Responsible AI Platform

Glossary

All important EU AI Act and AI governance terms explained

182 terms

A

Accuracy

Technical Concepts

The degree to which an AI system produces correct output. Article 15 of the EU AI Act requires high-risk systems to achieve an appropriate level of accuracy. Providers must document accuracy levels and communicate them to deployers.

ACM (Netherlands Authority for Consumers and Markets)

Supervisory Authorities

The Dutch competition and consumer authority. The ACM supervises AI in the context of consumer protection, platform regulation (DMA/DSA), and competition. The ACM's Data and Algorithms Taskforce specifically focuses on markets where algorithms play a role.

Adversarial Testing

Technical Concepts

Systematically testing AI systems for vulnerabilities by exposing them to deliberately misleading or malicious input. Required for GPAI models with systemic risk. Includes red teaming, jailbreak attempts, and robustness testing.

Affected Persons

EU AI Act

Natural persons or groups of persons who are affected by an AI system. This can include direct users, but also persons who are subject to AI decisions (such as applicants in AI screening). The AI Act specifically protects the rights of affected persons.

AFM (Netherlands Authority for Financial Markets)

Supervisory Authorities

The Dutch conduct supervisor for financial markets. The AFM supervises AI applications affecting consumers and investors, such as creditworthiness assessment and robo-advice. Works together with DNB for integrated AI supervision in the financial sector.

AI Act Penalty Regime

Compliance & Governance

The sanction system under the EU AI Act. Fines can reach up to: €35 million or 7% of global turnover for prohibited practices, €15 million or 3% for other infringements, and €7.5 million or 1% for providing incorrect information. Lower thresholds apply for SMEs and startups.

AI Agent

Technical Concepts

An AI system that can autonomously perform tasks on behalf of a user, such as answering emails, writing code, or making purchases. AI agents can independently make decisions and take actions, raising questions about human oversight and liability under the AI Act.

AI Board (European Artificial Intelligence Board)

EU AI Act

The advisory body consisting of representatives from all EU member states that advises the Commission on AI Act implementation. The AI Board promotes consistent application, coordinates between national authorities, and advises on guidelines and standardization requests.

AI for Law Enforcement

Risk Classification

AI systems used by police and judiciary, such as predictive policing, risk assessment, and evidence analysis. Strictly regulated under the AI Act: real-time biometric identification is largely prohibited, and many applications are high-risk. Additional safeguards for fundamental rights are required.

AI for Migration and Border Control

Risk Classification

AI systems used for migration management, such as traveler risk assessment, visa applications, and asylum requests. Designated as high-risk in Annex III. Systems may not discriminate based on nationality or ethnicity. Additional transparency requirements apply.

AI Governance

Compliance & Governance

The set of principles, policies, processes, and structures by which organizations ensure responsible and ethical use of AI. Includes risk management, compliance, transparency, accountability, and human oversight.

AI Governance & Compliance Expert

Professionals & Experts

A professional who combines expertise in AI governance and regulatory compliance. These experts help organizations comply with the EU AI Act, GDPR, and other AI-related laws and regulations while implementing broader governance principles. They are essential for organizations seeking to deploy AI responsibly and compliantly.

AI in Critical Infrastructure

Risk Classification

AI systems used as safety components in critical infrastructure such as energy, water, transport, and telecom. High-risk under Annex III. Requires conformity assessment by a notified body in many cases. Cybersecurity requirements are particularly stringent.

AI in Education

Risk Classification

AI systems used in education, such as adaptive learning systems, automated assessment, and admission decisions. Designated as high-risk in Annex III when used for access, assignment, performance evaluation, or behavior monitoring. Emotion recognition in educational contexts is prohibited.

AI Liability Directive (AILD)

Compliance & Governance

The proposed EU directive harmonizing national liability rules for AI. Makes it easier for victims to claim damages through burden of proof alleviations. Requires disclosure of evidence by AI operators. Complements the AI Act.

