Glossary on AI governance and technology oversight
Short and citable definitions of the terms most often appearing on boards of directors when technology matters are addressed. Each definition references, where applicable, the relevant rule or article.
EU AI Act
Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 laying down harmonised rules on artificial intelligence. In force since 1 August 2024 and applied in stages (Art. 113): prohibited practices from 2 February 2025, general-purpose AI model obligations from 2 August 2025, most remaining provisions, including the Annex III high-risk regime, from 2 August 2026, and high-risk systems embedded in Annex I products from 2 August 2027.
- AI system (Art. 3(1) of Regulation (EU) 2024/1689)
- A machine-based system designed to operate with varying levels of autonomy, that may exhibit adaptiveness after deployment and that, for explicit or implicit objectives, infers from the input it receives how to generate outputs (predictions, content, recommendations or decisions) that can influence physical or virtual environments.
- High-risk system (Art. 6 and Annex III of Regulation (EU) 2024/1689)
- An AI system whose intended use falls within one of the areas listed in Annex III (among others: biometrics, critical infrastructure, education, employment, access to essential services, law enforcement, migration and the administration of justice), or which is a safety component of, or is itself, a product covered by the Union harmonisation legislation listed in Annex I (Art. 6(1)). It is subject to the reinforced requirements of Arts. 8 to 15: risk management, data governance, technical documentation, record-keeping, transparency, human oversight, and accuracy, robustness and cybersecurity.
- Prohibited practice (Art. 5 of Regulation (EU) 2024/1689)
- Use of AI expressly prohibited by the Regulation because it is incompatible with fundamental rights. Includes, among others, subliminal or manipulative techniques that distort behaviour, general-purpose social scoring, biometric categorisation by sensitive traits and certain forms of real-time remote biometric identification in public spaces. The prohibitions have applied since 2 February 2025. Sanctioned with fines of up to 7 % of global annual turnover or EUR 35 million, whichever is higher (Art. 99).
- Human oversight (Art. 14 of Regulation (EU) 2024/1689)
- Requirement that high-risk AI systems be designed so that natural persons can effectively oversee them during use: understand the system's capabilities and limitations, remain aware of automation bias, correctly interpret the output, decide not to use it or override it, and interrupt the system or stop it through a "stop" button or similar procedure. Oversight measures must be commensurate with the risks, autonomy and context of use of the system, and their implementation is documented by the provider and applied by the deployer.
- Deployer (Art. 3(4) and Art. 26 of Regulation (EU) 2024/1689)
- Natural or legal person, public authority, agency or other body using an AI system under its own authority, except in the course of a personal non-professional activity. For high-risk systems it is responsible, among other obligations, for using the system in accordance with the provider's instructions, assigning human oversight to competent persons, keeping the automatically generated logs under its control for at least six months, informing affected workers and natural persons, and informing the provider and the market surveillance authority of serious incidents. A deployer that puts its name on a high-risk system, substantially modifies it or changes its intended purpose assumes the provider's obligations (Art. 25).
- General-purpose AI model (GPAI) (Art. 3(63) and Chapter V of Regulation (EU) 2024/1689)
- AI model, including one trained with a large amount of data using self-supervision at scale, that displays significant generality and is capable of competently performing a wide range of distinct tasks regardless of how it is placed on the market or integrated into downstream systems. Providers of GPAI models are subject to documentation, copyright and transparency obligations (Art. 53), applicable since 2 August 2025. Models classified as having systemic risk (Art. 51) are subject to additional obligations on evaluation, adversarial testing, incident reporting and cybersecurity (Art. 55).
- Conformity assessment (Art. 43 of Regulation (EU) 2024/1689)
- Procedure demonstrating that a high-risk AI system complies with the requirements of Chapter III, Section 2 of the Regulation (Arts. 8 to 15). Depending on the system it is performed by the provider itself (internal control, Annex VI) or with the involvement of a notified body (Annex VII). It concludes with the EU declaration of conformity (Art. 47), the CE marking (Art. 48) and registration in the EU database (Art. 49). Without these elements, the system cannot be placed on the market or put into service in the EU.
- Serious incident (Art. 3(49) and Art. 73 of Regulation (EU) 2024/1689)
- Incident or malfunctioning of an AI system that directly or indirectly leads to the death of a person or serious harm to health, a serious and irreversible disruption of the management or operation of critical infrastructure, an infringement of obligations under Union law intended to protect fundamental rights, or serious harm to property or the environment. Providers of high-risk systems must report it to the market surveillance authority immediately after establishing a causal link, and in any case no later than 15 days after becoming aware of it; the deadline is 2 days for a widespread infringement or critical-infrastructure disruption and 10 days in the event of death. Deployers must inform the provider without delay (Art. 26(5)).
Corporate governance
Regulatory and soft-law framework governing the functioning of the board of directors in Spanish companies, with particular relevance for listed companies and large family-owned businesses.
