unions and friendly societies;
(8) in Greece, the ‘Ταμείο Παρακαταθηκών και Δανείων’ (Tamio Parakatathikon kai Danion);
(9) in Spain, the ‘Instituto de Crédito Oficial’;
(10) in France, the ‘Caisse des dépôts et consignations’;
(11) in Croatia, the ‘kreditne unije’ and the ‘Hrvatska banka za obnovu i razvitak’;
(12) in Italy, the ‘Cassa depositi e prestiti’;
(13) in Latvia, the ‘krājaizdevu sabiedrības’, undertakings that are recognised under the ‘krājaizdevu sabiedrību likums’ as cooperative undertakings rendering financial services solely to their members;
(14) in Lithuania, the ‘kredito unijos’ other than the ‘centrinės kredito unijos’;
(15) in Hungary, the ‘MFB Magyar Fejlesztési Bank Zártkörűen Működő Részvénytársaság’ and the ‘Magyar Export-Import Bank Zártkörűen Működő Részvénytársaság’;
(16) in Malta, ‘The Malta Development Bank’;
(17) in the Netherlands, the ‘Nederlandse Investeringsbank voor Ontwikkelingslanden NV’, the ‘NV Noordelijke Ontwikkelingsmaatschappij’, the ‘NV Limburgs Instituut voor Ontwikkeling en Financiering’, the ‘Ontwikkelingsmaatschappij Oost-Nederland NV’ and kredietunies;
(18) in Austria, undertakings recognised as housing associations in the public interest and the ‘Österreichische Kontrollbank AG’
(19) in Poland, the ‘Spółdzielcze Kasy Oszczędnościowo — Kredytowe’ and the ‘Bank Gospodarstwa Krajowego’;
(20) in Portugal, the ‘Caixas Económicas’ existing on 1 January 1986 with the exception of those incorporated as limited companies and of the ‘Caixa Económica Montepio Geral’;
(21) in Slovenia, the ‘SID-Slovenska izvozna in razvojna banka, d.d. Ljubljana’;
(22) in Finland, the ‘Teollisen yhteistyön rahasto Oy/Fonden för industriellt samarbete AB’, and the ‘Finnvera Oyj/Finnvera Abp’;
(23) in Sweden, the ‘Svenska Skeppshypotekskassan’;
(24) in the United Kingdom, National Savings and Investments (NS&I), CDC Group plc, the Agricultural Mortgage Corporation Ltd, the Crown Agents for overseas governments and administrations, credit unions and municipal banks.”
Art. 3 (32)DORAArticle 2(5), points (4) to (23), of Directive 2013/36/EU
institution for occupational retirement provisionan institution for occupational retirement provision as defined in Article 6, point (1), of Directive (EU) 2016/2341Art. 3 (52)DORA
instructions for usethe information provided by the provider to inform the deployer of in particular an AI system’s intended purpose and proper useArt. 3(15)EU AI Act
insurance intermediaryan insurance intermediary as defined in Article 2(1), point (3), of Directive (EU) 2016/97 of the European Parliament and of the Council, i.e.

”‘insurance intermediary’ means any natural or legal person, other than an insurance or reinsurance undertaking or their employees and other than an ancillary insurance intermediary, who, for remuneration, takes up or pursues the activity of insurance distribution;
Art. 3 (49)DORAArticle 2(1), point (3), of Directive (EU) 2016/97
insurance undertakingan insurance undertaking as defined in Article 13, point (1), of Directive 2009/138/ECArt. 3 (47)DORA
intended purpose 2the use for which a product with digital elements is intended by the manufacturer, including the specific context and conditions of use, as specified in the information supplied by the manufacturer in the instructions for use, promotional or sales materials and statements, as well as in the technical documentationArt. 3(23)CyberResilience
intended purposethe use for which an AI system is intended by the provider, including the specific context and conditions of use, as specified in the information supplied by the provider in the instructions for use, promotional or sales materials and statements, as well as in the technical documentationArt. 3(12)EU AI Act
intermediarya natural or legal person that, for the purpose of making platform work available to or through a digital labour platform:
(i) establishes a contractual relationship with that digital labour platform and a contractual relationship with the person performing platform work; or
(ii)is in a subcontracting chain between that digital labour platform and the person performing platform work
Art. 2(e)Platform Work
intermediary serviceone of the following information society services:
(i) a ‘mere conduit’ service, consisting of the transmission in a communication network of information provided by a recipient of the service, or the provision of access to a communication network;

(ii) a ‘caching’ service, consisting of the transmission in a communication network of information provided by a recipient of the service, involving the automatic, intermediate and temporary storage of that information, performed for the sole purpose of making more efficient the information’s onward transmission to other recipients upon their request;

(iii) a ‘hosting’ service, consisting of the storage of information provided by, and at the request of, a recipient of the service;
Art. 3(g)Digital Services Act
international organisationan organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries.Art. 4(26)GDPR
international standardan international standard as defined in Article 2, point (1)(a), of Regulation (EU) No 1025/2012Art. 3(34)CyberResilience
interoperabilitythe ability of two or more data spaces or communication networks, systems, connected products, applications, data processing services or components to exchange and use data in order to perform their functionsArt. 2(40)EU Data Act
InterpretabilityInterpretability refers to the concept of comprehensibility, explainability, or understandability. When an element of an AI system is interpretable, this means that it is possible at least for an external observer to understand it and find its meaning.ALTAI
investment firman investment firm as defined in Article 4(1), point (1), of Directive 2014/65/EU, i.e.

‘investment firm’ means any legal person whose regular occupation or business is the provision of one or more investment services to third parties and/or the performance of one or more investment activities on a professional basis.