AI Lifecycle

Technical Concepts

The complete cycle of an AI system from conception to decommissioning. Includes: design, data collection, training, validation, deployment, monitoring, and maintenance. The AI Act requires risk management throughout the entire lifecycle.

AI Literacy

Compliance & Governance

The ability to understand, critically evaluate, and responsibly use AI technology. Article 4 of the EU AI Act requires organizations to ensure that employees working with AI are sufficiently AI-literate. This obligation has been in effect since February 2025.

AI Pact

EU AI Act

A voluntary initiative by the European Commission that organizations can join to comply with the EU AI Act before it becomes fully effective. Participants gain access to resources, best practices, and a network of other organizations.

AI Regulatory Sandbox

Compliance & Governance

A controlled environment set up by regulators where organizations can test AI innovations with regulatory guidance. Member states must establish these sandboxes under the EU AI Act to promote innovation.

AI Safety & Security Lab (AISSL)

Supervisory Authorities

The RDI's expertise center conducting research on complex and emerging AI risks. The AISSL analyzes new threats such as the "Internet of Agents", performs technical evaluations of AI systems, and supports other supervisors with technical expertise.

AI System

EU AI Act

According to the EU AI Act: a machine-based system designed to operate with varying levels of autonomy, that may exhibit adaptiveness after deployment, and that, for explicit or implicit objectives, infers from the input it receives how to generate outputs such as predictions, content, recommendations, or decisions that can influence physical or virtual environments.

Algorithm

Technical Concepts

A set of instructions or rules that a computer follows to perform a task or solve a problem. In the context of AI: the mathematical models and procedures that determine how an AI system processes input into output.

Algorithm Framework

Compliance & Governance

The Dutch policy framework on Overheid.nl with guidelines for responsible algorithm use by government. The framework provides practical tools for risk assessment, transparency, and human control in algorithmic decision-making.

Algorithm Register

Technical Concepts

A public register in which government organizations transparently disclose which algorithms and AI systems they use. In the Netherlands, this is mandatory for government bodies. It contains information about purpose, operation, data, and responsibilities.

Algorithmic Impact Assessment

Assessments & Audits

A systematic evaluation of an AI system's potential societal effects. Covers analysis of risks to fundamental rights, discrimination, privacy, and transparency. Similar to FRIA but broader in scope, including economic and social impact.

ALTAI

Assessments & Audits

Assessment List for Trustworthy AI. A practical self-assessment checklist developed by the European Commission to evaluate whether AI systems meet ethical guidelines for trustworthy AI. Contains questions about transparency, diversity, fairness, and accountability.

Annex I (Prohibited Practices)

EU AI Act

The annex containing the list of prohibited AI practices (Article 5). Includes: subliminal manipulation, exploitation of vulnerabilities, social scoring by governments, individual predictive policing, untargeted scraping for facial recognition, emotion recognition at work/education, and biometric categorization on sensitive characteristics.

Annex III

Risk Classification

The annex to the EU AI Act containing the list of high-risk AI application areas. This includes 8 categories: biometrics, critical infrastructure, education, employment, essential services, law enforcement, migration, and justice.

Annex III (High-Risk Use Cases)

EU AI Act

The annex listing areas in which AI systems are classified as high-risk. Covers 8 domains: biometrics, critical infrastructure, education, employment, essential services, law enforcement, migration, and administration of justice. Specific use cases are detailed per domain.

Annex IV (Technical Documentation)

EU AI Act

The annex specifying required content of technical documentation. Includes: general description, detailed system description, monitoring procedures, risk management system, change history, applied standards, EU declaration of conformity, and contact details.

Article 10 (Data Governance)

EU AI Act

The article setting requirements for data and data governance practices for high-risk AI. Training, validation, and test datasets must be relevant, representative, error-free, and complete. Bias must be detected and addressed.

