Compliance Glossary

Key terms and definitions for compliance, cybersecurity, and regulatory frameworks.

Access Control

Technical

The selective restriction of access to resources, systems, and data based on user identity and authorization. Access control is a fundamental security control required by ISO 27001, SOC 2, DORA, and GDPR to ensure that only authorized personnel can access sensitive information.

AML/KYC

Audit

Anti-Money Laundering (AML) and Know Your Customer (KYC): the process of verifying the identity of customers and assessing their risk profile to prevent money laundering and terrorist financing.

Asset Discovery

Technical

The process of identifying and cataloging all hardware, software, and network devices within an organization's IT infrastructure.

Audit Evidence

Governance

Information obtained by auditors during an audit to provide a reasonable basis for their conclusions about the subject matter.

Audit Opinion

Governance

The formal statement by an auditor regarding the fairness and accuracy of an organization's financial statements.

Audit Readiness

Audit

The state of being prepared for a compliance audit at any time, with all necessary documentation, evidence, and controls in place. Continuous audit readiness replaces the traditional 'audit scramble' approach with always-on compliance monitoring and evidence collection.

Audit Trail

Audit

A chronological record of all system activities, data changes, and user actions that provides documentary evidence of compliance. Audit trails are required by DORA, ISO 27001, and SOC 2 to demonstrate accountability, detect anomalies, and support forensic investigations.

BaFin (Federal Financial Supervisory Authority)

Governance

Germany's integrated financial regulatory authority responsible for supervising banks, insurance companies, and securities trading. BaFin is the primary competent authority for DORA compliance in Germany, receiving incident reports and conducting supervisory reviews.

BAIT (Banking Supervisory Requirements for IT)

Governance

BaFin's regulatory framework specifying IT requirements for German banks. BAIT translates MaRisk into concrete IT security standards covering information security management, user access management, IT projects, application development, IT operations, and outsourcing.

Binding Corporate Rules

Framework

A set of company-wide data protection policies and rules that are legally binding on all group companies.

Business Continuity

Governance

The capability of an organization to continue delivering products or services at acceptable predefined levels following a disruptive incident. Business continuity planning is a core component of both DORA and ISO 27001 requirements.

Business Impact Analysis (BIA)

Audit

A systematic process to evaluate the potential impact of a disaster on an organization's operations and to identify critical business functions that require support to maintain business continuity.

Carbon Accounting

Framework

The process of measuring, managing, and reporting an organization's carbon emissions to track its carbon footprint and inform carbon reduction strategies.

Certificate Management

Technical

The process of issuing, distributing, managing, and revoking digital certificates within an organization.

Chain of Custody

Audit

A chronological record documenting the handling, control, storage, and transfer of evidence or records to ensure their integrity and admissibility in legal proceedings.

Change Management (IT)

Governance

A structured process for requesting, reviewing, approving, and implementing changes to IT systems and infrastructure. Required by ISO 27001 (Annex A.12.1.2), SOC 2, and DORA to minimize disruption and ensure changes don't introduce new vulnerabilities.

Cloud Access Security Broker

Technical

A software tool or service that acts as an intermediary between cloud-based services and enterprise IT to provide security, compliance, and governance.

Cloud Security

Technical

The set of policies, technologies, and controls designed to protect data, applications, and infrastructure in cloud computing environments. With financial services increasingly adopting cloud solutions, cloud security is critical for DORA, ISO 27001, and GDPR compliance.

Code Review

Technical

The process of examining and evaluating a software program's source code by peers, with the aim of identifying and fixing errors, vulnerabilities, and improving code quality.

Compliance Automation

Audit

The use of technology to streamline and automate compliance processes including evidence collection, control monitoring, risk assessment, policy management, and audit preparation. Compliance automation significantly reduces manual effort and improves accuracy.

Compliance Culture

Governance

The collective attitude, values, and behaviors that demonstrate a commitment to ethical conduct and adherence to laws, regulations, and internal policies within an organization.

