Compliance Dictionary
All the terms you need to know in compliance, data protection, and information security.
Access Control
Access control is the set of mechanisms that ensure only authorised users can reach specific systems, data and resources, and only when they are entitled to.
[ISO 27001] Access Control
Technical and organisational measures ensuring that only authorised users have access to systems and data, based on the need-to-know principle, as required by ISO 27001.
[CIS Controls] Asset Inventory (CIS Control 1)
CIS Control 1 requires organisations to maintain a complete and accurate inventory of all enterprise assets (end-user devices, network devices, servers and IoT devices) so that every asset can be protected and managed.
[ISO 27001] Asset Management
The process of identifying, classifying and protecting an organisation's information assets as part of an ISO 27001 implementation.
[ISO 27001] Annex A Controls
The 93 information security controls in ISO/IEC 27001:2022, grouped into organisational, people, physical and technological themes.
[ISO 27001] Statement of Applicability (SoA)
A mandatory ISO 27001 document that lists which Annex A controls the organisation applies, with a justification for every inclusion and exclusion.
[Security] Backup
A copy of data and systems, kept so that they can be restored after data loss, ransomware or system failure. A backup only counts if restores are tested and at least one copy is kept offline or otherwise out of reach of an attacker who controls the production systems.
[GDPR] Legal Basis for Processing
The legal ground that permits an organisation to process personal data; GDPR Article 6 lists the six available bases, including consent, contract, legal obligation and legitimate interest.
[NIS2] Incident Response Plan
A documented plan for how an organisation detects, handles and recovers from cyberattacks and serious IT incidents, which NIS2 requires as part of its risk-management measures.
[CER] CER Directive
The EU directive on the resilience of critical entities (Directive (EU) 2022/2557), setting requirements for the physical and organisational resilience of providers of essential services.
[CER] CER Sectors
The 11 sectors covered by the CER Directive (energy, transport, banking, financial market infrastructure, health, drinking water, waste water, digital infrastructure, public administration, space, and food), within which national authorities designate the critical entities subject to resilience requirements.
[CIS Controls] CIS Controls
A prioritised set of 18 security controls published by the Center for Internet Security, providing a practical, widely used framework for defending against common cyber threats.
[NIS2] CSIRT
Computer Security Incident Response Team: the national unit responsible for receiving, analysing and coordinating the handling of cybersecurity incidents under NIS2.
[GDPR] Data Processor
A natural or legal person, public authority or other body that processes personal data on behalf of the data controller, as defined in GDPR Article 4(8).
[GDPR] Data Processing Agreement
A written contract between a data controller and a data processor that governs the processing of personal data, with the minimum content required by GDPR Article 28(3).
[CIS Controls] Data Protection (CIS Control 3)
CIS Control 3 covers the processes and technical controls for identifying, classifying, securely handling, retaining and disposing of organisational data.
[GDPR] Data Controller
The natural or legal person, public authority or other body that, alone or jointly with others, determines the purposes and means of processing personal data, as defined in GDPR Article 4(7).
[NIS2] Digital Infrastructure
A NIS2 sector covering organisations that provide foundational digital services, such as DNS service providers, TLD name registries, cloud computing services, data centre services, content delivery networks, trust service providers and public electronic communications networks.
[DORA] Digital Operational Resilience
The ability of a financial entity to build, assure and review its operational integrity and reliability by ensuring, directly or through third-party providers, the ICT capabilities needed to prevent, withstand, respond to and recover from ICT disruptions.
[DORA] DORA
The EU regulation on digital operational resilience for the financial sector (Regulation (EU) 2022/2554), setting requirements for ICT risk management, ICT incident reporting, resilience testing, third-party risk management and information sharing.
[GDPR] DPO (Data Protection Officer)
A person who advises the organisation on its data protection obligations, monitors compliance and serves as the contact point for data subjects and the supervisory authority; mandatory under GDPR Article 37 for public authorities and for organisations whose core activities involve large-scale monitoring of individuals or large-scale processing of special categories of data.
[DORA] Financial Entity
The broad category of organisations within the scope of DORA, including credit institutions, insurers, payment and e-money institutions, investment firms, trading venues and crypto-asset service providers.
[GDPR] GDPR
The EU's General Data Protection Regulation (Regulation (EU) 2016/679), which governs the processing of personal data and establishes rights for data subjects.
[ISO 27001] Incident Management
A structured process for detecting, reporting, assessing and handling information security incidents in order to minimise damage, learn from them and prevent recurrence.
[NIS2] Incident Reporting
NIS2's requirement (Article 23) to report significant incidents to the CSIRT or competent authority in stages: an early warning within 24 hours of becoming aware of the incident, an incident notification within 72 hours, and a final report within one month.
[ISO 27001] Incident Response
The organised approach to detecting, containing, eradicating and recovering from a cybersecurity incident, minimising damage and restoring normal operations.
[DORA] ICT Incident Reporting
DORA's requirement that financial entities classify ICT-related incidents and report major ones to their competent authority using standardised templates and prescribed deadlines for the initial notification, intermediate report and final report.
[DORA] ICT Continuity Plan
A business continuity plan specifically for ICT systems and services, which DORA requires financial entities to document, maintain and test so that operations continue during disruptions.
[DORA] ICT Risk Management
DORA's core requirement that financial entities establish a sound, comprehensive and well-documented framework for identifying, protecting against, detecting, responding to and recovering from risks to information and communication technology.
[DORA] ICT Third-Party Risk
The risk financial entities take on when they rely on ICT service providers. DORA requires contractual guarantees, a register of all ICT third-party arrangements, ongoing monitoring and documented exit strategies to manage it.
[CIS Controls] CIS Implementation Groups
Three tiers (IG1, IG2, IG3) within the CIS Controls that group the individual safeguards according to the organisation's size, available resources and risk profile; IG1 is the baseline of essential cyber hygiene that every organisation should implement.
[DORA] Information Sharing
DORA's framework for the voluntary exchange of cyber threat information and intelligence within trusted communities of financial entities, to strengthen the collective resilience of the sector.
[ISO 27001] Information Security Policy
A top-level document in which management states its direction for and commitment to information security. A mandatory requirement in ISO 27001 (Clause 5.2).
[ISO 27001] Internal Audit
A systematic and independent review of the organisation's ISMS, conducted at planned intervals, to assess conformity with the organisation's own requirements and those of ISO 27001, and whether the ISMS is effectively implemented and maintained (Clause 9.2).
[ISO 27001] ISMS
An Information Security Management System (ISMS) is a systematic framework of policies, processes and controls for managing information security risk. Establishing, implementing, maintaining and continually improving the ISMS is the core requirement of ISO 27001.
[ISO 27001] ISO 27001 Certification
Formal verification by an accredited third-party certification body that an organisation's ISMS meets the requirements of ISO/IEC 27001.
[CIS Controls] Account Management (CIS Control 5)
CIS Control 5 covers the processes for creating, administering, reviewing and deactivating user, administrator and service accounts in order to reduce the risk of unauthorised access.
[ISO 27001] Business Continuity Management
The framework for planning and preparing the organisation to maintain critical business processes and recover quickly after disruptive events; ISO 27001 requires that information security is maintained during disruption and that ICT readiness for business continuity is planned and tested.
[GDPR] Data Protection Impact Assessment (DPIA)
A systematic assessment of how a planned processing activity affects the rights and freedoms of data subjects, required under GDPR Article 35 when the processing is likely to result in a high risk, for example large-scale processing of special categories of data or systematic monitoring of public areas.
[CER] Critical Entity
An organisation designated by national authorities as critical under the CER Directive because it provides an essential service whose disruption would have significant negative consequences for society or the economy.
[DORA] Critical ICT Third-Party Service Provider
An ICT provider designated as critical by the European Supervisory Authorities under DORA, placed under direct EU-level oversight by a Lead Overseer and subject to heightened requirements.
[ISO 27001] Encryption
A technique that transforms data into a form that can only be read by parties holding the correct key. Encryption protects data against unauthorised access at rest and in transit; its protection is only as strong as the management of the keys, which must be generated, stored, rotated and revoked under separate controls.
[NIS2] Management Accountability
NIS2's requirement (Article 20) that management bodies approve and oversee the cybersecurity risk-management measures, undergo training, and can be held liable for the entity's failure to comply.
[ISO 27001] Management Review
A periodic review of the ISMS by top management (Clause 9.3) that evaluates its performance and ensures its continued suitability, adequacy and effectiveness.
[NIS2] Supply Chain Security
NIS2's requirement to assess and manage cybersecurity risks in the supply chain, including the security practices of direct suppliers and service providers and the vulnerabilities of their own suppliers.
[ISO 27001] Supplier Security
Managing the information security risks that come with the use of external suppliers, including security requirements in supplier agreements, monitoring of supplier performance and handling of changes in supplier services.
[ISO 27001] Logging
The automated recording of events in IT systems, used to detect security incidents, investigate breaches and document who accessed which systems and data. Logs must themselves be protected against tampering and retained long enough to support an investigation.
[CIS Controls] Logging and Monitoring (CIS Control 8)
CIS Control 8 covers the collection, retention, protection and analysis of audit logs from systems and applications so that security incidents can be detected and investigated.
[CIS Controls] Email Security (CIS Control 9)
CIS Control 9 covers technical and organisational protections against threats arriving via email and web browsers, including phishing and malware.
[ISO 27001] Multi-Factor Authentication
An authentication method that requires two or more independent factors (something you know, have or are) before access is granted. It greatly reduces the risk posed by stolen or guessed passwords; note that codes delivered by SMS or app can still be relayed by a real-time phishing proxy, whereas phishing-resistant factors such as FIDO2/WebAuthn security keys cannot.
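The one-time-password form of the second factor, as an added worked example (not code from the original page): HOTP (RFC 4226) and TOTP (RFC 6238) using only the Python standard library. The shared secret is the ASCII test secret from the RFCs' own test vectors, so the outputs can be checked against the published values; the 30-second step, the one-step acceptance window and the verifier itself are my choices and are not taken from any product.

```python
"""RFC 4226 HOTP and RFC 6238 TOTP with the standard library only (added example)."""
import hashlib
import hmac
import struct
import time

# Constructed: the 20-byte ASCII reference secret used by the RFC test vectors.
RFC_TEST_SECRET = b"12345678901234567890"
TIME_STEP = 30  # seconds per TOTP window (RFC 6238 default)


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HMAC-based OTP (RFC 4226): HMAC(secret, counter) -> dynamic truncation -> decimal digits."""
    msg = struct.pack(">Q", counter)                      # 8-byte big-endian counter
    mac = hmac.new(secret, msg, algo).digest()
    offset = mac[-1] & 0x0F                               # low nibble of last byte picks a 4-byte window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF  # clear the sign bit
    return str(code % (10 ** digits)).zfill(digits)       # keep leading zeros


def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = TIME_STEP) -> str:
    """Time-based OTP (RFC 6238): HOTP with counter = floor(T / step)."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, candidate: str, unix_time: int, window: int = 1) -> bool:
    """Accept the code for the current step and +/- `window` adjacent steps (clock drift).

    The comparison is constant-time so response timing does not leak how many digits
    matched. A production verifier must also remember the last accepted counter and
    refuse a replay of an already-used code; that state is omitted here.
    """
    counter = unix_time // TIME_STEP
    for delta in range(-window, window + 1):
        expected = hotp(secret, counter + delta, len(candidate))
        if hmac.compare_digest(expected, candidate):
            return True
    return False


if __name__ == "__main__":
    # RFC 6238 Appendix B: T = 59 s -> counter 1 -> 8-digit SHA-1 code 94287082
    print(totp(RFC_TEST_SECRET, 59, digits=8))          # 94287082
    print(verify_totp(RFC_TEST_SECRET, "287082", 59))   # True (6-digit code for the same step)
    print(verify_totp(RFC_TEST_SECRET, "000000", 59))   # False
    print("code right now:", totp(RFC_TEST_SECRET, int(time.time())))
```

The HMAC key never leaves the two parties, so an intercepted code is only useful inside its 30-second window and, with replay tracking, only once; that is the property a shared-secret second factor adds over a password alone.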
[ISO 27001] Network Segmentation
A security measure that divides a network into isolated segments or zones, with traffic between them restricted to what is explicitly permitted, so that access is limited and an attacker who compromises one segment cannot move freely into the others.
[NIS2] NIS2
The EU directive on measures for a high common level of cybersecurity across the Union (Directive (EU) 2022/2555), setting requirements for cybersecurity risk management, incident reporting and supply chain security.
[CER] Notification Obligation
The CER Directive's requirement that critical entities notify the competent authority without undue delay of incidents that significantly disrupt, or could significantly disrupt, the provision of essential services.
[ISO 27001] Penetration Testing
An authorised and controlled simulation of an attack against an organisation's systems, carried out to find and demonstrate exploitable vulnerabilities before a real attacker does.
[GDPR] Personal Data
Any information relating to an identified or identifiable natural person, who can be identified directly or indirectly, for example by a name, an identification number, location data or an online identifier, as defined in GDPR Article 4(1).
[GDPR] Pseudonymisation
A data protection technique (GDPR Article 4(5)) that replaces direct identifiers with artificial pseudonyms so that the data can no longer be attributed to a specific individual without additional information, which is kept separately and protected. Pseudonymised data is still personal data.
[NIS2] Resilience
The ability of an organisation to prevent, absorb, adapt to and recover from incidents that could disrupt the delivery of essential services.
[NIS2] Risk Management
NIS2's requirement to implement appropriate and proportionate technical, operational and organisational measures based on an ongoing assessment of cybersecurity risks, following an all-hazards approach.
[CER] Risk Assessment
The mandatory analysis that critical entities must carry out under the CER Directive to identify the risks, natural and man-made, that could disrupt the delivery of their essential services.
[ISO 27001] Risk Assessment
A systematic process to identify, analyse and evaluate information security risks against defined criteria, which forms the basis for selecting controls in an ISMS (Clause 6.1.2).
[DORA] Resilience Testing
The digital operational resilience testing programme that DORA requires financial entities to run, including vulnerability assessments and scans, scenario-based tests, penetration tests and, for the entities that qualify, threat-led penetration testing (TLPT).
[GDPR] Consent
A freely given, specific, informed and unambiguous indication of the data subject's wishes, given by a statement or a clear affirmative action, by which they agree to the processing of their personal data (GDPR Article 4(11)). Consent must be as easy to withdraw as it was to give.
[NIS2] Sanctions
The administrative fines NIS2 provides for in cases of non-compliance: up to EUR 10 million or 2% of total worldwide annual turnover, whichever is higher, for essential entities, and up to EUR 7 million or 1.4% for important entities.
[CIS Controls] Secure Configuration (CIS Control 4)
CIS Control 4 requires organisations to establish and maintain secure configurations for enterprise assets and software, replacing insecure default settings to minimise the attack surface.
[ISO 27001] Security Awareness
The practice of educating and training employees to recognise and respond to information security threats such as phishing, social engineering and mishandling of data.
[NIS2] Security Measures
The technical, operational and organisational measures that NIS2 Article 21 requires essential and important entities to implement, including risk analysis, incident handling, business continuity, supply chain security, cryptography and encryption, access control and multi-factor authentication.
[CIS Controls] Software Asset Management (CIS Control 2)
CIS Control 2 requires organisations to maintain a complete inventory of authorised software and to actively prevent the installation and execution of unauthorised or unsupported software.
[CIS Controls] Vulnerability Management (CIS Control 7)
CIS Control 7 requires a continuous, structured process for discovering, assessing, prioritising and remediating vulnerabilities in an organisation's systems and software.
[GDPR] Technical and Organisational Measures
The security safeguards an organisation implements to protect personal data under GDPR Article 32, appropriate to the risk and covering both technology-based measures (such as encryption and pseudonymisation) and process-based measures (such as policies, training and regular testing).
[NIS2] Supervision
NIS2's two-tier supervisory regime: essential entities are subject to proactive (ex ante and ex post) supervision, while important entities are supervised reactively (ex post), after evidence or indication of non-compliance.
[DORA] TLPT (Threat-Led Penetration Testing)
An advanced form of penetration testing in which testers emulate the tactics of real threat actors against live production systems, which financial entities identified by their competent authority must carry out under DORA at least every three years, aligned with the TIBER-EU framework.
[NIS2] Essential Entity
An organisation in a NIS2 Annex I sector (the sectors of high criticality) that exceeds the large-enterprise threshold, or is otherwise designated as essential, and is therefore subject to the strictest cybersecurity requirements and to proactive supervisory oversight.
[CER] Essential Service
A service that is crucial for the maintenance of vital societal functions, economic activities, public health and safety or the environment, as defined in the CER Directive.
[NIS2] Important Entity
An organisation in a NIS2 Annex I or Annex II sector that does not meet the criteria for an essential entity, subject to the same cybersecurity requirements but to reactive supervisory oversight and lower maximum fines.
[ISO 27001] Zero Trust
A security model that treats no user, device or network segment as trustworthy by default and requires every access request to be authenticated, authorised and continuously evaluated, regardless of where it originates.
[AI Act] AI Act
The EU's comprehensive regulation on artificial intelligence (Regulation (EU) 2024/1689), which classifies AI systems by risk level and imposes obligations on providers and deployers from development through to deployment and use.
[AI Act] AI Literacy
The AI Act requirement (Article 4) that providers and deployers ensure that their staff and other persons operating AI systems on their behalf have a sufficient level of AI literacy, applicable from 2 February 2025.
[AI Act] AI System
A machine-based system designed to operate with varying levels of autonomy, that may exhibit adaptiveness after deployment, and that infers from its input how to generate outputs such as predictions, content, recommendations or decisions that can influence physical or virtual environments (Article 3(1)).
[AI Act] Prohibited AI Practices
AI practices banned outright under Article 5 of the AI Act because of the unacceptable risk they pose to fundamental rights, such as manipulative techniques that cause significant harm, social scoring and, with narrow exceptions, real-time remote biometric identification in public spaces for law enforcement. Applicable from 2 February 2025.
[AI Act] General-Purpose AI Model
An AI model trained on a large amount of data that displays significant generality and can competently perform a wide range of distinct tasks; the models behind GPT-4, Llama and Gemini are examples. Subject to specific obligations from 2 August 2025.
[AI Act] High-Risk AI System
An AI system used in the areas listed in Annex III (such as employment, education, essential services, law enforcement and critical infrastructure) or as a safety component of a regulated product, which must meet strict requirements for risk management, data quality, documentation, transparency, human oversight, accuracy and cybersecurity under the AI Act.
[AI Act] Human Oversight of AI
The requirement (Article 14) that high-risk AI systems be designed so that the humans assigned to oversee them can understand their capabilities and limitations, monitor their operation, decide not to use or to disregard their output, and intervene or stop the system.
[AI Act] Conformity Assessment
The formal process by which a provider demonstrates that a high-risk AI system meets the requirements of the AI Act before it is placed on the market or put into service, followed by the EU declaration of conformity and CE marking.
[AI Act] AI Risk Categories
The AI Act's risk-based classification of AI systems into four levels: unacceptable risk (prohibited), high risk, limited risk (transparency obligations) and minimal risk (no specific obligations).
[AI Act] Provider
The natural or legal person, public authority or body that develops an AI system or general-purpose AI model, or has one developed, and places it on the market or puts it into service under its own name or trademark, bearing primary responsibility for compliance with the AI Act.
[CRA] CE Marking (Cybersecurity)
In a cybersecurity context, CE marking on a product with digital elements declares that the product meets the essential cybersecurity requirements of the Cyber Resilience Act and has undergone the applicable conformity assessment.
[CRA] Cyber Resilience Act (CRA)
EU regulation (Regulation (EU) 2024/2847) setting horizontal cybersecurity requirements for products with digital elements placed on the European market, covering both the product's security properties and the manufacturer's vulnerability handling throughout the support period.
[CRA] Manufacturer Obligations
The requirements the Cyber Resilience Act places on manufacturers of products with digital elements, covering security by design and by default, cybersecurity risk assessment, vulnerability handling, reporting of actively exploited vulnerabilities and severe incidents, conformity assessment, CE marking and technical documentation.
[CRA] Product with Digital Elements
Any software or hardware product, including its remote data processing solutions, whose intended or reasonably foreseeable use includes a direct or indirect logical or physical data connection to a device or network, as defined by the Cyber Resilience Act.
[CRA] Vulnerability Handling
The requirements the Cyber Resilience Act places on manufacturers to identify and document vulnerabilities in their products, remediate them without delay through security updates, operate a coordinated vulnerability disclosure policy, and report actively exploited vulnerabilities to the designated CSIRT and ENISA, throughout the product's support period.
[CRA] Security by Design
A principle whereby cybersecurity is built into a product from the design phase rather than added afterwards. Under the Cyber Resilience Act it is a binding requirement: products must be designed, developed and produced to provide a level of cybersecurity appropriate to the risks, and delivered with a secure-by-default configuration.
[CRA] Software Bill of Materials (SBOM)
A formal, machine-readable inventory of the software components, libraries and dependencies that make up a product. The Cyber Resilience Act requires manufacturers to produce an SBOM in a commonly used machine-readable format covering at least the product's top-level dependencies, so that vulnerable components can be identified.
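What "machine-readable" buys you in practice, as an added example that is not code from the original page and not an artefact of the Cyber Resilience Act: reading a CycloneDX JSON SBOM, walking its dependency graph and applying an ingestion gate that rejects components a scanner could never match. The SBOM document, the product and component names, versions and purls are all constructed for illustration; the field names (bomFormat, components, bom-ref, purl, licenses, dependencies, dependsOn) are the real CycloneDX ones.

```python
"""Parse a CycloneDX SBOM, walk its dependency graph and gate on data quality (added example)."""
import json

# Constructed SBOM for a fictional product; the components and versions are illustrative.
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "version": 1,
  "metadata": {"component": {"type": "application", "name": "meter-firmware",
                             "version": "3.2.0", "bom-ref": "app"}},
  "components": [
    {"type": "library", "bom-ref": "pkg:pypi/requests@2.31.0", "name": "requests", "version": "2.31.0",
     "purl": "pkg:pypi/requests@2.31.0", "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"type": "library", "bom-ref": "pkg:pypi/urllib3@2.0.7", "name": "urllib3", "version": "2.0.7",
     "purl": "pkg:pypi/urllib3@2.0.7", "licenses": [{"license": {"id": "MIT"}}]},
    {"type": "library", "bom-ref": "pkg:pypi/certifi@2023.7.22", "name": "certifi", "version": "2023.7.22",
     "purl": "pkg:pypi/certifi@2023.7.22", "licenses": [{"license": {"id": "MPL-2.0"}}]},
    {"type": "library", "bom-ref": "vendorlib", "name": "vendor-crypto", "purl": "pkg:generic/vendor-crypto"}
  ],
  "dependencies": [
    {"ref": "app", "dependsOn": ["pkg:pypi/requests@2.31.0", "vendorlib"]},
    {"ref": "pkg:pypi/requests@2.31.0", "dependsOn": ["pkg:pypi/urllib3@2.0.7", "pkg:pypi/certifi@2023.7.22"]},
    {"ref": "pkg:pypi/urllib3@2.0.7", "dependsOn": []}
  ]
}"""


def load(sbom_text: str) -> dict:
    bom = json.loads(sbom_text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return bom


def transitive_deps(bom: dict, root_ref: str) -> set:
    """Every bom-ref reachable from root_ref through the dependencies section."""
    edges = {d["ref"]: d.get("dependsOn", []) for d in bom.get("dependencies", [])}
    seen, stack = set(), [root_ref]
    while stack:
        ref = stack.pop()
        for dep in edges.get(ref, []):
            if dep not in seen:
                seen.add(dep)
                stack.append(dep)
    return seen


def gate(bom: dict) -> list:
    """Findings that should block ingestion: a component without a version or purl cannot
    be matched against advisories, missing licence data blocks legal review, and a graph
    edge to an unknown ref means the SBOM is internally inconsistent."""
    findings = []
    refs = {c.get("bom-ref") for c in bom["components"]} | {bom["metadata"]["component"]["bom-ref"]}
    for c in bom["components"]:
        if not c.get("version"):
            findings.append(f"{c['name']}: no version, cannot be matched against advisories")
        if not c.get("purl"):
            findings.append(f"{c['name']}: no purl")
        if not c.get("licenses"):
            findings.append(f"{c['name']}: no licence information")
    for d in bom.get("dependencies", []):
        for dep in d.get("dependsOn", []):
            if dep not in refs:
                findings.append(f"dependency graph references unknown component {dep}")
    return findings


if __name__ == "__main__":
    bom = load(SBOM_JSON)
    print("transitive dependencies of app:", sorted(transitive_deps(bom, "app")))
    for finding in gate(bom) or ["SBOM passes the gate"]:
        print(finding)
```

The constructed vendor-crypto entry is the typical problem case: it is listed, so the SBOM looks complete, but with no version it can never be matched to an advisory, which is exactly what the gate is there to catch before the document is accepted.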
[Data Act] B2B Data Sharing
The Data Act's rules under which holders of data generated by connected products must make that data available to other businesses at the user's request, on fair, reasonable and non-discriminatory terms and without abusive contractual clauses.
[Data Act] Cloud Switching
The Data Act's right for customers of data processing services to switch to another provider or to on-premises infrastructure without unreasonable obstacles; switching charges must be phased out and providers must support the transfer of exportable data and digital assets within defined notice periods.
[Data Act] Data Act Regulation
The Data Act (Regulation (EU) 2023/2854) is the EU regulation on fair access to and use of data, covering data from connected products and related services, business-to-business and business-to-government data sharing, cloud switching and interoperability.
[Data Act] Data Holder
The natural or legal person that has the right or obligation, under the Data Act, to use and make available data, including product data and related service data, and that must make such data available to users and, at the user's request, to third parties.
[Data Act] Data Portability
The right of users of connected products and related services, under the Data Act, to access the data those products generate and to have it shared with a third party of their choice, together with the right of cloud customers to take their data with them when switching provider.
[Data Act] Interoperability
The Data Act's requirements that participants in data spaces and providers of data processing services follow open standards and specifications so that data and services work across systems and providers, making portability and switching practical.
[Data Act] Connected Product
An item that obtains, generates or collects data about its use or environment and can communicate that data via an electronic communications service, physical connection or on-device access, such as vehicles, industrial machines and smart home devices, as defined by the Data Act.
[DSA] Algorithmic Transparency
The requirement under the Digital Services Act that online platforms set out in their terms and conditions the main parameters of their recommender systems and the options users have to modify them, and that very large platforms offer at least one option not based on profiling.
[DSA] Trusted Flagger
An entity awarded special status by a Digital Services Coordinator under the Digital Services Act because of its expertise in detecting illegal content; notices it submits must be processed by online platforms with priority and without undue delay.
[DSA] Digital Services Act (DSA)
The Digital Services Act (Regulation (EU) 2022/2065) is the EU regulation governing digital intermediary services, with requirements for content moderation, transparency, user rights and, for the largest platforms, systemic risk management.
[DSA] Intermediary Service
A digital service that transmits (mere conduit), caches or hosts information provided by its users; these three categories are the services covered by the DSA.
[DSA] Content Moderation
The activities undertaken by providers of intermediary services to detect, identify and address illegal content or content incompatible with their terms and conditions, including removal, demotion, restriction of visibility and suspension of accounts, which the DSA requires to be transparent and to respect users' rights.
[DSA] Digital Services Coordinator
The national authority each EU member state must designate to supervise and enforce the Digital Services Act, and to coordinate with the European Commission and with the coordinators of other member states.
[DSA] Very Large Online Platform (VLOP)
An online platform with an average of 45 million or more monthly active recipients in the EU, designated by the European Commission and subject to the DSA's enhanced obligations, including systemic risk assessments, independent audits and data access for vetted researchers.
[DSA] Illegal Content
Under the DSA, any information that, in itself or by reference to an activity, is not in compliance with EU law or the law of a member state, regardless of the precise subject matter of that law.
[GDPR] Anonymisation
The process of treating personal data so that the data subject can no longer be identified by any means reasonably likely to be used, by the controller or by anyone else. Anonymised data falls outside the GDPR (Recital 26); merely removing names while leaving combinations of quasi-identifiers such as age, postcode and job title does not meet this bar.
[GDPR] Processing Security
The technical and organisational measures that protect personal data against unauthorised access, loss, alteration and destruction, which GDPR Article 32 requires to be appropriate to the risk; the article expressly mentions pseudonymisation, encryption, resilience, recovery and regular testing of the measures.
[GDPR] Danish Data Protection Act
The Danish Data Protection Act (databeskyttelsesloven) supplements the GDPR with national rules, including on the processing of CPR numbers, the age at which a child can consent to information society services (13 years), and the processing of data on criminal offences.
[GDPR] Data Breach
A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data (GDPR Article 4(12)). The controller must notify the supervisory authority within 72 hours of becoming aware of it unless the breach is unlikely to result in a risk to individuals, and must inform the affected data subjects without undue delay where the risk is high.
[GDPR] Data Minimisation
A GDPR principle (Article 5(1)(c)) requiring that personal data is adequate, relevant and limited to what is necessary for the purposes for which it is processed.
[GDPR] Data Portability
The data subject's right under GDPR Article 20 to receive the personal data they have provided to a controller in a structured, commonly used and machine-readable format, and to transmit it to another controller.
[GDPR] Danish Data Protection Agency
The Danish Data Protection Agency (Datatilsynet) is Denmark's independent supervisory authority for data protection, responsible for supervising compliance with the GDPR and the Danish Data Protection Act.
[GDPR] Data Subject
The identified or identifiable natural person to whom personal data relates.
[GDPR] Sensitive Personal Data
The special categories of personal data listed in GDPR Article 9, whose processing is prohibited unless an exception applies: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data used for unique identification, health data, and data concerning sex life or sexual orientation.
[GDPR] Purpose Limitation
A GDPR principle (Article 5(1)(b)) requiring that personal data is collected only for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes.
[GDPR] Record of Processing Activities
A record documenting the processing activities an organisation carries out with personal data, including purposes, categories of data and recipients, retention periods and security measures, as required by GDPR Article 30.
[GDPR] Right of Access
The right under GDPR Article 15 for data subjects to obtain confirmation of whether an organisation processes personal data about them and, if so, a copy of that data together with information about the purposes, recipients, retention period and source.
[GDPR] Legitimate Interest
A GDPR legal basis (Article 6(1)(f)) permitting processing that is necessary for the legitimate interests of the controller or a third party, unless those interests are overridden by the interests or fundamental rights and freedoms of the data subject; the balancing test should be documented.
[GDPR] Duty to Inform
The obligation on data controllers to tell data subjects how their personal data is processed, at the time of collection when the data is obtained from the data subject (GDPR Article 13) or within a reasonable period when it is obtained from elsewhere (Article 14).
[GDPR] Third-Country Transfer
A transfer of personal data from the EU/EEA to a country outside it, which is only lawful on the basis of an adequacy decision, appropriate safeguards such as Standard Contractual Clauses or Binding Corporate Rules, or one of the derogations in GDPR Chapter V.
[GDPR] Privacy by Design
The GDPR Article 25 requirement (data protection by design and by default) that appropriate technical and organisational measures, such as pseudonymisation and data minimisation, are built into systems and processes from the outset, and that by default only the personal data necessary for each purpose is processed.
[GDPR] Privacy Policy
A notice that informs data subjects about how an organisation collects, processes, shares and protects their personal data and what rights they have; typically the vehicle for meeting the duty to inform under Articles 13 and 14.
[GDPR] Profiling
Any automated processing of personal data used to evaluate personal aspects of a natural person, in particular to analyse or predict performance at work, economic situation, health, preferences, interests, reliability, behaviour, location or movements (GDPR Article 4(4)).
[GDPR] Right to Erasure
The right under GDPR Article 17 (the "right to be forgotten") for data subjects to have their personal data deleted without undue delay in defined circumstances, for example when the data is no longer necessary for its purpose or consent has been withdrawn.
[GDPR] Standard Contractual Clauses (SCCs)
Model contract clauses adopted by the European Commission under GDPR Article 46(2)(c) that, when signed by the data exporter and importer, provide appropriate safeguards for transferring personal data to third countries.
[GDPR] Sub-Processor
A supplier engaged by a data processor to carry out part of the processing on the controller's behalf; the processor needs the controller's prior authorisation and must impose the same data protection obligations on the sub-processor (GDPR Article 28(2) and (4)).
[Security] Application Security
The processes and tools that protect software against vulnerabilities and attacks throughout the development lifecycle, from threat modelling and secure coding through testing to runtime protection.
[Security] Data Classification
The process of categorising data by sensitivity, value and criticality so that each category receives an appropriate level of protection and handling.
[Security] Data Masking
The replacement of sensitive data with fictitious but realistic values of the same format, so that copies can be used safely in testing, development and analysis without exposing the original data.
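The three de-identification techniques defined in the Pseudonymisation, Anonymisation and Data Masking entries, side by side on one data set, as an added example that is not code from the original page. The HR records, the key and the fake names are all constructed; the design choices (HMAC-SHA256 tokens, decade age bands, two-digit postcode areas, k-anonymity with suppression) are mine, not prescribed by the GDPR, which only states the outcome each technique must achieve.

```python
"""Pseudonymisation, anonymisation and masking on one constructed HR data set (added example)."""
import hashlib
import hmac
import random
import secrets
from collections import Counter

# Constructed sample records (no real people).
RECORDS = [
    {"name": "Anna Jensen",  "email": "anna.jensen@example.com", "age": 34, "postcode": "8000", "salary": 52000},
    {"name": "Bo Nielsen",   "email": "bo@example.org",          "age": 37, "postcode": "8210", "salary": 61000},
    {"name": "Cem Yilmaz",   "email": "cem.y@example.com",       "age": 31, "postcode": "8200", "salary": 48000},
    {"name": "Dorte Hansen", "email": "dorte@example.net",       "age": 58, "postcode": "9000", "salary": 73000},
]
DIRECT_IDENTIFIERS = ("name", "email")

# --- Pseudonymisation (GDPR Art. 4(5)) --------------------------------------
# Direct identifiers become keyed tokens. The key is the "additional information"
# that must be held separately: whoever has it can re-identify, nobody else can.
PSEUDONYM_KEY = secrets.token_bytes(32)  # constructed; in practice this lives in a KMS/HSM


def _token(value: str, key: bytes) -> str:
    return "pseu:" + hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymise(record: dict, key: bytes) -> dict:
    return {**record, **{f: _token(record[f], key) for f in DIRECT_IDENTIFIERS}}


def lookup_table(records, key: bytes) -> dict:
    """The separately stored re-identification map: token -> original value."""
    return {_token(r[f], key): r[f] for r in records for f in DIRECT_IDENTIFIERS}

# --- Anonymisation (GDPR Recital 26) ----------------------------------------
# Drop direct identifiers, generalise quasi-identifiers, then enforce k-anonymity:
# a (age band, area) combination shared by fewer than k records is suppressed,
# because such a record could still be singled out.


def generalise(record: dict) -> dict:
    decade = (record["age"] // 10) * 10
    return {"age_band": f"{decade}-{decade + 9}",
            "area": record["postcode"][:2] + "xx",
            "salary_band": round(record["salary"], -4)}


def _quasi_key(row: dict):
    return (row["age_band"], row["area"])


def is_k_anonymous(rows, k: int) -> bool:
    return all(c >= k for c in Counter(map(_quasi_key, rows)).values())


def k_anonymise(records, k: int = 2):
    """Return (kept generalised rows, number of rows suppressed)."""
    rows = [generalise(r) for r in records]
    counts = Counter(map(_quasi_key, rows))
    kept = [row for row in rows if counts[_quasi_key(row)] >= k]
    return kept, len(rows) - len(kept)

# --- Data masking (test/dev copies) ------------------------------------------
# Values are replaced by fictitious ones of the same shape. Unlike a pseudonym,
# a masked value is not derived from the original, so nothing links back to it.
FAKE_FIRST = ["Mette", "Lars", "Sofie", "Jonas"]
FAKE_LAST = ["Madsen", "Olsen", "Thomsen", "Kristensen"]


def mask(records, seed: int = 0):
    rng = random.Random(seed)  # seeded only so a generated test data set is reproducible
    out = []
    for r in records:
        first, last = rng.choice(FAKE_FIRST), rng.choice(FAKE_LAST)
        out.append({**r, "name": f"{first} {last}",
                    "email": f"{first}.{last}@example.invalid".lower(),
                    "salary": rng.randrange(40000, 80000, 1000)})
    return out


if __name__ == "__main__":
    table = lookup_table(RECORDS, PSEUDONYM_KEY)
    p = pseudonymise(RECORDS[0], PSEUDONYM_KEY)
    print(p["name"], "->", table[p["name"]])
    kept, suppressed = k_anonymise(RECORDS, k=2)
    print(f"2-anonymous rows kept: {len(kept)}, suppressed: {suppressed}")
    print(mask(RECORDS)[0])
```

Run on the four constructed records, k-anonymity with k=2 keeps only the two rows that share the (30-39, 82xx) combination and suppresses the other two: the price of genuine anonymisation on a small data set is data loss, which is why pseudonymisation (reversible, still personal data) is the usual choice when the organisation needs to keep working with individual records.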
[Security] Data Deletion
The process of permanently removing data so that it cannot be recovered, in line with retention policies; for storage media this means cryptographic erasure or verified wiping rather than ordinary file deletion, which only removes the reference to the data.
[Security] Data Loss Prevention (DLP)
Technology and process controls that prevent sensitive data from leaving the organisation through unauthorised channels, by classifying content and monitoring, detecting and blocking transfers via email, web uploads, removable media and cloud services.
[Security] DNS Security
The protection of the Domain Name System against manipulation, cache poisoning and abuse, using technologies such as DNSSEC for validating responses and DNS filtering for blocking known malicious domains.
[Security] Endpoint Security
The protection of end-user devices such as computers, mobiles and tablets against malware, ransomware and unauthorised access, through anti-malware, endpoint detection and response (EDR), disk encryption and device hardening.
[Security] Firewall
A network security system that monitors and filters inbound and outbound traffic according to a defined set of rules, typically evaluated in order with the first match deciding and a default-deny rule at the end for anything unmatched.
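How a segmentation policy and a firewall rule base fit together, as an added example that is not code from the original page: a small first-match, default-deny rule evaluator over three constructed zones (users, servers, management), plus the checks a reviewer would run before deploying the rules. The addresses, ports, zone names and rules are all constructed; the evaluator models a stateless packet filter and deliberately ignores connection state.

```python
"""First-match, default-deny policy evaluation over segmented zones (added example)."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

# Constructed zones for a small segmented network.
ZONES = {
    "users":      ip_network("10.10.0.0/16"),
    "servers":    ip_network("10.20.0.0/24"),
    "management": ip_network("10.99.0.0/24"),
    "jumphost":   ip_network("10.99.0.10/32"),   # the only host allowed to administer servers
}


@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "deny"
    src: IPv4Network
    dst: IPv4Network
    proto: str               # "tcp", "udp" or "any"
    dport: Optional[int]     # None matches every destination port

    def matches(self, src_ip, dst_ip, proto, dport) -> bool:
        return (src_ip in self.src and dst_ip in self.dst
                and self.proto in ("any", proto)
                and self.dport in (None, dport))


# Ordered policy: specific allows first, explicit denies next; anything else hits the default deny.
POLICY = [
    Rule("allow", ZONES["users"],    ZONES["servers"],    "tcp", 443),   # users reach the web tier
    Rule("allow", ZONES["jumphost"], ZONES["servers"],    "tcp", 22),    # admin access via jump host only
    Rule("deny",  ZONES["users"],    ZONES["management"], "any", None),  # users never touch management
    Rule("deny",  ZONES["users"],    ZONES["servers"],    "tcp", 22),    # no direct SSH from user VLAN
]


def evaluate(policy, src, dst, proto="tcp", dport=None):
    """Return (action, rule_index); rule_index is None when the implicit default deny applied."""
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    for i, rule in enumerate(policy):
        if rule.matches(src_ip, dst_ip, proto, dport):
            return rule.action, i
    return "deny", None


def check_policy(policy):
    """Expectations a reviewer asserts before deployment. Returns the violated ones (empty = OK)."""
    expectations = [
        # (src, dst, proto, port, expected action)
        ("10.10.4.7",  "10.20.0.15", "tcp", 443, "allow"),  # users reach web tier
        ("10.10.4.7",  "10.20.0.15", "tcp", 22,  "deny"),   # users cannot SSH to servers
        ("10.10.4.7",  "10.99.0.5",  "udp", 161, "deny"),   # users cannot reach management at all
        ("10.99.0.10", "10.20.0.15", "tcp", 22,  "allow"),  # jump host may SSH
        ("10.99.0.11", "10.20.0.15", "tcp", 22,  "deny"),   # other management hosts have no rule
        ("10.20.0.15", "10.10.4.7",  "tcp", 445, "deny"),   # server initiating towards users: unmatched
    ]
    failures = []
    for src, dst, proto, port, want in expectations:
        got, idx = evaluate(policy, src, dst, proto, port)
        if got != want:
            failures.append(f"{src}->{dst} {proto}/{port}: expected {want}, got {got} (rule {idx})")
    return failures


if __name__ == "__main__":
    for line in check_policy(POLICY) or ["policy behaves as intended"]:
        print(line)
```

The last two expectations are the ones that matter for segmentation: nothing in the rule base mentions a second management host or server-initiated traffic, and the default deny is what stops them. Reorder the rules so the deny on SSH comes after a broad allow and check_policy reports the gap immediately, which is the point of keeping such checks next to the rule base.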
[Security] Physical Security
The protection of an organisation's premises, IT equipment and personnel against unauthorised access, theft and environmental threats such as fire, flooding and power failure.
[Security] Identity Management (IAM)
Identity and access management governs digital identities and their entitlements across systems and data, ensuring that the right people and services have the right access for the right reasons, and that access is removed when it is no longer needed.
[Security] Configuration Management
The practice of establishing, documenting and maintaining secure settings for systems, servers and network devices, and of detecting and correcting drift from them, to reduce the attack surface.
[Security] Malware Protection
The technologies and processes that defend systems against viruses, ransomware, trojans and other malicious software, including signature- and behaviour-based detection, application control and timely patching.
[Security] Mobile Device Management (MDM)
Central control over smartphones, tablets and other portable devices, used to enforce security policies such as encryption, screen locks and application restrictions, and to wipe lost or stolen devices.
[Security] Monitoring and SIEM
A SIEM (security information and event management) system aggregates and correlates security data from across the IT environment in near real time, to detect threats and support incident response.
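The kind of correlation rule a SIEM runs over the audit logs described in the Logging, Logging and Monitoring and Monitoring and SIEM entries, as an added example that is not code from the original page or from any SIEM product: parse sshd authentication lines, keep a sliding window of failures per source address, raise an alert when a burst crosses a threshold and escalate it if the same source then succeeds. The log lines, hostname and addresses are constructed; the threshold, window and severity labels are my choices.

```python
"""Brute-force detection over constructed sshd log lines (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed syslog-style sshd lines: one password-spraying burst that ends in a
# successful login, one ordinary user typo, and two slow failures hours apart.
LOG = """\
Mar  3 09:14:01 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.9 port 51044 ssh2
Mar  3 09:14:03 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.9 port 51046 ssh2
Mar  3 09:14:04 web01 sshd[2211]: Failed password for root from 203.0.113.9 port 51050 ssh2
Mar  3 09:14:06 web01 sshd[2211]: Failed password for root from 203.0.113.9 port 51052 ssh2
Mar  3 09:14:09 web01 sshd[2211]: Failed password for root from 203.0.113.9 port 51055 ssh2
Mar  3 09:14:12 web01 sshd[2230]: Accepted password for root from 203.0.113.9 port 51060 ssh2
Mar  3 09:20:30 web01 sshd[2301]: Failed password for alice from 198.51.100.4 port 40022 ssh2
Mar  3 09:20:41 web01 sshd[2302]: Accepted publickey for alice from 198.51.100.4 port 40023 ssh2
Mar  3 11:02:00 web01 sshd[2500]: Failed password for bob from 192.0.2.77 port 33001 ssh2
Mar  3 11:40:00 web01 sshd[2501]: Failed password for bob from 192.0.2.77 port 33002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+"
)


def parse(log_text, year=2024):
    """Yield one event dict per recognised line. Syslog omits the year, so it is assumed."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a real pipeline counts unparsed lines; silently dropping them hides gaps
        event = m.groupdict()
        event["ts"] = datetime.strptime(f"{year} {event['ts']}", "%Y %b %d %H:%M:%S")
        yield event


def detect_bruteforce(events, threshold=5, window_s=60):
    """Sliding window per source IP: `threshold` failures within `window_s` seconds raises a
    medium alert; a later successful login from the same source escalates it to high."""
    failures = defaultdict(deque)
    alerts, flagged = [], set()
    for e in events:
        q = failures[e["src"]]
        if e["outcome"] == "Failed":
            q.append(e["ts"])
            while q and (e["ts"] - q[0]).total_seconds() > window_s:
                q.popleft()                        # drop failures that fell out of the window
            if len(q) >= threshold and e["src"] not in flagged:
                flagged.add(e["src"])
                alerts.append({"src": e["src"], "host": e["host"], "severity": "medium",
                               "at": e["ts"], "failures": len(q)})
        elif e["src"] in flagged:                  # success after a burst: likely compromise
            for a in alerts:
                if a["src"] == e["src"]:
                    a["severity"] = "high"
                    a["note"] = f"success for {e['user']} via {e['method']} after burst"
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(parse(LOG)):
        print(alert)
```

The two slow failures from 192.0.2.77 never alert because the first one has left the 60-second window by the time the second arrives; lengthening the window catches slow attackers at the cost of more noise from ordinary users, which is the trade-off every such rule has to tune. The escalation step is what turns a noisy "many failures" signal into something worth paging on.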
[Security] Patch Management
The process of identifying, testing and installing software updates to close security vulnerabilities within a defined timeframe, prioritised by severity and exposure.
[Security] Privileged Access Management (PAM)
Controls that govern and monitor accounts with elevated rights, the accounts that cause the most damage when compromised, through vaulting of credentials, just-in-time elevation, session recording and regular review.
[Security] Vulnerability Scanning
The automated identification of known security vulnerabilities in systems, networks and applications, so that remediation can be prioritised by risk.
[Security] Secure Development
The integration of security into every phase of the software development lifecycle, from design and threat modelling through coding and testing to deployment and operations.
[Security] Threat Intelligence
The collection, analysis and use of information about cyber threats, such as attacker techniques and indicators of compromise, to make informed security decisions and strengthen defences.
[Security] Web Filtering
Controls over which websites users can access, protecting against malware distribution, phishing attacks and data leaks.
[General] Business Continuity Plan
A business continuity plan (BCP) describes how an organisation maintains its critical business functions during and after a crisis or serious incident.
[General] Compliance Management
The systematic process of identifying applicable requirements, implementing controls to meet them and monitoring adherence to laws, regulations and internal policies.
[General] Compliance Framework
The combined structure of policies, processes, controls and accountability arrangements that ensures an organisation meets all of its applicable requirements.
[General] Due Diligence
A systematic investigation of a company, supplier or partner, conducted before entering into an agreement, to uncover risks and confirm compliance.
[General] Governance
The management structure that defines how an organisation makes decisions, allocates responsibilities and ensures control and compliance.
[General] Internal Audit
An independent and objective assessment of whether an organisation's processes, controls and compliance efforts work as intended.
[General] Disaster Recovery
The process of restoring IT systems, data and infrastructure after a serious incident such as a cyberattack or hardware failure, within defined recovery time and recovery point objectives.
[General] Regulatory Compliance
The process of ensuring that an organisation meets all applicable laws, regulations and supervisory requirements.
[General] Policies and Procedures
The internal documents that translate legal requirements and standards into concrete practice in an organisation.
[General] Records of Processing Activities
A documented overview of all the processing activities an organisation carries out with personal data.
[General] Risk Assessment
A systematic process that identifies, analyses and evaluates risks so that mitigating measures can be prioritised.
[General] Third-Party Risk
The risk that arises when an organisation depends on external suppliers, partners or service providers.
[General] Whistleblowing
The reporting of legal violations or other serious irregularities in a workplace through a scheme that protects the reporter against retaliation, as required of organisations with 50 or more employees under the EU Whistleblower Directive (Directive (EU) 2019/1937).
Info
.legal A/S
hello@dotlegal.com
+45 7027 0127
VAT-no: DK40888888
Support
support@dotlegal.com
+45 7027 0127
.legal is not a law firm and is therefore not under the supervision of the Bar Council.