Article 11 (Technical Documentation)

EU AI Act

The article mandating technical documentation for high-risk AI systems. Documentation must be prepared before placing on the market and kept up to date. Annex IV specifies the required content.

Article 12 (Record-keeping)

EU AI Act

The article mandating automatic logging for high-risk AI systems. Logs must record events relevant for identifying risks and facilitating post-market monitoring. Logs must be retained for an appropriate period.

Article 13 (Transparency and Information Provision)

EU AI Act

The article mandating transparency for high-risk AI systems. Systems must be designed so deployers can interpret and correctly use the output. Instructions for use must contain clear information about capabilities and limitations.

Article 16 (Provider Obligations)

EU AI Act

The core article listing obligations of providers of high-risk AI systems. Includes: ensuring conformity, establishing quality management system, maintaining documentation, affixing CE marking, registering in EU database, and taking corrective measures for non-conformity.

Article 17 (Quality Management System)

EU AI Act

The article mandating a quality management system for providers of high-risk AI. The system must be documented in writing and includes: compliance strategy, design processes, test procedures, risk management, post-market monitoring, and incident reporting.

Article 26 (Deployer Obligations)

EU AI Act

The article establishing obligations of deployers of high-risk AI systems. Deployers must: use systems according to instructions, monitor input data, retain logs, inform affected persons, ensure human oversight, and report relevant incidents.

Article 4 (AI Literacy)

Compliance & Governance

The article in the EU AI Act that requires providers and deployers to ensure that personnel working with AI systems have sufficient AI literacy, taking into account their technical knowledge, experience, and context of use.

Article 50 (Transparency Obligations)

EU AI Act

The article establishing transparency obligations for certain AI systems: (1) AI interacting with persons must clearly indicate this, (2) emotion recognition and biometric categorization must be disclosed, (3) deepfakes must be labeled as AI-generated, (4) AI-generated content must be marked in machine-readable format.

Article 52 (GPAI Model Obligations)

EU AI Act

The article establishing basic obligations for providers of GPAI models. Includes: preparing technical documentation, providing information to downstream providers, establishing copyright compliance policy, and publishing a training data summary.

Article 55 (Systemic Risk GPAI)

EU AI Act

The article establishing additional obligations for GPAI models with systemic risk. Models above the 10^25 FLOP threshold or designated by the Commission must: perform model evaluations, assess and mitigate systemic risks, report serious incidents, and ensure adequate cybersecurity.

Article 57 (AI Regulatory Sandboxes)

EU AI Act

The article requiring member states to establish AI regulatory sandboxes. Sandboxes provide a controlled environment for developing and testing innovative AI under supervision. At least one sandbox per member state must be operational by August 2026.

Article 9 (Risk Management System)

EU AI Act

The article mandating a risk management system for high-risk AI systems. This system must identify, analyze, evaluate, and mitigate risks throughout the entire lifecycle. It must be iterative and regularly updated.

Authorised Representative

Roles & Actors

A natural or legal person established in the EU designated by a provider from outside the EU to fulfill obligations under the AI Act on their behalf. Required for non-EU providers placing high-risk AI or GPAI on the EU market.

B

Bias

Technical Concepts

Systematic, unwanted deviation in AI output leading to unfair or discriminatory results for certain groups. Can arise from training data, model design, or implementation. The EU AI Act requires measures to detect and mitigate bias in high-risk systems.

Biometric Identification

Technical Concepts

Identifying persons based on unique physical characteristics such as face, fingerprint, iris, or voice. Real-time biometric identification by law enforcement in public spaces is prohibited under the EU AI Act (with limited exceptions). Other forms are high-risk.

C

CE Marking

Compliance & Governance

The marking indicating that a product complies with EU regulations. High-risk AI systems must be CE marked before they can be placed on the EU market. The marking is applied after successful conformity assessment.

Computer Vision

Technical Concepts

The field of AI enabling computers to interpret and understand visual information. Includes image recognition, object detection, facial recognition, and video analysis. Many computer vision applications such as biometric identification are high-risk or prohibited.