- Recommendation 23 of the Good Governance Code (Spanish Good Governance Code for Listed Companies, CNMV, current version)
- Recommendation that expressly allows the board of directors, in the exercise of its power of self-organisation, to constitute specialised committees in addition to those named by the Code itself (audit, nominations and remuneration). It is the regulatory basis for setting up a specialised committee on technology, data and AI without any change to the rules being required.
- Independent director (Art. 529 duodecies of the Spanish Companies Act)
- Director appointed on the basis of their personal and professional qualities, able to perform their duties without being conditioned by relationships with the company or its group, its significant shareholders or its executives. Independence is a qualitative criterion subject to continuous assessment.
- Specialised board committee (Arts. 529 terdecies and following of the Spanish Companies Act)
- Internal body of the board of directors with delegated functions in a specific subject area. The Companies Act expressly regulates the audit committee and the nominations and remuneration committee. The board may constitute additional specialised committees in the exercise of its power of self-organisation.
- Duty of care (Art. 225 of the Spanish Companies Act)
- Director's duty to discharge their office with the diligence of an orderly businessperson. Includes the right and the duty to demand and obtain from the company the information adequate and necessary to fulfil their obligations. In technology matters, its enforceability has increased as European sectoral regulation (AI Act, DORA, NIS2) has assigned specific duties to the management body.
- Audit committee (Art. 529 quaterdecies of the Spanish Companies Act)
- Mandatory board committee in listed companies and public-interest entities. Oversees, among other matters, the effectiveness of internal control, the risk management systems (including technology risk) and the financial reporting process.
Technology risk and European regulation
European regulatory body applicable to digital risk oversight, cybersecurity and operational resilience, with specific obligations for the management body.
- DORA (Regulation (EU) 2022/2554 on digital operational resilience for the financial sector)
- Regulation fully applicable since 17 January 2025 to financial entities. Establishes uniform requirements on ICT risk management, ICT incident reporting, digital operational resilience testing (including threat-led penetration testing), management of ICT third-party risk and information sharing, together with a Union oversight framework for critical ICT third-party service providers. Art. 5 assigns the management body ultimate responsibility for managing ICT risk, for approving and periodically reviewing the ICT risk management framework, and requires its members to keep their knowledge and skills up to date.
- NIS2 (Directive (EU) 2022/2555 on measures for a high common level of cybersecurity)
- European cybersecurity directive replacing NIS1 (Directive (EU) 2016/1148), expanding the sectors covered and reinforcing requirements for essential and important entities. Art. 20 requires the management bodies of those entities to approve the cybersecurity risk-management measures of Art. 21, to oversee their implementation, to follow training, and provides that they can be held liable for infringements. Transposition was due by 17 October 2024; national transposition includes individual sanctions for directors in cases of serious non-compliance.
- GDPR (Regulation (EU) 2016/679, General Data Protection Regulation)
- Regulation applicable to all processing of personal data in the EU. Establishes principles (lawfulness, purpose limitation, minimisation, integrity and confidentiality, accountability), controller and processor obligations, data subject rights and the sanctions regime (up to 4 % of global annual turnover or EUR 20 million, whichever is higher, Art. 83). A cross-cutting regulatory basis that interweaves with the AI Act whenever an AI system processes personal data.
- Cyber risk
- Risk of financial loss, operational disruption or reputational damage arising from failures, outages or attacks affecting an organisation's information systems. Its treatment as a board matter has intensified with DORA, NIS2 and applicable sectoral frameworks, ceasing to be an exclusively technical matter.
Control frameworks and certifications
International and national standards used to structure certifiable technology internal control. Their selection and maintenance is a matter typically reported to the board through the audit committee or the specialised technology committee.
- ISO/IEC 27001 (international standard on information security management)
- Standard that specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS); its current edition is ISO/IEC 27001:2022. Certifiable by an accredited body. It is one of the reference frameworks for demonstrating the maturity of security controls to clients, auditors and regulators.
- ISO/IEC 42001 (international standard on AI management)
- Standard published in December 2023 that specifies the requirements for implementing an AI management system (AIMS) in organisations that develop, provide or use AI systems. Designed to be compatible with the EU AI Act and certifiable as a complement to ISO/IEC 27001 and ISO 9001.
- PCI DSS (Payment Card Industry Data Security Standard)
- Standard required contractually by the card brands of any entity that stores, processes or transmits cardholder data. Its current version (v4.0.1, which replaced v4.0 at the end of 2024) reinforces requirements on cryptography, authentication and monitoring. Applies regardless of country and compliance is validated annually, by a QSA assessment or a self-assessment questionnaire depending on the entity's transaction volume.
- ENS, Spanish National Security Framework (Royal Decree 311/2022)
- Mandatory Spanish framework for the public sector and for the private providers of technology services to it. Establishes the security policy and the minimum requirements for the protection of the information processed and the services provided, with Basic, Medium and High categories according to the impact of a security incident. Compliance is evidenced by a declaration of conformity for the Basic category and by certification from an accredited body for the Medium and High categories.