Glossary

  • The implementation of appropriate technical and organisational measures to ensure and be able to demonstrate that the handling of personal data is performed in accordance with relevant law, an idea codified in the GDPR and other frameworks, including APEC's Cross Border Privacy Rules. Traditionally, accountability has been a fair information practices principle, that due diligence and reasonable steps will be undertaken to ensure that personal information will be protected and handled consistently with relevant law and other fair use principles.
  • Organizations must take every reasonable step to ensure the data processed is accurate and, where necessary, kept up to date. Reasonable measures should be understood as implementing processes to prevent inaccuracies during the data collection process as well as during the ongoing data processing in relation to the specific use for which the data is processed. The organization must consider the type of data and the specific purposes to maintain the accuracy of personal data in relation to the purpose. Accuracy also embodies the responsibility to respond to data subject requests to correct records that contain incomplete information or misinformation.
  • When an end user deliberately provides information, typically through the use of web forms, text boxes, check boxes or radio buttons.
  • A vulnerability for which there is reliable evidence that execution of malicious code was performed by an actor on a system without permission of the system owner Source: Article 3(39) of Cyber Resilience Act (draft 2022)
  • A transfer of personal data from the European Union to a third country or an international organisation may take place where the European Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question, ensures an adequate level of protection by taking into account the following elements: the rule of law, respect for human rights and fundamental freedoms, both general and sectoral legislation, data protection rules, professional rules and security measures, effective and enforceable data subject rights and effective administrative and judicial redress for the data subjects whose personal data is being transferred, the existence and effective functioning of independent supervisory authorities with responsibility for ensuring and enforcing compliance with the data protection rules, the international commitments the third country or international organisation concerned has entered(...)
  • Skills, knowledge and understanding that allow Providers, Deployers and affected persons, taking into account their respective rights and obligations in the context of this Regulation, to make an informed deployment of AI Systems, as well as to gain awareness about the opportunities and Risks of AI and possible harm it can cause Source: Article 3(56) of the EU AI Act #EUAIActDefinitions
  • The Commission’s function of contributing to the implementation, monitoring and supervision of AI Systems and General-Purpose AI Models and AI governance provided in Commission Decision of 24 January 2024; references in this Regulation to the AI Office shall be construed as references to the Commission Source: Article 3(47) of the EU AI Act #EUAIActDefinitions
  • A controlled framework set up by a Competent Authority which offers Providers or prospective Providers of AI Systems the possibility to develop, train, validate and test, where appropriate in Real-World Conditions, an innovative AI System, pursuant to a Sandbox Plan for a limited time under regulatory supervision. Source: Article 3(55) of the EU AI Act #EUAIActDefinitions
  • A machine-based system that is designed to operate with varying levels of autonomy and that may exhibit adaptiveness after deployment and that, for explicit or implicit objectives, infers, from the input it receives, how to generate outputs such as predictions, content, recommendations, or decisions that can influence physical or virtual environments. Source: Article 3(1) of the EU AI Act #EUAIActDefinitions
  • The process in which personal data is altered in such a way that it no longer can be related back to a given individual through an irreversible process. Among many techniques, there are three primary ways that data is anonymized: - Suppression is the most basic version of anonymization and it simply removes some identifying values from data to reduce its identifiability. - Generalization (cohort) takes specific identifying values and makes them broader, such as changing a specific age (18) to an age range (18-24). - Noise addition (salting) takes identifying values from a given data set and switches them with identifying values from another individual in that data set.
  • GDPR refers to appropriate safeguards in a number of contexts, including: - the transfer of personal data to third countries outside the European Union; - the processing of special categories of data; and - the processing of personal data in a law enforcement context. This generally refers to the application of the general data protection principles, in particular purpose limitation, data minimisation, limited storage periods, data quality, data protection by design and by default, legal basis for processing, processing of special categories of personal data, measures to ensure data security, and the requirements in respect of onward transfers to bodies not bound by the binding corporate rules. This may also refer to the use of encryption or pseudonymization, standard data protection clauses adopted by the European Commission, contractual clauses authorized by a supervisory authority, or certification schemes or codes of conduct authorized by the Commission or a(...)
