Accountability
The implementation of appropriate technical and organisational measures to ensure and be able to demonstrate that the handling of personal data is performed in accordance with relevant law, an idea codified in the GDPR and other frameworks, including APEC's Cross Border Privacy Rules. Traditionally, accountability has been a fair information practices principle, that due diligence and reasonable steps will be undertaken to ensure that personal information will be protected and handled consistently with relevant law and other fair use principles.
Accuracy
Organizations must take every reasonable step to ensure the data processed is accurate and, where necessary, kept up to date. Reasonable measures should be understood as implementing processes to prevent inaccuracies during the data collection process as well as during the ongoing data processing in relation to the specific use for which the data is processed. The organization must consider the type of data and the specific purposes to maintain the accuracy of personal data in relation to the purpose. Accuracy also embodies the responsibility to respond to data subject requests to correct records that contain incomplete information or misinformation.
When an end user deliberately provides information, typically through the use of web forms, text boxes, check boxes or radio buttons.
Actively Exploited Vulnerability
A vulnerability for which there is reliable evidence that execution of malicious code was performed by an actor on a system without permission of the system owner
Source: Article 3(39) of Cyber Resilience Act (draft 2022)
Adequate Level of Protection
A transfer of personal data from the European Union to a third country or an international organisation may take place where the European Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question, ensures an adequate level of protection by taking into account the following elements:
- the rule of law, respect for human rights and fundamental freedoms, both general and sectoral legislation, data protection rules, professional rules and security measures, effective and enforceable data subject rights and effective administrative and judicial redress for the data subjects whose personal data is being transferred,
- the existence and effective functioning of independent supervisory authorities with responsibility for ensuring and enforcing compliance with the data protection rules,
- the international commitments the third country or international organisation concerned has entered(...)
AI Literacy
Skills, knowledge and understanding that allow Providers, Deployers and affected persons, taking into account their respective rights and obligations in the context of this Regulation, to make an informed deployment of AI Systems, as well as to gain awareness about the opportunities and Risks of AI and possible harm it can cause
Source: Article 3(56) of the EU AI Act
AI Office
The Commission’s function of contributing to the implementation, monitoring and supervision of AI Systems and General-Purpose AI Models and AI governance provided in Commission Decision of 24 January 2024; references in this Regulation to the AI Office shall be construed as references to the Commission
Source: Article 3(47) of the EU AI Act
AI Regulatory Sandbox
A controlled framework set up by a Competent Authority which offers Providers or prospective Providers of AI Systems the possibility to develop, train, validate and test, where appropriate in Real-World Conditions, an innovative AI System, pursuant to a Sandbox Plan for a limited time under regulatory supervision.
Source: Article 3(55) of the EU AI Act
AI System
A machine-based system that is designed to operate with varying levels of autonomy and that may exhibit adaptiveness after deployment and that, for explicit or implicit objectives, infers, from the input it receives, how to generate outputs such as predictions, content, recommendations, or decisions that can influence physical or virtual environments.
Source: Article 3(1) of the EU AI Act
Anonymization
The process in which personal data is altered in such a way that it no longer can be related back to a given individual through an irreversible process. Among many techniques, there are three primary ways that data is anonymized:
- Suppression is the most basic version of anonymization and it simply removes some identifying values from data to reduce its identifiability.
- Generalization (cohort) takes specific identifying values and makes them broader, such as changing a specific age (18) to an age range (18-24).
- Noise addition (salting) takes identifying values from a given data set and switches them with identifying values from another individual in that data set.
Authorised Representative
Any natural or legal person established within the Union who has received a written mandate from a manufacturer to act on his or her behalf in relation to specified tasks
Source: Article 3(19) of Cyber Resilience Act (draft 2022)
Any natural or legal person located or established in the Union who has received and accepted a written mandate from a provider of an AI System or a General-Purpose AI Model to, respectively, perform and carry out on its behalf the obligations and procedures established by this Regulation
Source: Article 3(5) of the EU AI Act
BCR
Personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity.
