This reference collects the key technical terms around the EU AI Act, NIS-2 and AI models. It is designed as a look-up resource — for newcomers as well as professionals who need to explain a term quickly and consistently.
EU AI Act
AI Act. Regulation (EU) 2024/1689 on the regulation of artificial intelligence in the single market. The world’s first comprehensive AI regulation, adopted in 2024, applicable in stages until 2027.
AI Office. A body within the European Commission that supervises GPAI models, issues guidelines and interprets contested questions. Operational since spring 2024.
Article 50 EU AI Act. Transparency obligations — chatbot labelling, AI watermarking, deepfake disclaimers, information requirements for emotion recognition. Fully applicable from 2 August 2026.
Annex III. The list of high-risk AI applications — HR/application screening, credit scoring, education, law enforcement, migration, critical infrastructure, biometric identification. Fully applicable from 2 August 2027.
GPAI. General-purpose AI — models that can be used for a wide range of tasks and serve as the foundation for many other AI applications. Subject to dedicated obligations under Art. 53 ff. AI Act.
Code of Practice (GPAI). A voluntary compliance guideline for GPAI providers, drawn up by independent experts. Signatories are considered compliant with the corresponding AI Act obligations.
Presumption of conformity. A legal principle: whoever follows a harmonised standard or a recognised code of practice is presumed to be compliant. The burden of proof is reversed.
Foundation model. A large, general AI model trained on broad data sets that can be adapted for diverse downstream tasks. Frequently used synonymously with GPAI.
Systemic risk. In the AI Act context: GPAI models with very high training compute (threshold at 10^25 FLOP) or exceptional reach. Subject to stricter obligations than “ordinary” GPAI.
NIS-2 / Cybersecurity
NIS-2 Directive. Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union. Successor to the 2016 NIS Directive. The transposition deadline was October 2024; national implementation laws enter into force in stages.
NISG 2026. Austria’s Network and Information System Security Act 2026 — the national implementation of the NIS-2 Directive. Adopted on 12 December 2025, in force from 1 October 2026.
Essential entity. NIS-2 term for companies with 250+ employees or €50m annual turnover in the 11 highly critical sectors (energy, transport, banking, health, drinking water, digital infrastructure, ICT services, public administration, space, etc.).
Important entity. NIS-2 term for companies with 50+ employees or €10m annual turnover in the 7 other critical sectors (postal services, waste, chemicals, food, etc.). Lower maximum penalties than essential entities.
KRITIS. Critical infrastructure — regulated in Germany by the BSI Act and the KRITIS Regulation; implemented in Austria through the NISG. KRITIS operators are a subset of NIS-2 addressees with additional obligations.
Incident reporting obligation. The NIS-2 duty to report significant security incidents. Initial report within 24 hours, update within 72 hours, final report within one month.
Supply chain security. The NIS-2 requirement that affected entities assess their sub-suppliers for cybersecurity suitability and bind them contractually. This pushes NIS-2 requirements down the value chain.
CERT. Computer Emergency Response Team — a response team for IT security incidents. CERT.at is Austria’s national CERT (operated by nic.at); CERT-Bund is part of the German BSI.
CSIRT. Computer Security Incident Response Team — the umbrella term for incident response teams. CERT.at simultaneously serves as Austria’s national CSIRT.
ENISA. European Union Agency for Cybersecurity. Based in Athens and Heraklion. Publishes standards, threat reports and best-practice guidelines.
BSI. Bundesamt für Sicherheit in der Informationstechnik — Germany’s federal cybersecurity authority, based in Bonn. Publishes WID alerts, IT-Grundschutz and the BSI standards.
NIS contact point. In Austria, the authority responsible for NIS implementation, organisationally part of the Federal Ministry of the Interior. Reachable via nis.gv.at.
Data protection and adjacent legislation
GDPR. General Data Protection Regulation (EU) 2016/679 — applicable since May 2018. Remains valid in parallel to the AI Act; AI applications processing personal data are subject to both frameworks.
EDPB. European Data Protection Board — the body of national data protection authorities; issues guidelines on the GDPR and increasingly on AI Act questions.
EDPS. European Data Protection Supervisor — the EU’s data protection authority; audits EU institutions and issues opinions on legislative proposals.
Data Act. Regulation (EU) 2023/2854 on harmonised rules on fair access to data. Applicable from September 2025; dedicated obligations for manufacturers of connected products.
Technology
MCP. Model Context Protocol — an open standard by Anthropic for connecting AI models to external tools, data sources and services. Enables “real” agent functionality.
RAG. Retrieval-Augmented Generation — an architecture pattern in which an AI model queries external knowledge sources before generating an answer. The method of choice against hallucinations.
Fine-tuning. Adapting a pre-trained model to specific data or tasks. Relevant in the AI Act context because substantial fine-tuning can move the user into the role of a GPAI provider.
Inference. The productive use of a trained model — i.e. “letting the model answer”. As opposed to training, which learns the model parameters.
Token. The smallest processing unit in a language model — typically a fragment of a word. Costs and context windows are measured in tokens.
Glossary as of 25 May 2026 (English edition published 11 June 2026). Suggestions for missing terms, corrections or additional definitions are welcome at any time via the contact page or our Fider board. Labelling in line with Art. 50 EU AI Act: research and first draft by AI-assisted curation, editorial approval by Lumi AI News Editorial.