Member States may include in the definition of investment firms undertakings which are not legal persons, provided that:
(a) their legal status ensures a level of protection for third parties’ interests equivalent to that afforded by legal persons; and
(b) they are subject to equivalent prudential supervision appropriate to their legal form.

However, where a natural person provides services involving the holding of third party funds or transferable securities, that person may be considered to be an investment firm for the purposes of this Directive and of Regulation (EU) No 600/2014 only if, without prejudice to the other requirements imposed in this Directive, in Regulation (EU) No 600/2014, and in Directive 2013/36/EU, that person complies with the following conditions:

(a) the ownership rights of third parties in instruments and funds must be safeguarded, especially in the event of the insolvency of the firm or of its proprietors, seizure, set-off or any other action by creditors of the firm or of its proprietors;
(b) the firm must be subject to rules designed to monitor the firm’s solvency and that of its proprietors;
(c) the firm’s annual accounts must be audited by one or more persons empowered, under national law, to audit accounts;
(d) where the firm has only one proprietor, that person must make provision for the protection of investors in the event of the firm’s cessation of business following the proprietor’s death or incapacity or any other such event;
Art. 3 (33)DORAArticle 4(1), point (1), of Directive 2014/65/EU
issuer of asset-referenced tokensan issuer of asset-referenced tokens as defined in the relevant provision of the Regulation on markets in crypto-assetsArt. 3 (56)DORA
joint committeethe committee referred to in Article 54 of Regulations (EU) No 1093/2010, (EU) No 1094/2010 and (EU) No 1095/2010Art. 3 (62)DORA
law enforcementactivities carried out by law enforcement authorities or on their behalf for the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including safeguarding against and preventing threats to public securityArt. 3(46)EU AI Act
law enforcement authority(a) any public authority competent for the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security; or
(b) any other body or entity entrusted by Member State law to exercise public authority and public powers for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security;
Art. 3(45)EU AI Act
lead overseerthe European Supervisory Authority appointed in accordance with Article 31(1), point (b) of this RegulationArt. 3 (61)DORA
legacy ICT systeman ICT system that has reached the end of its lifecycle (end-of-life), that is not suitable for upgrades or fixes, for technological or commercial reasons, or is no longer supported by its supplier or by an ICT third-party service provider, but that is still in use and supports the functions of the financial entity;Art. 3 (3)DORA
LifecycleThe lifecycle of an AI system includes several interdependent phases ranging from its design and development (including sub-phases such as requirement analysis, data collection, training, testing, integration), installation, deployment, operation, maintenance, and disposal. Given the complexity of AI (and in general information) systems, several models and methodologies have been defined to manage this complexity, especially during the design and development phases, such as waterfall, spiral, agile software development, rapid prototyping, and incremental.ALTAI
logical connectiona virtual representation of a data connection implemented through a software interfaceArt. 3(8)CyberResilience
main establishment(a) as regards a controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment;

(b) as regards a processor with establishments in more than one Member State, the place of its central administration in the Union, or, if the processor has no central administration in the Union, the establishment of the processor in the Union where the main processing activities in the context of the activities of an establishment of the processor take place to the extent that the processor is subject to specific obligations under this Regulation
Art. 4(16)GDPR
major ICT-related incidentan ICT-related incident that has a high adverse impact on the network and information systems that support critical or important functions of the financial entityArt. 3 (10)DORA
major operational or security payment-related incidentan operational or security payment-related incident that has a high adverse impact on the payment-related services providedArt. 3 (11)DORA
making available on the market 3the supply of a product with digital elements for distribution or use on the Union market in the course of a commercial activity, whether in return for payment or free of chargeArt. 3(22)CyberResilience
making available on the market 2any supply of a connected product for distribution, consumption or use on the Union market in the course of a commercial activity, whether in return for payment or free of chargeArt. 2(21)EU Data ActArt. 3(10) EU AI Act
making available on the marketthe supply of an AI system or a general-purpose AI model for distribution or use on the Union market in the course of a commercial activity, whether in return for payment or free of chargeArt. 3(10)EU AI ActArt. 2(21) EU Data Act
management bodya management body as defined in Article 4(1), point (36), of Directive 2014/65/EU, Article 3(1), point (7), of Directive 2013/36/EU, Article 2(1), point (s), of Directive 2009/65/EC of the European Parliament and of the Council (31), Article 2(1), point (45), of Regulation (EU) No 909/2014, Article 3(1), point (20), of Regulation (EU) 2016/1011, and in the relevant provision of the Regulation on markets in crypto-assets, or the equivalent persons who effectively run the entity or have key functions in accordance with relevant Union or national lawArt. 3 (30)DORA
management companya management company as defined in Article 2(1), point (b), of Directive 2009/65/ECArt. 3 (45)DORA
manager of alternative investment fundsa manager of alternative investment funds as defined in Article 4(1), point (b), of Directive 2011/61/EUArt. 3 (44)DORA
manufacturera natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of chargeArt. 3(13)CyberResilience
market surveillance authority 2a market surveillance authority as defined in Article 3, point (4), of Regulation (EU) 2019/1020Art. 3(33)CyberResilience
market surveillance authoritythe national authority carrying out the activities and taking the measures pursuant to Regulation (EU) 2019/1020;Art. 3(26)EU AI Act
medium-sized enterprisea financial entity that is not a small enterprise and employs fewer than 250 persons and has an annual turnover that does not exceed EUR 50 million and/or an annual balance sheet that does not exceed EUR 43 millionArt. 3 (64)DORA
mere conduita service, consisting of the transmission in a communication network of information provided by a recipient of the service, or the provision of access to a communication networkArt. 3(g)(i)Digital Services Act
metadataa structured description of the contents or the use of data facilitating the discovery or use of that dataArt. 2(2)EU Data Act
microenterprise 2a financial entity, other than a trading venue, a central counterparty, a trade repository or a central securities depository, which employs fewer than 10 persons and has an annual turnover and/or annual balance sheet total that does not exceed EUR 2 millionArt. 3 (60)DORA
microenterprisea microenterprise as defined in Article 2(3) of the Annex to Recommendation 2003/361/EC