  • Any natural or legal person established within the Union who has received a written mandate from a manufacturer to act on his or her behalf in relation to specified tasks Source: Article 3(19) of Cyber Resilience Act (draft 2022) Any natural or legal person located or established in the Union who has received and accepted a written mandate from a provider of an AI System or a General-Purpose AI Model to, respectively, perform and carry out on its behalf the obligations and procedures established by this Regulation Source: Article 3(5) of the EU AI Act #EUAIActDefinitions
  • Data is "available" if it is accessible when needed by the organization or data subject. GDPR requires that an organization be able to ensure the availability of personal data and have the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident. Lack of availability of the personal data may constitute a personal data breach.
  • Personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity. Acronym: BCR Source: Regulation 2016/679 (GDPR) glossary
  • An AI System for the purpose of assigning natural persons to specific categories on the basis of their Biometric Data, unless it is ancillary to another commercial service and strictly necessary for objective technical reasons Source: Article 3(40) of the EU AI Act #EUAIActDefinitions
  • Personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data. Should be considered as a special category of data only where it allows for such unique identification of a data subject.
  • Personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, such as facial images or dactyloscopic data. Source: Article 3(34) of the EU AI Act #EUAIActDefinitions
  • The automated recognition of physical, physiological, behavioural, or psychological human features for the purpose of establishing the identity of a natural person by comparing Biometric Data of that individual to Biometric Data of individuals stored in a database Source: Article 3(35) of the EU AI Act #EUAIActDefinitions
  • The automated, one-to-one verification, including authentication, of the identity of natural persons by comparing their Biometric Data to previously provided Biometric Data; Source: Article 3(36) of the EU AI Act #EUAIActDefinitions
  • A marking by which a manufacturer indicates that a product with digital elements and the processes put in place by the manufacturer are in conformity with the essential requirements set out in Annex I and other applicable Union legislation harmonising the conditions for the marketing of products (‘Union harmonisation legislation’) providing for its affixing Source: Article 3(32) of Cyber Resilience Act (draft 2022)
  • CE marking - A marking by which a Provider indicates that an AI System is in conformity with the requirements set out in Chapter III, Section 2 and other applicable Union harmonisation legislation providing for its affixing. Source: Article 3(24) of the EU AI Act #EUAIActDefinitions
  • A digital service that enables on-demand administration and broad remote access to a scalable and elastic pool of shareable computing resources, including where such resources are distributed across several locations Source: Directive 2022/2555 (NIS2)
  • Introduced by GDPR, codes of conduct are a new valid adequacy mechanism for the transfer of personal data outside of the European Union in the absence of an adequacy decision and instead of other mechanisms such as binding corporate rules or contractual clauses. Codes of conduct must be developed by industry trade groups, associations or other bodies representing categories of controllers or processors. They must be approved by supervisory authorities or the European Data Protection Board, and have a methodology for auditing compliance. Similar to binding corporate rules, they compel organizations to be able to demonstrate their compliance with all aspects of applicable data protection legislation. Source: Article 40 GDPR.