Acronym: BCR
Source: Regulation 2016/679 (GDPR)
Biometric Categorisation System
An AI System for the purpose of assigning natural persons to specific categories on the basis of their Biometric Data, unless it is ancillary to another commercial service and strictly necessary for objective technical reasons
Source: Article 3(40) of the EU AI Act
Biometric Data
Personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data. Should be considered as a special category of data only where it allows for such unique identification of a data subject.
Biometric Data
Personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, such as facial images or dactyloscopic data.
Source: Article 3(34) of the EU AI Act
Biometric Identification
The automated recognition of physical, physiological, behavioural, or psychological human features for the purpose of establishing the identity of a natural person by comparing Biometric Data of that individual to Biometric Data of individuals stored in a database
Source: Article 3(35) of the EU AI Act
Biometric Verification
The automated, one-to-one verification, including authentication, of the identity of natural persons by comparing their Biometric Data to previously provided Biometric Data;
Source: Article 3(36) of the EU AI Act
CE Marking
A marking by which a manufacturer indicates that a product with digital elements and the processes put in place by the manufacturer are in conformity with the essential requirements set out in Annex I and other applicable Union legislation harmonising the conditions for the marketing of products (‘Union harmonisation legislation’) providing for its affixing
Source: Article 3(32) of Cyber Resilience Act (draft 2022)
CE Marking of Conformity
CE marking - A marking by which a Provider indicates that an AI System is in conformity with the requirements set out in Chapter III, Section 2 and other applicable Union harmonisation legislation providing for its affixing.
Source: Article 3(24) of the EU AI Act
Cloud Computing Service
A digital service that enables on-demand administration and broad remote access to a scalable and elastic pool of shareable computing resources, including where such resources are distributed across several locations
Source: Directive 2022/2555 (NIS2)
Codes of Conduct
Introduced by GDPR, codes of conduct are a new valid adequacy mechanism for the transfer of personal data outside of the European Union in the absence of an adequacy decision and instead of other mechanisms such as binding corporate rules or contractual clauses. Codes of conduct must be developed by industry trade groups, associations or other bodies representing categories of controllers or processors. They must be approved by supervisory authorities or the European Data Protection Board, and have a methodology for auditing compliance. Similar to binding corporate rules, they compel organizations to be able to demonstrate their compliance with all aspects of applicable data protection legislation.
Source: Article 40 GDPR.
Common Specification
A set of technical specifications as defined in Article 2, point (4) of Regulation (EU) No 1025/2012, providing means to comply with certain requirements established under this Regulation.
Source: Article 3(28) of the EU AI Act
Common Specifications
A document, other than a standard, containing technical solutions providing a means to comply with certain requirements and obligations established under this Regulation
Source: Article 2(42) of the EU Regulation on harmonised rules on fair access to and use of data and amending Regulation (EU) 2017/2394 and Directive (EU) 2020/1828 (Data Act)
Conformity Assessment
The process of verifying whether the essential requirements set out in Annex I have been fulfilled
Source: Article 3(28) of Cyber Resilience Act (draft 2022)
Conformity Assessment
The process of demonstrating whether the requirements set out in Chapter III, Section 2 relating to a High-Risk AI System have been fulfilled.
Source: Article 3(20) of the EU AI Act
Conformity Assessment Body
A body defined in Article 2(13) of Regulation (EU) No 765/2008
Source: Article 3(29) of Cyber Resilience Act (draft 2022)
Conformity Assessment Body
A body that performs third-party Conformity Assessment activities, including testing, certification and inspection.