[an enterprise which employs fewer than 10 persons and whose annual turnover and/or annual balance sheet total does not exceed EUR 2 million]
Art. 2(26)EU Data ActArticle 2(3) of the Annex to Recommendation 2003/361/EC
Model EvasionEvasion is one of the most common attacks on machine learning models (ML) performed during production. It refers to designing an input, which seems normal for a human but is wrongly classified by ML models. A typical example is to change some pixels in a picture before uploading, so that the image recognition system fails to classify the result.ALTAI
Model InversionModel inversion refers to a kind of attack to AI models, in which the access to a model is abused to infer information about the training data. So, model inversion turns the usual path from training data into a machine-learned model from a one-way one to a two-way one, permitting the training data to be estimated from the model with varying degrees of accuracy. Such attacks raise serious concerns given that training data usually contain privacy-sensitive information.ALTAI
national competent authoritymeans a notifying authority or a market surveillance authority; as regards AI systems put into service or used by Union institutions, agencies, offices and bodies, references to national competent authorities or market surveillance authorities in this Regulation shall be construed as references to the European Data Protection Supervisor;Art. 3(48)EU AI Act
near missa near miss as defined in Article 6, point (5), of Directive (EU) 2022/2555Art. 3(45)CyberResilience
network and information systema network and information system as defined in Article 6, point 1, of Directive (EU) 2022/2555, i.e.

‘network and information system’ means:
(a) an electronic communications network as defined in Article 2, point (1), of Directive (EU) 2018/1972;
(b) any device or group of interconnected or related devices, one or more of which, pursuant to a programme, carry out automatic processing of digital data; or
(c) digital data stored, processed, retrieved or transmitted by elements covered under points (a) and (b) for the purposes of their operation, use, protection and maintenance
Art. 3 (2)DORAArticle 6, point 1, of Directive (EU) 2022/2555
non-personal data 2data other than personal dataArt. 2(4)EU Data ActArt. 3(51) EU AI Act
non-personal datadata other than personal data as defined in Article 4, point (1), of Regulation (EU) 2016/679Art. 3(51)EU AI ActArt. 2(4) EU Data Act
notified body 2a conformity assessment body designated in accordance with Article 43 and other relevant Union harmonisation legislationArt. 3(29)CyberResilience
notified bodyconformity assessment body notified in accordance with this Regulation and other relevant Union harmonisation legislation;Art. 3(22)EU AI Act
notifying authority 2the national authority responsible for setting up and carrying out the necessary procedures for the assessment, designation and notification of conformity assessment bodies and for their monitoringArt. 3(26)CyberResilience
notifying authoritythe national authority responsible for setting up and carrying out the necessary procedures for the assessment, designation and notification of conformity assessment bodies and for their monitoring;Art. 3(19)EU AI Act
on-premises ICT infrastructureICT infrastructure and computing resources owned, rented or leased by the customer, located in the data centre of the customer itself and operated by the customer or by a third-partyArt. 2(33)EU Data Act
Online continual learningThe ability to continually learn over time by accommodating new knowledge while retaining previously learned experiences is referred to as continual or lifelong learning. Learning continually is crucial for agents and robots operating in changing environments and required to acquire, fine-tune, adapt, and transfer increasingly complex representations of knowledge. Such a continuous learning task has represented a long-standing challenge for machine learning and neural networks and, consequently, for the development of artificial intelligence (AI) systems. The main issue of computational models regarding lifelong learning is that they are prone to catastrophic forgetting or catastrophic interference, i.e., training a model with new information interferes with previously learned knowledge.ALTAI
online interfaceany software, including a website or a part thereof, and applications, including mobile applicationsArt. 3(m)Digital Services Act
online platforma hosting service that, at the request of a recipient of the service, stores and disseminates information to the public, unless that activity is a minor and purely ancillary feature of another service or a minor functionality of the principal service and, for objective and technical reasons, cannot be used without that other service, and the integration of the feature or functionality into the other service is not a means to circumvent the applicability of this RegulationArt. 3(i)Digital Services Act
online search enginean intermediary service that allows users to input queries in order to perform searches of, in principle, all websites, or all websites in a particular language, on the basis of a query on any subject in the form of a keyword, voice request, phrase or other input, and returns results in any format in which information related to the requested content can be foundArt. 3(j)Digital Services Act
open interoperability specificationa technical specification in the field of information and communication technologies which is performance oriented towards achieving interoperability between data processing servicesArt. 2(41)EU Data Act
open-source software stewarda legal person, other than a manufacturer, that has the purpose or objective of systematically providing support on a sustained basis for the development of specific products with digital elements, qualifying as free and open-source software and intended for commercial activities, and that ensures the viability of those productsArt. 3(14)CyberResilience
operational or security payment-related incidenta single event or a series of linked events unplanned by the financial entities referred to in Article 2(1), points (a) to (d), whether ICT-related or not, that has an adverse impact on the availability, authenticity, integrity or confidentiality of payment-related data, or on the payment-related services provided by the financial entityArt. 3 (9)DORA
operatora provider, product manufacturer, deployer, authorised representative, importer or distributorArt. 3(8)EU AI Act
parent undertakinga parent undertaking within the meaning of Article 2, point (9), and Article 22 of Directive 2013/34/EU, i.e.

