Compliance Glossary
Key terms and definitions for compliance, cybersecurity, and regulatory frameworks.
Access Control
[Technical] The selective restriction of access to resources, systems, and data based on user identity and authorization. Access control is a fundamental security control required by ISO 27001, SOC 2, DORA, and GDPR to ensure that only authorized personnel can access sensitive information.
Audit Readiness
[Audit] The state of being prepared for a compliance audit at any time, with all necessary documentation, evidence, and controls in place. Continuous audit readiness replaces the traditional 'audit scramble' approach with always-on compliance monitoring and evidence collection.
Audit Trail
[Audit] A chronological record of all system activities, data changes, and user actions that provides documentary evidence of compliance. Audit trails are required by DORA, ISO 27001, and SOC 2 to demonstrate accountability, detect anomalies, and support forensic investigations.
BaFin (Federal Financial Supervisory Authority)
[Governance] Germany's integrated financial regulatory authority responsible for supervising banks, insurance companies, and securities trading. BaFin is the primary competent authority for DORA compliance in Germany, receiving incident reports and conducting supervisory reviews.
BAIT (Banking Supervisory Requirements for IT)
[Governance] BaFin's regulatory framework specifying IT requirements for German banks. BAIT translates MaRisk into concrete IT security standards covering information security management, user access management, IT projects, application development, IT operations, and outsourcing.
Business Continuity
[Governance] The capability of an organization to continue delivering products or services at acceptable predefined levels following a disruptive incident. Business continuity planning is a core component of both DORA and ISO 27001 requirements.
Change Management (IT)
[Governance] A structured process for requesting, reviewing, approving, and implementing changes to IT systems and infrastructure. Required by ISO 27001 (Annex A.12.1.2), SOC 2, and DORA to minimize disruption and ensure changes don't introduce new vulnerabilities.
Cloud Security
[Technical] The set of policies, technologies, and controls designed to protect data, applications, and infrastructure in cloud computing environments. With financial services increasingly adopting cloud solutions, cloud security is critical for DORA, ISO 27001, and GDPR compliance.
Compliance Automation
[Audit] The use of technology to streamline and automate compliance processes including evidence collection, control monitoring, risk assessment, policy management, and audit preparation. Compliance automation significantly reduces manual effort and improves accuracy.
Continuous Monitoring
[Audit] An ongoing process of observing, evaluating, and maintaining awareness of information security controls, vulnerabilities, and threats. Continuous monitoring ensures that compliance status is maintained between formal audits and enables rapid detection of control failures.
Data Processing Agreement (DPA)
[Governance] A legally binding contract between a data controller and data processor that governs the processing of personal data. Required by GDPR Article 28, a DPA specifies the scope, purpose, and duration of processing, as well as the obligations of each party.
Data Protection Officer (DPO)
[Governance] A designated role within an organization responsible for overseeing data protection strategy and GDPR compliance. Under GDPR, certain organizations are required to appoint a DPO, particularly public bodies and organizations that process sensitive data at scale.
Data Residency
[Governance] The requirement that data be stored and processed within specific geographic boundaries. Under GDPR and German data protection law, personal data of EU residents must be adequately protected when transferred outside the EU, making EU/German data residency a competitive advantage for compliance platforms.
DORA (Digital Operational Resilience Act)
[Framework] An EU regulation that establishes uniform requirements for the security of network and information systems in the financial sector. DORA became mandatory on January 17, 2025, and applies to banks, insurance companies, investment firms, and their critical ICT service providers.
DPIA (Data Protection Impact Assessment)
[Governance] A process designed to systematically analyze, identify, and minimize data protection risks of a project or plan. DPIAs are required under GDPR Article 35 when data processing is likely to result in a high risk to the rights and freedoms of individuals.
Due Diligence
[Governance] A comprehensive investigation or assessment conducted before entering into a business relationship or transaction. In compliance contexts, due diligence refers to the thorough evaluation of third-party providers, business partners, or acquisition targets for regulatory and security risks.
Encryption
[Technical] The process of converting data into a coded form that can only be read by authorized parties with the correct decryption key. Encryption protects data both at rest and in transit, and is a fundamental requirement across all major compliance frameworks.
Endpoint Security
[Technical] The practice of securing end-user devices such as laptops, desktops, and mobile devices from cybersecurity threats. Endpoint security is critical for DORA compliance, covering device management, malware protection, and ensuring corporate data remains protected on employee devices.
Evidence Collection
[Audit] The process of gathering, organizing, and maintaining documentation that demonstrates compliance with specific controls and requirements. Automated evidence collection integrates with IT systems to continuously capture proof of control effectiveness.
Gap Analysis (Compliance)
[Audit] A systematic assessment comparing an organization's current security and compliance posture against the requirements of a target framework (e.g., DORA, ISO 27001, SOC 2). Gap analysis identifies missing controls, insufficient processes, and remediation priorities.