  • A set of technical specifications as defined in Article 2, point (4) of Regulation (EU) No 1025/2012, providing means to comply with certain requirements established under this Regulation. Source: Article 3(28) of the EU AI Act #EUAIActDefinitions
  • A document, other than a standard, containing technical solutions providing a means to comply with certain requirements and obligations established under this Regulation Source: Article 2(42) of the EU Regulation on harmonised rules on fair access to and use of data and amending Regulation (EU) 2017/2394 and Directive (EU) 2020/1828 (Data Act)
  • Software or hardware intended for integration into an electronic information system Source: Article 3(8) of Cyber Resilience Act (draft 2022)
  • The process of verifying whether the essential requirements set out in Annex I have been fulfilled Source: Article 3(28) of Cyber Resilience Act (draft 2022)
  • The process of demonstrating whether the requirements set out in Chapter III, Section 2 relating to a High-Risk AI System have been fulfilled. Source: Article 3(20) of the EU AI Act #EUAIActDefinitions
  • A body defined in Article 2(13) of Regulation (EU) No 765/2008 Source: Article 3(29) of Cyber Resilience Act (draft 2022)
  • A body that performs third-party Conformity Assessment activities, including testing, certification and inspection. Source: Article 3(21) of the EU AI Act #EUAIActDefinitions
  • An item that obtains, generates or collects data concerning its use or environment and that is able to communicate product data via an electronic communications service, physical connection or on-device access, and whose primary function is not the storing, processing or transmission of data on behalf of any party other than the user Source: Article 2(5) of the EU Regulation on harmonised rules on fair access to and use of data and amending Regulation (EU) 2017/2394 and Directive (EU) 2020/1828 (Data Act)
  • Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. Source: Regulation 2016/679 (GDPR)
  • Any natural person who is acting for purposes which are outside that person’s trade, business, craft or profession Source: Article 2(23) of the EU Regulation on harmonised rules on fair access to and use of data and amending Regulation (EU) 2017/2394 and Directive (EU) 2020/1828 (Data Act)
  • A network of geographically distributed servers for the purpose of ensuring high availability, accessibility or fast delivery of digital content and services to internet users on behalf of content and service providers. Source: Directive 2022/2555 (NIS2)
  • The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law. Source: Regulation 2016/679 (GDPR)
  • A small text file stored on a client machine that may later be retrieved by a web server from the machine. Cookies allow web servers to keep track of the end user’s browser activities, and connect individual web requests into a session. Cookies can also be used to prevent users from having to be authorized for every password protected page they access during a session by recording that they have successfully supplied their username and password already. Cookies may be referred to as: - "first-party" -- if they are placed by the website that is visited; - "third-party" -- if they are placed by a party other than the visited website; - "session cookies" -- if they are deleted when a session ends; or - "persistent cookies" -- if they remain longer.
  • means any of the following: (a) online intermediation services; (b) online search engines; (c) online social networking services; (d) video-sharing platform services; (e) number-independent interpersonal communications services; (f) operating systems; (g) web browsers; (h) virtual assistants; (i) cloud computing services; (j) online advertising services, including any advertising networks, advertising exchanges and any other advertising intermediation services, provided by an undertaking that provides any of the core platform services listed in points (a) to (i). Source: Regulation (EU) 2022/1925 (Digital Markets Act)
  • Critical infrastructure as defined in Article 2, point (4), of Directive (EU) 2022/2557 Source: Article 3(62) of the EU AI Act #EUAIActDefinitions
  • A product with digital elements that presents a cybersecurity risk in accordance with the criteria laid down in Article 6(2) and whose core functionality is set out in Annex III Source: Article 3(3) of Cyber Resilience Act (draft 2022)
  • (a) processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or (b) processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State. Source: Regulation 2016/679 (GDPR)
  • A natural or legal person that has entered into a contractual relationship with a provider of data processing services with the objective of using one or more data processing services Source: Article 2(30) of the EU Regulation on harmonised rules on fair access to and use of data and amending Regulation (EU) 2017/2394 and Directive (EU) 2020/1828 (Data Act)
  • Any potential circumstance, event or action that could damage, disrupt or otherwise adversely impact network and information systems, the users of such systems and other persons. Source: Regulation (EU) 2019/881 (Cybersecurity Act), as quoted in NIS2
  • The activities necessary to protect network and information systems, the users of such systems, and other persons affected by cyber threats. Source: Regulation (EU) 2019/881 (Cybersecurity Act), as quoted in NIS2
  • Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act)
  • Any digital representation of acts, facts or information and any compilation of such acts, facts or information, including in the form of sound, visual or audiovisual recording. Source: Regulation (EU) 2022/1925 (Digital Markets Act), Article 2(1) of the EU Regulation on harmonised rules on fair access to and use of data and amending Regulation (EU) 2017/2394 and Directive (EU) 2020/1828 (Data Act)
  • A service that encompasses structures, or groups of structures, dedicated to the centralised accommodation, interconnection and operation of IT and network equipment providing data storage, processing and transport services together with all the facilities and infrastructures for power distribution and environmental control. Source: Regulation (EU) 2019/881 (Cybersecurity Act), as quoted in NIS2
  • Personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status. Source: Regulation 2016/679 (GDPR)