‘parent undertaking’ means an undertaking which controls one or more subsidiary undertakings;
Art. 3 (27)DORAArticle 2, point (9), and Article 22 of Directive 2013/34/EU
payment institutiona payment institution as defined in Article 4, point (4), of Directive (EU) 2015/2366Art. 3 (35)DORA
payment institution exempted pursuant to Directive (EU) 2015-2366a payment institution exempted pursuant to Article 32(1) of Directive (EU) 2015/2366Art. 3 (36)DORA
Pen testA penetration test, colloquially known as a pen test, pentest or ethical hacking, is an authorized simulated cyberattack on a computer system, performed to evaluate the security of the system. The test is performed to identify both weaknesses (also referred to as vulnerabilities), including the potential for unauthorised parties to gain access to the system’s features and data, as well as strengths, enabling a full risk assessment to be completed.ALTAI
performance of an AI systemthe ability of an AI system to achieve its intended purpose;Art. 3(18)EU AI Act
person performing platform workan individual performing platform work, irrespective of the nature of the contractual relationship or the designation of that relationship by the parties involvedArt. 2(c)Platform Work
personal data 4personal data as defined in Article 4, point (1), of Regulation (EU) 2016/679Art. 3(47)CyberResilience
personal data 3personal data as defined in Article 4, point (1), of Regulation (EU) 2016/679

[any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person]
Art. 2(3)EU Data ActArt. 4(1) GDPR

Art. 3(50) EU AI Act
personal dataany information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural personArt. 4(1)GDPRArt. 3(50) EU AI Act

Art. 2(3) EU Data Act
personal data 2personal data as defined in Article 4, point (1), of Regulation (EU) 2016/679

[any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person]
Art. 3(50)EU AI ActArt. 4(1) GDPR

Art. 2(3) EU Data Act
personal data breacha breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processedArt. 4(12)GDPR
persons with disabilities‘persons with disabilities’ as referred to in Article 3, point (1), of Directive (EU) 2019/882 of the European Parliament and of the CouncilArt. 3(v)Digital Services ActArticle 3, point (1), of Directive (EU) 2019/882
physical connectiona connection between electronic information systems or components implemented using physical means, including through electrical, optical or mechanical interfaces, wires or radio wavesArt. 3(9)CyberResilience
placing on the market 3the first making available of a product with digital elements on the Union marketArt. 3(21)CyberResilience
placing on the market 2the first making available of a connected product on the Union marketArt. 2(22)EU Data ActArt. 3(9) EU AI Act
placing on the marketthe first making available of an AI system or a general-purpose AI model on the Union marketArt. 3(9)EU AI ActArt. 2(22) EU Data Act
platform workwork organised through a digital labour platform and performed in the Union by an individual on the basis of a contractual relationship between the digital labour platform or an intermediary, and the individual, irrespective of whether there is a contractual relationship between the individual or an intermediary and the recipient of the serviceArt. 2(b)Platform Work
platform workermeans any person performing platform work who has or is deemed to have an employment contract or an employment relationship as defined by the law, collective agreements or practice in force in the Member States with consideration to the case-law of the Court of JusticeArt. 2(d)Platform Work
post-market monitoring systemall activities carried out by providers of AI systems to collect and review experience gained from the use of AI systems they place on the market or put into service for the purpose of identifying any need to immediately apply any necessary corrective or preventive actions;Art. 3(25)EU AI Act
post-remote biometric identification systemremote biometric identification system other than a real-time remote biometric identification system;Art. 3(43)EU AI Act
processing 2any operation or set of operations which is performed on data or on sets of data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or other means of making them available, alignment or combination, restriction, erasure or destructionArt. 2(7)EU Data ActArt. 4(2) GDPR
processingany operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destructionArt. 4(2)GDPRArt. 2(7) EU DAta Act
processora natural or legal person, public authority, agency or other body which processes personal data on behalf of the controllerArt. 4(8)GDPR
product datadata generated by the use of a connected product that the manufacturer designed to be retrievable, via an electronic communications service, physical connection or on-device access, by a user, data holder or a third party, including, where relevant, the manufacturerArt. 2(15)EU Data Act
product with digital elementsa software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separatelyArt. 3(1)CyberResilience
profiling 3profiling as defined in Article 4, point (4), of Regulation (EU) 2016/679 (GDPR)

[any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements]
Art. 2(20)EU Data ActArt. 4(4) GDPR

Art. 3(52) EU AI Act
profilingany form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movementsArt. 4(4)GDPRArt. 3(52) EU AI Act

Art. 2(20) EU Data Act
profiling 2profiling as defined in Article 4, point (4), of Regulation (EU) 2016/679 (GDPR)

[any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements]
Art. 3(52)EU AI ActArt. 4(4) GDPR

