EuroComply

EU Compliance Glossary

Plain-language definitions for 31 EU regulatory terms — GDPR, AI Act, NIS2, DORA, CRA, and more. No legal jargon without explanation.

A

Annex IV Technical Documentation

AI Act

Required for high-risk AI systems under EU AI Act Article 11. Annex IV specifies what the documentation must contain: system description and purpose, design specifications, training data and methodology, testing results, risk management system, human oversight measures, and post-market monitoring plan. Must be kept up to date and made available to regulators on request.

B

BCRs — Binding Corporate Rules

GDPR

Binding Corporate Rules are internal data protection policies that multinational corporations can use to transfer personal data within their corporate group to countries outside the EU/EEA. BCRs must be approved by a lead Data Protection Authority and are a significant undertaking — typically taking 1–2 years to obtain approval.

C

Cyber Resilience Act (CRA)

CRA

Regulation (EU) 2024/2847 establishes cybersecurity requirements for products with digital elements: hardware and software placed on the EU market, together with the remote data-processing components they depend on. Manufacturers must assess cybersecurity risks, apply security by design and by default, ship without known exploitable vulnerabilities, provide security updates for the product's support period (at least five years unless the product's expected lifetime is shorter), and report actively exploited vulnerabilities and severe incidents to ENISA through the single reporting platform, starting with an early warning within 24 hours. The reporting obligations apply from September 11, 2026; most other requirements apply from December 11, 2027.

Conformity Assessment

AI Act

The procedure by which a provider demonstrates that a high-risk AI system meets the AI Act's requirements before it is placed on the market or put into service. For most Annex III systems (points 2 to 8) the provider performs an internal conformity assessment under Annex VI (self-assessment). Systems in Annex III point 1 (biometrics: remote biometric identification, biometric categorisation, emotion recognition) must be assessed by a notified body under Annex VII unless the provider has fully applied harmonised standards or common specifications, and high-risk systems that are also products regulated under the Annex I Section A legislation (machinery, medical devices and similar) follow the conformity procedure of that sectoral law. A substantial modification to the system triggers a new assessment.

CE Marking

AI Act

The CE mark indicates that a product meets EU safety, health, and environmental requirements. For high-risk AI systems, affixing a CE mark requires completing a conformity assessment, drawing up an EU declaration of conformity, and registering the system in the EU AI Act database. The CE mark must be affixed before the system is placed on the EU market.

D

DORA

DORA

The Digital Operational Resilience Act (Regulation (EU) 2022/2554) applies to financial entities and their critical ICT third-party providers. It requires ICT risk management frameworks, incident classification and reporting, regular resilience testing, and contractual requirements for third-party ICT providers. Fully applicable since January 17, 2025.

DSA — Digital Services Act

DSA

Regulation (EU) 2022/2065 sets obligations for online intermediaries and platforms. Very large platforms and search engines (over 45 million EU users) face the strictest requirements, including algorithmic transparency, risk assessments, and independent audits. Obligations scale by platform size and type.

DPA — Data Protection Authority

GDPR

Each EU/EEA member state has at least one national Data Protection Authority (the GDPR's 'supervisory authority') responsible for enforcing GDPR and related data protection laws; Germany has a federal authority (BfDI) plus one per Land, and the Land authorities supervise most private companies. For cross-border processing, the authority of your main establishment in the EU is your lead supervisory authority under the one-stop-shop mechanism (Article 56). Examples: CNIL (France), DPC (Ireland), AEPD (Spain). The UK's ICO is no longer an EU DPA: since Brexit it enforces the separate UK GDPR, so UK processing is assessed in parallel.

DPO — Data Protection Officer

GDPR

A Data Protection Officer is mandatory under GDPR Article 37 for public authorities, and for organisations whose core activities involve regular and systematic monitoring of individuals on a large scale or large-scale processing of special category or criminal conviction data (some member states, notably Germany, add lower national thresholds). The DPO monitors GDPR compliance, advises on DPIAs, must be involved early and independently in all data protection matters (Article 38), and is the contact point for the supervisory authority and for data subjects.

DPIA — Data Protection Impact Assessment

GDPR

Required under GDPR Article 35 before processing that is likely to result in a high risk to individuals, such as systematic profiling with legal or similarly significant effects, large-scale processing of special categories, or systematic monitoring of publicly accessible areas; supervisory authorities also publish lists of processing that always needs one (Article 35(4)). The DPIA must describe the processing, assess necessity and proportionality, identify risks, and document mitigating measures. If the residual risk remains high, the controller must consult the supervisory authority before starting (Article 36).

Data Subject Rights

GDPR

GDPR grants individuals eight rights: access (Article 15), rectification (Article 16), erasure (Article 17, the 'right to be forgotten'), restriction of processing (Article 18), data portability (Article 20), objection (Article 21), not to be subject to solely automated decisions with legal or similarly significant effects (Article 22), and the right to be informed (Articles 13 and 14). Requests must be answered within one month, extendable by two further months for complex or numerous requests provided the individual is told of the extension within the first month (Article 12(3)); responses are free of charge unless the request is manifestly unfounded or excessive.

E

EU AI Act

AI Act

Regulation (EU) 2024/1689, the first comprehensive horizontal AI regulation. It classifies AI systems into four risk tiers (minimal, limited, high, unacceptable) and imposes obligations proportionate to risk. High-risk AI systems must be registered, documented, and assessed before deployment. Obligations phase in: the Article 5 prohibitions have applied since February 2, 2025, GPAI obligations since August 2, 2025, most high-risk (Annex III) obligations from August 2, 2026, and high-risk systems embedded in Annex I products from August 2, 2027.

Essential Entity (NIS2)

NIS2

NIS2 Directive Article 3 classifies organisations in the Annex I high-criticality sectors as 'essential entities' if they exceed the ceiling for medium-sized enterprises (250+ employees, or turnover above €50M and balance sheet above €43M). Some are essential regardless of size, including qualified trust service providers, TLD registries, DNS service providers and entities designated as critical under the CER Directive. Essential entities are subject to stricter supervision (proactive, ex ante as well as ex post) and higher penalty ceilings (up to €10M or 2% of global annual turnover, whichever is higher), and their management bodies carry personal responsibility for approving and overseeing the security measures.

EU Data Residency

The requirement that data be stored and processed within the European Union or European Economic Area. Relevant for GDPR compliance (Chapter V transfers), public sector procurement, and sectors with regulatory requirements (healthcare, finance, defence). Not the same as data sovereignty — residency is about location, sovereignty is about who has access.

EU AI Act Database

AI Act

A public EU-level database (Article 71), set up and maintained by the European Commission in collaboration with the member states. Providers must register Annex III high-risk systems before placing them on the market (Article 49(1)), and must also register systems they have concluded are not high-risk under the Article 6(3) exemption (Article 49(2)). Deployers that are public authorities or bodies, or act on their behalf, must register their use as well (Article 49(3)). Entries for law enforcement, migration, asylum and border control systems (Annex III points 1, 6 and 7 in those areas) go into a restricted, non-public section. The database lets market surveillance authorities and the public see which high-risk AI systems are on the market.

G

GDPR

GDPR

The General Data Protection Regulation (Regulation (EU) 2016/679) is the EU's primary data protection law. Applicable since May 25, 2018, it covers any organisation established in the EU that processes personal data, and any organisation outside the EU that offers goods or services to people in the EU or monitors their behaviour (Article 3), wherever the processing physically takes place. Maximum fines are €20 million or 4% of global annual turnover, whichever is higher.

GPAI — General Purpose AI

AI Act

General Purpose AI models (EU AI Act Chapter V, applicable since August 2, 2025) are AI models trained on broad data that can perform a wide range of tasks. Providers must maintain technical documentation, give downstream integrators the information they need, put in place a copyright compliance policy, and publish a sufficiently detailed summary of the training content. GPAI models with 'systemic risk' (presumed when cumulative training compute exceeds 10^25 FLOPs, a threshold the Commission can update) face additional obligations: model evaluation including adversarial testing, assessment and mitigation of systemic risks, serious incident reporting, and adequate cybersecurity for the model and its infrastructure.

H

High-Risk AI System

AI Act

Defined in EU AI Act Article 6 with Annex I and Annex III. There are two routes in: a system that is a safety component of, or is itself, a product covered by the Annex I harmonisation legislation and requires third-party conformity assessment under that law; or a system used in an Annex III area: biometrics, critical infrastructure, education and vocational training, employment, access to essential services (credit, insurance, public benefits, emergency services), law enforcement, migration and border control, and administration of justice and democratic processes. Article 6(3) lets a provider document that an Annex III system does not pose a significant risk (for example, it only performs a narrow procedural task), but any profiling of natural persons remains high-risk. High-risk systems require conformity assessment, Annex IV documentation, registration in the EU database, and human oversight.

I

Important Entity (NIS2)

NIS2

NIS2 Directive Article 3 classifies in-scope organisations that do not qualify as essential as 'important entities'. In practice these are medium-sized entities (50–249 employees, or turnover between €10M and €50M) in the Annex I and Annex II sectors, plus large entities in the Annex II sectors. Important entities are subject to reactive (ex post) supervision and lower penalty ceilings (up to €7M or 1.4% of global annual turnover, whichever is higher). Both essential and important entities must implement the Article 21 security measures and the Article 23 incident reporting.

Incident Reporting (NIS2)

NIS2

NIS2 Article 23 requires essential and important entities to notify their national CSIRT (Computer Security Incident Response Team) or competent authority of significant incidents. Timeline: an early warning within 24 hours of becoming aware (stating whether malicious action is suspected and whether there is cross-border impact), an incident notification within 72 hours with an initial assessment of severity and indicators of compromise, intermediate reports on request, and a final report within one month of the incident notification (or a progress report if the incident is still ongoing). Recipients of the service must also be informed where the incident is likely to affect them. An incident is 'significant' if it has caused or can cause severe operational disruption or financial loss, or considerable material or non-material damage to other persons.

L

Lawful Basis for Processing

GDPR

GDPR Article 6 requires every processing activity to have a lawful basis. The six bases are: consent, contract performance, legal obligation, vital interests, public task, and legitimate interests. Consent requires a specific, informed, freely given, and unambiguous indication of agreement, and must be as easy to withdraw as to give. Legitimate interests requires a documented balancing test against the individual's interests. Special category data (health, biometrics, political opinions and so on) additionally needs one of the Article 9 conditions, such as explicit consent.

N

NIS2 Directive

NIS2

Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union. In force since January 16, 2023, with a transposition deadline of October 17, 2024, it replaces the original NIS Directive and significantly broadens its scope. Because it is a directive, the binding obligations come from each member state's implementing law, and several states transposed late. Organisations in 18 sectors (11 high-criticality sectors in Annex I, 7 other critical sectors in Annex II) are classified as 'essential' or 'important' entities and must implement the Article 21 security measures and report significant incidents within 24 hours (early warning) and 72 hours (notification).

Notified Body

AI Act

A third-party conformity assessment body designated by an EU member state and notified to the European Commission. For the AI Act, certain high-risk AI systems (the biometric systems in Annex III point 1, and product-embedded systems whose sectoral law already requires third-party assessment) must be assessed by a notified body rather than through the provider's internal control. Notified bodies are accredited, audited organisations, not government agencies, and must be independent of the providers they assess.

P

Privacy by Design

GDPR

GDPR Article 25 requires 'data protection by design and by default' — building data protection into systems and processes from the outset, not as an afterthought. Default settings must be the most privacy-protective option. In practice: minimal data collection, pseudonymisation, access controls, and retention limits embedded at the design stage.

Pseudonymisation

GDPR

Processing personal data in such a way that it can no longer be attributed to a specific individual without additional information (GDPR Article 4(5)), provided that this additional information (the key, the lookup table) is kept separately and protected by technical and organisational measures. Pseudonymised data is still personal data under GDPR, but carries reduced risk: Article 32 names pseudonymisation as an appropriate security measure, Article 25 counts it towards data protection by design, and Articles 6(4) and 89 treat it as a safeguard for compatible further use and research. An unkeyed hash of an identifier such as an email address is not effective pseudonymisation when the identifier space is guessable, because anyone can recompute the hash from candidate values.
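The separation the definition turns on, shown in code. This is an added example, not part of the glossary or any EuroComply tooling: the `Vault` class, the sample records, and the candidate list are constructed for the demonstration. It keeps the HMAC key and the pseudonym-to-identifier table apart from the working dataset, shows that records stay linkable (which is why the output is still personal data), and contrasts a keyed token with the unkeyed `sha256(email)` anti-pattern under a dictionary attack.

```python
import hashlib
import hmac
import secrets

# Constructed sample dataset for the demonstration (not real people).
RECORDS = [
    {"email": "alice@example.org", "country": "DE", "purchase_eur": 42.0},
    {"email": "bob@example.org", "country": "FR", "purchase_eur": 13.5},
    {"email": "alice@example.org", "country": "DE", "purchase_eur": 7.25},
]


class Vault:
    """The 'additional information' of Article 4(5): the HMAC key and the
    token -> identifier table. Held apart from the pseudonymised dataset,
    under separate access controls. Hypothetical helper, not a library API."""

    def __init__(self, key=None):
        self.key = key if key is not None else secrets.token_bytes(32)
        self.table = {}

    def pseudonym(self, identifier):
        # Keyed hash: the same identifier always yields the same token, so
        # records remain linkable for analytics, but nobody without the key
        # can recompute tokens from guessed identifiers.
        mac = hmac.new(self.key, identifier.encode("utf-8"), hashlib.sha256)
        token = mac.hexdigest()[:24]
        self.table[token] = identifier
        return token

    def reidentify(self, token):
        return self.table.get(token)

    def destroy(self):
        # Deleting the key and the table removes the means of attribution;
        # the pseudonymised dataset itself does not need to be touched.
        self.key = None
        self.table.clear()


def pseudonymise(records, vault, id_field="email"):
    """Return a copy of the records with the identifier field replaced."""
    out = []
    for record in records:
        copy = dict(record)
        copy[id_field] = vault.pseudonym(record[id_field])
        out.append(copy)
    return out


def unkeyed_hash(identifier):
    """The common anti-pattern: sha256(email) presented as 'anonymised'."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()[:24]


def dictionary_attack(token, candidates, hash_fn):
    """Recover an identifier by hashing guesses with hash_fn. Works against
    unkeyed hashes; fails against HMAC tokens when the attacker lacks the key."""
    for candidate in candidates:
        if hash_fn(candidate) == token:
            return candidate
    return None


def demo(vault=None):
    vault = vault or Vault()
    pseudo = pseudonymise(RECORDS, vault)
    guesses = ["carol@example.org", "alice@example.org", "bob@example.org"]
    keyed_token = pseudo[0]["email"]
    unkeyed_token = unkeyed_hash(RECORDS[0]["email"])
    result = {
        "linkable": pseudo[0]["email"] == pseudo[2]["email"],
        "reidentified": vault.reidentify(keyed_token),
        "unkeyed_cracked": dictionary_attack(unkeyed_token, guesses, unkeyed_hash),
        "keyed_cracked": dictionary_attack(keyed_token, guesses, unkeyed_hash),
    }
    vault.destroy()
    result["after_destroy"] = vault.reidentify(keyed_token)
    return result


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The working dataset only ever sees tokens; the vault is the asset that turns it back into identifiable data, so it needs its own access control, logging and key rotation plan. Because the tokens are consistent, the dataset still singles out individuals (alice's two purchases are linkable), which is exactly why GDPR keeps treating it as personal data.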

Prohibited AI Practices (Article 5)

AI Act

EU AI Act Article 5 prohibits eight categories of AI practice outright, applicable since February 2, 2025: (a) subliminal or manipulative techniques that distort behaviour and cause significant harm; (b) exploitation of vulnerabilities due to age, disability or social or economic situation; (c) social scoring that leads to detrimental or disproportionate treatment, by public or private actors; (d) predicting the risk that a person commits a criminal offence based solely on profiling or personality traits; (e) untargeted scraping of facial images from the internet or CCTV to build facial recognition databases; (f) emotion recognition in the workplace and in education, except for medical or safety reasons; (g) biometric categorisation that infers race, political opinions, trade union membership, religious beliefs, sex life or sexual orientation; and (h) real-time remote biometric identification in publicly accessible spaces for law enforcement, subject to narrow exceptions with prior authorisation.

R

ROPA — Record of Processing Activities

GDPR

Under GDPR Article 30, controllers and processors must maintain a record of processing activities. The record must include the purposes of processing, categories of data subjects and personal data, recipients, transfers to third countries and their safeguards, retention periods where possible, and a general description of the security measures. Organisations with fewer than 250 employees are exempt only if their processing is occasional, unlikely to result in a risk, and excludes special category or criminal conviction data; since routine HR or customer processing is not occasional, nearly every organisation ends up needing a ROPA.

S

SCCs — Standard Contractual Clauses

GDPR

Standard Contractual Clauses are Commission-approved contract templates that provide an appropriate safeguard (GDPR Article 46) for transferring personal data from the EU/EEA to third countries not covered by an adequacy decision. The current EU SCCs (Implementing Decision (EU) 2021/914, adopted June 2021) come in four modules: controller-to-controller, controller-to-processor, processor-to-processor, and processor-to-controller. Since the Schrems II judgment, the exporter must also carry out a transfer impact assessment of the destination country's law and add supplementary measures (for example, encryption with keys held only in the EU) where that law undermines the clauses. Transfers from the UK use the ICO's International Data Transfer Agreement or the UK Addendum to the EU SCCs.

Sovereignty Audit

An assessment of which of an organisation's digital services and infrastructure are subject to the jurisdiction of non-EU law — particularly the US CLOUD Act, US FISA, and UK IPA. A sovereignty audit maps SaaS tools, cloud providers, and data processors against their legal headquarters and parent company structure to quantify CLOUD Act exposure for data covered by GDPR or sector-specific regulations.

T

TOMs — Technical and Organisational Measures

GDPR / NIS2

Technical and Organisational Measures are the security and privacy safeguards that organisations must implement. Under GDPR Article 32, TOMs include encryption, pseudonymisation, access controls, and incident response. Under NIS2 Article 21, TOMs extend to supply chain security, cryptography policies, multi-factor authentication, and business continuity. TOMs must be appropriate to the risk.

U

US CLOUD Act

The Clarifying Lawful Overseas Use of Data Act (2018) allows US authorities to compel providers subject to US jurisdiction to produce data in their possession, custody or control regardless of where it is stored, including in EU data centres. GDPR Article 48 says a third-country order is enforceable only on the basis of an international agreement such as a mutual legal assistance treaty, so a provider served under the CLOUD Act can face conflicting legal obligations when the data includes EU personal data. Jurisdiction follows the provider, not the data centre: a US parent company or substantial US operations brings a provider within reach, so choosing an 'EU region' alone does not remove exposure. EU-headquartered providers with no US parent and no US establishment are generally outside the Act's reach, but each provider's own US contacts and sub-processors need to be checked rather than assumed.

This glossary covers the key terms you'll encounter in EU regulatory compliance work. Definitions are written for technical practitioners — not as legal advice.