Regulatory Glossary
Key terms and definitions from EU AI Act, DORA, NIS2, CSRD, MiCA, and GDPR explained in plain language.
AI Literacy Obligation
The requirement under Article 4 of the EU AI Act for providers and deployers to ensure their staff and other involved persons have a sufficient level of AI literacy, considering the context and intended audience.
AI System
A machine-based system designed to operate with varying levels of autonomy and that may exhibit adaptiveness after deployment, generating outputs such as predictions, recommendations, decisions, or content.
Conformity Assessment
The process by which a provider of a high-risk AI system verifies and demonstrates that the system meets all applicable requirements of the EU AI Act before it can be placed on the market.
Cross-Border Data Transfer
The transfer of personal data from the EEA to a third country or international organisation, which under the GDPR requires specific safeguards such as adequacy decisions, standard contractual clauses, or binding corporate rules.
Crypto-Asset Service Provider (CASP)
Any legal person or undertaking whose occupation or business is the provision of one or more crypto-asset services to clients on a professional basis, as defined and regulated by the Markets in Crypto-Assets Regulation (MiCA).
Data Controller
The natural or legal person, public authority, agency, or other body which alone or jointly with others determines the purposes and means of the processing of personal data under the GDPR.
Data Processor
A natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller, acting only on the controller's documented instructions.
Data Protection Impact Assessment (DPIA)
A systematic assessment required under Article 35 GDPR when data processing is likely to result in a high risk to the rights and freedoms of natural persons, also referenced by the EU AI Act for high-risk AI systems involving personal data.
Data Subject Rights
The set of rights granted by the GDPR to individuals (data subjects) with respect to their personal data, including the rights of access, rectification, erasure, restriction, portability, and objection.
Digital Operational Resilience
The ability of a financial entity to build, assure, and review its operational integrity and reliability by ensuring the full range of ICT-related capabilities needed to address the security of its network and information systems.
Double Materiality
The principle under the CSRD requiring companies to report both how sustainability matters affect the company (financial materiality) and how the company impacts people and the environment (impact materiality).
ESG Reporting
The disclosure of environmental, social, and governance (ESG) information by companies, mandated under the CSRD through the European Sustainability Reporting Standards (ESRS) for in-scope EU and non-EU companies.
Essential Entity
An organisation operating in a critical sector under the NIS2 Directive (energy, transport, banking, health, water, digital infrastructure, ICT service management, public administration, or space) that is subject to the most stringent cybersecurity obligations and proactive supervisory oversight.
EU Taxonomy Alignment
The degree to which a company's economic activities meet the technical screening criteria of the EU Taxonomy Regulation, qualifying them as environmentally sustainable investments.
Foundation Model
A general-purpose AI model trained on broad data at scale, capable of being adapted to a wide range of downstream tasks. The EU AI Act regulates these under the framework of general-purpose AI (GPAI) models.
High-Risk AI System
An AI system that poses significant risks to health, safety, or fundamental rights and is subject to strict requirements under the EU AI Act, including conformity assessments, human oversight, and documentation obligations.
ICT (Information and Communication Technology) Risk Management
The framework of policies, procedures, and controls that financial entities and essential/important entities must implement to identify, protect against, detect, respond to, and recover from ICT-related risks.
ICT Third-Party Risk Management
The DORA framework requiring financial entities to manage risks arising from their dependence on ICT third-party service providers, including contractual requirements, concentration risk monitoring, and an oversight framework for critical providers.
Important Entity
An organisation in sectors covered by the NIS2 Directive (such as postal services, waste management, chemicals, food, manufacturing, digital providers, or research) that must comply with cybersecurity obligations but is subject to lighter, ex-post supervisory oversight.
Incident Reporting
The obligation under DORA and NIS2 for regulated entities to detect, classify, and report significant cybersecurity and ICT-related incidents to the relevant competent authorities within prescribed timeframes.
Lex Specialis
The legal principle by which a more specific regulation takes precedence over a more general one, critically relevant for resolving overlaps between EU frameworks such as DORA, NIS2, and the GDPR.
MiCA Authorisation
The mandatory regulatory approval process under the Markets in Crypto-Assets Regulation (MiCA) that issuers of asset-referenced tokens and e-money tokens, as well as crypto-asset service providers, must complete before operating in the EU.
Regulatory Compliance
The ongoing process by which organisations ensure they adhere to all applicable laws, regulations, guidelines, and specifications relevant to their business operations, particularly in the context of EU regulatory frameworks.
Scope 1, 2 & 3 Emissions
The classification framework for greenhouse gas emissions: Scope 1 covers direct emissions from owned sources, Scope 2 covers indirect emissions from purchased energy, and Scope 3 covers all other indirect emissions across the value chain.
Threat-Led Penetration Testing (TLPT)
Advanced cybersecurity testing required by DORA in which financial entities simulate real-world attack scenarios based on current threat intelligence to evaluate the resilience of their critical ICT systems and processes.