Art. 2(20) EU Data Act
providera natural or legal person, public authority, agency or other body that develops an AI system or a general-purpose AI model or that has an AI system or a general-purpose AI model developed and places it on the market or puts the AI system into service under its own name or trademark, whether for payment or free of charge;Art. 3(3)EU AI Act
pseudonymisationthe processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural personArt. 4(5)GDPR
public authorityany government or other public administration entity, including national central banksArt. 3 (65)DORA
public emergencyan exceptional situation, limited in time, such as a public health emergency, an emergency resulting from natural disasters, a human-induced major disaster, including a major cybersecurity incident, negatively affecting the population of the Union or the whole or part of a Member State, with a risk of serious and lasting repercussions for living conditions or economic stability, financial stability, or the substantial and immediate degradation of economic assets in the Union or the relevant Member State and which is determined or officially declared in accordance with the relevant procedures under Union or national lawArt. 2(29)EU Data Act
public sector bodynational, regional or local authorities of the Member States and bodies governed by public law of the Member States, or associations formed by one or more such authorities or one or more such bodiesArt. 2(28)EU Data Act
publicly accessible spaceany publicly or privately owned physical place accessible to an undetermined number of natural persons, regardless of whether certain conditions for access may apply, and regardless of the potential capacity restrictions;Art. 3(44)EU AI Act
putting into servicethe supply of an AI system for first use directly to the deployer or for own use in the Union for its intended purposeArt. 3(11)EU AI Act
readily available dataproduct data and related service data that a data holder lawfully obtains or can lawfully obtain from the connected product or related service, without disproportionate effort going beyond a simple operationArt. 2(17)EU Data Act
real-time remote biometric identification systema  remote biometric identification system whereby the capturing of biometric data, the comparison and the identification all occur without a significant delay, comprising not only instant identification, but also limited short delays in order to avoid circumvention;Art. 3(42)EU AI Act
real-world testing plana document that describes the objectives, methodology, geographical, population and temporal scope, monitoring, organisation and conduct of testing in real-world conditionsArt. 3(53)EU AI Act
reasonably foreseeable misuse 2the use of a product with digital elements in a way that is not in accordance with its intended purpose, but which may result from reasonably foreseeable human behaviour or interaction with other systemsArt. 3(25)CyberResilience
reasonably foreseeable misusethe use of an AI system in a way that is not in accordance with its intended purpose, but which may result from reasonably foreseeable human behaviour or interaction with other systems, including other AI systemsArt. 3(13)EU AI Act
reasonably foreseeable useuse that is not necessarily the intended purpose supplied by the manufacturer in the instructions for use, promotional or sales materials and statements, as well as in the technical documentation, but which is likely to result from reasonably foreseeable human behaviour or technical operations or interactionsArt. 3(24)CyberResilience
recallrecall as defined in Article 3, point (22), of Regulation (EU) 2019/1020Art. 3(49)CyberResilience
recall of an AI systemany measure aiming to achieve the return to the provider or taking out of service or disabling the use of an AI system made available to deployersArt. 3(16)EU AI Act
recipienta natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processingArt. 4(9)GDPR
recipient of the serviceany natural or legal person who uses an intermediary service, in particular for the purposes of seeking information or making it accessibleArt. 3(b)Digital Services Act
recommender systema fully or partially automated system used by an online platform to suggest in its online interface specific information to recipients of the service or prioritise that information, including as a result of a search initiated by the recipient of the service or otherwise determining the relative order or prominence of information displayedArt. 3(s)Digital Services Act
Red teamRed teaming is the practice whereby a red team or independent group challenges an organisation to improve its effectiveness by assuming an adversarial role or point of view. It is often used to help identify and address potential security vulnerabilities.ALTAI
Redress by designRedress by design relates to the idea of establishing, from the design phase, mechanisms to ensure redundancy, alternative systems, alternative procedures, etc. in order to be able to effectively detect, audit, rectify the wrong decisions taken by a perfectly functioning system and, if possible, improve the system.ALTAI
reinsurance intermediarya reinsurance intermediary as defined in Article 2(1), point (5), of Directive (EU) 2016/97, i.e.

‘reinsurance intermediary’ means any natural or legal person, other than a reinsurance undertaking or its employees, who, for remuneration, takes up or pursues the activity of reinsurance distribution;
Art. 3 (51)DORAArticle 2(1), point (5), of Directive (EU) 2016/97
reinsurance undertakinga reinsurance undertaking as defined in Article 13, point (4), of Directive 2009/138/ECArt. 3 (48)DORA
related servicea digital service, other than an electronic communications service, including software, which is connected with the product at the time of the purchase, rent or lease in such a way that its absence would prevent the connected product from performing one or more of its functions, or which is subsequently connected to the product by the manufacturer or a third party to add to, update or adapt the functions of the connected productArt. 2(6)EU Data Act
related service datadata representing the digitisation of user actions or of events related to the connected product, recorded intentionally by the user or generated as a by-product of the user’s action during the provision of a related service by the providerArt. 2(16)EU Data Act
relevant and reasoned objectionan objection to a draft decision as to whether there is an infringement of this Regulation, or whether envisaged action in relation to the controller or processor complies with this Regulation, which clearly demonstrates the significance of the risks posed by the draft decision as regards the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the UnionArt. 4(24)GDPR
remote biometric identification systeman AI system for the purpose of identifying natural persons, without their active involvement, typically at a distance through the comparison of a person’s biometric data with the biometric data contained in a reference database;Art. 3(41)EU AI Act
remote data processingdata processing at a distance for which the software is designed and developed by the manufacturer, or under the responsibility of the manufacturer, and the absence of which would prevent the product with digital elements from performing one of its functionsArt. 3(2)CyberResilience
representativea natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to Article 27, represents the controller or processor with regard to their respective obligations under this RegulationArt. 4(17)GDPR
representatives of persons performing platform workworkers’ representatives and, insofar as provided for in national law and practiceArt. 2(g)Platform Work
ReproducibilityReproducibility refers to the closeness between the results of two actions, such as two scientific experiments, that are given the same input and use the methodology, as described in a corresponding scientific evidence (such as a scientific publication). A related concept is replication, which is the ability to independently achieve non-identical conclusions that are at least similar, when differences in sampling, research procedures and data analysis methods may exist. Reproducibility and replicability together are among the main tools of the scientific method.ALTAI
restriction of processingthe marking of stored personal data with the aim of limiting their processing in the futureArt. 4(3)GDPR
riskthe combination of the probability of an occurrence of harm and the severity of that harmArt. 3(2)EU AI Act
Robustness AIRobustness of an AI system encompasses both its technical robustness (appropriate in a given context, such as the application domain or life cycle phase) and as well as its robustness from a social perspective (ensuring that the AI system duly takes into account the context and environment in which the system operates). This is crucial to ensure that, even with good intentions, no unintentional harm can occur. Robustness is the third of the three components necessary for achieving Trustworthy AI.ALTAI
safety componenta component of a product or of an AI system which fulfils a safety function for that product or AI system, or the failure or malfunctioning of which endangers the health and safety of persons or propertyArt. 3(14)EU AI Act
same service typea set of data processing services that share the same primary objective, data processing service model and main functionalitiesArt. 2(9)EU Data Act
sandbox plana document agreed between the participating provider and the competent authority describing the objectives, conditions, timeframe, methodology and requirements for the activities carried out within the sandbox;Art. 3(54)EU AI Act
securitisation repositorya securitisation repository as defined in Article 2, point (23), of Regulation (EU) 2017/2402 of the European Parliament and of the CouncilArt. 3 (59)DORA
security of network and information systemssecurity of network and information systems as defined in Article 6, point 2, of Directive (EU) 2022/2555, i.e.

