Glossary

  • The implementation of appropriate technical and organisational measures to ensure and be able to demonstrate that the handling of personal data is performed in accordance with relevant law, an idea codified in the GDPR and other frameworks, including APEC's Cross Border Privacy Rules. Traditionally, accountability has been a fair information practices principle, that due diligence and reasonable steps will be undertaken to ensure that personal information will be protected and handled consistently with relevant law and other fair use principles.
  • Organizations must take every reasonable step to ensure the data processed is accurate and, where necessary, kept up to date. Reasonable measures should be understood as implementing processes to prevent inaccuracies during the data collection process as well as during the ongoing data processing in relation to the specific use for which the data is processed. The organization must consider the type of data and the specific purposes to maintain the accuracy of personal data in relation to the purpose. Accuracy also embodies the responsibility to respond to data subject requests to correct records that contain incomplete information or misinformation.
  • When an end user deliberately provides information, typically through the use of web forms, text boxes, check boxes or radio buttons.
  • A vulnerability for which there is reliable evidence that execution of malicious code was performed by an actor on a system without permission of the system owner Source: Article 3(39) of Cyber Resilience Act (draft 2022)
  • A transfer of personal data from the European Union to a third country or an international organisation may take place where the European Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question, ensures an adequate level of protection by taking into account the following elements: the rule of law, respect for human rights and fundamental freedoms, both general and sectoral legislation, data protection rules, professional rules and security measures, effective and enforceable data subject rights and effective administrative and judicial redress for the data subjects whose personal data is being transferred, the existence and effective functioning of independent supervisory authorities with responsibility for ensuring and enforcing compliance with the data protection rules, the international commitments the third country or international organisation concerned has entered(...)
  • A machine-based system designed to operate with varying levels of autonomy and that may exhibit adaptiveness after deployment and that, for explicit or implicit objectives, infers, from the input it receives, how to generate outputs such as predictions, content, recommendations, or decisions that can influence physical or virtual environments. Source: Article 3(1) of the EU AI Act (EU AI ACT)
  • The process in which personal data is altered in such a way that it no longer can be related back to a given individual through an irreversible process. Among many techniques, there are three primary ways that data is anonymized: - Suppression is the most basic version of anonymization and it simply removes some identifying values from data to reduce its identifiability. - Generalization (cohort) takes specific identifying values and makes them broader, such as changing a specific age (18) to an age range (18-24). - Noise addition (salting) takes identifying values from a given data set and switches them with identifying values from another individual in that data set.
  • GDPR refers to appropriate safeguards in a number of contexts, including: - the transfer of personal data to third countries outside the European Union; - the processing of special categories of data; and - the processing of personal data in a law enforcement context. This generally refers to the application of the general data protection principles, in particular purpose limitation, data minimisation, limited storage periods, data quality, data protection by design and by default, legal basis for processing, processing of special categories of personal data, measures to ensure data security, and the requirements in respect of onward transfers to bodies not bound by the binding corporate rules. This may also refer to the use of encryption or pseudonymization, standard data protection clauses adopted by the European Commission, contractual clauses authorized by a supervisory authority, or certification schemes or codes of conduct authorized by the Commission or a(...)
  • Any natural or legal person established within the Union who has received a written mandate from a manufacturer to act on his or her behalf in relation to specified tasks Source: Article 3(19) of Cyber Resilience Act (draft 2022)
  • Any natural or legal person located or established in the Union who has received and accepted a written mandate from a provider of an AI System or a General Purpose AI Model to, respectively, perform and carry out on its behalf the obligations and procedures established by this Regulation Source: Article 3(5) of the EU AI Act (EU AI ACT)
  • Data is "available" if it is accessible when needed by the organization or data subject. GDPR requires that an organization be able to ensure the availability of personal data and have the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident. Lack of availability of the personal data may constitute a personal data breach.
  • Personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity. Acronym: BCR Source: Regulation 2016/679 (GDPR)
  • Personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data. Should be considered as a special category of data only where it allows for such unique identification of a data subject.
