Under Article 3(4) of the EU AI Act, any natural or legal person using an AI system under its authority, except where used in a personal non-professional activity.
"any natural or legal person, public authority, agency or other body using an AI system under its authority except where the AI system is used in the course of a personal non-professional activity."
A data protection impact assessment, required under Article 35 GDPR where processing is likely to result in a high risk to the rights and freedoms of natural persons.
"Where a type of processing in particular using new technologies… is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data."
Under Article 3 NIS 2, entities of a type listed in Annex I operating in sectors of high criticality that exceed the medium-enterprise size threshold.
"entities of a type referred to in Annex I which exceed the ceilings for medium-sized enterprises…"
Extraterritorial scope
GDPR · EU · UK
Article 3(2) GDPR extends the regulation to controllers and processors outside the EU where they offer goods or services to, or monitor the behaviour of, data subjects in the EU.
"…the processing is related to: (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or (b) the monitoring of their behaviour as far as their behaviour takes place within the Union."
General-purpose AI model
EU AI Act · EU
Under Article 3(63) of the EU AI Act, an AI model that displays significant generality and is capable of competently performing a wide range of distinct tasks.
"an AI model… that displays significant generality and is capable of competently performing a wide range of distinct tasks regardless of the way the model is placed on the market."
Grade (Claim grade)
PAI method
Internal confidence grade assigned to each claim by the three-judge pipeline (Gemini extractor, Sonnet Judge A, Sonar Judge B). Grade A = all three agree; Grade B = 2-of-3 with weak dissent; flagged otherwise.
"…claims must carry a verbatim evidence_snippet; verdicts must come from the known judge-ID allowlist."
High-risk AI system
EU AI Act · EU
Under Article 6 of the EU AI Act, an AI system qualifies as high-risk where it meets the product-safety criteria in Annex I or operates in one of the use-cases listed in Annex III (biometrics, critical infrastructure, education, employment, access to services, law enforcement, migration, justice, democratic processes).
"…an AI system shall be considered to be high-risk where both of the following conditions are fulfilled… the AI system is intended to be used as a safety component of a product, or the AI system is itself a product, covered by the Union harmonisation legislation listed in Annex I."
Hallucination (AI)
Regulatory term
Not defined in statute. Used by the EU AI Office and national AI authorities to refer to confidently-asserted false outputs from generative AI. Discussed in the EU AI Act recitals as a source of systemic risk for GPAI models.
"…risks can arise from how the models are used, including risks from errors, bias, or misinformation generated by the model, sometimes called 'hallucinations'." (Recital context, aggregated regulator guidance)
ICT-related incident
DORA · EU
Under Article 3(8) DORA, a single event or a series of linked events unplanned by the financial entity that compromises the security of the network and information systems.
"a single event or a series of linked events unplanned by the financial entity that compromises the security of the network and information systems, and has an adverse impact on the availability, authenticity, integrity or confidentiality of data, or on the services provided by the financial entity."
International transfer
GDPR · EU · UK
Chapter V GDPR regulates transfers of personal data to third countries. A transfer is permitted on one of the following bases: an adequacy decision (Art. 45), appropriate safeguards such as SCCs or BCRs (Art. 46), or derogations (Art. 49).
"Any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organisation shall take place only if… the conditions laid down in this Chapter are complied with by the controller and processor."
Under Article 4(1) GDPR, any information relating to an identified or identifiable natural person.
"any information relating to an identified or identifiable natural person ('data subject')."
Personal data breach
GDPR · EU · UK
Under Article 4(12) GDPR, a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
"a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed."
Under Article 4(8) GDPR, the natural or legal person which processes personal data on behalf of the controller.
"a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller."
Provider (AI Act)
EU AI Act · EU
Under Article 3(3) of the EU AI Act, the natural or legal person that develops an AI system or a general-purpose AI model, or has it developed, and places it on the market or into service under its own name or trademark.
"…a natural or legal person, public authority, agency or other body that develops an AI system or a general-purpose AI model or that has an AI system or a general-purpose AI model developed and places it on the market or puts the AI system into service under its own name or trademark…"
Pseudonymisation
GDPR · EU · UK
Under Article 4(5) GDPR, processing personal data so it can no longer be attributed to a specific data subject without additional information, held separately and subject to technical and organisational measures.
"the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately…"
Prohibited AI practice
EU AI Act · EU
Article 5 of the EU AI Act prohibits subliminal manipulation, exploitation of vulnerabilities, social scoring by public authorities, predictive policing based solely on profiling, untargeted facial image scraping, emotion recognition in workplaces and schools, biometric categorisation inferring sensitive attributes, and real-time remote biometric identification in public spaces (with narrow exceptions).
"The following AI practices shall be prohibited: (a) the placing on the market, the putting into service or the use of an AI system that deploys subliminal techniques beyond a person's consciousness…"
Special category data
GDPR · EU · UK
Under Article 9 GDPR, processing of special category data is prohibited unless a specified condition applies. The categories: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, biometric data processed for unique identification, health data, sex life or sexual orientation.
"Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited."
Standard Contractual Clauses
GDPR · EU · UK
Under Article 46(2)(c) GDPR, pre-approved contractual terms issued by the Commission that provide appropriate safeguards for transfers of personal data to third countries.
"…the appropriate safeguards referred to in paragraph 1 may be provided for, without requiring any specific authorisation from a supervisory authority, by: … (c) standard data protection clauses adopted by the Commission…"
Systemic risk (GPAI)
EU AI Act · EU
Under Article 3(65) of the EU AI Act, a risk specific to the high-impact capabilities of general-purpose AI models that has a significant impact on the Union market with actual or reasonably foreseeable negative effects.
"a risk that is specific to the high-impact capabilities of general-purpose AI models, having a significant impact on the Union market due to their reach, or due to actual or reasonably foreseeable negative effects on public health, safety, public security, fundamental rights, or the society as a whole…"