EU AI Act Compliance Glossary

A

Accuracy, robustness and cybersecurity

Performance and resilience requirements against error/manipulation.

Why it matters for SMEs: Technical quality requirements with compliance consequences.

AI literacy

Obligation to ensure relevant staff have sufficient AI understanding.

Why it matters for SMEs: Practical training requirement for safe operation.

AI model

A computational model enabling inference and output generation, often integrated into an AI system.

Why it matters for SMEs: Important for understanding model vs system responsibilities.

AI Office

EU-level governance body coordinating implementation and oversight aspects.

Why it matters for SMEs: Shapes guidance and supervisory interpretation.

AI system

A machine-based system that can infer from input to generate outputs such as predictions, content, recommendations, or decisions.

Why it matters for SMEs: Core scope term: determines whether the Act applies to your tool/workflow.

Authorized representative

EU-established entity mandated by provider to perform specified legal tasks.

Why it matters for SMEs: Critical for non-EU providers operating in EU markets.

B

Biometric categorisation

Assigning people to categories using biometric data.

Why it matters for SMEs: Can raise discrimination and rights risks.

Biometric identification

Recognition/verification of persons based on biometric data patterns.

Why it matters for SMEs: Highly sensitive and often tightly restricted.

C

CE marking

Mark indicating conformity with relevant Union harmonisation legislation.

Why it matters for SMEs: Signals lawful placement where required.

Codes of practice

Industry-developed frameworks for demonstrating compliance with AI Act obligations, particularly for GPAI models.

Why it matters for SMEs: GPAI providers can use codes of practice to show compliance — check if your vendor is a signatory.

Conformity assessment

Procedure demonstrating compliance with applicable requirements before market use.

Why it matters for SMEs: Central for high-risk pathways.

D

Data governance

Controls ensuring data quality, relevance, representativeness, and bias handling.

Why it matters for SMEs: Directly affects system reliability and fairness.

Deep fake

AI-generated or manipulated image, audio or video content that resembles existing persons, objects, places or events and would falsely appear authentic or truthful.

Why it matters for SMEs: Deployers must disclose deep fakes under Article 50(4) transparency rules.

Deployer

A natural or legal person using an AI system under its authority in professional activity.

Why it matters for SMEs: Most SMEs are deployers and still have obligations.

Deployer instructions

Provider-supplied instructions for lawful and safe use of AI system.

Why it matters for SMEs: Deployers must align operations with these constraints.

Distributor

Actor in the supply chain, other than provider/importer, making AI systems available on market.

Why it matters for SMEs: Distribution context requires due diligence before onward supply.

Downstream provider

A provider of an AI system that integrates an AI model provided by another entity based on contractual relations.

Why it matters for SMEs: Relevant when your product integrates a third-party AI model — you inherit obligations.

E

Emotion recognition system

AI inferring emotional states from biometric or behavioral signals.

Why it matters for SMEs: Restricted in certain workplace/education scenarios.

EU database

Union-level database for relevant AI system registrations/disclosures.

Why it matters for SMEs: Registration status may be a legal requirement.

F

Free and open-source AI component

An AI component provided under an open-source licence allowing access, usage, modification, and distribution, with publicly available parameters.

Why it matters for SMEs: Open-source GPAI models get exemptions from some documentation obligations (Article 53(2)).

Fundamental Rights Impact Assessment (FRIA)

Assessment of rights impacts and mitigations for high-impact deployments.

Why it matters for SMEs: Important for rights-sensitive use cases and governance evidence.

G

General-purpose AI model (GPAI)

Model displaying significant generality and capable of many distinct tasks.

Why it matters for SMEs: Widely relevant due to ChatGPT/Copilot-style adoption.

General-purpose AI system

An AI system based on a general-purpose AI model, capable of serving a variety of purposes for direct use or integration.

Why it matters for SMEs: Distinct from the model itself — the system is what end-users interact with (e.g., ChatGPT).

H

High-risk AI system

AI system meeting risk criteria under legal framework and Annex categories.

Why it matters for SMEs: High-risk status drives deeper controls and documentation.

Human oversight

Measures enabling human monitoring and intervention in AI operation.

Why it matters for SMEs: Reduces automation harm in consequential contexts.

I

Importer

EU-based actor placing on the Union market an AI system bearing a non-EU provider’s name.

Why it matters for SMEs: Importer checks can affect procurement and market entry.

Inference

The process by which an AI system derives outputs (predictions, content, recommendations, decisions) from the inputs it receives.

Why it matters for SMEs: The defining characteristic that distinguishes AI systems from conventional software under the Act.

Input data

Data provided to or directly acquired by an AI system, on the basis of which the system produces an output.

Why it matters for SMEs: Understanding input data helps define what your system processes and related GDPR obligations.

Intended purpose

Use intended by provider, reflected in instructions, promotional materials, and documentation.

Why it matters for SMEs: Drives risk classification and compliance scope.