  • A marking by which a manufacturer indicates that a product with digital elements and the processes put in place by the manufacturer are in conformity with the essential requirements set out in Annex I and other applicable Union legislation harmonising the conditions for the marketing of products (‘Union harmonisation legislation’) providing for its affixing Source: Article 3(32) of Cyber Resilience Act (draft 2022)
  • A digital service that enables on-demand administration and broad remote access to a scalable and elastic pool of shareable computing resources, including where such resources are distributed across several locations Source: Directive 2022/2555 (NIS2)
  • Introduced by GDPR, codes of conduct are a new valid adequacy mechanism for the transfer of personal data outside of the European Union in the absence of an adequacy decision and instead of other mechanisms such as binding corporate rules or contractual clauses. Codes of conduct must be developed by industry trade groups, associations or other bodies representing categories of controllers or processors. They must be approved by supervisory authorities or the European Data Protection Board, and have a methodology for auditing compliance. Similar to binding corporate rules, they compel organizations to be able to demonstrate their compliance with all aspects of applicable data protection legislation. Source: Article 40 GDPR.
  • A document, other than a standard, containing technical solutions providing a means to comply with certain requirements and obligations established under this Regulation Source: Article 2(42) of the EU Regulation on harmonised rules on fair access to and use of data and amending Regulation (EU) 2017/2394 and Directive (EU) 2020/1828 (Data Act)
  • Software or hardware intended for integration into an electronic information system Source: Article 3(8) of Cyber Resilience Act (draft 2022)
  • The process of verifying whether the essential requirements set out in Annex I have been fulfilled Source: Article 3(28) of Cyber Resilience Act (draft 2022)
  • A body defined in Article 2(13) of Regulation (EU) No 765/2008 Source: Article 3(29) of Cyber Resilience Act (draft 2022)
  • An item that obtains, generates or collects data concerning its use or environment and that is able to communicate product data via an electronic communications service, physical connection or on-device access, and whose primary function is not the storing, processing or transmission of data on behalf of any party other than the user Source: Article 2(5) of the EU Regulation on harmonised rules on fair access to and use of data and amending Regulation (EU) 2017/2394 and Directive (EU) 2020/1828 (Data Act)
  • Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. Source: Regulation 2016/679 (GDPR)
  • Any natural person who is acting for purposes which are outside that person’s trade, business, craft or profession Source: Article 2(23) of the EU Regulation on harmonised rules on fair access to and use of data and amending Regulation (EU) 2017/2394 and Directive (EU) 2020/1828 (Data Act)
  • A network of geographically distributed servers for the purpose of ensuring high availability, accessibility or fast delivery of digital content and services to internet users on behalf of content and service providers. Source: Directive 2022/2555 (NIS2)
  • The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law. Source: Regulation 2016/679 (GDPR)
  • A small text file stored on a client machine that may later be retrieved by a web server from the machine. Cookies allow web servers to keep track of the end user’s browser activities, and connect individual web requests into a session. Cookies can also be used to prevent users from having to be authorized for every password protected page they access during a session by recording that they have successfully supplied their username and password already. Cookies may be referred to as: - "first-party" -- if they are placed by the website that is visited; - "third-party" -- if they are placed by a party other than the visited website; - "session cookies" -- if they are deleted when a session ends; or - "persistent cookies" -- if they remain longer.