‘security of network and information systems’ means the ability of network and information systems to resist, at a given level of confidence, any event that may compromise the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, those network and information systems;
Art. 3 (4)DORAArticle 6, point 2, of Directive (EU) 2022/2555
Self-learning AI systemSelf-learning (or self-supervised learning) AI systems recognize patterns in the training data in an autonomous way, without the need for supervision.ALTAI
sensitive operational dataoperational data related to activities of prevention, detection, investigation or prosecution of criminal offences, the disclosure of which could jeopardise the integrity of criminal proceedings;Art. 3(38)EU AI Act
serious incidentan incident or malfunctioning of an AI system that directly or indirectly leads to any of the following:
(a) the death of a person, or serious harm to a person’s health;
(b) a serious and irreversible disruption of the management or operation of critical infrastructure.
(c) the infringement of obligations under Union law intended to protect fundamental rights;
(d) serious harm to property or the environment
Art. 3(49)EU AI Act
significant cyber threata cyber threat the technical characteristics of which indicate that it could have the potential to result in a major ICT-related incident or a major operational or security payment-related incidentArt. 3 (13)DORA
significant cybersecurity riska cybersecurity risk which, based on its technical characteristics, can be assumed to have a high likelihood of an incident that could lead to a severe negative impact, including by causing considerable material or non-material loss or disruptionArt. 3(38)CyberResilience
small and non-interconnected investment firman investment firm that meets the conditions laid out in Article 12(1) of Regulation (EU) 2019/2033 of the European Parliament and of the CouncilArt. 3 (34)DORA
small enterprise 2a financial entity that employs 10 or more persons, but fewer than 50 persons, and has an annual turnover and/or annual balance sheet total that exceeds EUR 2 million, but does not exceed EUR 10 millionArt. 3 (63)DORA
small enterprisea small enterprise as defined in Article 2(2) of the Annex to Recommendation 2003/361/EC

[an enterprise which employs fewer than 50 persons and whose annual turnover and/or annual balance sheet total does not exceed EUR 10 million]
Art. 2(25)EU Data ActArticle 2(2) of the Annex to Recommendation 2003/361/EC
small institution for occupational retirement provisionan institution for occupational retirement provision which operates pension schemes which together have less than 100 members in totalArt. 3 (53)DORA
smart contracta computer program used for the automated execution of an agreement or part thereof, using a sequence of electronic data records and ensuring their integrity and the accuracy of their chronological orderingArt. 2(39)EU Data Act
softwarethe part of an electronic information system which consists of computer codeArt. 3(4)CyberResilience
software bill of materialsa formal record containing details and supply chain relationships of components included in the software elements of a product with digital elementsArt. 3(39)CyberResilience
special categories of personal datathe categories of personal data referred to in Article 9(1) of Regulation (EU) 2016/679, Article 10 of Directive (EU) 2016/680 and Article 10(1) of Regulation (EU) 2018/1725;Art. 3(37)EU AI Act
StandardsStandards are norms designed by industry and/or Governments that set product or services’ specifications. They are a key part of our society as they ensure quality and safety in both products and services in international trade. Businesses can be seen to benefit from standards as they can help cut costs by improved systems and procedures put in place. Standards are internationally agreed by experts and they usually represent what the experts think is the best way of doing something. It could be about making a product, managing a process, delivering a service or supplying materials – standards cover a huge range of activities. Standards are released by international organizations, such as ISO (International Organisation for Standardisation), IEEE (The Institute of Electrical and Electronics Engineers) Standard Association, and NIST (National Institute of Standards and Technology).ALTAI
subjectA subject is a person or a group of persons affected by the AI system (such as the recipient of benefits where the decision to grant or reject benefits is underpinned by an AIsystem, or the general public for facial recognition).ALTAI
subjectfor the purpose of real-world testing, means a natural person who participates in testing in real-world conditions;Art. 3(58)EU AI Act
subsidiarya subsidiary undertaking within the meaning of Article 2, point (10), and Article 22 of Directive 2013/34/EU, i.e.