  • Data transfer fees charged to customers for extracting their data through the network from the ICT infrastructure of a provider of data processing services to the system of a different provider or to on-premises ICT infrastructure Source: Article 2(35) of the EU Regulation on harmonised rules on fair access to and use of data and amending Regulation (EU) 2017/2394 and Directive (EU) 2020/1828 (Data Act)
  • A natural or legal person that has the right or obligation, in accordance with this Regulation, applicable Union law or national legislation adopted in accordance with Union law, to use and make available data, including, where contractually agreed, product data or related service data which it has retrieved or generated during the provision of a related service Source: Article 2(13) of the EU Regulation on harmonised rules on fair access to and use of data and amending Regulation (EU) 2017/2394 and Directive (EU) 2020/1828 (Data Act)
  • Data intermediation service as defined in Article 2, point (11), of Regulation (EU) 2022/868 (Data Governance Act). Source: Article 2(10) of the EU Regulation on harmonised rules on fair access to and use of data and amending Regulation (EU) 2017/2394 and Directive (EU) 2020/1828 (Data Act)
  • A digital service that is provided to a customer and that enables ubiquitous and on-demand network access to a shared pool of configurable, scalable and elastic computing resources of a centralised, distributed or highly distributed nature that can be rapidly provisioned and released with minimal management effort or service provider interaction Source: Article 2(8) of the EU Regulation on harmonised rules on fair access to and use of data and amending Regulation (EU) 2017/2394 and Directive (EU) 2020/1828 (Data Act)
  • Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks. A data protection impact assessment referred to in paragraph 1 shall in particular be required in the case of: - a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person; - processing on a large scale of special categories of data referred to in Article 9(1)(...)
  • A natural or legal person, acting for purposes which are related to that person’s trade, business, craft or profession, other than the user of a connected product or related service, to whom the data holder makes data available, including a third party following a request by the user to the data holder or in accordance with a legal obligation under Union law or national legislation adopted in accordance with Union law Source: Article 2(14) of the EU Regulation on harmonised rules on fair access to and use of data and amending Regulation (EU) 2017/2394 and Directive (EU) 2020/1828 (Data Act)
  • An identified or identifiable (living) natural person. Source: Regulation 2016/679 (GDPR)
  • AI-generated or manipulated image, audio or video content that resembles existing persons, objects, places, entities or events and would falsely appear to a person to be authentic or truthful. Source: Article 3(60) of the EU AI Act #EUAIActDefinitions
  • Any natural or legal person, public authority, agency or other body using an AI System under its authority except where the AI System is used in the course of a personal non-professional activity. Source: Article 3(4) of the EU AI Act #EUAIActDefinitions
  • Elements in digital form, including applications, for which the customer has the right of use, independently from the contractual relationship with the data processing service it intends to switch from Source: Article 2(32) of the EU Regulation on harmonised rules on fair access to and use of data and amending Regulation (EU) 2017/2394 and Directive (EU) 2020/1828 (Data Act)
  • Regulation (EU) 2022/1925 of the European Parliament and of the Council of 14 September 2022 on contestable and fair markets in the digital sector and amending Directives (EU) 2019/1937 and (EU) 2020/1828
  • The sector of products and services provided by means of, or through, information society services. Source: Regulation (EU) 2022/1925 (Digital Markets Act)
  • Any Information Society service, that is to say, any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services. For the purposes of this definition: i. "at a distance" means that the service is provided without the parties being simultaneously present; ii. "by electronic means" means that the service is sent initially and received at its destination by means of electronic equipment for the processing (including digital compression) and storage of data, and entirely transmitted, conveyed and received by wire, by radio, by optical means or by other electromagnetic means; iii. "at the individual request of a recipient of services" means that the service is provided through the transmission of data on individual request. Source: Article 1(1)(b) of Directive (EU) 2015/1535, as quoted by NIS2
  • Any natural or legal person in the supply chain, other than the manufacturer or the importer, that makes a product with digital elements available on the Union market without affecting its properties Source: Article 3(21) of Cyber Resilience Act (draft 2022)
  • A natural or legal person in the supply chain, other than the Provider or the Importer, that Makes an AI System Available on the Union market. Source: Article 3(7) of the EU AI Act #EUAIActDefinitions
  • An entity that provides: a) Publicly available recursive domain name resolution services for internet end-users; or b) Authoritative domain name resolution services for third-party use, with the exception of root nameservers. Source: NIS2
  • A hierarchical distributed naming system which enables the identification of internet services and resources, allowing end-user devices to use internet routing and connectivity services to reach those services and resources. Source: Directive 2022/2555 (NIS2)
  • A Provider of an AI System, including a General-Purpose AI System, which integrates an AI Model, regardless of whether the AI Model is provided by themselves and vertically integrated or provided by another entity based on contractual relations. Source: Article 3(68) of the EU AI Act #EUAIActDefinitions
  • The manufacturer, the authorised representative, the importer, the distributor, or any other natural or legal person who is subject to obligations laid down by this Regulation Source: Article 3(17) of Cyber Resilience Act (draft 2022)
  • Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC.