Conformity Assessment

Compliance & Governance

The procedure by which it is demonstrated that a high-risk AI system meets the requirements of the EU AI Act. Depending on the type of system, this can be performed by the provider themselves or by a notified body.

CRA (Cyber Resilience Act)

Technical Concepts

The European regulation for cybersecurity of products with digital elements. The CRA establishes horizontal cybersecurity requirements for hardware and software, including AI components. AI systems must comply with both CRA (for cybersecurity) and AI Act (for AI-specific risks).

Credit Scoring AI

Risk Classification

AI systems that assess the creditworthiness of natural persons or establish a credit score. Explicitly designated as high-risk in Annex III (point 5b) of the EU AI Act due to the impact on access to financial services and the risk of discrimination.

Cybersecurity (AI context)

Technical Concepts

The protection of AI systems against cyberattacks and unauthorized access. Article 15 of the EU AI Act requires high-risk AI systems to provide an appropriate level of cybersecurity. This includes protection against adversarial attacks, data poisoning, and model extraction.

D

Data Act

Privacy & Ethics

The European regulation for fair access to and use of data. The Data Act regulates who has access to data generated by connected products and services. Relevant for AI systems using data from IoT devices and other sources.

Data Governance (AI Act)

Compliance & Governance

The set of processes for managing training, validation, and test data for high-risk AI systems (Article 10). Includes choices about data collection, data analysis, bias detection, gap identification, and privacy measures. Must be documented in the technical documentation.

Data Governance Act (DGA)

Privacy & Ethics

The European regulation establishing a framework for the reuse of public sector data, data intermediaries, and data altruism. The DGA facilitates secure data sharing, which is relevant for training AI models with diverse datasets.

Data Quality

Compliance & Governance

The suitability of datasets for the intended purpose of an AI system. The EU AI Act requires training, validation, and test data for high-risk systems to meet quality criteria such as relevance, representativeness, completeness, and error-freeness (Article 10).

Deep Learning

Technical Concepts

A subset of machine learning that uses artificial neural networks with multiple layers. Deep learning is the foundation for many modern AI applications such as image recognition, speech processing, and large language models (LLMs). Requires large amounts of data and computing power.

Deployer

Roles & Actors

A natural or legal person who uses an AI system under their own responsibility, other than for personal, non-professional use. Deployers of high-risk AI must ensure correct use, human oversight, and in some cases perform an FRIA.

Digital Omnibus

EU AI Act

An EU amendment package to simplify digital legislation. For the AI Act, it concerns proposal COM(2025)836, on which the Council and European Parliament reached a provisional political agreement on 7 May 2026. Formal adoption and publication still need to follow.

Distributor

Roles & Actors

Natural or legal person in the supply chain who makes an AI system available on the EU market, other than the provider or importer. Distributors must verify that the system has a CE marking.

DMA (Digital Markets Act)

Compliance & Governance

The European regulation for fair and open digital markets, targeting "gatekeepers" (large platforms). The DMA regulates how large tech companies offer their platform services and may affect the deployment of AI systems by these platforms.

DNB (Dutch Central Bank)

Supervisory Authorities

The central bank and financial supervisor of the Netherlands. DNB supervises AI use in the financial sector, particularly for high-risk applications such as credit scoring and insurance assessment. DNB integrates AI Act compliance into existing prudential supervision.

DORA (Digital Operational Resilience Act)

Technical Concepts

The European regulation for digital operational resilience in the financial sector. DORA sets requirements for ICT risk management, incident reporting, and testing for financial institutions. AI systems in the financial sector must comply with both DORA and the AI Act.

Downstream Provider

Roles & Actors

A provider that builds an AI system on top of a GPAI model from another party (upstream provider). Downstream providers have their own compliance obligations but may need certain information from the upstream provider to fulfill them.