Source: Article 3(21) of the EU AI Act
Connected Product
An item that obtains, generates or collects data concerning its use or environment and that is able to communicate product data via an electronic communications service, physical connection or on-device access, and whose primary function is not the storing, processing or transmission of data on behalf of any party other than the user
Source: Article 2(5) of the EU Regulation on harmonised rules on fair access to and use of data and amending Regulation (EU) 2017/2394 and Directive (EU) 2020/1828 (Data Act)
Consent
Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
Source: Regulation 2016/679 (GDPR)
Consumer
Any natural person who is acting for purposes which are outside that person’s trade, business, craft or profession
Source: Article 2(23) of the EU Regulation on harmonised rules on fair access to and use of data and amending Regulation (EU) 2017/2394 and Directive (EU) 2020/1828 (Data Act)
Content Delivery Network
A network of geographically distributed servers for the purpose of ensuring high availability, accessibility or fast delivery of digital content and services to internet users on behalf of content and service providers.
Source: Directive 2022/2555 (NIS2)
Controller
The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
Source: Regulation 2016/679 (GDPR)
Cookies
A small text file stored on a client machine that may later be retrieved by a web server from the machine. Cookies allow web servers to keep track of the end user’s browser activities, and connect individual web requests into a session. Cookies can also be used to prevent users from having to be authorized for every password protected page they access during a session by recording that they have successfully supplied their username and password already.
Cookies may be referred to as:
- "first-party" -- if they are placed by the website that is visited;
- "third-party" -- if they are placed by a party other than the visited website;
- "session cookies" -- if they are deleted when a session ends; or
- "persistent cookies" -- if they remain longer.
Core Platform Service
means any of the following:
(a) online intermediation services;
(b) online search engines;
(c) online social networking services;
(d) video-sharing platform services;
(e) number-independent interpersonal communications services;
(f) operating systems;
(g) web browsers;
(h) virtual assistants;
(i) cloud computing services;
(j) online advertising services, including any advertising networks, advertising exchanges and any other advertising intermediation services, provided by an undertaking that provides any of the core platform services listed in points (a) to (i).
Source: Regulation (EU) 2022/1925 (Digital Markets Act)
Cross-Border Processing
(a) processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or
(b) processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.
Source: Regulation 2016/679 (GDPR)
Customer
A natural or legal person that has entered into a contractual relationship with a provider of data processing services with the objective of using one or more data processing services
Source: Article 2(30) of the EU Regulation on harmonised rules on fair access to and use of data and amending Regulation (EU) 2017/2394 and Directive (EU) 2020/1828 (Data Act)
Cyber Threat
Any potential circumstance, event or action that could damage, disrupt or otherwise adversely impact network and information systems, the users of such systems and other persons.
Source: Regulation (EU) 2019/881 (Cybersecurity Act), as quoted in NIS2
Cybersecurity Act
Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act)
Data
Any digital representation of acts, facts or information and any compilation of such acts, facts or information, including in the form of sound, visual or audiovisual recording.
Source: Regulation (EU) 2022/1925 (Digital Markets Act), Article 2(1) of the EU Regulation on harmonised rules on fair access to and use of data and amending Regulation (EU) 2017/2394 and Directive (EU) 2020/1828 (Data Act)
Data Centre Service
A service that encompasses structures, or groups of structures, dedicated to the centralised accommodation, interconnection and operation of IT and network equipment providing data storage, processing and transport services together with all the facilities and infrastructures for power distribution and environmental control.
Source: Regulation (EU) 2019/881 (Cybersecurity Act), as quoted in NIS2
Health Data
Personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.
Source: Regulation 2016/679 (GDPR)
Data Concerning Health
Personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.