Compliance Gap

Audit

The difference between the current state of compliance and the desired state as defined by regulatory requirements or best practices.

Compliance Monitoring

Governance

The ongoing process of tracking and evaluating an organization's adherence to internal policies, procedures, and external regulatory requirements.

Configuration Management

Technical

The process of standardizing, controlling, and maintaining the configuration of IT systems and applications.

Configuration Management Database (CMDB)

Technical

A database used in IT service management to store and manage information about an organization's IT infrastructure, including hardware, software, and network components.

Continuous Monitoring

Audit

An ongoing process of observing, evaluating, and maintaining awareness of information security controls, vulnerabilities, and threats. Continuous monitoring ensures that compliance status is maintained between formal audits and enables rapid detection of control failures.

Control Activity

Audit

Actions or tasks performed by an organization to monitor and ensure the effectiveness of its control framework.

Control Deficiency

Governance

A deviation from an established internal control that could lead to a misstatement of an organization's financial statements.

Control Effectiveness

Risk

The measure of how well a control, such as a policy or procedure, operates to achieve its intended risk management objective.

Control Framework

Audit

A set of policies, procedures, and controls implemented by an organization to manage risk and ensure regulatory compliance.

Control Objective

Audit

A specific goal or purpose for implementing a control within an organization's control framework.

Control Testing

Audit

The process of evaluating the effectiveness of internal controls within an organization to ensure they are operating as intended.

Corrective Action

Governance

A specific measure taken to address and eliminate the cause of a control deficiency or weakness in an organization's internal control system.

Crisis Communication

Audit

The strategic process of managing communication during a crisis to ensure accurate, timely, and consistent information is provided to stakeholders and the public.

Crisis Management

Audit

The process of planning for and managing a crisis or emergency situation to minimize negative impacts on an organization, its stakeholders, and the public.

CSIRT

Framework

Computer Security Incident Response Teams: specialized units that handle cybersecurity incidents and threats.

Cybersecurity Risk Management

Framework

The process of identifying, assessing, and prioritizing cybersecurity risks to protect data and systems against threats.

Data Breach Notification

Framework

The requirement under data protection laws for organizations to report security breaches involving personal data to the relevant authorities and, in some cases, to the affected individuals.

Data Loss Prevention

Technical

A set of strategies and tools used to detect and prevent unauthorized access to, use of, or disclosure of sensitive information.

Data Processing Agreement (DPA)

Governance

A legally binding contract between a data controller and data processor that governs the processing of personal data. Required by GDPR Article 28, a DPA specifies the scope, purpose, and duration of processing, as well as the obligations of each party.

Data Protection Officer (DPO)

Governance

A designated role within an organization responsible for overseeing data protection strategy and GDPR compliance. Under GDPR, certain organizations are required to appoint a DPO, particularly public bodies and organizations that process sensitive data at scale.

Data Residency

Governance

The requirement that data be stored and processed within specific geographic boundaries. Under GDPR and German data protection law, personal data of EU residents must be adequately protected when transferred outside the EU, making EU/German data residency a competitive advantage for compliance platforms.

Data Subject Rights

Framework

The rights granted to individuals under data protection laws that allow them to control their personal data.

Demilitarized Zone (DMZ)

Technical

A separate network segment that is isolated from the internal network but exposed to the internet, used to host publicly accessible services.

DevSecOps

Technical

An approach that integrates security practices into the DevOps process, ensuring that security is considered throughout the software development lifecycle.

Digital Operational Resilience

Framework

The ability of an organization to withstand and recover from digital disruptions, ensuring the continuity of its operations and safeguarding its digital assets.

Disaster Recovery Plan

Audit

A documented process or set of procedures to recover and protect a business IT infrastructure in the event of a disaster.

Document Retention

Audit

The policy and process of retaining documents and records for a specified period to meet legal, regulatory, and business requirements.

DORA (Digital Operational Resilience Act)

Framework

An EU regulation that establishes uniform requirements for the security of network and information systems in the financial sector. DORA became mandatory on January 17, 2025, and applies to banks, insurance companies, investment firms, and their critical ICT service providers.