DPIA (Data Protection Impact Assessment)

Assessments & Audits

An assessment required under the GDPR when processing of personal data is likely to result in a high risk to the rights and freedoms of individuals. For AI systems, often required alongside the FRIA.

DSA (Digital Services Act)

Compliance & Governance

The European regulation for digital services that sets rules for online platforms and search engines. The DSA requires transparency about recommendation algorithms and prohibits manipulative patterns. Relevant for AI systems that recommend or moderate content.

Dutch Data Protection Authority (AP)

Supervisory Authorities

The Dutch privacy regulator that, together with the RDI, is responsible for AI supervision. The DPA oversees GDPR compliance and plays a key role in assessing AI systems that process personal data. The Directorate for Algorithm Coordination specifically coordinates AI Act supervision.

E

Emotion Recognition

Risk Classification

AI systems that attempt to infer human emotions from biometric data such as facial expressions, voice, or body posture. Under the EU AI Act, emotion recognition in the workplace and in education is prohibited since February 2025, with exceptions for medical or safety reasons.

Enforcement

Compliance & Governance

Supervision and enforcement of compliance with the EU AI Act by national market surveillance authorities. Fines can reach up to €35 million or 7% of global annual turnover for prohibited practices, and €15 million or 3% for other violations.

Enforcement

Compliance & Governance

The set of activities through which supervisors enforce compliance with the AI Act. Includes: market surveillance, audits, inspections, corrective measures, warnings, recalls, and fines. National market surveillance authorities are responsible for enforcement.

EU AI Act

EU AI Act

The world's first comprehensive AI legislation, adopted by the European Union. The law regulates the development and use of artificial intelligence within the EU based on a risk-based approach. The EU AI Act entered into force in August 2024 with phased implementation until 2027.

EU AI Act Expert

Professionals & Experts

A professional with in-depth knowledge of the European AI Regulation (EU AI Act) who advises organizations on compliance, risk classification, and implementation. EU AI Act experts help companies navigate complex regulations and set up AI governance frameworks. Looking for an EU AI Act expert? Connect via LinkedIn: linkedin.com/in/zahed-ashkara-51a0b2198

EU Database for High-Risk AI

EU AI Act

The public database managed by the European Commission where high-risk AI systems and GPAI models must be registered (Article 71). The database contains information about the system, provider, and risk profile and is accessible to the public.

EU Declaration of Conformity

Compliance & Governance

A formal statement by the provider that a high-risk AI system complies with AI Act requirements. Must be drawn up for each high-risk system, retained for 10 years, and provided to authorities upon request. Content is specified in Annex V.

Explainability

Technical Concepts

The degree to which the operation and decisions of an AI system can be explained to people. High-risk AI systems must be sufficiently transparent so that users can interpret and correctly use the output.

F

Fine-tuning

Technical Concepts

The process of further training a pre-trained AI model on specific data for a particular task or domain. Organizations that fine-tune foundation models may under certain circumstances be classified as providers under the EU AI Act, with associated obligations.

FLOP Threshold (10^25)

Technical Concepts

The computational threshold above which a GPAI model is automatically classified as having systemic risk. FLOP (Floating Point Operations) measures the computing capacity used for training. Models above 10^25 FLOP receive additional obligations such as red teaming and systemic risk assessment.

Foundation Model

Technical Concepts

A large AI model trained on broad data that can be adapted for diverse downstream tasks. Examples include GPT-4, Claude, and Gemini. Under the EU AI Act, foundation models placed on the market fall under GPAI regulation (Chapter V).

FRIA (Fundamental Rights Impact Assessment)

Assessments & Audits

An assessment that deployers of high-risk AI must perform to determine the impact on fundamental rights before the system is put into use. Required for government bodies and essential services.

G

GDPR / AVG

Privacy & Ethics

General Data Protection Regulation. The European privacy legislation that regulates the processing of personal data. The GDPR and EU AI Act complement each other: AI systems that process personal data must comply with both.