  • means any of the following: (a) online intermediation services; (b) online search engines; (c) online social networking services; (d) video-sharing platform services; (e) number-independent interpersonal communications services; (f) operating systems; (g) web browsers; (h) virtual assistants; (i) cloud computing services; (j) online advertising services, including any advertising networks, advertising exchanges and any other advertising intermediation services, provided by an undertaking that provides any of the core platform services listed in points (a) to (i). Source: Regulation (EU) 2022/1925 (Digital Markets Act)
  • A product with digital elements that presents a cybersecurity risk in accordance with the criteria laid down in Article 6(2) and whose core functionality is set out in Annex III Source: Article 3(3) of Cyber Resilience Act (draft 2022)
  • (a) processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or (b) processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State. Source: Regulation 2016/679 (GDPR)
  • A natural or legal person that has entered into a contractual relationship with a provider of data processing services with the objective of using one or more data processing services Source: Article 2(30) of the EU Regulation on harmonised rules on fair access to and use of data and amending Regulation (EU) 2017/2394 and Directive (EU) 2020/1828 (Data Act)
  • Any potential circumstance, event or action that could damage, disrupt or otherwise adversely impact network and information systems, the users of such systems and other persons. Source: Regulation (EU) 2019/881 (Cybersecurity Act), as quoted in NIS2
  • The activities necessary to protect network and information systems, the users of such systems, and other persons affected by cyber threats. Source: Regulation (EU) 2019/881 (Cybersecurity Act), as quoted in NIS2
  • Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act)
  • Any digital representation of acts, facts or information and any compilation of such acts, facts or information, including in the form of sound, visual or audiovisual recording. Source: Regulation (EU) 2022/1925 (Digital Markets Act), Article 2(1) of the EU Regulation on harmonised rules on fair access to and use of data and amending Regulation (EU) 2017/2394 and Directive (EU) 2020/1828 (Data Act)
  • A service that encompasses structures, or groups of structures, dedicated to the centralised accommodation, interconnection and operation of IT and network equipment providing data storage, processing and transport services together with all the facilities and infrastructures for power distribution and environmental control. Source: Regulation (EU) 2019/881 (Cybersecurity Act), as quoted in NIS2
  • Personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status. Source: Regulation 2016/679 (GDPR)
  • Data transfer fees charged to customers for extracting their data through the network from the ICT infrastructure of a provider of data processing services to the system of a different provider or to on-premises ICT infrastructure Source: Article 2(35) of the EU Regulation on harmonised rules on fair access to and use of data and amending Regulation (EU) 2017/2394 and Directive (EU) 2020/1828 (Data Act)
  • A natural or legal person that has the right or obligation, in accordance with this Regulation, applicable Union law or national legislation adopted in accordance with Union law, to use and make available data, including, where contractually agreed, product data or related service data which it has retrieved or generated during the provision of a related service Source: Article 2(13) of the EU Regulation on harmonised rules on fair access to and use of data and amending Regulation (EU) 2017/2394 and Directive (EU) 2020/1828 (Data Act)
  • Data intermediation service as defined in Article 2, point (11), of Regulation (EU) 2022/868 (Data Governance Act). Source: Article 2(10) of the EU Regulation on harmonised rules on fair access to and use of data and amending Regulation (EU) 2017/2394 and Directive (EU) 2020/1828 (Data Act)
  • A digital service that is provided to a customer and that enables ubiquitous and on-demand network access to a shared pool of configurable, scalable and elastic computing resources of a centralised, distributed or highly distributed nature that can be rapidly provisioned and released with minimal management effort or service provider interaction Source: Article 2(8) of the EU Regulation on harmonised rules on fair access to and use of data and amending Regulation (EU) 2017/2394 and Directive (EU) 2020/1828 (Data Act)
  • Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks. A data protection impact assessment referred to in paragraph 1 shall in particular be required in the case of: - a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person; - processing on a large scale of special categories of data referred to in Article 9(1)(...)
