49 key terms from GDPR, NIS2, AI Act, DORA, CRA, DSA, CSRD, MiCA, and more — clearly defined and linked to their source regulations.
EU regulations use precise legal terminology that can be unfamiliar to developers, business leaders, and even legal professionals new to EU law. Understanding these terms is essential for correctly interpreting your obligations. Each definition below is grounded in the actual text of the relevant regulation.
Any information relating to an identified or identifiable natural person (data subject). Includes names, email addresses, IP addresses, location data, and online identifiers. GDPR Article 4(1).
The natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. GDPR Article 4(7).
A natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller. GDPR Article 4(8).
An identified or identifiable natural person whose personal data is processed. GDPR Article 4(1).
One of six legal grounds required for processing personal data: consent, contract, legal obligation, vital interests, public task, or legitimate interests. GDPR Article 6.
A process to identify and minimise data protection risks. Required when processing is likely to result in a high risk to individuals, particularly when using new technologies. GDPR Article 35.
EU-approved contractual safeguards for transferring personal data outside the EEA to countries without an adequacy decision. Adopted by the European Commission. GDPR Article 46.
A European Commission decision determining that a third country, territory, or sector ensures an adequate level of data protection, permitting data transfers without additional safeguards. GDPR Article 45.
The right of a data subject to obtain erasure of their personal data without undue delay, where the data is no longer necessary, consent is withdrawn, or the processing was unlawful. GDPR Article 17.
The right of a data subject to receive their personal data in a structured, commonly used, and machine-readable format, and to transmit it to another controller. GDPR Article 20.
A designated expert responsible for monitoring GDPR compliance, advising the controller/processor, and serving as a contact point for data subjects and supervisory authorities. Required for public authorities, large-scale systematic monitoring, and large-scale processing of special category data. GDPR Articles 37-39.
An independent public authority established by an EU Member State to monitor the application of the GDPR, protect data subject rights, and impose administrative fines. Also known as a Data Protection Authority (DPA). GDPR Article 51.
Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for uniquely identifying a person, health data, or data concerning a person's sex life or sexual orientation. Processing is prohibited unless a specific condition applies. GDPR Article 9.
The GDPR mechanism whereby a controller or processor with establishments in multiple Member States deals primarily with the supervisory authority of its main establishment (lead supervisory authority). GDPR Article 56.
An organisation in a sector of high criticality listed in NIS2 Annex I (energy, transport, banking, financial market infrastructure, health, drinking and waste water, digital infrastructure, public administration, space) that meets the size thresholds, subject to ex-ante supervision (Article 32). Faces maximum administrative fines of at least €10 million or 2% of total worldwide annual turnover, whichever is higher (Article 34). NIS2 Article 3(1).
An organisation in a sector listed in NIS2 Annex II (postal and courier services, waste management, chemicals, food, manufacturing, digital providers, research) that meets the size thresholds, subject to ex-post supervision (Article 33). Faces maximum administrative fines of at least €7 million or 1.4% of total worldwide annual turnover, whichever is higher (Article 34). NIS2 Article 3(2).
Phased reporting obligations for significant incidents: an early warning to the CSIRT or competent authority within 24 hours of becoming aware, an incident notification within 72 hours, an intermediate report on request, and a final report no later than one month after the incident notification (or, if the incident is still ongoing, a progress report followed by a final report within one month of the incident being handled). NIS2 Article 23(4).
Obligation for essential and important entities to assess and manage cybersecurity risks in their supply chain, including risks from third-party service providers. NIS2 Article 21(2)(d).
Advanced testing that mimics the tactics, techniques and procedures of real-world threat actors against a financial entity's live production systems. Required under DORA at least every three years for financial entities identified by their competent authority on the basis of their systemic character and ICT risk profile; built on the TIBER-EU framework. DORA Articles 26-27 (definition in Article 3(17)).
An AI system classified as high risk either because it is a safety component of, or is itself, a product covered by the EU harmonisation legislation in Annex I (for example medical devices or machinery), or because it falls within an Annex III use case: biometrics, critical infrastructure, education, employment, access to essential public and private services, law enforcement, migration and border control, or the administration of justice. Subject to risk management, data governance, technical documentation, transparency, human oversight and conformity assessment requirements. AI Act Article 6 and Annexes I and III.
An AI model that displays significant generality and is capable of competently performing a wide range of distinct tasks, typically trained on large amounts of data at scale. Providers must maintain technical documentation, supply information to downstream providers, adopt a copyright policy and publish a summary of the content used for training (Article 53). Models with systemic risk face additional evaluation, risk-mitigation, incident-reporting and cybersecurity obligations (Articles 51 and 55). AI Act Article 3(63).
AI practices that are banned outright under the AI Act, including social scoring, real-time remote biometric identification in publicly accessible spaces for law enforcement (with narrow exceptions), emotion recognition in workplaces and educational institutions (except for medical or safety reasons), manipulative subliminal techniques, and untargeted scraping of facial images to build recognition databases. AI Act Article 5.
The process by which a provider demonstrates that a high-risk AI system meets all requirements of the AI Act before placing it on the market. May involve self-assessment or third-party assessment by a notified body. AI Act Article 43.
Voluntary codes drawn up with the AI Office and GPAI providers to help providers meet their obligations. A provider that adheres to an approved code may rely on it to demonstrate compliance until a harmonised standard is published; a formal presumption of conformity attaches to harmonised standards (Article 40). AI Act Articles 53(4) and 56.
An undertaking providing ICT services (digital and data services provided through ICT systems, including cloud computing, software, data analytics and data centre services) to financial entities. Providers designated as critical by the European Supervisory Authorities are subject to direct EU-level oversight under DORA. DORA Article 3(19); critical providers Article 3(23) and Article 31.
One of 20 categories of regulated financial institutions to which DORA applies, including credit institutions, payment institutions, investment firms, crypto-asset service providers, insurers, central counterparties, and trading venues. DORA Article 2(1) and (2).
The comprehensive internal governance and control framework that financial entities must implement to manage ICT risk, covering identification, protection and prevention, detection, response and recovery, and learning and evolving. DORA Article 6, with the individual functions in Articles 8 to 13.
The three EU financial supervisory authorities (EBA, EIOPA, ESMA) that designate critical ICT third-party service providers and oversee them under DORA's oversight framework, one ESA acting as Lead Overseer for each designated provider. DORA Articles 31-44.
Any software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately. Covers IoT devices, operating systems, firmware, routers, and standalone software. CRA Article 3(1).
A formal, machine-readable record of the components used in building software and their supply-chain relationships. Under the CRA, manufacturers must draw one up for every product with digital elements, in a commonly used and machine-readable format, covering at least the top-level dependencies; it forms part of the technical documentation. CRA Annex I Part II(1) and Annex VII.
The requirement that products with digital elements are designed, developed and produced in a way that ensures an appropriate level of cybersecurity based on the risks, and are delivered without known exploitable vulnerabilities and with a secure-by-default configuration. CRA Article 13(1) and Annex I Part I.
Obligation for manufacturers to identify, document, remediate and responsibly disclose vulnerabilities, and to provide security updates without delay and free of charge for the support period. Actively exploited vulnerabilities must be reported through the single reporting platform to ENISA and the coordinating CSIRT: an early warning within 24 hours of becoming aware, a vulnerability notification within 72 hours, and a final report no later than 14 days after a corrective or mitigating measure is available. CRA Article 14 and Annex I Part II.
A legal person, other than a manufacturer, that systematically provides sustained support for the development of specific free and open-source products with digital elements intended for commercial activities and ensures their viability (typically a foundation or similar body). Introduced by the CRA with lighter obligations focused on a documented cybersecurity policy and cooperation on vulnerability handling. CRA Article 3(14) and Article 24.
An online platform reaching 45 million or more monthly active users in the EU (approximately 10% of the EU population). Subject to the most stringent DSA obligations including risk assessments, audits, and data access for researchers. DSA Article 33.
A mechanism that allows users to notify an online platform of illegal content. Platforms must provide an easily accessible, user-friendly mechanism for submitting notices. DSA Article 16.
A notification provided to the recipient of a service when content is removed or access is restricted, explaining the reason and available redress mechanisms. DSA Article 17.
The CSRD requirement to assess sustainability topics from two perspectives: impact materiality (the company's impacts on people and the environment) and financial materiality (sustainability matters that create financial risks or opportunities for the company). Accounting Directive (2013/34/EU) Article 19a, as inserted by the CSRD.
The detailed reporting standards adopted by the European Commission that companies must follow when preparing sustainability reports under the CSRD. Covers cross-cutting, environmental, social, and governance standards. Adopted as Commission Delegated Regulation (EU) 2023/2772.
The level of independent assurance required for CSRD sustainability reports. The assurance provider concludes that nothing has come to their attention causing them to believe the report is materially misstated. The CSRD envisaged a later move to reasonable assurance. Audit Directive (2006/43/EC) Article 26a, as inserted by the CSRD.
A crypto-asset that is not an e-money token and purports to maintain a stable value by referencing another value or right, or a combination of them, including one or more official currencies. Commonly called a stablecoin. MiCA Article 3(1)(6).
A crypto-asset that purports to maintain a stable value by referencing the value of a single official currency. Treated as electronic money; may only be issued by credit institutions or electronic money institutions. MiCA Article 3(1)(7).
A legal person or other undertaking whose occupation or business is the professional provision of one or more crypto-asset services, including custody, exchange, trading platform operation, portfolio management, advice, transfer, or order execution, and that is authorised to do so. MiCA Article 3(1)(15); services listed in Article 3(1)(16).
A digital service defined by the DMA that serves as an important gateway between businesses and consumers: online intermediation services, online search engines, online social networking services, video-sharing platform services, number-independent interpersonal communications (messaging) services, operating systems, web browsers, virtual assistants, cloud computing services, and online advertising services. DMA Article 2(2).
The official portal for European Union law, providing free access to EU treaties, legislation, case law, and preparatory documents in all official EU languages. Law4Devs sources all regulatory text verbatim from EUR-Lex.
The unique identifier assigned to each document in EUR-Lex. Format: sector (one digit; 3 = legislation), year (four digits), document type (one letter; R = regulation, L = directive), serial number (four digits, zero-padded). For example, 32016R0679 is the CELEX number for the GDPR (legislation, 2016, Regulation, number 679), and 32022L2555 is the CELEX number for NIS2 (Directive (EU) 2022/2555).
An EU Regulation is directly applicable in all Member States without national transposition. An EU Directive sets binding objectives that Member States must achieve through national legislation, leading to 27 potentially different implementations.
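A small parser for the CELEX format described above, which also derives the regulation-versus-directive distinction from the document-type letter. This is an added example, not code from Law4Devs or EUR-Lex; the sector and document-type tables cover only the codes this page discusses (EUR-Lex defines more), and the `url` property uses EUR-Lex's public `legal-content/.../?uri=CELEX:` lookup pattern. Mapping the CELEX serial number back to the number in an act's title is reliable for modern numbering such as 2016/679 but is not guaranteed for every older act.

```python
"""Parse, validate and build EUR-Lex CELEX numbers (added example)."""
import re
from dataclasses import dataclass

# Sector digit (first character). Partial table: only the sectors named here.
SECTORS = {
    "1": "Treaties",
    "2": "International agreements",
    "3": "Legislation",
    "4": "Complementary legislation",
    "5": "Preparatory acts",
    "6": "Case-law",
}

# Document-type letter for sector 3 (legislation), limited to the types on this page.
DOC_TYPES = {
    "R": "Regulation",   # directly applicable in every Member State
    "L": "Directive",    # binds Member States to a result; needs transposition
    "D": "Decision",
}

CELEX_RE = re.compile(
    r"^(?P<sector>[0-9])(?P<year>\d{4})(?P<doc_type>[A-Z])(?P<number>\d{4})$"
)


@dataclass(frozen=True)
class Celex:
    sector: str
    year: int
    doc_type: str
    number: int

    def __str__(self) -> str:
        # Serial numbers are zero-padded to four digits (0679, not 679).
        return f"{self.sector}{self.year}{self.doc_type}{self.number:04d}"

    @property
    def sector_name(self) -> str:
        return SECTORS.get(self.sector, "other")

    @property
    def citation(self) -> str:
        """Short citation such as 'Regulation 2016/679' (no (EU)/(EC) suffix)."""
        return f"{DOC_TYPES[self.doc_type]} {self.year}/{self.number}"

    @property
    def needs_transposition(self) -> bool:
        """Directives require national implementing law; regulations do not."""
        return self.doc_type == "L"

    @property
    def url(self) -> str:
        """EUR-Lex lookup of the document by CELEX number (public URL pattern)."""
        return f"https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:{self}"


def parse_celex(celex: str) -> Celex:
    """Split a CELEX string into its fields; raises ValueError on malformed input."""
    m = CELEX_RE.match(celex.strip())
    if m is None:
        raise ValueError(f"not a CELEX number: {celex!r}")
    sector, doc_type = m["sector"], m["doc_type"]
    if sector == "3" and doc_type not in DOC_TYPES:
        raise ValueError(f"unsupported legislation type {doc_type!r} in {celex!r}")
    return Celex(sector, int(m["year"]), doc_type, int(m["number"]))


def is_valid_celex(celex: str) -> bool:
    """True when the string parses under the rules above."""
    try:
        parse_celex(celex)
    except ValueError:
        return False
    return True


def celex_for_act(kind: str, year: int, number: int) -> Celex:
    """Build the legislation CELEX number from a citation such as Directive 2022/2555."""
    letters = {name: code for code, name in DOC_TYPES.items()}
    if kind not in letters:
        raise ValueError(f"unknown act type {kind!r}")
    if not 0 < number < 10000:
        raise ValueError("CELEX serial numbers have at most four digits")
    return Celex("3", year, letters[kind], number)


if __name__ == "__main__":
    for ref in ("32016R0679", "32022L2555", "32022R2554"):
        c = parse_celex(ref)
        mode = "transposition" if c.needs_transposition else "direct"
        print(ref, c.sector_name, c.citation, mode, c.url)
    print(celex_for_act("Regulation", 2024, 1689))  # the AI Act, 2024/1689
```

`parse_celex` rejects lower-case type letters and unknown legislation types rather than guessing, so a typo in a citation fails loudly instead of producing a plausible-looking but wrong EUR-Lex link.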
The principle that certain EU regulations apply to organisations established outside the EU if they offer goods or services to EU residents or monitor their behaviour. Applies to GDPR, DSA, AI Act, and several other frameworks.
A non-legislative act adopted by the European Commission under powers delegated by the co-legislators (Parliament and Council). Delegated acts supplement or amend specific non-essential elements of a legislative act. Used extensively under the CRA, AI Act, and DORA.
Detailed technical specifications developed by European Supervisory Authorities and adopted by the Commission to ensure consistent harmonisation of specific aspects of EU financial regulation. Used under DORA and PSD2.
Every term in this glossary comes from actual EU regulations — accessible as structured JSON via Law4Devs.