GPAI (General Purpose AI)

EU AI Act

General Purpose AI models that can perform a wide range of tasks, such as ChatGPT. GPAI falls under specific transparency obligations in the EU AI Act. GPAI models with systemic risk (such as very large language models) have additional obligations.

H

Hallucination

Technical Concepts

Erroneous output from AI systems (especially LLMs) where the model generates convincing-sounding but factually incorrect information. An important risk with generative AI that users must be informed about as part of AI literacy.

High-Risk AI System

Risk Classification

AI systems that pose a significant risk to health, safety, or fundamental rights of persons. These are listed in Annex III of the AI Act and include biometric identification, critical infrastructure, education, employment, law enforcement, and credit assessment. High-risk systems must comply with strict requirements for risk management, data quality, transparency, and human oversight.

HR AI / AI in Recruitment

Risk Classification

AI systems used for HR purposes such as CV screening, candidate selection, performance evaluation, and dismissal decisions. Explicitly designated as high-risk in Annex III. Emotion recognition in job interviews is prohibited. Employers must inform employees about AI use.

Human Oversight

Compliance & Governance

The requirement that high-risk AI systems are designed so that they can be effectively overseen by natural persons during their use. This must prevent AI systems from autonomously causing harm. Includes the ability to intervene and override.

Human-on-the-loop

Technical Concepts

A design pattern where a human can monitor the operation of an AI system and intervene if necessary, but is not involved in every individual decision. Less intensive than human-in-the-loop. Acceptable for some high-risk systems depending on context.

Human-over-the-loop

Roles & Actors

A design pattern where a human sets boundaries and constraints before an AI system operates autonomously, without real-time intervention. The human defines operational parameters, rules, and exceptions before deployment. This is a less intensive form of human oversight than human-in-the-loop or human-on-the-loop.

I

IAMA (Human Rights and Algorithms Impact Assessment)

Assessments & Audits

A Dutch instrument developed by the government to assess the impact of algorithms on human rights. The IAMA helps organizations identify and mitigate risks. An AI Act update of the IAMA is expected in 2026.

Importer

Roles & Actors

Natural or legal person established in the EU who places an AI system on the EU market from a provider outside the EU. Importers must verify that the system complies with the EU AI Act.

Instructions for Use

Compliance & Governance

The information that providers of high-risk AI systems must provide to deployers (Article 13). Includes intended purpose, known limitations, expected performance, instructions for human oversight, and maintenance requirements. Must be understandable for the deployer.

Internet of Agents

Technical Concepts

An emerging paradigm where autonomous AI agents collaborate via the internet, delegate tasks, and dynamically organize without human intervention. This creates new risks around misinformation, system overload, and lack of standardized communication protocols between agents.

J

Jailbreaking (AI)

Technical Concepts

Techniques to bypass the safety measures and restrictions of AI models, causing the model to generate content that would normally be blocked. GPAI providers with systemic risk must test their models for jailbreaking as part of adversarial testing.

L

LLM (Large Language Model)

Technical Concepts

Large language models like GPT-4, Claude, or Gemini. AI systems trained on enormous amounts of text that can generate human-like text. Often fall under GPAI regulations in the EU AI Act.

M

Machine Learning (ML)

Technical Concepts

A branch of artificial intelligence where systems learn from data to perform tasks without being explicitly programmed. ML models identify patterns in training data and apply these to new situations. Most AI systems under the EU AI Act are based on machine learning techniques.

Market Surveillance Authority

Roles & Actors

The national authority responsible for supervising compliance with the EU AI Act. In the Netherlands, this is likely the Dutch Data Protection Authority (AP) in combination with sector-specific supervisors.

Medical AI / AI in Healthcare

Risk Classification

AI systems used in healthcare, such as diagnostic support, treatment planning, and medical image analysis. Much medical AI falls under both the AI Act and the Medical Device Regulation (MDR). Systems that diagnose or recommend treatments are typically high-risk.