Double Materiality

Framework

An approach in sustainability reporting that considers both the financial materiality of issues to the company and their societal impact.

DPIA (Data Protection Impact Assessment)

Governance

A process designed to systematically analyze, identify, and minimize data protection risks of a project or plan. DPIAs are required under GDPR Article 35 when data processing is likely to result in a high risk to the rights and freedoms of individuals.

Due Diligence

Governance

A comprehensive investigation or assessment conducted before entering into a business relationship or transaction. In compliance contexts, due diligence refers to the thorough evaluation of third-party providers, business partners, or acquisition targets for regulatory and security risks.

EDR (Endpoint Detection and Response)

Technical

A security solution that monitors and analyzes endpoint activity to detect and respond to potential threats.

Encryption

Technical

The process of converting data into a coded form that can only be read by authorized parties with the correct decryption key. Encryption protects data both at rest and in transit, and is a fundamental requirement across all major compliance frameworks.

Endpoint Security

Technical

The practice of securing end-user devices such as laptops, desktops, and mobile devices from cybersecurity threats. Endpoint security is critical for DORA compliance, covering device management, malware protection, and ensuring corporate data remains protected on employee devices.

ENISA

Framework

The European Union Agency for Cybersecurity, responsible for supporting EU member states in improving their cybersecurity capabilities.

ESAs

Framework

European Supervisory Authorities, which are three independent authorities responsible for the supervision and regulation of financial markets in the EU.

Essential Entities

Framework

Entities identified as critical to the continuity and stability of digital operational services within the European Union.

European Sustainability Reporting Standards

Framework

A set of standards being developed by the European Financial Reporting Advisory Group (EFRAG) to establish a comprehensive framework for sustainability reporting.

Evidence Collection

Audit

The process of gathering, organizing, and maintaining documentation that demonstrates compliance with specific controls and requirements. Automated evidence collection integrates with IT systems to continuously capture proof of control effectiveness.

Evidence Management

Audit

The systematic collection, evaluation, and maintenance of evidence to support audit findings and conclusions.

External Audit

Governance

An independent examination of an organization's financial statements, operations, and compliance with laws and regulations conducted by an external auditor.

Gap Analysis (Compliance)

Audit

A systematic assessment comparing an organization's current security and compliance posture against the requirements of a target framework (e.g., DORA, ISO 27001, SOC 2). Gap analysis identifies missing controls, insufficient processes, and remediation priorities.

GDPR (General Data Protection Regulation)

Framework

The EU regulation governing the processing of personal data of individuals within the European Economic Area. GDPR establishes strict rules for data collection, storage, processing, and transfer, with penalties of up to 4% of annual global turnover for violations.

Governance, Risk, and Compliance

Governance

An integrated framework that encompasses the governance structure, risk management processes, and compliance requirements of an organization.

ICT Concentration Risk

Framework

The risk associated with the over-reliance on a single or limited number of ICT service providers, potentially leading to system vulnerabilities and disruptions.

ICT Risk Management

Risk

The process of identifying, assessing, and mitigating risks associated with information and communication technology systems. Under DORA, financial entities must maintain a comprehensive ICT risk management framework covering identification, protection, detection, response, and recovery.

Identity and Access Management (IAM)

Technical

A framework for ensuring appropriate access to resources and data within an organization, while minimizing security risks.

Important Entities

Framework

Entities that are designated as important due to their significant impact on the digital operational services within the European Union.

Incident Reporting

Governance

The formal process of detecting, classifying, and reporting ICT-related incidents to competent authorities. DORA Articles 17-23 establish specific requirements for incident classification, initial notification, intermediate reports, and final reports to supervisory authorities.

Incident Severity Levels

Audit

A classification system used to categorize the severity of incidents, typically based on their impact on business operations, security, and legal compliance.