Source: Regulation 2016/679 (GDPR)
Data Egress Charges
Data transfer fees charged to customers for extracting their data through the network from the ICT infrastructure of a provider of data processing services to the system of a different provider or to on-premises ICT infrastructure
Source: Article 2(35) of the EU Regulation on harmonised rules on fair access to and use of data and amending Regulation (EU) 2017/2394 and Directive (EU) 2020/1828 (Data Act)
Data Holder
A natural or legal person that has the right or obligation, in accordance with this Regulation, applicable Union law or national legislation adopted in accordance with Union law, to use and make available data, including, where contractually agreed, product data or related service data which it has retrieved or generated during the provision of a related service
Source: Article 2(13) of the EU Regulation on harmonised rules on fair access to and use of data and amending Regulation (EU) 2017/2394 and Directive (EU) 2020/1828 (Data Act)
Data Intermediation Service
Data intermediation service as defined in Article 2, point (11), of Regulation (EU) 2022/868 (Data Governance Act).
Source: Article 2(10) of the EU Regulation on harmonised rules on fair access to and use of data and amending Regulation (EU) 2017/2394 and Directive (EU) 2020/1828 (Data Act)
Data Processing Service
A digital service that is provided to a customer and that enables ubiquitous and on-demand network access to a shared pool of configurable, scalable and elastic computing resources of a centralised, distributed or highly distributed nature that can be rapidly provisioned and released with minimal management effort or service provider interaction
Source: Article 2(8) of the EU Regulation on harmonised rules on fair access to and use of data and amending Regulation (EU) 2017/2394 and Directive (EU) 2020/1828 (Data Act)
Data Protection Impact Assessment
Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks.
A data protection impact assessment referred to in paragraph 1 shall in particular be required in the case of:
- a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;
- processing on a large scale of special categories of data referred to in Article 9(1)(...)
DPIA
Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks.
A data protection impact assessment referred to in paragraph 1 shall in particular be required in the case of:
- a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;
- processing on a large scale of special categories of data referred to in Article 9(1)(...)
Data Recipient
A natural or legal person, acting for purposes which are related to that person’s trade, business, craft or profession, other than the user of a connected product or related service, to whom the data holder makes data available, including a third party following a request by the user to the data holder or in accordance with a legal obligation under Union law or national legislation adopted in accordance with Union law
Source: Article 2(14) of the EU Regulation on harmonised rules on fair access to and use of data and amending Regulation (EU) 2017/2394 and Directive (EU) 2020/1828 (Data Act)
Data Subject
An identified or identifiable (living) natural person.
Source: Regulation 2016/679 (GDPR)
Deep Fake
AI-generated or manipulated image, audio or video content that resembles existing persons, objects, places, entities or events and would falsely appear to a person to be authentic or truthful.
Source: Article 3(60) of the EU AI Act
Deployer
Any natural or legal person, public authority, agency or other body using an AI System under its authority except where the AI System is used in the course of a personal non-professional activity.
Source: Article 3(4) of the EU AI Act
Digital Assets
Elements in digital form, including applications, for which the customer has the right of use, independently from the contractual relationship with the data processing service it intends to switch from
Source: Article 2(32) of the EU Regulation on harmonised rules on fair access to and use of data and amending Regulation (EU) 2017/2394 and Directive (EU) 2020/1828 (Data Act)
DMA
Regulation (EU) 2022/1925 of the European Parliament and of the Council of 14 September 2022 on contestable and fair markets in the digital sector and amending Directives (EU) 2019/1937 and (EU) 2020/1828
Digital Markets Act
Regulation (EU) 2022/1925 of the European Parliament and of the Council of 14 September 2022 on contestable and fair markets in the digital sector and amending Directives (EU) 2019/1937 and (EU) 2020/1828
Digital Sector
The sector of products and services provided by means of, or through, information society services.
Source: Regulation (EU) 2022/1925 (Digital Markets Act)
Digital Service
Any Information Society service, that is to say, any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services. For the purposes of this definition:
i. "at a distance" means that the service is provided without the parties being simultaneously present;
ii. "by electronic means" means that the service is sent initially and received at its destination by means of electronic equipment for the processing (including digital compression) and storage of data, and entirely transmitted, conveyed and received by wire, by radio, by optical means or by other electromagnetic means;
iii. "at the individual request of a recipient of services" means that the service is provided through the transmission of data on individual request.