Minimal Risk AI

Risk Classification

AI systems that do not fall under specific EU AI Act obligations, such as AI in video games, spam filters, or search algorithms. The vast majority of AI systems fall into this category. General laws like GDPR still apply.

Model Card

Technical Concepts

A standardized document describing key information about an AI model: intended use, performance metrics, limitations, training data, and ethical considerations. Model cards increase transparency and help deployers assess whether a model is suitable for their use case.

Model Extraction

Technical Concepts

A type of attack where an attacker attempts to create a copy of an AI model by systematically analyzing its output. The AI Act requires high-risk systems to be protected against such attacks. Relevant for intellectual property and security risks.

N

Neural Network

Technical Concepts

A computing system inspired by the human brain, consisting of layers of interconnected nodes (neurons). Neural networks form the basis of deep learning and many modern AI systems. They learn patterns from data by adjusting weights through training.

New Legislative Framework (NLF)

Compliance & Governance

The European framework for product regulation on which the EU AI Act is based. The NLF includes principles such as CE marking, conformity assessment, market surveillance, and harmonized standards. This framework is also used for machinery directives, medical devices, and other product categories.

NIS-2 (Network and Information Security Directive)

Technical Concepts

The European directive for cybersecurity of network and information systems. NIS-2 requires essential and important entities to implement appropriate security measures. AI systems falling under NIS-2 must comply with both NIS-2 cybersecurity requirements and AI Act requirements where applicable.

NLP (Natural Language Processing)

Technical Concepts

The field of AI concerned with interaction between computers and human language. Includes text understanding, translation, sentiment analysis, and text generation. LLMs are advanced NLP systems. Relevant for chatbots, virtual assistants, and translation services.

O

Operator

Roles & Actors

An umbrella term in the AI Act for providers, deployers, authorized representatives, importers, and distributors. Operators are the parties in the AI value chain that have obligations under the AI Act, depending on their specific role.

Overfitting

Technical Concepts

A phenomenon where an AI model becomes too specifically trained on training data and therefore performs poorly on new, unseen data. Overfitting can lead to unreliable results in practice. Good data governance and validation procedures help prevent overfitting.

P

Post-remote Biometric Identification

Risk Classification

Remote biometric identification of persons that takes place after the fact (not real-time). Classified as high-risk under the AI Act, not prohibited. Requires conformity assessment and additional safeguards. Distinction from real-time is crucial for legal classification.

Privacy by Design

Privacy & Ethics

A principle where privacy and data protection are built into the design of AI systems from the start, not as an afterthought. Required under both the GDPR and the EU AI Act for high-risk systems.

Read more: ai privacy

Product Liability (AI)

Compliance & Governance

Legal liability for damage caused by AI products. The revised Product Liability Directive (PLD) brings AI systems under the product liability regime. Providers can be liable for defective AI systems, even if the defect arises during deployment.

Read more: eu ai act

Prohibited AI Practices

Risk Classification

AI applications completely banned by the EU AI Act due to unacceptable risk. This includes: social scoring by governments, manipulative AI, exploitation of vulnerable groups, real-time biometric identification by police in public spaces (with exceptions), and emotion recognition in workplaces and education.

Prompt Engineering

Technical Concepts

The practice of designing and optimizing textual instructions (prompts) for generative AI models to obtain the desired output. While prompt engineering itself is not regulated, the deployment of prompted AI systems for certain purposes may fall under the AI Act.

Provider

Roles & Actors

The natural or legal person who develops or has developed an AI system and places it on the market or puts it into service under their own name. Providers of high-risk AI have the heaviest compliance obligations, including CE marking, conformity assessment, and technical documentation.

R

RAG (Retrieval Augmented Generation)

Technical Concepts

An AI architecture that combines generative models with a knowledge base or database. The system first retrieves relevant information and uses this as context for generating answers. RAG can reduce hallucinations and makes AI output verifiable.