  • A natural or legal person, acting for purposes which are related to that person’s trade, business, craft or profession, other than the user of a connected product or related service, to whom the data holder makes data available, including a third party following a request by the user to the data holder or in accordance with a legal obligation under Union law or national legislation adopted in accordance with Union law Source: Article 2(14) of the EU Regulation on harmonised rules on fair access to and use of data and amending Regulation (EU) 2017/2394 and Directive (EU) 2020/1828 (Data Act)
  • An identified or identifiable (living) natural person. Source: Regulation 2016/679 (GDPR)
  • Any natural or legal person, public authority, agency or other body using an AI system under its authority except where the AI system is used in the course of a personal non-professional activity. Source: Article 3(4) of the EU AI Act (EU AI ACT)
  • Elements in digital form, including applications, for which the customer has the right of use, independently from the contractual relationship with the data processing service it intends to switch from Source: Article 2(32) of the EU Regulation on harmonised rules on fair access to and use of data and amending Regulation (EU) 2017/2394 and Directive (EU) 2020/1828 (Data Act)
  • Regulation (EU) 2022/1925 of the European Parliament and of the Council of 14 September 2022 on contestable and fair markets in the digital sector and amending Directives (EU) 2019/1937 and (EU) 2020/1828
  • The sector of products and services provided by means of, or through, information society services. Source: Regulation (EU) 2022/1925 (Digital Markets Act)
  • Any Information Society service, that is to say, any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services. For the purposes of this definition: i. "at a distance" means that the service is provided without the parties being simultaneously present; ii. "by electronic means" means that the service is sent initially and received at its destination by means of electronic equipment for the processing (including digital compression) and storage of data, and entirely transmitted, conveyed and received by wire, by radio, by optical means or by other electromagnetic means; iii. "at the individual request of a recipient of services" means that the service is provided through the transmission of data on individual request. Source: Article 1(1)(b) of Directive (EU) 2015/1535, as quoted by NIS2
  • Any natural or legal person in the supply chain, other than the manufacturer or the importer, that makes a product with digital elements available on the Union market without affecting its properties Source: Article 3(21) of Cyber Resilience Act (draft 2022)
  • Any natural or legal person in the supply chain, other than the Provider or the Importer, that makes an AI System available on the Union market. Source: Article 3(7) of the EU AI Act (EU AI ACT)
  • An entity that provides: a) Publicly available recursive domain name resolution services for internet end-users; or b) Authoritative domain name resolution services for third-party use, with the exception of root nameservers. Source: NIS2
  • A hierarchical distributed naming system which enables the identification of internet services and resources, allowing end-user devices to use internet routing and connectivity services to reach those services and resources. Source: Directive 2022/2555 (NIS2)
  • The manufacturer, the authorised representative, the importer, the distributor, or any other natural or legal person who is subject to obligations laid down by this Regulation Source: Article 3(17) of Cyber Resilience Act (draft 2022)
  • Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC.
  • A service normally provided for remuneration via electronic communications networks, which encompasses, with the exception of services providing, or exercising editorial control over, content transmitted using electronic communications networks and services, the following types of services: a) ‘internet access service’, which means a publicly available electronic communications service that provides access to the internet, and thereby connectivity to virtually all end points of the internet, irrespective of the network technology and terminal equipment used (Article 2, second paragraph, point (2) of Regulation (EU) 2015/2120); b) interpersonal communications service; and c) services consisting wholly or mainly in the conveyance of signals such as transmission services used for the provision of machine-to-machine services and for broadcasting. Source: Article 2(4) of Directive (EU) 2018/1972, as quoted in NIS2
  • Any system, including electrical or electronic equipment, capable of processing, storing or transmitting digital data Source: Article 3(9) of Cyber Resilience Act (draft 2022)
  • An access right granted to particular users or programmes to perform an extended set of security-relevant operations within an electronic information system that, if misused or compromised, could allow a malicious actor to gain wider access to the resources of a system or organisation Source: Article 3(14) of Cyber Resilience Act (draft 2022)
  • Any natural or legal person using core platform services other than as a business user. Source: Regulation (EU) 2022/1925 (Digital Markets Act)
  • Any device that is connected to a network and serves as an entry point to that network Source: Article 3(15) of Cyber Resilience Act (draft 2022)
  • A natural or legal person that, in relation to contracts and practices covered by this Regulation, is acting for purposes which are related to that person’s trade, business, craft or profession Source: Article 2(24) of the EU Regulation on harmonised rules on fair access to and use of data and amending Regulation (EU) 2017/2394 and Directive (EU) 2020/1828 (Data Act)
  • A natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations. Source: Directive 2022/2555 (NIS2)
  • A registrar or an agent acting on behalf of registrars, such as a privacy or proxy registration service provider or reseller. Source: Directive 2022/2555 (NIS2)
  • For the purpose of Articles 23 to 31 and Article 35, means the input and output data, including metadata, directly or indirectly generated, or cogenerated, by the customer’s use of the data processing service, excluding any assets or data protected by intellectual property rights, or constituting a trade secret, of providers of data processing services or third parties Source: Article 2(38) of the EU Regulation on harmonised rules on fair access to and use of data and amending Regulation (EU) 2017/2394 and Directive (EU) 2020/1828 (Data Act)
  • Re-establishing on the basis of the customer’s exportable data and digital assets, a minimum level of functionality in the environment of a new data processing service of the same service type after the switching process, where the destination data processing service delivers a materially comparable outcome in response to the same input for shared features supplied to the customer under the contract Source: Article 2(37) of the EU Regulation on harmonised rules on fair access to and use of data and amending Regulation (EU) 2017/2394 and Directive (EU) 2020/1828 (Data Act)
  • An undertaking providing core platform services, designated pursuant to Article 3 DMA Source: Regulation (EU) 2022/1925 (Digital Markets Act)
  • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance).
  • Personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question. Source: Regulation 2016/679 (GDPR)
  • A physical electronic information system, or parts thereof capable of processing, storing or transmitting of digital data Source: Article 3(7) of Cyber Resilience Act (draft 2022)
  • A harmonised standard as defined in Article 2, point (1)(c), of Regulation (EU) No 1025/2012 Source: Article 3(34) of Cyber Resilience Act (draft 2022)
  • A harmonised standard as defined in Article 2, point (1)(c), of Regulation (EU) No 1025/2012 Source: Article 2(43) of the EU Regulation on harmonised rules on fair access to and use of data and amending Regulation (EU) 2017/2394 and Directive (EU) 2020/1828 (Data Act)
  • A product with digital elements that presents a cybersecurity risk in accordance with the criteria laid down in Article 6(5) Source: Article 3(4) of Cyber Resilience Act (draft 2022)
  • A set of activities performed to design, develop, deliver or maintain an ICT product or ICT service Source: Article 2(14) of Regulation (EU) 2019/881 (Cybersecurity Act), as quoted by NIS 2
  • An element or a group of elements of a network or information system Source: Article 2(12) of Regulation (EU) 2019/881 (Cybersecurity Act), as quoted by NIS 2
  • A service consisting fully or mainly in the transmission, storing, retrieving or processing of information by means of network and information systems Source: Article 2(13) of Regulation (EU) 2019/881 (Cybersecurity Act), as quoted by NIS 2
  • A type of service provided together with or in support of core platform services that enables any type of verification of the identity of end users or business users, regardless of the technology used. Source: Regulation (EU) 2022/1925 (Digital Markets Act)
  • Any natural or legal person established in the Union who places on the market a product with digital elements that bears the name or trademark of a natural or legal person established outside the Union Source: Article 3(20) of Cyber Resilience Act (draft 2022)
  • Any natural or legal person located or established in the Union that places on the market an AI System that bears the name or trademark of a natural or legal person established outside the Union. Source: Article 3(6) of the EU AI Act (EU AI ACT)
  • An event compromising the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, network and information systems. Source: Directive 2022/2555 (NIS2)
  • Any actions and procedures aiming to prevent, detect, analyse, and contain or to respond to and recover from an incident. Source: Directive 2022/2555 (NIS2)
  • A connection to a device or network, which does not take place directly but rather as part of a larger system that is directly connectable to such device or network Source: Article 3(12) of Cyber Resilience Act (draft 2022)
  • The use for which a product with digital elements is intended by the manufacturer, including the specific context and conditions of use, as specified in the information supplied by the manufacturer in the instructions for use, promotional or sales materials and statements, as well as in the technical documentation Source: Article 3(24) of Cyber Resilience Act (draft 2022)
  • The use for which an AI System is intended by the Provider, including the specific context and conditions of use, as specified in the information supplied by the Provider in the Instructions for Use, promotional or sales materials and statements, as well as in the technical documentation. Source: Article 3(12) of the EU AI Act (EU AI ACT)
  • A network facility which enables the interconnection of more than two independent networks (autonomous systems), primarily for the purpose of facilitating the exchange of internet traffic, which provides interconnection only for autonomous systems and which neither requires the internet traffic passing between any pair of participating autonomous systems to pass through any third autonomous system nor alters or otherwise interferes with such traffic. Source: Directive 2022/2555 (NIS2) glossary
  • The ability to exchange information and mutually use the information which has been exchanged through interfaces or other solutions, so that all elements of hardware or software work with other hardware and software and with users in all the ways in which they are intended to function. Source: Regulation (EU) 2022/1925 (Digital Markets Act)