Indicators of Compromise (IoC)

Technical

Specific evidence used to detect potential security breaches or cyber attacks, such as IP addresses, domain names, or file hashes.

Information Sharing (Cyber Threat Intelligence)

Technical

The exchange of threat intelligence, vulnerability information, and best practices between organizations and authorities. DORA Article 45 encourages financial entities to participate in information sharing arrangements to improve collective cybersecurity resilience.

Inherent Risk

Risk

The level of risk that exists before any controls or mitigation actions are put in place.

Internal Audit

Governance

An independent, objective assurance and consulting activity designed to add value and improve an organization's operations by evaluating and improving the effectiveness of risk management, control, and governance processes.

Intrusion Detection and Prevention Systems (IDS/IPS)

Technical

Network security systems that monitor and analyze network traffic to detect and prevent unauthorized access or malicious activities.

ISMS (Information Security Management System)

Governance

A systematic approach to managing sensitive company information to keep it secure, consisting of policies, procedures, and technical controls. An ISMS is the core requirement of ISO 27001 and provides the organizational framework for information security governance.

ISO 27001

Framework

The international standard for information security management systems (ISMS). ISO 27001 provides a systematic approach to managing sensitive company information, ensuring it remains secure through a framework of policies, processes, and technical controls.

Key Risk Indicator

Risk

Quantitative or qualitative measures used to identify the occurrence of risk events and assess the effectiveness of risk management.

Least Privilege

Technical

A security principle that limits user access to the bare minimum permissions necessary to perform their job functions.

Legitimate Interest

Framework

A lawful basis for processing personal data under data protection laws, where processing is necessary for the legitimate interests of a controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.

Material Weakness

Governance

A significant deficiency in internal control over financial reporting that could result in a material misstatement of the financial statements.

Maturity Model

Audit

A framework used to assess the maturity of an organization's processes, typically in the context of governance, risk management, and compliance.

Mean Time to Detect (MTTD)

Audit

The average time it takes to identify the occurrence of an incident or a breach in security.

Mean Time to Recover (MTTR)

Audit

The average time required to restore normal operations after an incident.

Mean Time to Respond (MTTR)

Audit

The average time taken after detecting an incident to begin an organized response to address the issue.

MFA (Multi-Factor Authentication)

Technical

A security mechanism that requires users to provide two or more verification factors to gain access to a system. MFA significantly reduces the risk of unauthorized access and is recommended or required by DORA, ISO 27001, SOC 2, and GDPR security measures.

Network Segmentation

Technical

The practice of dividing a network into separate segments to enhance security and performance by isolating different network traffic.

NIS2 (Network and Information Security Directive)

Framework

The updated EU directive on cybersecurity that expands the scope of the original NIS Directive to cover more sectors and entities. NIS2 introduces stricter security requirements, incident reporting obligations, and enforcement measures with significant penalties for non-compliance.

Off-Site Monitoring

Audit

The process of monitoring an organization's compliance with regulations without physically being present at the organization's premises.

On-Site Inspection

Audit

An in-person examination conducted by regulatory or supervisory authorities at the premises of an organization to verify compliance.

Operational Resilience

Risk

The ability of an organization to deliver critical operations through disruption. In the context of DORA, it specifically refers to digital operational resilience — the capacity of financial entities to build, assure, and review their technological operational integrity.

Patch Management

Technical

The process of identifying, acquiring, installing, and verifying patches for software vulnerabilities to maintain system security.

Penetration Testing

Technical

A simulated cyberattack against a system, network, or application to evaluate its security. Penetration testing identifies vulnerabilities that could be exploited by real attackers and is required under DORA's digital operational resilience testing framework.

PEP Screening

Audit

The process of identifying and assessing the risk associated with politically exposed persons (PEPs) to prevent corruption and money laundering.

Policy Management

Governance

The process of creating, implementing, and maintaining policies within an organization to ensure compliance with legal and regulatory requirements.

Privacy by Design

Framework

An approach to systems design that incorporates privacy considerations throughout the development process.

