FORTISEU

EU Compliance Glossary

80+ authoritative definitions for EU regulatory compliance

Precise definitions of the terms, concepts, and legal constructs that define NIS2, DORA, GDPR, the EU AI Act, and ISO 27001. Written for CISOs, DPOs, compliance officers, and legal counsel at regulated European organisations.

85 terms
A

Adequacy Decision

GDPR Art. 45

A formal decision by the European Commission determining that a third country, a territory, or one or more specified sectors within a third country ensures an adequate level of data protection. Personal data can flow freely from the EU to jurisdictions covered by an adequacy decision without requiring additional safeguards such as SCCs or BCRs. The Commission periodically reviews and can revoke adequacy decisions.

General · GDPR
Related: Standard Contractual Clauses (SCCs) · Binding Corporate Rules (BCRs)

AI Office

EU AI Act Art. 64

The body established within the European Commission to support the implementation and enforcement of the EU AI Act, particularly regarding general-purpose AI models. The AI Office develops codes of practice, coordinates with national authorities, and has direct enforcement powers over GPAI model providers, including the ability to impose fines.

EU AI Act
Related: General-Purpose AI (GPAI) · National Market Surveillance Authority

AI Regulatory Sandbox

EU AI Act Art. 57-62

A controlled environment established by a national competent authority that enables the development, testing, and validation of innovative AI systems for a limited time before their placement on the market. The EU AI Act requires each Member State to establish at least one AI regulatory sandbox (alone or jointly with other Member States) by 2 August 2026, with priority access for SMEs and startups.

EU AI Act
Related: Regulatory Sandbox · National Market Surveillance Authority

AI System

EU AI Act Art. 3(1)

A machine-based system designed to operate with varying levels of autonomy, that may exhibit adaptiveness after deployment and that, for explicit or implicit objectives, infers from the input it receives how to generate outputs such as predictions, content, recommendations, or decisions that can influence physical or virtual environments. This definition aligns with the OECD definition and forms the jurisdictional trigger for the EU AI Act.

EU AI Act
Related: High-Risk AI System · Provider · Deployer

Annex A Controls

ISO/IEC 27001:2022 Annex A

The reference set of information security controls provided in ISO 27001 Annex A (aligned with ISO 27002). The 2022 revision organises 93 controls into four themes: Organisational, People, Physical, and Technological. Organisations select applicable controls based on their risk assessment and document the rationale in the Statement of Applicability.

ISO 27001
Related: Statement of Applicability (SoA) · Control · Control Mapping

Asset Inventory

ISO/IEC 27001:2022 Annex A Control 5.9

A register of information assets (data, software, hardware, services, people, and intangible assets) that the organisation identifies, classifies, and manages as part of its ISMS. The asset inventory supports risk assessment by ensuring all assets that require protection are identified, assigned ownership, and subject to appropriate controls throughout their lifecycle.

ISO 27001
Related: ISMS · Annex A Controls · Risk Treatment Plan

Audit Trail

A chronological record of system activities, user actions, and data changes that provides documentary evidence of the sequence of events relevant to a security or compliance investigation. Audit trails enable accountability, support forensic analysis, and are required by most EU regulatory frameworks including GDPR (demonstrating processing activities) and DORA (incident reconstruction).

General
Related: Evidence · Internal Audit · Compliance Framework
B

Binding Corporate Rules (BCRs)

GDPR Art. 47

Internal rules adopted by a multinational group of undertakings for international transfers of personal data from the EU to group entities in third countries that do not benefit from an adequacy decision. BCRs must be approved by the competent supervisory authority and ensure an adequate level of data protection, including enforceable data subject rights and effective legal remedies.

GDPR
Related: Standard Contractual Clauses (SCCs) · Adequacy Decision · Data Controller
C

Certification Body

ISO/IEC 27006

An independent, accredited organisation authorised to conduct audits and issue ISO 27001 certificates. Certification bodies assess whether an organisation's ISMS conforms to the requirements of the standard through Stage 1 (documentation review) and Stage 2 (implementation audit) assessments, followed by periodic surveillance audits to maintain certification validity.

ISO 27001
Related: Internal Audit · ISMS · Conformity Assessment

Competent Authority

NIS2 Directive Art. 8

The national authority designated by each EU Member State to oversee the implementation of NIS2 within its jurisdiction. Competent authorities are responsible for supervision, enforcement, and imposing administrative fines on essential and important entities that fail to comply with cybersecurity risk-management measures.

NIS2
Related: Essential Entity · Important Entity · Supervisory Authority

Compliance Framework

A structured set of guidelines, standards, regulations, and best practices that an organisation follows to meet its legal, regulatory, and industry obligations. In the EU context, organisations typically operate under multiple overlapping frameworks — such as NIS2, DORA, GDPR, and ISO 27001 — necessitating a unified control-mapping approach to avoid duplication and ensure comprehensive coverage.

General
Related: Control · Control Mapping · Gap Analysis

Conformity Assessment

EU AI Act Art. 43

The process by which a provider verifies that a high-risk AI system complies with the requirements laid down in the EU AI Act before placing it on the market or putting it into service. Depending on the use case, conformity assessment may be carried out by the provider (self-assessment with internal controls) or by a notified body (third-party assessment).

EU AI Act
Related: High-Risk AI System · Provider · Certification Body

Consent

GDPR Art. 4(11), Art. 7

Any freely given, specific, informed, and unambiguous indication of the data subject's wishes by which they, by a statement or clear affirmative action, signify agreement to the processing of their personal data. GDPR consent must be as easy to withdraw as it is to give, and controllers must be able to demonstrate that consent was obtained.

GDPR
Related: Lawful Basis · Data Subject

Continual Improvement

ISO/IEC 27001:2022 Clause 10.1

The ongoing effort to enhance the suitability, adequacy, and effectiveness of the ISMS. ISO 27001 requires organisations to continually improve the ISMS by acting on corrective actions (Clause 10.2), management review outputs, internal audit findings, and the analysis of security events and measurement results. Continual improvement follows the Plan-Do-Check-Act (PDCA) logic that underlies the standard's management-system clauses.

ISO 27001
Related: ISMS · Management Review · Internal Audit

Control

A safeguard or countermeasure — whether technical, administrative, physical, or legal — designed to manage risk by reducing the likelihood or impact of a threat exploiting a vulnerability. Controls can be preventive, detective, corrective, or deterrent. In multi-framework environments, a single control may satisfy requirements across multiple regulations through control mapping.

General
Related: Annex A Controls · Control Mapping · Evidence

Control Mapping

The process of aligning a single implemented control to the corresponding requirements of multiple regulatory frameworks, standards, or internal policies. Control mapping eliminates duplicative effort by demonstrating that one control satisfies equivalent obligations across frameworks — for example, mapping an access control policy to NIS2 Art. 21, DORA Art. 9, GDPR Art. 32, and ISO 27001 Annex A 8.3 simultaneously.

General
Related: Control · Compliance Framework · Annex A Controls

Critical ICT Third-Party Provider

DORA Art. 31

An ICT third-party service provider designated by the ESAs as critical based on criteria including the systemic impact of a failure, the degree of substitutability, and the number of financial entities that rely on it. Critical ICT third-party providers are subject to the DORA Oversight Framework, including direct oversight by a designated Lead Overseer.

DORA
Related: Lead Overseer · ICT Concentration Risk · Sub-outsourcing

CSIRT

NIS2 Directive Art. 10-11

Computer Security Incident Response Team. Under NIS2, each Member State must designate one or more CSIRTs responsible for incident handling, providing early warnings, and issuing advisories. CSIRTs coordinate through the EU CSIRT Network to facilitate cross-border incident response.

NIS2
Related: Competent Authority · EU-CyCLONe · Early Warning

Cybersecurity Risk-Management Measures

NIS2 Directive Art. 21

The technical, operational, and organisational measures that essential and important entities must implement to manage the risks posed to the security of their network and information systems. NIS2 Article 21 enumerates a minimum baseline including incident handling, supply chain security, encryption, access control, and multi-factor authentication.

NIS2
Related: Management Body Obligations · Supply Chain Security
D

Data Controller

GDPR Art. 4(7)

The natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. The controller bears primary responsibility for compliance with GDPR principles, including lawfulness, fairness, transparency, and data minimisation.

GDPR
Related: Data Processor · Joint Controller · Data Protection Officer (DPO)

Data Portability

GDPR Art. 20

The right of a data subject to receive their personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller without hindrance. This right applies when processing is based on consent or contract and is carried out by automated means. It aims to empower data subjects and reduce vendor lock-in.

GDPR
Related: Data Subject Access Request (DSAR) · Data Subject

Data Processor

GDPR Art. 4(8), Art. 28

A natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller. Processors must act only on documented instructions from the controller and implement appropriate technical and organisational security measures. The relationship must be governed by a binding contract or legal act specifying the subject-matter, duration, and nature of processing.

GDPR
Related: Data Controller · Sub-outsourcing

Data Protection Impact Assessment (DPIA)

GDPR Art. 35

A structured assessment required under GDPR when processing is likely to result in a high risk to the rights and freedoms of natural persons. DPIAs must describe the processing operations, assess their necessity and proportionality, evaluate risks, and identify mitigation measures. The supervisory authority must be consulted if residual risks remain high after mitigation.

GDPR
Related: Data Protection Officer (DPO) · Supervisory Authority · Risk Treatment Plan

Data Protection Officer (DPO)

GDPR Art. 37-39

An independent compliance role required under GDPR for public authorities and organisations whose core activities involve regular and systematic monitoring of data subjects at scale, or large-scale processing of special categories of data. The DPO advises on compliance, monitors adherence to GDPR, cooperates with the supervisory authority, and serves as the contact point for data subjects.

GDPR
Related: Supervisory Authority · Data Controller

Data Subject

GDPR Art. 4(1), Chapter III

An identified or identifiable natural person whose personal data is being collected, held, or processed. Data subjects have specific rights under the GDPR, including the right of access, rectification, erasure, data portability, and the right to object to certain types of processing.

GDPR
Related: Personal Data · Data Subject Access Request (DSAR) · Right to Erasure

Data Subject Access Request (DSAR)

GDPR Art. 15

A request by a data subject to obtain confirmation from a controller as to whether their personal data is being processed and, if so, to access that data along with supplementary information including the purposes of processing, categories of data, recipients, and retention periods. Controllers must respond within one month, extendable by two months for complex requests.

GDPR
Related: Data Subject · Right to Erasure · Data Portability

Deployer

EU AI Act Art. 3(4), Art. 26

A natural or legal person, public authority, agency, or other body using an AI system under its authority, except where the AI system is used in the course of a personal non-professional activity. Deployers of high-risk AI systems must ensure human oversight, monitor the system's operation, and inform affected individuals about the use of AI in decisions that affect them.

EU AI Act
Related: Provider · High-Risk AI System · Transparency Obligation

Digital Operational Resilience

DORA Art. 3(1)

The ability of a financial entity to build, assure, and review its technological operational integrity by ensuring — either directly or indirectly through the services of ICT third-party providers — the full range of ICT-related capabilities needed to address the security of the network and information systems that the financial entity uses. DORA establishes a harmonised EU framework for achieving this resilience.

DORA
Related: ICT Risk · Operational Resilience Testing
E

Early Warning

NIS2 Directive Art. 23(4)(a)

The initial notification that an essential or important entity must submit to its CSIRT or competent authority within 24 hours of becoming aware of a significant incident. The early warning must indicate whether the incident is suspected to be caused by unlawful or malicious acts and whether it could have cross-border impact. A fuller incident notification follows within 72 hours.

NIS2
Related: Significant Incident · CSIRT

ESA (European Supervisory Authorities)

DORA Art. 31-44

The three EU-level supervisory bodies — the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA), and the European Insurance and Occupational Pensions Authority (EIOPA). Under DORA, the ESAs jointly develop regulatory technical standards and designate critical ICT third-party providers for oversight.

DORA
Related: Lead Overseer · Critical ICT Third-Party Provider

Essential Entity

NIS2 Directive Art. 3(1), Annex I

An organisation operating in a sector of high criticality — such as energy, transport, banking, health, water, digital infrastructure, or public administration — that exceeds the medium-sized enterprise threshold. Essential entities face the strictest supervisory regime under NIS2, including proactive ex-ante supervision by competent authorities.

NIS2
Related: Important Entity · Competent Authority

EU Data Sovereignty

The principle that personal data and regulated data generated within the European Union should be stored, processed, and governed under EU jurisdiction and subject exclusively to EU law. EU data sovereignty encompasses infrastructure residency (data centres within the EU), legal jurisdiction (avoiding exposure to extraterritorial access laws such as the US CLOUD Act), and technological sovereignty (using EU-developed or open-source tooling where feasible).

General
Related: Adequacy Decision · Standard Contractual Clauses (SCCs) · Tenant Isolation

EU-CyCLONe

NIS2 Directive Art. 16

The European Cyber Crises Liaison Organisation Network. EU-CyCLONe supports the coordinated management of large-scale cybersecurity incidents and crises at the operational level. It serves as an intermediary between the technical-level CSIRT Network and the political-level Integrated Political Crisis Response arrangements (IPCR).

NIS2
Related: CSIRT · NIS Cooperation Group

Evidence

Documentation, artefacts, or records that demonstrate the implementation and effectiveness of a compliance control. Evidence types include policies, configuration screenshots, access logs, training records, penetration test reports, and vendor agreements. Auditors rely on evidence to validate that controls are not merely documented but operationally effective.

General
Related: Audit Trail · Control · Internal Audit
F

Foundation Model

EU AI Act Art. 51-56

A large-scale AI model trained on broad data at scale, designed for generality of output, and adaptable to a wide range of distinctive tasks. Under the EU AI Act, foundation models are regulated through the GPAI provisions. Providers of foundation models with systemic risk face additional obligations including adversarial testing, incident monitoring, and ensuring adequate cybersecurity protections.

EU AI Act
Related: General-Purpose AI (GPAI) · Systemic Risk
G

Gap Analysis

A systematic assessment comparing an organisation's current security posture and compliance maturity against the requirements of a specific framework or regulation. Gap analysis identifies deficiencies (gaps) that must be addressed through remediation plans, prioritised by risk severity and regulatory deadlines. It is typically the first step in a compliance implementation programme.

General
Related: Remediation · Compliance Framework · Risk Treatment Plan

General-Purpose AI (GPAI)

EU AI Act Art. 3(63), Art. 51-56

An AI model trained with a large amount of data using self-supervision at scale, that displays significant generality, is capable of competently performing a wide range of distinct tasks, and can be integrated into a variety of downstream systems or applications. Under Art. 53, GPAI providers must maintain technical documentation, put in place a policy to comply with EU copyright law (including rights reservations under the Copyright Directive), and publish a sufficiently detailed summary of the content used for training.

EU AI Act
Related: Foundation Model · Systemic Risk · Provider
H

High-Risk AI System

EU AI Act Art. 6, Annex III

An AI system that is intended to be used as a safety component of a product, or is itself a product, covered by EU harmonisation legislation listed in Annex I, or falls within one of the use cases enumerated in Annex III (e.g., biometric identification, critical infrastructure, employment, law enforcement). High-risk AI systems must comply with strict requirements for data quality, transparency, human oversight, accuracy, robustness, and cybersecurity.

EU AI Act
Related: Risk Classification · Conformity Assessment · Post-Market Monitoring
I

ICT Concentration Risk

DORA Art. 29

The exposure arising from a financial entity's over-reliance on a single ICT third-party provider or a small group of providers, creating systemic vulnerability if that provider experiences a disruption. DORA requires financial entities to identify, monitor, and mitigate ICT concentration risk as part of their third-party risk management strategy.

DORA
Related: Critical ICT Third-Party Provider · Register of Information

ICT Risk

DORA Art. 3(5)

Any reasonably identifiable circumstance relating to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, any technology-dependent tool or process, the operation and processes of a financial entity, or the provision of financial services. ICT risk is the central concept in DORA's risk management framework.

DORA
Related: Digital Operational Resilience · ICT-Related Incident

ICT-Related Incident

DORA Art. 3(8), Art. 19

A single event or a series of linked events unplanned by the financial entity that compromises the security of the network and information systems and has an adverse impact on the availability, authenticity, integrity, or confidentiality of data, or on the services provided by the financial entity. Major ICT-related incidents must be classified and reported to the competent authority.

DORA
Related: ICT Risk · Significant Incident

Important Entity

NIS2 Directive Art. 3(2), Annex II

An organisation operating in sectors listed in NIS2 Annex I or Annex II that meets the medium-sized enterprise threshold but does not qualify as an essential entity. Important entities are subject to ex-post supervision, meaning authorities intervene only upon evidence of non-compliance or after an incident.

NIS2
Related: Essential Entity · Competent Authority

Information Security Policy

ISO/IEC 27001:2022 Clause 5.2

A top-level documented policy, approved by management, that sets the direction and principles for information security within the organisation. The policy must be appropriate to the purpose of the organisation, include a commitment to satisfying applicable requirements, and provide a framework for setting information security objectives. It must be communicated to all relevant parties.

ISO 27001
Related: ISMS · Management Review

Information Sharing Arrangement

DORA Art. 45

A voluntary arrangement among financial entities to exchange cyber threat intelligence, indicators of compromise, tactics, techniques, and procedures (TTPs). DORA explicitly encourages such arrangements to strengthen collective resilience across the financial sector, provided they comply with data protection, competition, and confidentiality rules.

DORA
Related: ICT Risk · Digital Operational Resilience

Internal Audit

ISO/IEC 27001:2022 Clause 9.2

A planned and systematic evaluation conducted by or on behalf of the organisation to assess whether the ISMS conforms to its own requirements and the requirements of ISO 27001, and whether it is effectively implemented and maintained. Internal audits must be conducted at planned intervals and the results reported to management for review and corrective action.

ISO 27001
Related: Management Review · Continual Improvement · Audit Trail

ISMS

ISO/IEC 27001:2022 Clause 4-10

Information Security Management System. A systematic framework of policies, procedures, guidelines, and associated resources managed by an organisation to protect its information assets. ISO 27001 specifies the requirements for establishing, implementing, maintaining, and continually improving an ISMS within the context of the organisation's overall business risks.

ISO 27001
Related: Statement of Applicability (SoA) · Information Security Policy · Continual Improvement
J

Joint Controller

GDPR Art. 26

Two or more controllers that jointly determine the purposes and means of processing personal data. Joint controllers must establish a transparent arrangement defining their respective responsibilities for complying with GDPR obligations — particularly regarding the exercise of data subject rights and the provision of information. The arrangement must reflect the joint controllers' respective roles and relationships vis-a-vis the data subjects.

GDPR
Related: Data Controller · Data Processor
L

Lawful Basis

GDPR Art. 6

One of six legal grounds under GDPR Article 6 that must be established before personal data can be processed: consent, contractual necessity, legal obligation, vital interests, public interest, or legitimate interest. Selecting the appropriate lawful basis is a foundational compliance decision that affects the data subject's rights and the controller's obligations.

GDPR
Related: Consent · Legitimate Interest

Lead Overseer

DORA Art. 33-37

The European Supervisory Authority (EBA, ESMA, or EIOPA) designated to exercise direct oversight over a critical ICT third-party service provider. The Lead Overseer can conduct inspections, issue recommendations, and request remediation plans. If recommendations are not followed, the Lead Overseer can request that financial entities suspend or terminate arrangements with the provider.

DORA
Related: Critical ICT Third-Party Provider · ESA (European Supervisory Authorities)

Legitimate Interest

GDPR Art. 6(1)(f), Recital 47

A lawful basis for processing under GDPR Article 6(1)(f), applicable when processing is necessary for the legitimate interests of the controller or a third party, provided those interests are not overridden by the fundamental rights and freedoms of the data subject. A legitimate interest assessment (LIA) documenting the balancing test is the accepted way to meet the accountability principle; without it, the controller cannot demonstrate that the balancing was done.

GDPR
Related: Lawful Basis · Data Protection Impact Assessment (DPIA)

Lex Specialis

NIS2 Directive Art. 4

A legal principle meaning 'law governing a specific subject matter.' Under NIS2, sector-specific EU legislation (such as DORA for the financial sector) that imposes cybersecurity requirements equivalent to or stricter than NIS2 takes precedence. Entities covered by a lex specialis may be exempt from corresponding NIS2 obligations to avoid regulatory duplication.

NIS2
Related: Digital Operational Resilience
M

Management Body Obligations

NIS2 Directive Art. 20

NIS2 requires the management bodies (boards, executive committees) of essential and important entities to approve cybersecurity risk-management measures, oversee their implementation, and undergo cybersecurity training. Management body members can be held personally liable for non-compliance, making cybersecurity a board-level governance obligation.

NIS2
Related: Cybersecurity Risk-Management Measures

Management Review

ISO/IEC 27001:2022 Clause 9.3

A formal, periodic review by top management of the organisation's ISMS to ensure its continuing suitability, adequacy, and effectiveness. Management reviews must consider the status of previous actions, changes in internal and external issues, nonconformities, monitoring and measurement results, audit results, and opportunities for continual improvement.

ISO 27001
Related: Internal Audit · Continual Improvement · ISMS

Multi-Tenancy

A software architecture in which a single instance of an application serves multiple customers (tenants), with each tenant's data logically or physically isolated from the others. In the EU compliance context, multi-tenancy must be implemented with rigorous tenant isolation — typically through database row-level security policies, per-tenant encryption keys, and strict access controls — to satisfy GDPR data protection and NIS2 security requirements. Isolation that depends on every query remembering to filter by tenant is a control that fails open: a single missed predicate discloses other tenants' data.

General
Related: Tenant Isolation · EU Data Sovereignty
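The row-level security mechanism mentioned above, shown as an added PostgreSQL example that is not part of the FortisEU glossary or of any product it describes. The table name `customers`, the application role `app_user`, the session setting `app.tenant_id`, and the tenant UUIDs are assumptions chosen for illustration. The weak pattern (isolation enforced only by an application-side `WHERE` clause) is shown beside the hardened pattern (isolation enforced by the database regardless of the query text):

```sql
-- Added example (not from the FortisEU glossary): PostgreSQL row-level security
-- as a tenant-isolation control. Assumed names: table customers, role app_user,
-- session setting app.tenant_id. Run the DDL as the schema owner.

CREATE TABLE customers (
    id        bigserial PRIMARY KEY,
    tenant_id uuid NOT NULL,
    email     text NOT NULL
);

-- Weak pattern: isolation relies on every query carrying the tenant predicate.
-- One forgotten WHERE clause returns every tenant's rows.
--   SELECT email FROM customers WHERE tenant_id = '...';

-- Hardened pattern: the database applies the predicate on every access path.
-- The application role must not be the table owner and must not hold BYPASSRLS.
CREATE ROLE app_user LOGIN NOBYPASSRLS;
GRANT SELECT, INSERT, UPDATE, DELETE ON customers TO app_user;
GRANT USAGE, SELECT ON SEQUENCE customers_id_seq TO app_user;

ALTER TABLE customers ENABLE ROW LEVEL SECURITY;
-- FORCE also applies the policy to the table owner; without it the owner
-- bypasses RLS silently (superusers always bypass it).
ALTER TABLE customers FORCE ROW LEVEL SECURITY;

-- The current tenant is carried in a session setting that the application sets
-- after authenticating the request. The second argument `true` makes
-- current_setting() return NULL instead of raising when the setting is absent,
-- so an unscoped session sees zero rows rather than all rows (fail closed).
CREATE POLICY tenant_isolation ON customers
    FOR ALL
    TO app_user
    USING      (tenant_id = current_setting('app.tenant_id', true)::uuid)
    WITH CHECK (tenant_id = current_setting('app.tenant_id', true)::uuid);

-- Per-request usage, executed as app_user. is_local = true scopes the setting
-- to this transaction, so a pooled connection cannot leak the tenant into
-- the next request that reuses it.
BEGIN;
SELECT set_config('app.tenant_id', '11111111-1111-1111-1111-111111111111', true);

INSERT INTO customers (tenant_id, email)
    VALUES ('11111111-1111-1111-1111-111111111111', 'alice@example.com');

-- Returns only this tenant's rows although no WHERE clause is written.
SELECT id, email FROM customers;

-- Rejected by the WITH CHECK clause: a row cannot be written into another
-- tenant's partition even if application code tries to.
--   INSERT INTO customers (tenant_id, email)
--       VALUES ('22222222-2222-2222-2222-222222222222', 'mallory@example.com');
COMMIT;
```

Two checks belong in the evidence set for this control: a query run as `app_user` with no `app.tenant_id` set that is expected to return zero rows, and a listing of roles holding `BYPASSRLS` or `SUPERUSER` confirming the application role is not among them. Policies are per table, so every table that holds tenant data needs its own policy; a schema migration that adds a tenant-scoped table without one reopens the weak pattern.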
N

National Cybersecurity Strategy

NIS2 Directive Art. 7

A comprehensive strategic framework that each EU Member State must adopt under NIS2, setting out cybersecurity objectives, governance structures, risk assessment methodologies, and education programmes. The strategy must also address supply chain security, vulnerability disclosure, and support for SMEs.

NIS2
Related: Competent Authority · NIS Cooperation Group

National Market Surveillance Authority

EU AI Act Art. 70

The authority designated by each EU Member State to supervise the AI systems placed on the market or put into service within its territory. Market surveillance authorities have investigative powers, can request access to training data, can order corrective actions, and can prohibit or restrict the availability of non-compliant AI systems.

EU AI Act
Related: AI Office · Conformity Assessment

NIS Cooperation Group

NIS2 Directive Art. 14

A strategic group composed of representatives of Member States, the European Commission, and ENISA that facilitates strategic cooperation and the exchange of information on NIS2 implementation. The Cooperation Group develops guidance, shares best practices, and coordinates peer reviews of Member State cybersecurity policies.

NIS2
Related: Peer Review · EU-CyCLONe
O

Operational Resilience Testing

DORA Art. 24-25

A range of testing activities — including vulnerability assessments, network security assessments, scenario-based tests, and threat-led penetration testing — that financial entities must perform to evaluate the effectiveness of their ICT risk management and digital operational resilience capabilities. The scope and frequency of testing must be proportionate to the entity's risk profile.

DORA
Related: TLPT (Threat-Led Penetration Testing) · Digital Operational Resilience

Outsourcing Arrangement

DORA Art. 28-30

An arrangement whereby a financial entity uses an ICT third-party service provider to perform processes, services, or activities that would otherwise be performed by the entity itself. DORA imposes specific contractual requirements for outsourcing arrangements supporting critical or important functions, including exit strategies and audit rights.

DORA
Related: Register of Information · Sub-outsourcing
P

Peer Review

NIS2 Directive Art. 19

A mechanism established under NIS2 whereby Member States voluntarily submit their cybersecurity policies, capabilities, and NIS2 implementation to review by designated experts from other Member States. Peer reviews aim to improve the overall level of cybersecurity maturity across the Union and foster mutual learning.

NIS2
Related: NIS Cooperation Group

Personal Data

GDPR Art. 4(1)

Any information relating to an identified or identifiable natural person (data subject). An identifiable natural person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, identification number, location data, online identifier, or factors specific to their physical, physiological, genetic, mental, economic, cultural, or social identity.

GDPR
Related: Data Subject · Data Controller · Data Processor

Post-Market Monitoring

EU AI Act Art. 72

A systematic process that providers of high-risk AI systems must establish to collect, document, and analyse relevant data on the performance of their AI systems throughout their lifecycle. Post-market monitoring aims to identify and address non-conformities, verify continued compliance, and enable timely corrective action. Serious incidents must be reported to market surveillance authorities.

EU AI Act
Related: High-Risk AI System · Provider · National Market Surveillance Authority

Prohibited AI Practice

EU AI Act Art. 5

An AI application that is banned outright under the EU AI Act due to its unacceptable risk to fundamental rights and safety. Prohibited practices include social scoring of natural persons (by public or private actors) that leads to detrimental or disproportionate treatment, real-time remote biometric identification in publicly accessible spaces for law enforcement purposes (with narrow, authorised exceptions), manipulative or deceptive techniques and the exploitation of vulnerabilities that distort behaviour and cause significant harm, and emotion recognition in workplaces and educational institutions (except for medical or safety reasons).

EU AI Act
Related: Risk Classification · AI System

Proportionality Principle

DORA Art. 4

A foundational DORA principle requiring that ICT risk management, testing, and reporting obligations be applied in a manner proportionate to the size, risk profile, nature, scale, and complexity of the financial entity's activities. Microenterprises and certain smaller entities benefit from a simplified ICT risk management framework under DORA's proportionality rules.

DORA
Related: ICT Risk · Digital Operational Resilience

Provider

EU AI Act Art. 3(3)

A natural or legal person, public authority, agency, or other body that develops an AI system or a general-purpose AI model, or that has an AI system or GPAI model developed on its behalf, and places it on the market or puts it into service under its own name or trademark. Providers bear the primary compliance obligations under the EU AI Act, including conformity assessment and post-market monitoring.

EU AI Act
Related: Deployer · Conformity Assessment
R

Register of Information

DORA Art. 28(3)

A mandatory register that financial entities must maintain documenting all contractual arrangements with ICT third-party service providers. The register must cover the nature of the services, subcontractors, data locations, and criticality assessments. It must be kept up to date and made available to competent authorities upon request.

DORA
Related: Critical ICT Third-Party Provider · Outsourcing Arrangement · Sub-outsourcing

Regulatory Sandbox

A supervised environment established by a regulatory authority that allows organisations to test innovative products, services, or business models under relaxed or tailored regulatory conditions for a limited period. In the EU, regulatory sandboxes are mandated by the EU AI Act for AI systems and have been adopted voluntarily by several financial supervisory authorities for fintech innovation under DORA-adjacent initiatives.

General
Related: AI Regulatory Sandbox · Competent Authority

Remediation

The process of addressing identified compliance gaps, vulnerabilities, or audit findings by implementing corrective actions — such as deploying new controls, updating policies, or reconfiguring systems. Effective remediation includes assigning ownership, setting deadlines, tracking progress, and verifying that the corrective actions achieve the intended risk reduction.

General
Related: Gap Analysis · Risk Treatment Plan · Control

Right to Erasure

GDPR Art. 17

Also known as the 'right to be forgotten.' A data subject's right to obtain from the controller the erasure of their personal data without undue delay when the data is no longer necessary for its original purpose, consent is withdrawn, the subject objects to processing, or the data was unlawfully processed. The right is not absolute and may be overridden by legal obligations or public interest considerations.

GDPR
Related: Data Subject Access Request (DSAR) · Data Subject

Risk Appetite

The amount and type of risk that an organisation is willing to accept in pursuit of its objectives. Risk appetite is set at the board level and provides the strategic boundary within which risk management decisions are made. It differs from risk tolerance, which defines the acceptable deviation from risk appetite thresholds for specific risk categories or individual risks.

General
Related: Risk Tolerance · Risk Treatment Plan

Risk Classification

EU AI Act Art. 5-6, Title III-IV

The EU AI Act's four-tier classification system that determines the regulatory obligations applicable to an AI system: unacceptable risk (prohibited), high risk (strict requirements), limited risk (transparency obligations), and minimal risk (voluntary codes of conduct). The classification is determined primarily by the intended purpose and context of use of the AI system.

EU AI Act
Related: High-Risk AI System · Prohibited AI Practice · Transparency Obligation

Risk Tolerance

The specific boundaries of acceptable risk variation for a particular risk category, defined within the broader risk appetite. While risk appetite expresses strategic willingness (e.g., 'we accept moderate operational risk'), risk tolerance provides measurable thresholds (e.g., 'system downtime must not exceed 4 hours per quarter'). Tolerance levels guide control selection and monitoring thresholds.

General
Related: Risk Appetite · Control · ICT Risk

Risk Treatment Plan

ISO/IEC 27001:2022 Clause 6.1.3

A documented plan specifying the actions, responsibilities, timelines, and resources for implementing the controls selected to address identified information security risks. The risk treatment plan operationalises the risk assessment output and the Statement of Applicability, assigning clear ownership for each treatment action and tracking implementation to completion.

ISO 27001
Related: Statement of Applicability (SoA) · Annex A Controls · Risk Appetite
S

Significant Incident

NIS2 Directive Art. 23(3)

A security incident that has caused or is capable of causing severe operational disruption or financial loss, or has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage. NIS2 requires significant incidents to be notified to the CSIRT or competent authority within 24 hours (early warning), with a full notification within 72 hours.

NIS2
Related: Early Warning · CSIRT · Voluntary Notification

Standard Contractual Clauses (SCCs)

GDPR Art. 46(2)(c)

Pre-approved sets of contractual terms adopted by the European Commission that provide appropriate data protection safeguards for international transfers of personal data to third countries lacking an adequacy decision. Following the Schrems II judgment (CJEU C-311/18), SCCs must be supplemented by a transfer impact assessment evaluating whether the destination country's legal framework ensures an essentially equivalent level of protection.

General · GDPR
Related: Adequacy Decision · Binding Corporate Rules (BCRs) · EU Data Sovereignty

Statement of Applicability (SoA)

ISO/IEC 27001:2022 Clause 6.1.3(d)

A documented statement listing all the controls from ISO 27001 Annex A, indicating which are applicable and which are not, with justification for exclusions. The SoA is a core artefact of the ISMS certification process, bridging the risk assessment findings with the selected controls and demonstrating that the organisation has considered all relevant security measures.

ISO 27001
Related: Annex A Controls · Risk Treatment Plan · ISMS

Sub-outsourcing

DORA Art. 29(2)

The practice whereby an ICT third-party service provider delegates part of the outsourced services to another provider (a subcontractor). DORA requires financial entities to identify and monitor sub-outsourcing chains, ensure contractual provisions allow oversight, and assess the risks introduced by sub-outsourcing, particularly for critical or important functions.

DORA
Related: Outsourcing Arrangement · Register of Information

Supervisory Authority

GDPR Art. 51-59

An independent public authority established by each EU Member State to monitor the application of the GDPR. Supervisory authorities — commonly known as Data Protection Authorities (DPAs) — investigate complaints, conduct audits, issue corrective measures, and can impose administrative fines of up to 4% of annual global turnover or EUR 20 million, whichever is higher.

GDPR
Related: Competent Authority · Data Protection Officer (DPO)

Supply Chain Security

NIS2 Directive Art. 21(2)(d)

The set of obligations under NIS2 requiring entities to evaluate and address cybersecurity risks within their supply chains and supplier relationships. Entities must consider the security practices of their direct suppliers, the vulnerabilities specific to each supplier, and the overall quality of products and services. DORA extends this concept further for financial entities with ICT third-party provider oversight.

NIS2
Related: Critical ICT Third-Party Provider · Sub-outsourcing · ICT Concentration Risk

Systemic Risk

EU AI Act Art. 3(65), Art. 51

A risk specific to the high-impact capabilities of general-purpose AI models, where the model's reach or actual negative effects — including major accidents, disruptions to critical sectors, or serious consequences for public health and safety — are significant at Union level due to the model's scale or the breadth of its downstream use. GPAI models exceeding a cumulative compute threshold of 10^25 FLOPs are presumed to pose systemic risk.

EU AI Act
Related: General-Purpose AI (GPAI) · Foundation Model
T

Tenant Isolation

The security principle ensuring that data belonging to one tenant in a multi-tenant system cannot be accessed, modified, or inferred by another tenant. Implementation techniques include database row-level security (RLS) with tenant-scoped policies, per-tenant encryption keys, network segmentation, and strict API-level access controls. Tenant isolation is a non-negotiable requirement for cloud-based compliance platforms operating under EU data protection regulations.

General
Related: Multi-Tenancy · EU Data Sovereignty

TIBER-EU

DORA Recital 46, Art. 26(11)

Threat Intelligence-Based Ethical Red Teaming. The ECB-developed framework that provides a controlled, bespoke methodology for intelligence-led red team tests of financial entities' critical live production systems. DORA's TLPT requirements are built on TIBER-EU principles, and Member States may recognise TIBER-EU tests as fulfilling DORA's TLPT obligations.

DORA
Related: TLPT (Threat-Led Penetration Testing)

TLPT (Threat-Led Penetration Testing)

DORA Art. 26-27

A form of advanced testing mandated by DORA for certain financial entities, modelled on the TIBER-EU framework. TLPT simulates the tactics, techniques, and procedures of real threat actors against live production systems of financial entities. TLPT must be conducted at least every three years using qualified external testers, and results must be reported to competent authorities.

DORA
Related: TIBER-EU · Operational Resilience Testing

Transparency Obligation

EU AI Act Art. 50

Requirements under the EU AI Act for certain AI systems to ensure that users and affected individuals are informed about their interaction with AI. Systems that interact with natural persons (e.g., chatbots) must disclose that the user is interacting with AI. AI-generated deepfakes, synthetic text, and emotionally manipulative content must be labelled as such.

EU AI Act
Related: Deployer · Risk Classification
V

Voluntary Notification

NIS2 Directive Art. 30

NIS2 permits entities — including those not classified as essential or important — to submit voluntary notifications about incidents, cyber threats, or near misses to their CSIRT or competent authority. Voluntary notifications are processed under the same procedures as mandatory notifications, without imposing additional obligations on the reporting entity.

NIS2
Related: Significant Incident · CSIRT

From Definitions to Implementation

Understanding the terminology is the first step. FortisEU turns NIS2, DORA, GDPR, and EU AI Act requirements into automated workflows, evidence collection, and audit-ready outputs — so your team can move from reading definitions to demonstrating compliance.