  • A service normally provided for remuneration via electronic communications networks, which encompasses, with the exception of services providing, or exercising editorial control over, content transmitted using electronic communications networks and services, the following types of services: a) ‘internet access service’, which means a publicly available electronic communications service that provides access to the internet, and thereby connectivity to virtually all end points of the internet, irrespective of the network technology and terminal equipment used (Article 2, second paragraph, point (2) of Regulation (EU) 2015/2120); b) interpersonal communications service; and c) services consisting wholly or mainly in the conveyance of signals such as transmission services used for the provision of machine-to-machine services and for broadcasting. Source: Article 2(4) of Directive (EU) 2018/1972, as quoted in NIS2
  • Any system, including electrical or electronic equipment, capable of processing, storing or transmitting digital data Source: Article 3(9) of Cyber Resilience Act (draft 2022)
  • An access right granted to particular users or programmes to perform an extended set of security-relevant operations within an electronic information system that, if misused or compromised, could allow a malicious actor to gain wider access to the resources of a system or organisation Source: Article 3(14) of Cyber Resilience Act (draft 2022)
  • An AI System for the purpose of identifying or inferring emotions or intentions of natural persons on the basis of their Biometric Data Source: Article 3(39) of the EU AI Act #EUAIActDefinitions
  • Any natural or legal person using core platform services other than as a business user. Source: Regulation (EU) 2022/1925 (Digital Markets Act)
  • Any device that is connected to a network and serves as an entry point to that network Source: Article 3(15) of Cyber Resilience Act (draft 2022)
  • A natural or legal person that, in relation to contracts and practices covered by this Regulation, is acting for purposes which are related to that person’s trade, business, craft or profession Source: Article 2(24) of the EU Regulation on harmonised rules on fair access to and use of data and amending Regulation (EU) 2017/2394 and Directive (EU) 2020/1828 (Data Act)
  • A natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations. Source: Directive 2022/2555 (NIS2)
  • A registrar or an agent acting on behalf of registrars, such as a privacy or proxy registration service provider or reseller. Source: Directive 2022/2555 (NIS2)
  • For the purpose of Articles 23 to 31 and Article 35, means the input and output data, including metadata, directly or indirectly generated, or cogenerated, by the customer’s use of the data processing service, excluding any assets or data protected by intellectual property rights, or constituting a trade secret, of providers of data processing services or third parties Source: Article 2(38) of the EU Regulation on harmonised rules on fair access to and use of data and amending Regulation (EU) 2017/2394 and Directive (EU) 2020/1828 (Data Act)
  • Any mathematical operation or assignment involving floating-point numbers, which are a subset of the real numbers typically represented on computers by an integer of fixed precision scaled by an integer exponent of a fixed base. Source: Article 3(67) of the EU AI Act #EUAIActDefinitions
  • Re-establishing on the basis of the customer’s exportable data and digital assets, a minimum level of functionality in the environment of a new data processing service of the same service type after the switching process, where the destination data processing service delivers a materially comparable outcome in response to the same input for shared features supplied to the customer under the contract Source: Article 2(37) of the EU Regulation on harmonised rules on fair access to and use of data and amending Regulation (EU) 2017/2394 and Directive (EU) 2020/1828 (Data Act)
  • An undertaking providing core platform services, designated pursuant to Article 3 DMA Source: Regulation (EU) 2022/1925 (Digital Markets Act)
  • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance). Go to the official publication Regulation (EU) 2016/679 glossary
  • An AI Model, including where such an AI Model is trained with a large amount of data using self-supervision at scale, that displays significant generality and is capable of competently performing a wide range of distinct tasks regardless of the way the model is Placed on the Market and that can be integrated into a variety of downstream systems or applications, except AI Models that are used for research, development or prototyping activities before they are Placed on the Market. Source: Article 3(63) of the EU AI Act #EUAIActDefinitions