‘subsidiary undertaking’ means an undertaking controlled by a parent undertaking, including any subsidiary undertaking of an ultimate parent undertaking;
Art. 3 (25)DORAArticle 2, point (10), and Article 22 of Directive 2013/34/EU
substantial connection to the Uniona connection of a provider of intermediary services with the Union resulting either from its establishment in the Union or from specific factual criteria, such as:

- a significant number of recipients of the service in one or more Member States in relation to its or their population; or
- the targeting of activities towards one or more Member States
Art. 3(e)Digital Services Act
substantial modification 2a change to the product with digital elements following its placing on the market, which affects the compliance of the product with digital elements with the essential cybersecurity requirements set out in Part I of Annex I or which results in a modification to the intended purpose for which the product with digital elements has been assessedArt. 3(30)CyberResilience
substantial modificationa change to an AI system after its placing on the market or putting into service which is not foreseen or planned in the initial conformity assessment carried out by the provider and as a result of which the compliance of the AI system with the requirements set out in Chapter III, Section 2 is affected or results in a modification to the intended purpose for which the AI system has been assessed;Art. 3(23)EU AI Act
supervisory authorityan independent public authority which is established by a Member State pursuant to Article 51;Art. 4(21)GDPR
supervisory authority concerneda supervisory authority which is concerned by the processing of personal data because: • (a) the controller or processor is established on the territory of the Member State of that supervisory authority; • (b) data subjects residing in the Member State of that supervisory authority are substantially affected or likely to be substantially affected by the processing; or • (c) a complaint has been lodged with that supervisory authority;Art. 4(22)GDPR
support periodthe period during which a manufacturer is required to ensure that vulnerabilities of a product with digital elements are handled effectively and in accordance with the essential cybersecurity requirements set out in Part II of Annex IArt. 3(20)CyberResilience
switchingthe process involving a source provider of data processing services, a customer of a data processing service and, where relevant, a destination provider of data processing services, whereby the customer of a data processing service changes from using one data processing service to using another data processing service of the same service type, or other service, offered by a different provider of data processing services, or to an on-premises ICT infrastructure, including through extracting, transforming and uploading the dataArt. 2(34)EU Data Act
switching chargescharges, other than standard service fees or early termination penalties, imposed by a provider of data processing services on a customer for the actions mandated by this Regulation for switching to the system of a different provider or to on-premises ICT infrastructure, including data egress chargesArt. 2(36)EU Data Act
systemic riska risk that is specific to the high-impact capabilities of general-purpose AI models, having a significant impact on the Union market due to their reach, or due to actual or reasonably foreseeable negative effects on public health, safety, public security, fundamental rights, or the society as a whole, that can be propagated at scale across the value chainArt. 3(65)EU AI Act
terms and conditionsall clauses, irrespective of their name or form, which govern the contractual relationship between the provider of intermediary services and the recipients of the serviceArt. 3(u)Digital Services Act
testing datadata used for providing an independent evaluation of the AI system in order to confirm the expected performance of that system before its placing on the market or putting into service;Art. 3(32)EU AI Act
testing in real-world conditionsthe temporary testing of an AI system for its intended purpose in real-world conditions outside a laboratory or otherwise simulated environment, with a view to gathering reliable and robust data and to assessing and verifying the conformity of the AI system with the requirements of this Regulation and it does nor qualify as placing the AI system on the market or putting it into service within the meaning of this Regulation, provided that all the conditions laid down in Article 57 or 60 are fulfilledArt. 3(57)EU AI Act
third partya natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal dataArt. 4(10)GDPR
threat intelligenceinformation that has been aggregated, transformed, analysed, interpreted or enriched to provide the necessary context for decision-making and to enable relevant and sufficient understanding in order to mitigate the impact of an ICT-related incident or of a cyber threat, including the technical details of a cyber-attack, those responsible for the attack and their modus operandi and motivationsArt. 3 (15)DORA
threat-led penetration testing (TLPT)a framework that mimics the tactics, techniques and procedures of real-life threat actors perceived as posing a genuine cyber threat, that delivers a controlled, bespoke, intelligence-led (red team) test of the financial entity’s critical live production systemsArt. 3 (19)DORA
offer services in the Unionenabling natural or legal persons in one or more Member States to use the services of a provider of intermediary services that has a substantial connection to the Union;Art. 3(d)Digital Services Act
TraceabilityAbility to track the journey of a data input through all stages of sampling, labelling, processing and decision making.ALTAI
trade repositorya trade repository as defined in Article 2, point (2), of Regulation (EU) No 648/2012Art. 3 (41)DORA
trade secrettrade secret as defined in Article 2, point (1), of Directive (EU) 2016/943

[‘trade secret’ means information which meets all of the following requirements:

(a) it is secret in the sense that it is not, as a body or in the precise configuration and assembly of its components, generally known among or readily accessible to persons within the circles that normally deal with the kind of information in question;

(b) it has commercial value because it is secret;

(c) it has been subject to reasonable steps under the circumstances, by the person lawfully in control of the information, to keep it secret;]
Art. 2(18)EU Data ActArticle 2, point (1), of Directive (EU) 2016/943
trade secret holdera trade secret holder as defined in Article 2, point (2), of Directive (EU) 2016/943

[any natural or legal person lawfully controlling a trade secret]
Art. 2(19)EU Data ActArticle 2, point (2), of Directive (EU) 2016/943
traderany natural person, or any legal person irrespective of whether it is privately or publicly owned, who is acting, including through any person acting in his or her name or on his or her behalf, for purposes relating to his or her trade, business, craft or professionArt. 3(f)Digital Services Act
trading venuea trading venue as defined in Article 4(1), point (24), of Directive 2014/65/EU, i.e.