Source: Article 1(1)(b) of Directive (EU) 2015/1535, as quoted by NIS2
Distributor
Any natural or legal person in the supply chain, other than the manufacturer or the importer, that makes a product with digital elements available on the Union market without affecting its properties
Source: Article 3(21) of Cyber Resilience Act (draft 2022)
Distributor
A natural or legal person in the supply chain, other than the Provider or the Importer, that Makes an AI System Available on the Union market.
Source: Article 3(7) of the EU AI Act
DNS Service Provider
An entity that provides:
a) Publicly available recursive domain name resolution services for internet end-users; or
b) Authoritative domain name resolution services for third-party use, with the exception of root nameservers.
Source: NIS2
Domain Name System
A hierarchical distributed naming system which enables the identification of internet services and resources, allowing end-user devices to use internet routing and connectivity services to reach those services and resources.
Source: Directive 2022/2555 (NIS2)
DNS
A hierarchical distributed naming system which enables the identification of internet services and resources, allowing end-user devices to use internet routing and connectivity services to reach those services and resources.
Source: Directive 2022/2555 (NIS2)
Downstream Provider
A Provider of an AI System, including a General-Purpose AI System, which integrates an AI Model, regardless of whether the AI Model is provided by themselves and vertically integrated or provided by another entity based on contractual relations.
Source: Article 3(68) of the EU AI Act
eIDAS
Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC.
Electronic Communications Service
A service normally provided for remuneration via electronic communications networks, which encompasses, with the exception of services providing, or exercising editorial control over, content transmitted using electronic communications networks and services, the following types of services:
a) ‘internet access service’, which means a publicly available electronic communications service that provides access to the internet, and thereby connectivity to virtually all end points of the internet, irrespective of the network technology and terminal equipment used (Article 2, second paragraph, point (2) of Regulation (EU) 2015/2120);
b) interpersonal communications service; and
c) services consisting wholly or mainly in the conveyance of signals such as transmission services used for the provision of machine-to-machine services and for broadcasting.
Source: Article 2(4) of Directive (EU) 2018/1972, as quoted in NIS2
Electronic Information System
Any system, including electrical or electronic equipment, capable of processing, storing or transmitting digital data
Source: Article 3(9) of Cyber Resilience Act (draft 2022)
Elevated Privilege
An access right granted to particular users or programmes to perform an extended set of security-relevant operations within an electronic information system that, if misused or compromised, could allow a malicious actor to gain wider access to the resources of a system or organisation
Source: Article 3(14) of Cyber Resilience Act (draft 2022)
Emotion Recognition System
An AI System for the purpose of identifying or inferring emotions or intentions of natural persons on the basis of their Biometric Data
Source: Article 3(39) of the EU AI Act
End Users
Any natural or legal person using core platform services other than as a business user.
Source: Regulation (EU) 2022/1925 (Digital Markets Act)
Endpoint
Any device that is connected to a network and serves as an entry point to that network
Source: Article 3(15) of Cyber Resilience Act (draft 2022)
Enterprise
A natural or legal person that, in relation to contracts and practices covered by this Regulation, is acting for purposes which are related to that person’s trade, business, craft or profession
Source: Article 2(24) of the EU Regulation on harmonised rules on fair access to and use of data and amending Regulation (EU) 2017/2394 and Directive (EU) 2020/1828 (Data Act)
Entity (NIS2)
A natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations.
Source: Directive 2022/2555 (NIS2)
Exportable Data
For the purpose of Articles 23 to 31 and Article 35, means the input and output data, including metadata, directly or indirectly generated, or cogenerated, by the customer’s use of the data processing service, excluding any assets or data protected by intellectual property rights, or constituting a trade secret, of providers of data processing services or third parties
Source: Article 2(38) of the EU Regulation on harmonised rules on fair access to and use of data and amending Regulation (EU) 2017/2394 and Directive (EU) 2020/1828 (Data Act)
Floating-Point Operation
Any mathematical operation or assignment involving floating-point numbers, which are a subset of the real numbers typically represented on computers by an integer of fixed precision scaled by an integer exponent of a fixed base.