  • An AI System which is based on a General-Purpose AI Model and which has the capability to serve a variety of purposes, both for direct use as well as for integration in other AI Systems. Source: Article 3(66) of the EU AI Act #EUAIActDefinitions
  • Personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question. Source: Regulation 2016/679 (GDPR) glossary
  • A physical electronic information system, or parts thereof capable of processing, storing or transmitting of digital data Source: Article 3(7) of Cyber Resilience Act (draft 2022)
  • A harmonised standard as defined in Article 2, point (1)(c), of Regulation (EU) No 1025/2012; Source: Article 3(34) of Cyber Resilience Act (draft 2022)
  • A harmonised standard as defined in Article 2, point (1)(c), of Regulation (EU) No 1025/2012 Source: Article 2(43) of the EU Regulation on harmonised rules on fair access to and use of data and amending Regulation (EU) 2017/2394 and Directive (EU) 2020/1828 (Data Act)
  • A harmonised standard as defined in Article 2(1)(c) of Regulation (EU) No 1025/2012. Source: Article 3(27) of the EU AI Act #EUAIActDefinitions
  • Capabilities that match or exceed the capabilities recorded in the most advanced General-Purpose AI Models. Source: Article 3(64) of the EU AI Act #EUAIActDefinitions
  • A product with digital elements that presents a cybersecurity risk in accordance with the criteria laid down in Article 6(5) Source: Article 3(4) of Cyber Resilience Act (draft 2022)
  • A set of activities performed to design, develop, deliver or maintain an ICT product or ICT service Source: Article 2(14) of Regulation (EU) 2019/881 (Cybersecurity Act), as quoted by NIS 2 glossary
  • An element or a group of elements of a network or information system Source: Article 2(12) of Regulation (EU) 2019/881 (Cybersecurity Act), as quoted by NIS 2 glossary
  • A service consisting fully or mainly in the transmission, storing, retrieving or processing of information by means of network and information systems Source: Article 2(13) of Regulation (EU) 2019/881 (Cybersecurity Act), as quoted by NIS 2 glossary
  • A type of service provided together with or in support of core platform services that enables any type of verification of the identity of end users or business users, regardless of the technology used. Source: Regulation (EU) 2022/1925 (Digital Markets Act)
  • Any natural or legal person established in the Union who places on the market a product with digital elements that bears the name or trademark of a natural or legal person established outside the Union Source: Article 3(20) of Cyber Resilience Act (draft 2022)
  • A natural or legal person located or established in the Union that places on the market an AI System that bears the name or trademark of a natural or legal person established in a third country. Source: Article 3(6) of the EU AI Act #EUAIActDefinitions
  • An event compromising the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, network and information systems. Source: Directive 2022/2555 (NIS2) glossary
  • Any actions and procedures aiming to prevent, detect, analyse, and contain or to respond to and recover from an incident. Source: Directive 2022/2555 (NIS2) glossary
  • A connection to a device or network, which does not take place directly but rather as part of a larger system that is directly connectable to such device or network Source: Article 3(12) of Cyber Resilience Act (draft 2022)
  • A subject’s freely given, specific, unambiguous and voluntary expression of his or her willingness to participate in a particular Testing in Real-World Conditions, after having been informed of all aspects of the testing that are relevant to the subject’s decision to participate. Source: Article 3(59) of the EU AI Act #EUAIActDefinitions
  • Data provided to or directly acquired by an AI System on the basis of which the system produces an output. Source: Article 3(33) of the EU AI Act #EUAIActDefinitions
  • The information provided by the Provider to inform the Deployer of, in particular, an AI System’s Intended Purpose and proper use. Source: Article 3(15) of the EU AI Act #EUAIActDefinitions
  • The use for which a product with digital elements is intended by the manufacturer, including the specific context and conditions of use, as specified in the information supplied by the manufacturer in the instructions for use, promotional or sales materials and statements, as well as in the technical documentation Source: Article 3(24) of Cyber Resilience Act (draft 2022)