‘trading venue’ means a regulated market, an MTF or an OTF;
Supplemental definitions:
(21) ‘regulated market’ means a multilateral system operated and/or managed by a market operator, which brings together or facilitates the bringing together of multiple third-party buying and selling interests in financial instruments – in the system and in accordance with its non-discretionary rules – in a way that results in a contract, in respect of the financial instruments admitted to trading under its rules and/or systems, and which is authorised and functions regularly and in accordance with Title III of this Directive
(22) ‘multilateral trading facility’ or ‘MTF’ means a multilateral system, operated by an investment firm or a market operator, which brings together multiple third-party buying and selling interests in financial instruments – in the system and in accordance with non-discretionary rules – in a way that results in a contract in accordance with Title II of this Directive
(23) ‘organised trading facility’ or ‘OTF’ means a multilateral system which is not a regulated market or an MTF and in which multiple third-party buying and selling interests in bonds, structured finance products, emission allowances or derivatives are able to interact in the system in a way that results in a contract in accordance with Title II of this Directive
Art. 3 (43)DORAArticle 4(1), point (24), of Directive 2014/65/EU
training datadata used for training an AI system through fitting its learnable parameters;Art. 3(29)EU AI Act
Trustworthy AITrustworthy AI has three components: (1) it should be lawful, ensuring compliance with all applicable laws and regulations (2) it should be ethical, demonstrating respect for, and ensure adherence to, ethical principles and values and (3) it should be robust, both from a technical and social perspective, since, even with good intentions, AI systems can cause unintentional harm. Trustworthy AI concerns not only the trustworthiness of the AI system itself but also comprises the trustworthiness of all processes and actors that are part of the AI system’s life cycle.ALTAI
turnoverthe amount derived by an undertaking within the meaning of Article 5(1) of Council Regulation (EC) No 139/2004 (39).Art. 3(x)Digital Services ActArticle 5(1) of Council Regulation (EC) No 139/2004 (39).
Union bodiesthe Union bodies, offices and agencies set up by or pursuant to acts adopted on the basis of the Treaty on European Union, the TFEU or the Treaty establishing the European Atomic Energy CommunityArt. 2(27)EU Data Act
Union harmonisation legislationUnion legislation listed in Annex I to Regulation (EU) 2019/1020 and any other Union legislation harmonising the conditions for the marketing of products to which that Regulation appliesArt. 3(32)CyberResilience
Universal DesignTerms such as “Design for All”, “Universal Design”, “accessible design”, “barrier‐free design”, “inclusive design” and “transgenerational design” are often used interchangeably with the same meaning. These concepts have been developed by different stakeholders working to deliver high levels of accessibility. A parallel development of human-centred design emerged within ergonomics focusing on usability. These related concepts are expressed in the human rights perspective of the Design for All approach. The Design for All approach focuses on user involvement and experiences during the design and development process to achieve accessibility and usability. It should be applied from the earliest possible time, and throughout all stages in the life of products and services which are intended for mainstream use. A Design for All approach also focuses on user requirements and interoperability between products and services across the end-to-end chain of use to reach inclusive and non-stigmatizing solutions.ALTAI
Use caseA use case is a specific situation in which a product or service could potentially be used. For example, self-driving cars or care robots are use cases for AI.ALTAI
userA user is a person that uses, supports or maintains the product, such as system administrators, database administrators, information technology experts, software professionals and computer technicians.ALTAI
usera natural or legal person that owns a connected product or to whom temporary rights to use that connected product have been contractually transferred, or that receives related servicesArt. 2(12)EU Data Act
validation datadata used for providing an evaluation of the trained AI system and for tuning its non-learnable parameters and its learning process in order, inter alia, to prevent underfitting or overfitting;Art. 3(30)EU AI Act
validation data seta separate data set or part of the training data set, either as a fixed or variable split;Art. 3(31)EU AI Act
virtual assistantssoftware that can process demands, tasks or questions including those based on audio, written input, gestures or motions, and that, based on those demands, tasks or questions, provides access to other services or controls the functions of connected productsArt. 2(31)EU Data Act
vulnerability 2a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threatArt. 3(40)CyberResilience
vulnerabilitya weakness, susceptibility or flaw of an asset, system, process or control that can be exploitedArt. 3 (16)DORA
widespread infringementany act or omission contrary to Union law protecting the interest of individuals, which:
(a) has harmed or is likely to harm the collective interests of individuals residing in at least two Member States other than the Member State in which:
(i) the act or omission originated or took place;
(ii) the provider concerned, or, where applicable, its authorised representative is located or established; or
(iii) the deployer is established, when the infringement is committed by the deployer;
(b) has caused, causes or is likely to cause harm to the collective interests of individuals and has common features, including the same unlawful practice or the same interest being infringed, and is occurring concurrently, committed by the same operator, in at least three Member States;
Art. 3(61)EU AI Act
withdrawalwithdrawal as defined in Article 3, point (23), of Regulation (EU) 2019/1020Art. 3(50)CyberResilience
withdrawal of an AI systemany measure aiming to prevent an AI system in the supply chain being made available on the marketArt. 3(17)EU AI Act
workers’ representativesrepresentatives of platform workers, such as trade unions and representatives who are freely elected by the platform workers in accordance with national law and practiceArt. 2(f)Platform Work
Workflow of the modelThe workflow of an AI model shows the phases needed to build the model and their interdependencies. Typical phases are: Data collection and preparation, Model development, Model training, Model accuracy evaluation, Hyperparameters’ tuning, Model usage, Model maintenance, Model versioning. These stages are usually iterative: one may need to reevaluate and go back to a previous step at any point in the process.ALTAI