  • The ability of two or more data spaces or communication networks, systems, connected products, applications, data processing services or components to exchange and use data in order to perform their functions Source: Article 2(40) of the EU Regulation on harmonised rules on fair access to and use of data and amending Regulation (EU) 2017/2394 and Directive (EU) 2020/1828 (Data Act)
  • An incident which causes a level of disruption that exceeds a Member State’s capacity to respond to it or which has a significant impact on at least two Member States. Source: Directive 2022/2555 (NIS2) glossary
  • Personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject. Source: Regulation 2016/679 (GDPR) glossary
  • A virtual representation of a data connection implemented through a software interface Source: Article 3(10) of Cyber Resilience Act (draft 2022)
  • Any supply of a product with digital elements for distribution or use on the Union market in the course of a commercial activity, whether in return for payment or free of charge Source: Article 3(23) of Cyber Resilience Act (draft 2022) Any supply of a connected product for distribution, consumption or use on the Union market in the course of a commercial activity, whether in return for payment or free of charge Source: Article 2(21) of the EU Regulation on harmonised rules on fair access to and use of data and amending Regulation (EU) 2017/2394 and Directive (EU) 2020/1828 (Data Act)
  • Any supply of an AI System or a General Purpose AI Model for distribution or use on the Union market in the course of a commercial activity, whether in return for payment or free of charge. Source: Article 3(10) of the EU AI Act (EU AI ACT)
  • A managed service provider that carries out or provides assistance for activities relating to cybersecurity risk management. Source: Directive 2022/2555 (NIS2) glossary
  • An entity that provides services related to the installation, management, operation or maintenance of ICT products, networks, infrastructure, applications or any other network and information systems, via assistance or active administration carried out either on customers’ premises or remotely. Source: Directive 2022/2555 (NIS2) glossary
  • Any natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under his or her name or trademark, whether for payment or free of charge Source: Article 3(18) of Cyber Resilience Act (draft 2022)
  • The authority as defined in Article 3, point (4) of Regulation (EU) 2019/1020 Source: Article 3(33) of Cyber Resilience Act (draft 2022)
  • A structured description of the contents or the use of data facilitating the discovery or use of that data Source: Article 2(2) of the EU Regulation on harmonised rules on fair access to and use of data and amending Regulation (EU) 2017/2394 and Directive (EU) 2020/1828 (Data Act)
  • Coherent framework of a Member State providing strategic objectives and priorities in the area of cybersecurity and the governance to achieve them in that Member State. Source: Directive 2022/2555 (NIS2) glossary
  • An event that could have compromised the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, network and information systems, but that was successfully prevented from materialising or that did not materialise. Source: Directive 2022/2555 (NIS2) glossary
  • a) An electronic communications network, which means transmission systems, whether or not based on a permanent infrastructure or centralised administration capacity, and, where applicable, switching or routing equipment and other resources, including network elements which are not active, which permit the conveyance of signals by wire, radio, optical or other electromagnetic means, including satellite networks, fixed (circuit- and packet-switched, including internet) and mobile networks, electricity cable systems, to the extent that they are used for the purpose of transmitting signals, networks used for radio and television broadcasting, and cable television networks, irrespective of the type of information conveyed (Article 2(1) of Directive (EU) 2018/1972); b) Any device or group of interconnected or related devices, one or more of which, pursuant to a programme, carry out automatic processing of digital data; or c) Digital data stored, processed, retrieved or transmitted by(...)