  • The use for which an AI System is intended by the Provider, including the specific context and conditions of use, as specified in the information supplied by the Provider in the Instructions for Use, promotional or sales materials and statements, as well as in the technical documentation. Source: Article 3(12) of the EU AI Act #EUAIActDefinitions
  • A network facility which enables the interconnection of more than two independent networks (autonomous systems), primarily for the purpose of facilitating the exchange of internet traffic, which provides interconnection only for autonomous systems and which neither requires the internet traffic passing between any pair of participating autonomous systems to pass through any third autonomous system nor alters or otherwise interferes with such traffic. Source: Directive 2022/2555 (NIS2) glossary
  • The ability to exchange information and mutually use the information which has been exchanged through interfaces or other solutions, so that all elements of hardware or software work with other hardware and software and with users in all the ways in which they are intended to function. Source: Regulation (EU) 2022/1925 (Digital Markets Act)
  • The ability of two or more data spaces or communication networks, systems, connected products, applications, data processing services or components to exchange and use data in order to perform their functions Source: Article 2(40) of the EU Regulation on harmonised rules on fair access to and use of data and amending Regulation (EU) 2017/2394 and Directive (EU) 2020/1828 (Data Act)
  • An incident which causes a level of disruption that exceeds a Member State’s capacity to respond to it or which has a significant impact on at least two Member States. Source: Directive 2022/2555 (NIS2) glossary
  • Activities carried out by law enforcement authorities or on their behalf for the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security. Source: Article 3(46) of the EU AI Act #EUAIActDefinitions
  • (a) any public authority competent for the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security; or (b) any other body or entity entrusted by Member State law to exercise public authority and public powers for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security. Source: Article 3(45) of the EU AI Act #EUAIActDefinitions
  • Personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject. Source: Regulation 2016/679 (GDPR) glossary
  • A virtual representation of a data connection implemented through a software interface Source: Article 3(10) of Cyber Resilience Act (draft 2022)
  • Any supply of an AI System or a General Purpose AI Model for distribution or use on the Union market in the course of a commercial activity, whether in return for payment or free of charge. Source: Article 3(10) of the EU AI Act #EUAIActDefinitions Any supply of a product with digital elements for distribution or use on the Union market in the course of a commercial activity, whether in return for payment or free of charge Source: Article 3(23) of Cyber Resilience Act (draft 2022) Any supply of a connected product for distribution, consumption or use on the Union market in the course of a commercial activity, whether in return for payment or free of charge Source: Article 2(21) of the EU Regulation on harmonised rules on fair access to and use of data and amending Regulation (EU) 2017/2394 and Directive (EU) 2020/1828 (Data Act)
  • A managed service provider that carries out or provides assistance for activities relating to cybersecurity risk management. Source: Directive 2022/2555 (NIS2) glossary
  • An entity that provides services related to the installation, management, operation or maintenance of ICT products, networks, infrastructure, applications or any other network and information systems, via assistance or active administration carried out either on customers’ premises or remotely. Source: Directive 2022/2555 (NIS2) glossary
  • Any natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under his or her name or trademark, whether for payment or free of charge Source: Article 3(18) of Cyber Resilience Act (draft 2022)
  • The national authority carrying out the activities and taking the measures pursuant to Regulation (EU) 2019/1020. Source: Article 3(26) of the EU AI Act #EUAIActDefinitions The authority as defined in Article 3, point (4) of Regulation (EU) 2019/1020 Source: Article 3(33) of Cyber Resilience Act (draft 2022)
  • A structured description of the contents or the use of data facilitating the discovery or use of that data Source: Article 2(2) of the EU Regulation on harmonised rules on fair access to and use of data and amending Regulation (EU) 2017/2394 and Directive (EU) 2020/1828 (Data Act)