Privileged Access Management (PAM)

Technical

A subset of Identity and Access Management (IAM) focused on managing and controlling access to critical systems and sensitive data by privileged users.

Record Keeping

Audit

The systematic process of recording, maintaining, and preserving records to ensure their availability for future reference and use.

Recovery Point Objective (RPO)

Audit

The maximum acceptable amount of data loss measured in time that can be tolerated in the event of a disaster. It is a critical component of disaster recovery planning.

Recovery Time Objective (RTO)

Audit

The maximum acceptable duration of time within which a business process must be restored after a disaster or disruption. It is a critical component of disaster recovery planning.

Red Team Blue Team

Audit

A method of testing an organization's security posture by having an 'attack team' (Red Team) attempt to breach security measures while a 'defending team' (Blue Team) tries to prevent them.

Register of Information

Framework

A comprehensive list maintained by an organization that contains all relevant information about its data assets, processing activities, and compliance with data protection regulations.

Regulatory Change Management

Governance

The systematic approach to identifying, evaluating, and implementing changes in response to regulatory updates or new legal requirements.

Regulatory Examination

Audit

A thorough review conducted by regulatory authorities to assess an organization's compliance with laws and regulations.

Remediation Plan

Governance

A strategic plan to address and correct identified control deficiencies or weaknesses in an organization's internal control framework.

Residual Risk

Risk

The remaining risk after implementing risk treatment measures. It is the risk that persists despite controls being in place.

Risk Appetite

Risk

The level of risk an organization is willing to accept in pursuit of its strategic objectives.

Risk Assessment

Risk

A systematic process of identifying potential threats, evaluating vulnerabilities, and determining the likelihood and impact of risks to an organization's information assets and operations. Risk assessments are foundational to ISO 27001, DORA, and virtually every compliance framework.

Risk Heat Map

Risk

A visual representation of risks, using colors to indicate the level of risk, helping to quickly identify areas of high, medium, and low risk.

Risk Owner

Risk

The individual or team accountable for managing a specific risk within an organization, ensuring appropriate risk treatment and monitoring.

Risk Register

Risk

A document or database that systematically records all risks identified within an organization, along with their potential impacts and proposed mitigation strategies.

Risk Tolerance

Risk

The maximum level of risk that an organization is prepared to accept in pursuit of its objectives.

Risk Treatment

Risk

The process of selecting and implementing actions to modify risk, including avoiding, reducing, sharing, or accepting the risk.

Role-Based Access Control (RBAC)

Technical

An access control method that restricts system access to authorized users by assigning permissions based on their roles within an organization.

RTS ITS

Framework

Regulatory Technical Standards for Information and Communication Technology, which are binding technical regulations developed to implement specific provisions of EU legislation.

Sanctions Screening

Audit

The process of checking individuals or entities against sanctions lists to ensure compliance with international sanctions regulations.

SIEM (Security Information and Event Management)

Technical

A technology platform that collects, analyzes, and correlates security events from across an organization's IT infrastructure to detect threats and support incident response. SIEM is essential for meeting DORA's detection and monitoring requirements.

Single Sign-On

Technical

A system that allows users to log in once and gain access to multiple related, yet independent software systems without logging in again at each of them.

SOAR (Security Orchestration, Automation, and Response)

Technical

A cybersecurity practice that integrates and automates various security processes to enhance the efficiency of incident response.

SOC (Security Operations Center)

Technical

A centralized unit that monitors and manages an organization's security posture, including incident detection, response, and threat intelligence.

SOC 2 (System and Organization Controls)

Framework

A compliance framework developed by the AICPA that defines criteria for managing customer data based on five Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy. SOC 2 reports are essential for SaaS companies and service providers.

Standard Contractual Clauses

Framework

A set of model clauses approved by the European Commission to facilitate international data transfers while ensuring adequate protection.

Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST)

Technical

Two complementary application security testing methods used to detect vulnerabilities in software applications: SAST analyzes an application's source code or binaries without executing them, while DAST tests the running application from the outside.