Real-time Biometric Identification

Risk Classification

Remote biometric identification of persons in real-time in public spaces. Largely prohibited under the AI Act for law enforcement, with limited exceptions for counter-terrorism, missing persons, and serious crimes (subject to judicial approval).

Real-World Testing

Supervisory Authorities

Testing AI systems in real conditions outside lab environments, as described in Article 60 of the EU AI Act. Real-world testing is permitted under strict conditions, including approval by the market surveillance authority, informed consent of participants, and a testing plan.

Reasonably Foreseeable Misuse

EU AI Act

Use of an AI system in a manner inconsistent with the intended purpose, but which a provider can reasonably foresee based on human behavior or interaction with other systems. Providers must also test high-risk systems for foreseeable misuse.

Recall

Compliance & Governance

A corrective measure requiring an AI system already placed on the market to be retrieved. Can be imposed by market surveillance authorities for serious non-conformity or unacceptable risks. Providers must inform users and remove the system from the market.

Responsible AI

Privacy & Ethics

The practice of developing and using AI systems in an ethical, transparent, and fair manner aligned with human values. Includes principles such as fairness, accountability, transparency, and privacy. The EU AI Act codifies responsible AI principles into legislation.

Right to Complaint

Compliance & Governance

The right of natural and legal persons to lodge complaints about AI systems with the national market surveillance authority. Complaints may concern non-conformity with the AI Act. Supervisors must handle complaints and take appropriate measures.

Risk Management System

Compliance & Governance

A continuous iterative process throughout the entire lifecycle of a high-risk AI system, consisting of identification, analysis, estimation, evaluation, and treatment of risks. Required under Article 9 of the EU AI Act.

S

Social Scoring

Privacy & Ethics

The use of AI to assign individuals a score based on their behavior, characteristics, or social connections. Social scoring by governments is explicitly prohibited under the EU AI Act due to the unacceptable risk to fundamental rights.

Systemic Risk

Risk Classification

Risk that a GPAI model may have negative effects on public health, safety, public security, fundamental rights, or society as a whole. GPAI models with systemic risk (determined by computing power >10^25 FLOPS) have additional obligations such as adversarial testing and incident reporting.

T

Technical Documentation

Compliance & Governance

The detailed description of a high-risk AI system that providers must prepare and maintain (Article 11). Includes system description, design specifications, risk management, test results, and instructions. Must remain available for 10 years after placing on the market.

Test Data

Technical Concepts

A dataset used to evaluate the final performance of a trained AI model. Test data is only used after training and validation to obtain an unbiased performance measurement. The AI Act requires test data to be representative and error-free.

Training Data

Technical Concepts

The dataset used to train an AI model. The quality, representativeness, and lawful acquisition of training data are crucial for AI system quality. Article 10 of the EU AI Act sets data governance requirements for high-risk systems. GPAI providers must publish a training data summary.

Training Data Summary

Compliance & Governance

A publicly available summary of the data used to train a GPAI model. Required under Article 52 of the AI Act. Must be sufficiently detailed to inform copyright holders. The AI Office is developing a template for these summaries.

Transparency Obligation

Compliance & Governance

The requirement to inform users about interaction with AI systems. Applies to chatbots, deepfakes, and AI-generated content. High-risk AI must also provide instructions for use and information about capabilities and limitations.

Trustworthy AI

Privacy & Ethics

AI that is (1) lawful, (2) ethical, and (3) robust. Defined by the EU High-Level Expert Group on AI. Forms the basis for the ethical guidelines enshrined in the EU AI Act.

V

Validation Data

Technical Concepts

A dataset used to tune and optimize an AI model during development. Validation data is separate from training and test data to prevent overfitting. The AI Act requires validation data for high-risk systems to meet quality criteria.

W

Withdrawal

Compliance & Governance

Removing from the market an AI system that is still in the supply chain but has not yet been delivered to end users. Differs from recall in that the system has not reached users. Can be voluntary by the provider or mandatory by supervisors.