  • Data or hardware or software functionality that is accessible either locally or through a network or another connected device Source: Article 3(16) of Cyber Resilience Act (draft 2022)
  • Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148
  • Data other than personal data. Source: Article 2(4) of the EU Regulation on harmonised rules on fair access to and use of data and amending Regulation (EU) 2017/2394 and Directive (EU) 2020/1828 (Data Act)
  • A conformity assessment body designated in accordance with Article 33 of this Regulation and other relevant Union harmonisation legislation Source: Article 3(30) of Cyber Resilience Act (draft 2022)
  • The national authority responsible for setting up and carrying out the necessary procedures for the assessment, designation and notification of conformity assessment bodies and for their monitoring Source: Article 3(27) of Cyber Resilience Act (draft 2022)
  • ICT infrastructure and computing resources owned, rented or leased by the customer, located in the data centre of the customer itself and operated by the customer or by a third-party Source: Article 2(33) of the EU Regulation on harmonised rules on fair access to and use of data and amending Regulation (EU) 2017/2394 and Directive (EU) 2020/1828 (Data Act)
  • A service using software, including a website, part of a website or an application, operated by or on behalf of a trader which allows consumers to conclude distance contracts with other traders or consumers. Source: Article 2(n) of Directive 2005/29/EC
  • A digital service that allows users to input queries in order to perform searches of, in principle, all websites, or all websites in a particular language, on the basis of a query on any subject in the form of a keyword, voice request, phrase or other input, and returns results in any format in which information related to the requested content can be found. Source: Article 2 (5) of Regulation (EU) 2019/1150
  • A platform that enables end users to connect and communicate with each other, share content and discover other users and content across multiple devices and, in particular, via chats, posts, videos and recommendations. Source: Regulation (EU) 2022/1925 (Digital Markets Act)
  • A technical specification in the field of information and communication technologies which is performance oriented towards achieving interoperability between data processing services Source: Article 2(41) of the EU Regulation on harmonised rules on fair access to and use of data and amending Regulation (EU) 2017/2394 and Directive (EU) 2020/1828 (Data Act)
  • A system software that controls the basic functions of the hardware or software and enables software applications to run on it. Source: Regulation (EU) 2022/1925 (Digital Markets Act)
  • Programmable digital systems or devices that interact with the physical environment or manage devices that interact with the physical environment Source: Article 3(5) of Cyber Resilience Act (draft 2022)
  • The Provider, the product manufacturer, the Deployer, the Authorised Representative, the Importer or the Distributor. Source: Article 3(8) of the EU AI Act (EU AI ACT)
  • A software application, service or user interface which facilitates purchases of digital content or digital services within a software application, including content, subscriptions, features or functionality, and the payments for such purchases. Source: Regulation (EU) 2022/1925 (Digital Markets Act)
  • Any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Source: Regulation 2016/679 (GDPR) glossary
  • A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. Source: Regulation 2016/679 (GDPR) glossary
  • Any connection between electronic information systems or components implemented using physical means, including through electrical or mechanical interfaces, wires or radio waves Source: Article 3(11) of Cyber Resilience Act (draft 2022)
  • The first making available of a product with digital elements on the Union market Source: Article 3(22) of Cyber Resilience Act (draft 2022) The first making available of a connected product on the Union market Source: Article 2(22) of the EU Regulation on harmonised rules on fair access to and use of data and amending Regulation (EU) 2017/2394 and Directive (EU) 2020/1828 (Data Act)
  • The first making available of an AI System or a General Purpose AI model on the Union market. Source: Article 3(9) of the EU AI Act (EU AI AC
  • An access right granted to particular users or programmes to perform security-relevant operations within an electronic information system Source: Article 3(13) of Cyber Resilience Act (draft 2022)
  • Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. Source: Regulation 2016/679 (GDPR) glossary
  • A natural or legal person, public authority, agency or other body which processes personal data on behalf of a controller. Source: Regulation 2016/679 (GDPR) glossary
  • Data generated by the use of a connected product that the manufacturer designed to be retrievable, via an electronic communications service, physical connection or on-device access, by a user, data holder or a third party, including, where relevant, the manufacturer Source: Article 2(15) of the EU Regulation on harmonised rules on fair access to and use of data and amending Regulation (EU) 2017/2394 and Directive (EU) 2020/1828 (Data Act)