  • A notifying authority or a market surveillance authority; as regards AI systems put into service or used by Union institutions, agencies, offices and bodies, references to national competent authorities or market surveillance authorities in this Regulation shall be construed as references to the European Data Protection Supervisor. Source: Article 3(48) of the EU AI Act #EUAIActDefinitions
  • Coherent framework of a Member State providing strategic objectives and priorities in the area of cybersecurity and the governance to achieve them in that Member State. Source: Directive 2022/2555 (NIS2) glossary
  • An event that could have compromised the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, network and information systems, but that was successfully prevented from materialising or that did not materialise. Source: Directive 2022/2555 (NIS2) glossary
  • a) An electronic communications network, which means transmission systems, whether or not based on a permanent infrastructure or centralised administration capacity, and, where applicable, switching or routing equipment and other resources, including network elements which are not active, which permit the conveyance of signals by wire, radio, optical or other electromagnetic means, including satellite networks, fixed (circuit- and packet-switched, including internet) and mobile networks, electricity cable systems, to the extent that they are used for the purpose of transmitting signals, networks used for radio and television broadcasting, and cable television networks, irrespective of the type of information conveyed (Article 2(1) of Directive (EU) 2018/1972); b) Any device or group of interconnected or related devices, one or more of which, pursuant to a programme, carry out automatic processing of digital data; or c) Digital data stored, processed, retrieved or transmitted by(...)
  • Data or hardware or software functionality that is accessible either locally or through a network or another connected device Source: Article 3(16) of Cyber Resilience Act (draft 2022)
  • Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148
  • Data other than personal data. Source: Article 2(4) of the EU Regulation on harmonised rules on fair access to and use of data and amending Regulation (EU) 2017/2394 and Directive (EU) 2020/1828 (Data Act) Also used: Article 3(51) of the EU AI Act #EUAIActDefinitions
  • A conformity assessment body designated in accordance with Article 33 of this Regulation and other relevant Union harmonisation legislation Source: Article 3(30) of Cyber Resilience Act (draft 2022)
  • A Conformity Assessment Body notified in accordance with this Regulation and other relevant Union harmonisation legislation. Source: Article 3(22) of the EU AI Act #EUAIActDefinitions
  • The national authority responsible for setting up and carrying out the necessary procedures for the assessment, designation and notification of conformity assessment bodies and for their monitoring Source: Article 3(27) of Cyber Resilience Act (draft 2022)
  • The national authority responsible for setting up and carrying out the necessary procedures for the assessment, designation and notification of Conformity Assessment Bodies and for their monitoring. Source: Article 3(19) of the EU AI Act #EUAIActDefinitions
  • ICT infrastructure and computing resources owned, rented or leased by the customer, located in the data centre of the customer itself and operated by the customer or by a third-party Source: Article 2(33) of the EU Regulation on harmonised rules on fair access to and use of data and amending Regulation (EU) 2017/2394 and Directive (EU) 2020/1828 (Data Act)
  • A service using software, including a website, part of a website or an application, operated by or on behalf of a trader which allows consumers to conclude distance contracts with other traders or consumers. Source: Article 2(n) of Directive 2005/29/EC
  • A digital service that allows users to input queries in order to perform searches of, in principle, all websites, or all websites in a particular language, on the basis of a query on any subject in the form of a keyword, voice request, phrase or other input, and returns results in any format in which information related to the requested content can be found. Source: Article 2 (5) of Regulation (EU) 2019/1150
  • A platform that enables end users to connect and communicate with each other, share content and discover other users and content across multiple devices and, in particular, via chats, posts, videos and recommendations. Source: Regulation (EU) 2022/1925 (Digital Markets Act)
  • A technical specification in the field of information and communication technologies which is performance oriented towards achieving interoperability between