Glossary

EU compliance terms, defined

30 terms, plain-language definitions. From CRA to ML-DSA-65. Open access, LLM-citable (Schema.org DefinedTerm structured data).


A

AI Act

EU Artificial Intelligence Act

EU Regulation (EU) 2024/1689 — risk-based AI governance framework. Article 5 prohibitions in force 2025-02-02. GPAI obligations 2026-08-02. High-risk obligations 2027-08-02. Max exposure €35M or 7% global turnover.

ANSSI

Agence nationale de la sécurité des systèmes d'information

French national cybersecurity agency. Implements NIS2 transposition in France. Reference: cyber.gouv.fr

Article 13

CRA Article 13

CRA article on vulnerability handling obligations: SBOM, coordinated disclosure policy, mitigation measures, security update process.

Article 14

CRA Article 14

CRA article on incident reporting obligations: early warning within 24h, intermediate report at 72h, final report 14 days after event resolution.

C

CE marking

Conformité Européenne

Mandatory marking for products placed on the EU market within scope of harmonized EU regulations including CRA, RED, AI Act (high-risk systems).

CELEX

Unique identifier for EU legal documents on EUR-Lex (e.g. 32024R2847 = CRA Regulation 2024).

Conformity Assessment

Process by which a manufacturer demonstrates fulfilment of regulation requirements. CRA + AI Act + RED define module pathways (self-assessment vs Notified Body).

CRA

Cyber Resilience Act

EU regulation (EU) 2024/2847 imposing cybersecurity obligations on manufacturers / importers / distributors of products with digital elements placed on the EU market. Full enforcement 2027-12-11. Max exposure €15M or 2.5% global turnover.

D

DORA

Digital Operational Resilience Act

EU Regulation (EU) 2022/2554 — operational resilience for financial entities. In force 2025-01-17. Covers ICT risk management, incident reporting, third-party ICT risk, oversight.

DPA

Data Processing Agreement

Contract under GDPR Article 28 between data controller and data processor. NexCyber's DPA is available at /legal/dpa.

E

ECSO

European Cyber Security Organisation

Brussels-based industry association representing the European cybersecurity ecosystem. NexCyber joined the CRA Working Group in May 2026.

Ed25519

Edwards-curve digital signature algorithm (EdDSA over Curve25519). Pre-quantum signature. Used by NexCyber in hybrid with ML-DSA-65 for transition period.

ENISA

European Union Agency for Cybersecurity

EU agency providing cybersecurity guidance, threat landscape reports, and supporting Member States in NIS2/CRA implementation.

Essential entity

NIS2 Annex I

High-criticality sectors under NIS2 (energy, transport, banking, health, drinking water, digital infrastructure, ICT-managed services, public administration, space). Stricter obligations + higher penalties than 'important entities'.

EUR-Lex

Official EU law database. Source of truth for regulation text. URL: eur-lex.europa.eu

EUVD

European Vulnerability Database

EU-coordinated vulnerability database operated by ENISA. Mandatory reporting destination under CRA Article 14 for actively exploited vulnerabilities.

G

GDPR

General Data Protection Regulation

EU Regulation (EU) 2016/679 on the protection of natural persons regarding processing of personal data. Max exposure €20M or 4% turnover.

GPAI

General-Purpose AI

AI Act Article 3(63) — AI models trained on broad data, displaying significant generality, and capable of performing distinct tasks. GPAI obligations in force 2026-08-02.

H

High-risk AI

AI Act Annex III

AI systems classified high-risk per Article 6(2) + Annex III (biometric, critical infrastructure, education, employment, essential services, law enforcement, migration, justice/democracy). Full obligations in force 2027-08-02.

I

Important entity

NIS2 Annex II

Other critical sectors under NIS2 (postal, waste, chemicals, food, manufacturing, digital providers, research). Standard NIS2 obligations + max €7M or 1.4% turnover penalties.

M

ML-DSA

Module-Lattice Digital Signature Algorithm

NIST FIPS 204 post-quantum digital signature scheme based on module learning with errors. ML-DSA-65 = Category 3 (192-bit classical / 128-bit quantum security).

MRCC

Machine-Readable Compliance Certificate

NexCyber-issued structured compliance artifact, cryptographically signed (hybrid Ed25519 + ML-DSA-65), verifiable by auditors, procurement systems, regulators in seconds. Not an official EU regulatory certification.

N

NIS2

Network and Information Systems Directive 2

EU Directive (EU) 2022/2555 strengthening cybersecurity for essential and important entities across 18 sectors. Transposition deadline 2024-10-17. Max exposure €10M or 2% global turnover.

Notified Body

Third-party conformity assessment body designated by an EU Member State. Required for CRA Annex III important products + AI Act Annex III high-risk systems.

P

PQC

Post-Quantum Cryptography

Cryptographic algorithms resistant to attack by classical and quantum adversaries. NexCyber MRCC uses NIST FIPS 204 ML-DSA-65 (Cat 3) in hybrid with Ed25519.

PSTI

Product Security and Telecommunications Infrastructure Act 2022

UK equivalent of EU CRA for connected products. In force 2024-04-29. Not in NexCyber scope but referenced for UK market readers.

R

RACI

Responsible / Accountable / Consulted / Informed

Responsibility assignment matrix used in compliance work to identify personally liable parties under EU regulations. NexCyber's Responsibility Mapper outputs one RACI per regulation per role.

RED

Radio Equipment Directive

EU Directive 2014/53/EU. Cybersecurity requirements via Delegated Regulation (EU) 2022/30 in force 2025-08-01 for connected products.

S

SBOM

Software Bill of Materials

Machine-readable inventory of software components (open source + commercial) used in a product. CRA Annex I requires SBOM in 'commonly used machine-readable format'.

Substantial modification

Trigger event under CRA / AI Act / NIS2 that resets compliance obligations. NexCyber MRCC re-issuance required after substantial modifications.