L

Logging (record-keeping)

Automatic recording of events enabling traceability and investigation.

Why it matters for SMEs: Critical for incident analysis and accountability.

M

Making available on the market

Supply of system/model for distribution or use in EU commercial activity.

Why it matters for SMEs: Important for supply-chain actors and contracts.

N

National competent authority

Member State authority responsible for supervision/enforcement tasks.

Why it matters for SMEs: Primary contact point in national compliance interactions.

Notified body

Designated independent conformity-assessment body under EU framework.

Why it matters for SMEs: May be required depending on assessment route.

P

Placing on the market

First making available of an AI system/model on EU market.

Why it matters for SMEs: Triggers key market entry compliance checkpoints.

Post-market monitoring

Continuous collection and review of system performance/risk data after deployment.

Why it matters for SMEs: Essential for lifecycle compliance and incident prevention.

Post-market monitoring plan

Documented process for monitoring, incident detection, and corrective actions.

Why it matters for SMEs: Key evidence artifact in audits and reviews.

Prohibited AI practices

AI uses considered unacceptable and banned by law.

Why it matters for SMEs: Immediate no-go gate for product and deployment decisions.

Provider

A natural or legal person that develops or places an AI system/model on the market under its name.

Why it matters for SMEs: Provider obligations are broader and lifecycle-heavy.

Publicly accessible space

Any physical place accessible to an undetermined number of natural persons, regardless of access conditions.

Why it matters for SMEs: Critical for understanding where real-time biometric identification restrictions apply.

Putting into service

First use of system/model by deployer for intended purpose in EU.

Why it matters for SMEs: Operational launch point for deployer duties.

Q

Quality management system (QMS)

Organizational system of policies/processes ensuring consistent compliance execution.

Why it matters for SMEs: Required maturity layer for sustained compliance.

R

Real-time remote biometric identification

Immediate/near-immediate remote identification processing.

Why it matters for SMEs: Particularly sensitive in public-space contexts.

Reasonably foreseeable misuse

Use not intended but reasonably predictable due to behavior or context.

Why it matters for SMEs: Must be considered in risk management and safety planning.

Recall of an AI system

Any measure aimed at achieving the return to the provider, taking out of service, or disabling an AI system already made available.

Why it matters for SMEs: Authorities can order recalls for non-compliant systems — understand the risk.

Regulatory sandbox

Supervised environment for developing/testing innovative AI under authority guidance.

Why it matters for SMEs: Useful path for innovation with controlled risk.

Remote biometric identification

Biometric identification at distance without active subject cooperation.

Why it matters for SMEs: Use context is heavily regulated and scrutinized.

Risk management system

Iterative process for identifying, evaluating, mitigating, and monitoring AI risks.

Why it matters for SMEs: Foundational control layer for high-risk compliance.

S

Safety component

Component of a product/system that fulfills a safety function where failure endangers safety.

Why it matters for SMEs: Can elevate compliance obligations in regulated products.

Sandbox plan

A document agreed between a participating provider and competent authority describing objectives, conditions, and requirements for sandbox activities.

Why it matters for SMEs: Required for participation in an AI regulatory sandbox — free for SMEs.

Serious incident

Incident causing or likely causing serious harm to health, safety, rights, or property.

Why it matters for SMEs: Triggers escalation and reporting processes.

Social scoring

Evaluating or classifying natural persons over time based on social behaviour or known, inferred or predicted personal characteristics.

Why it matters for SMEs: Prohibited under Article 5(1)(c) — one of the banned AI practices.

Substantial modification

Change affecting compliance with requirements or intended purpose profile.

Why it matters for SMEs: Can shift role and obligations, including provider-like duties.

Systemic risk (GPAI)

High-impact risk from very capable models with broad downstream effects.

Why it matters for SMEs: Impacts advanced model governance expectations.

T

Technical documentation

Detailed documentation package demonstrating design, function, and compliance controls.

Why it matters for SMEs: Core evidence for high-risk systems.

Testing data

Data used for providing an independent evaluation of an AI system to confirm expected performance before market placement.

Why it matters for SMEs: Separate from training/validation — must independently verify system performance.

Training data

Data used for training an AI system through fitting its learnable parameters.

Why it matters for SMEs: Key concept for data governance obligations under Article 10.

Transparency obligations

Duty to inform users/subjects in specific AI interaction/content contexts.

Why it matters for SMEs: Frequent requirement for deployers and public-facing tools.

V

Validation data

Data used for evaluating a trained AI system and tuning its non-learnable parameters and learning process.

Why it matters for SMEs: Required for bias testing and performance verification in high-risk systems.

Value chain actor

Any participant in production, distribution, import, deployment, or operation of AI.

Why it matters for SMEs: Clarifies shared responsibilities in contracts and controls.

W

Withdrawal of an AI system

Any measure aimed at preventing an AI system in the supply chain from being made available on the market.

Why it matters for SMEs: Distinct from recall — withdrawal stops future distribution, recall addresses deployed systems.