Source: Article 3(67) of the EU AI Act
Functional Equivalence
Re-establishing on the basis of the customer’s exportable data and digital assets, a minimum level of functionality in the environment of a new data processing service of the same service type after the switching process, where the destination data processing service delivers a materially comparable outcome in response to the same input for shared features supplied to the customer under the contract
Source: Article 2(37) of the EU Regulation on harmonised rules on fair access to and use of data and amending Regulation (EU) 2017/2394 and Directive (EU) 2020/1828 (Data Act)
GDPR
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance).
General Data Protection Regulation
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance).
General-Purpose AI Model
An AI Model, including where such an AI Model is trained with a large amount of data using self-supervision at scale, that displays significant generality and is capable of competently performing a wide range of distinct tasks regardless of the way the model is Placed on the Market and that can be integrated into a variety of downstream systems or applications, except AI Models that are used for research, development or prototyping activities before they are Placed on the Market.
Source: Article 3(63) of the EU AI Act
Genetic Data
Personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question.
Source: Regulation 2016/679 (GDPR)
Harmonised Standard
A harmonised standard as defined in Article 2, point (1)(c), of Regulation (EU) No 1025/2012;
Source: Article 3(34) of Cyber Resilience Act (draft 2022)
Harmonised Standard
A harmonised standard as defined in Article 2, point (1)(c), of Regulation (EU) No 1025/2012
Source: Article 2(43) of the EU Regulation on harmonised rules on fair access to and use of data and amending Regulation (EU) 2017/2394 and Directive (EU) 2020/1828 (Data Act)
Harmonised Standard
A harmonised standard as defined in Article 2(1)(c) of Regulation (EU) No 1025/2012.
Source: Article 3(27) of the EU AI Act
#EUAIActDefinitions
ICT Process
A set of activities performed to design, develop, deliver or maintain an ICT product or ICT service
Source: Article 2(14) of Regulation (EU) 2019/881 (Cybersecurity Act), as quoted by NIS 2
glossary
ICT Product
An element or a group of elements of a network or information system
Source: Article 2(12) of Regulation (EU) 2019/881 (Cybersecurity Act), as quoted by NIS 2
glossary
Identification Service
A type of service provided together with or in support of core platform services that enables any type of verification of the identity of end users or business users, regardless of the technology used.
Source: Regulation (EU) 2022/1925 (Digital Markets Act)
Importer
Any natural or legal person established in the Union who places on the market a product with digital elements that bears the name or trademark of a natural or legal person established outside the Union
Source: Article 3(20) of Cyber Resilience Act (draft 2022)
Importer
A natural or legal person located or established in the Union that places on the market an AI System that bears the name or trademark of a natural or legal person established in a third country.
Source: Article 3(6) of the EU AI Act
#EUAIActDefinitions
Incident
An event compromising the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, network and information systems.
Source: Directive 2022/2555 (NIS2)
glossary
Incident Handling
Any actions and procedures aiming to prevent, detect, analyse, and contain or to respond to and recover from an incident.
Source: Directive 2022/2555 (NIS2)
glossary
A connection to a device or network, which does not take place directly but rather as part of a larger system that is directly connectable to such device or network
Source: Article 3(12) of Cyber Resilience Act (draft 2022)
Informed Consent
A subject’s freely given, specific, unambiguous and voluntary expression of his or her willingness to participate in a particular Testing in Real-World Conditions, after having been informed of all aspects of the testing that are relevant to the subject’s decision to participate.
Source: Article 3(59) of the EU AI Act
#EUAIActDefinitions
Input Data
Data provided to or directly acquired by an AI System on the basis of which the system produces an output.