  • Any software or hardware product and its remote data processing solutions, including software or hardware components to be placed on the market separately. Source: Article 3(1) of Cyber Resilience Act (draft 2022)
  • Any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
  • A natural or legal person, public authority, agency or other body that develops an AI system or a general purpose AI model or that has an AI system or a general purpose AI model developed and places them on the market or puts the system into service under its own name or trademark, whether for payment or free of charge. Source: Article 3(2) of the EU AI Act (EU AI ACT)
  • The processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
  • An entity recognised as such in a Member State in accordance with national law, not including the judiciary, parliaments or central banks, which complies with the following criteria: a) It is established for the purpose of meeting needs in the general interest and does not have an industrial or commercial character; b) It has legal personality or is entitled by law to act on behalf of another entity with legal personality; c) It is financed, for the most part, by the State, regional authorities or by other bodies governed by public law, is subject to management supervision by those authorities or bodies, or has an administrative, managerial or supervisory board, more than half of whose members are appointed by the State, regional authorities or by other bodies governed by public law; d) It has the power to address to natural or legal persons administrative or regulatory decisions affecting their rights in the cross-border movement of persons, goods, services or(...)
  • An electronic communications network used wholly or mainly for the provision of publicly available electronic communications services which support the transfer of information between network termination points. Source: Article 2(8) of Directive (EU) 2018/1972, as quoted in NIS2 glossary
  • An exceptional situation, limited in time, such as a public health emergency, an emergency resulting from natural disasters, a human induced major disaster, including a major cybersecurity incident, negatively affecting the population of the Union or the whole or part of a Member State, with a risk of serious and lasting repercussions for living conditions or economic stability, financial stability, or the substantial and immediate degradation of economic assets in the Union or the relevant Member State and which is determined or officially declared in accordance with the relevant procedures under Union or national law Source: Article 2(29) of the EU Regulation on harmonised rules on fair access to and use of data and amending Regulation (EU) 2017/2394 and Directive (EU) 2020/1828 (Data Act)
  • The supply of an AI System for first use directly to the Deployer or for own use in the Union for its intended purpose. Source: Article 3(11) of the EU AI Act (EU AI ACT)
  • A trust service that meets the applicable requirements laid down in Regulation (EU) No 910/2014. Source: Article 3(17) eIDAS
  • A trust service provider who provides one or more qualified trust services and is granted the qualified status by the supervisory body. Source: Article 3 (20) eIDAS, as quoted by NIS2 glossary
  • The relative prominence given to goods or services offered through online intermediation services, online social networking services, video-sharing platform services or virtual assistants, or the relevance given to search results by online search engines, as presented, organised or communicated by the undertakings providing online intermediation services, online social networking services, video-sharing platform services, virtual assistants or online search engines, irrespective of the technological means used for such presentation, organisation or communication and irrespective of whether only one result is presented or communicated. Source: Regulation (EU) 2022/1925 (Digital Markets Act)
  • Product data and related service data that a data holder lawfully obtains or can lawfully obtain from the connected product or related service, without disproportionate effort going beyond a simple operation Source: Article 2(17) of the EU Regulation on harmonised rules on fair access to and use of data and amending Regulation (EU) 2017/2394 and Directive (EU) 2020/1828 (Data Act)
  • The use of a product with digital elements in a way that is not in accordance with its intended purpose, but which may result from reasonably foreseeable human behaviour or interaction with other systems Source: Article 3(26) of Cyber Resilience Act (draft 2022)
  • The use of an AI System in a way that is not in accordance with its intended purpose, but which may result from reasonably foreseeable human behaviour or interaction with other systems, including other AI Systems. Source: Article 3(13) of the EU AI Act (EU AI ACT)
  • Use that is not necessarily the intended purpose supplied by the manufacturer in the instructions for use, promotional or sales materials and statements, as well as in the technical documentation, but which is likely to result from reasonably foreseeable human behaviour or technical operations or interactions Source: Article 3(25) of Cyber Resilience Act (draft 2022)
  • A natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those