Supervisory Review

Audit

An evaluation by supervisory authorities to ensure that financial institutions and other regulated entities are operating in compliance with regulations.

Supply Chain Security

Risk

The management of cybersecurity risks throughout the supply chain, including all third-party vendors, software providers, and service partners. Both DORA and NIS2 mandate supply chain security measures to protect against cascading failures and targeted attacks.

Supply Chain Security NIS2

Framework

The NIS2 regulatory framework sets standards for the security of digital operational technology and supply chains within the EU, with the aim of enhancing the overall security of network and information systems.

Suspicious Activity Report

Audit

A report filed by financial institutions when they suspect a transaction may involve money laundering, terrorist financing, or other illegal activities.

Sustainability Reporting

Framework

The practice of disclosing an organization's environmental, social, and governance (ESG) performance to stakeholders.

Tabletop Exercise

Audit

A simulated emergency management exercise conducted to practice and evaluate the effectiveness of an organization's response to potential incidents.

Taxonomy Alignment

Framework

The process of aligning an organization's reporting and classification systems with a specific taxonomy to ensure consistency and comparability.

Third-Party Risk Management

Risk

The process of identifying, assessing, and controlling risks arising from outsourcing to third-party service providers. Under DORA Article 28, financial entities must maintain a register of all ICT third-party providers and conduct thorough due diligence on critical providers.

Threat Intelligence

Technical

The process of gathering, analyzing, and disseminating information about threats to an organization's security posture.

Threat-Led Penetration Testing

Framework

A penetration testing approach that focuses on identifying and exploiting vulnerabilities that are most likely to be targeted by specific threats.

Three Lines of Defense

Governance

A model that separates an organization's risk management and control functions into three distinct lines of defense to ensure effective oversight and governance.

TLPT (Threat-Led Penetration Testing)

Governance

An advanced form of security testing mandated by DORA Articles 26-27 for significant financial entities. TLPT uses real-world threat intelligence to simulate adversary tactics and test an organization's detection, response, and recovery capabilities against realistic attack scenarios.

Tone at the Top

Governance

The behavior and attitudes set by the highest-level executives and board members that establish the ethical and compliance standards for an organization.

Transaction Monitoring

Audit

The process of continuously monitoring transactions for suspicious activity to detect and report potential money laundering or fraud.

Trust Services Criteria

Framework

A set of criteria for electronic transactions to ensure trust, security, and confidence in digital services.

Type I vs Type II

Framework

Distinct categories of attestation engagements in assurance services, where Type I assesses a system's description and operation, and Type II evaluates the effectiveness of controls over a period.

VAIT (Insurance Supervisory Requirements for IT)

Governance

BaFin's IT regulatory framework for insurance companies in Germany. VAIT mirrors BAIT's structure but addresses insurance-specific requirements for IT governance, security, and outsourcing, and has been updated to align with DORA.

Vendor Risk Assessment

Risk

A structured evaluation of the security posture and compliance status of third-party vendors before and during a business relationship. DORA Article 28 mandates specific due diligence requirements for ICT service providers used by financial entities.

Vulnerability Management

Technical

The continuous process of identifying, classifying, prioritizing, remediating, and mitigating software vulnerabilities. Effective vulnerability management is a key requirement of DORA, ISO 27001, and SOC 2 to maintain system security and operational resilience.

Web Application Firewall

Technical

A firewall specifically designed to protect web applications by filtering and monitoring HTTP traffic between a web application and the Internet.

Whistleblowing

Audit

The act of reporting misconduct or illegal activities within an organization, typically by an employee or insider.

XDR (Extended Detection and Response)

Technical

A security framework that unifies multiple detection and response technologies across an organization's IT environment to provide a more comprehensive view of threats.

Zero Trust Architecture

Technical

A security model based on the principle of 'never trust, always verify' that requires strict identity verification for every person and device attempting to access resources, regardless of their network location. Zero Trust is increasingly recommended for DORA and NIS2 compliance.