Source: Article 3(33) of the EU AI Act
#EUAIActDefinitions
Intended Purpose
The use for which a product with digital elements is intended by the manufacturer, including the specific context and conditions of use, as specified in the information supplied by the manufacturer in the instructions for use, promotional or sales materials and statements, as well as in the technical documentation
Source: Article 3(24) of Cyber Resilience Act (draft 2022)
Intended Purpose
The use for which an AI System is intended by the Provider, including the specific context and conditions of use, as specified in the information supplied by the Provider in the Instructions for Use, promotional or sales materials and statements, as well as in the technical documentation.
Source: Article 3(12) of the EU AI Act
#EUAIActDefinitions
Internet Exchange Point
A network facility which enables the interconnection of more than two independent networks (autonomous systems), primarily for the purpose of facilitating the exchange of internet traffic, which provides interconnection only for autonomous systems and which neither requires the internet traffic passing between any pair of participating autonomous systems to pass through any third autonomous system nor alters or otherwise interferes with such traffic.
Source: Directive 2022/2555 (NIS2)
glossary
Interoperability
The ability to exchange information and mutually use the information which has been exchanged through interfaces or other solutions, so that all elements of hardware or software work with other hardware and software and with users in all the ways in which they are intended to function.
Source: Regulation (EU) 2022/1925 (Digital Markets Act)
The ability of two or more data spaces or communication networks, systems, connected products, applications, data processing services or components to exchange and use data in order to perform their functions
Source: Article 2(40) of the EU Regulation on harmonised rules on fair access to and use of data and amending Regulation (EU) 2017/2394 and Directive (EU) 2020/1828 (Data Act)
Large-Scale Cybersecurity Incident
An incident which causes a level of disruption that exceeds a Member State’s capacity to respond to it or which has a significant impact on at least two Member States.
Source: Directive 2022/2555 (NIS2)
glossary
Law Enforcement
Activities carried out by law enforcement authorities or on their behalf for the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.
Source: Article 3(46) of the EU AI Act
#EUAIActDefinitions
Law Enforcement Authority
(a) any public authority competent for the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security; or
(b) any other body or entity entrusted by Member State law to exercise public authority and public powers for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.
Source: Article 3(45) of the EU AI Act
#EUAIActDefinition
Logical Connection
A virtual representation of a data connection implemented through a software interface
Source: Article 3(10) of Cyber Resilience Act (draft 2022)
Making Available on the Market
Any supply of an AI System or a General Purpose AI Model for distribution or use on the Union market in the course of a commercial activity, whether in return for payment or free of charge.
Source: Article 3(10) of the EU AI Act
#EUAIActDefinitions
Any supply of a product with digital elements for distribution or use on the Union market in the course of a commercial activity, whether in return for payment or free of charge
Source: Article 3(23) of Cyber Resilience Act (draft 2022)
Any supply of a connected product for distribution, consumption or use on the Union market in the course of a commercial activity, whether in return for payment or free of charge
Source: Article 2(21) of the EU Regulation on harmonised rules on fair access to and use of data and amending Regulation (EU) 2017/2394 and Directive (EU) 2020/1828 (Data Act)
Managed Service Provider
An entity that provides services related to the installation, management, operation or maintenance of ICT products, networks, infrastructure, applications or any other network and information systems, via assistance or active administration carried out either on customers’ premises or remotely.
Source: Directive 2022/2555 (NIS2)
glossary
Manufacturer
Any natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under his or her name or trademark, whether for payment or free of charge
Source: Article 3(18) of Cyber Resilience Act (draft 2022)
Market Surveillance Authority
The national authority carrying out the activities and taking the measures pursuant to Regulation (EU) 2019/1020.
Source: Article 3(26) of the EU AI Act
#EUAIActDefinitions
The authority as defined in Article 3, point (4) of Regulation (EU) 2019/1020
Source: Article 3(33) of Cyber Resilience Act (draft 2022)
Metadata
A structured description of the contents or the use of data facilitating the discovery or use of that data
Source: Article 2(2) of the EU Regulation on harmonised rules on fair access to and use of data and amending Regulation (EU) 2017/2394 and Directive (EU) 2020/1828 (Data Act)
National Cybersecurity Strategy
Coherent framework of a Member State providing strategic objectives and priorities in the area of cybersecurity and the governance to achieve them in that Member State.
Source: Directive 2022/2555 (NIS2)
glossary
Near Miss
An event that could have compromised the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, network and information systems, but that was successfully prevented from materialising or that did not materialise.
Source: Directive 2022/2555 (NIS2)
glossary
Network and Information System
a) An electronic communications network, which means transmission systems, whether or not based on a permanent infrastructure or centralised administration capacity, and, where applicable, switching or routing equipment and other resources, including network elements which are not active, which permit the conveyance of signals by wire, radio, optical or other electromagnetic means, including satellite networks, fixed (circuit- and packet-switched, including internet) and mobile networks, electricity cable systems, to the extent that they are used for the purpose of transmitting signals, networks used for radio and television broadcasting, and cable television networks, irrespective of the type of information conveyed (Article 2(1) of Directive (EU) 2018/1972);
b) Any device or group of interconnected or related devices, one or more of which, pursuant to a programme, carry out automatic processing of digital data; or
c) Digital data stored, processed, retrieved or transmitted by (...)
Networking or Computing Resources
Data or hardware or software functionality that is accessible either locally or through a network or another connected device
Source: Article 3(16) of Cyber Resilience Act (draft 2022)
NIS2
Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148
Non-Personal Data
Data other than personal data.
Source: Article 2(4) of the EU Regulation on harmonised rules on fair access to and use of data and amending Regulation (EU) 2017/2394 and Directive (EU) 2020/1828 (Data Act)
Also used: Article 3(51) of the EU AI Act
#EUAIActDefinitions
Notified Body
A conformity assessment body designated in accordance with Article 33 of this Regulation and other relevant Union harmonisation legislation
Source: Article 3(30) of Cyber Resilience Act (draft 2022)
Notified Body
A Conformity Assessment Body notified in accordance with this Regulation and other relevant Union harmonisation legislation.
Source: Article 3(22) of the EU AI Act
#EUAIActDefinitions
Notifying Authority
The national authority responsible for setting up and carrying out the necessary procedures for the assessment, designation and notification of conformity assessment bodies and for their monitoring
Source: Article 3(27) of Cyber Resilience Act (draft 2022)
Notifying Authority
The national authority responsible for setting up and carrying out the necessary procedures for the assessment, designation and notification of Conformity Assessment Bodies and for their monitoring.
Source: Article 3(19) of the EU AI Act
#EUAIActDefinitions
On-Premises ICT Infrastructure
ICT infrastructure and computing resources owned, rented or leased by the customer, located in the data centre of the customer itself and operated by the customer or by a third-party
Source: Article 2(33) of the EU Regulation on harmonised rules on fair access to and use of data and amending Regulation (EU) 2017/2394 and Directive (EU) 2020/1828 (Data Act)
Online Marketplace
A service using software, including a website, part of a website or an application, operated by or on behalf of a trader which allows consumers to conclude distance contracts with other traders or consumers.
Source: Article 2(n) of Directive 2005/29/EC
Online Search Engine
A digital service that allows users to input queries in order to perform searches of, in principle, all websites, or all websites in a particular language, on the basis of a query on any subject in the form of a keyword, voice request, phrase or other input, and returns results in any format in which information related to the requested content can be found.
Source: Article 2(5) of Regulation (EU) 2019/1150
Online Social Networking Service
A platform that enables end users to connect and communicate with each other, share content and discover other users and content across multiple devices and, in particular, via chats, posts, videos and recommendations.
Source: Regulation (EU) 2022/1925 (Digital Markets Act)