GDPR (General Data Protection Regulation)
[Framework] The EU regulation governing the processing of personal data of individuals within the European Economic Area. GDPR establishes strict rules for data collection, storage, processing, and transfer, with penalties of up to 4% of annual global turnover for violations.
ICT Risk Management
[Risk] The process of identifying, assessing, and mitigating risks associated with information and communication technology systems. Under DORA, financial entities must maintain a comprehensive ICT risk management framework covering identification, protection, detection, response, and recovery.
Incident Reporting
[Governance] The formal process of detecting, classifying, and reporting ICT-related incidents to competent authorities. DORA Articles 17-23 establish specific requirements for incident classification, initial notification, intermediate reports, and final reports to supervisory authorities.
Information Sharing (Cyber Threat Intelligence)
[Technical] The exchange of threat intelligence, vulnerability information, and best practices between organizations and authorities. DORA Article 45 encourages financial entities to participate in information sharing arrangements to improve collective cybersecurity resilience.
ISMS (Information Security Management System)
[Governance] A systematic approach to managing sensitive company information to keep it secure, consisting of policies, procedures, and technical controls. An ISMS is the core requirement of ISO 27001 and provides the organizational framework for information security governance.
ISO 27001
[Framework] The international standard for information security management systems (ISMS). ISO 27001 provides a systematic approach to managing sensitive company information, ensuring it remains secure through a framework of policies, processes, and technical controls.
MFA (Multi-Factor Authentication)
[Technical] A security mechanism that requires users to provide two or more verification factors to gain access to a system. MFA significantly reduces the risk of unauthorized access and is recommended or required by DORA, ISO 27001, SOC 2, and GDPR security measures.
NIS2 (Network and Information Security Directive)
[Framework] The updated EU directive on cybersecurity that expands the scope of the original NIS Directive to cover more sectors and entities. NIS2 introduces stricter security requirements, incident reporting obligations, and enforcement measures with significant penalties for non-compliance.
Operational Resilience
[Risk] The ability of an organization to deliver critical operations through disruption. In the context of DORA, it specifically refers to digital operational resilience: the capacity of financial entities to build, assure, and review their technological operational integrity.
Penetration Testing
[Technical] A simulated cyberattack against a system, network, or application to evaluate its security. Penetration testing identifies vulnerabilities that could be exploited by real attackers and is required under DORA's digital operational resilience testing framework.
Risk Assessment
[Risk] A systematic process of identifying potential threats, evaluating vulnerabilities, and determining the likelihood and impact of risks to an organization's information assets and operations. Risk assessments are foundational to ISO 27001, DORA, and virtually every compliance framework.
SIEM (Security Information and Event Management)
[Technical] A technology platform that collects, analyzes, and correlates security events from across an organization's IT infrastructure to detect threats and support incident response. SIEM is essential for meeting DORA's detection and monitoring requirements.
SOC 2 (System and Organization Controls)
[Framework] A compliance framework developed by the AICPA that defines criteria for managing customer data based on five Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy. SOC 2 reports are essential for SaaS companies and service providers.
Supply Chain Security
[Risk] The management of cybersecurity risks throughout the supply chain, including all third-party vendors, software providers, and service partners. Both DORA and NIS2 mandate supply chain security measures to protect against cascading failures and targeted attacks.
Third-Party Risk Management
[Risk] The process of identifying, assessing, and controlling risks arising from outsourcing to third-party service providers. Under DORA Article 28, financial entities must maintain a register of all ICT third-party providers and conduct thorough due diligence on critical providers.
TLPT (Threat-Led Penetration Testing)
[Governance] An advanced form of security testing mandated by DORA Articles 26-27 for significant financial entities. TLPT uses real-world threat intelligence to simulate adversary tactics and test an organization's detection, response, and recovery capabilities against realistic attack scenarios.
VAIT (Insurance Supervisory Requirements for IT)
[Governance] BaFin's IT regulatory framework for insurance companies in Germany. VAIT mirrors BAIT's structure but addresses insurance-specific requirements for IT governance, security, and outsourcing, and has been updated to align with DORA.
Vendor Risk Assessment
[Risk] A structured evaluation of the security posture and compliance status of third-party vendors before and during a business relationship. DORA Article 28 mandates specific due diligence requirements for ICT service providers used by financial entities.
Vulnerability Management
[Technical] The continuous process of identifying, classifying, prioritizing, remediating, and mitigating software vulnerabilities. Effective vulnerability management is a key requirement of DORA, ISO 27001, and SOC 2 to maintain system security and operational resilience.
Zero Trust Architecture
[Technical] A security model based on the principle of 'never trust, always verify' that requires strict identity verification for every person and device attempting to access resources, regardless of their network location. Zero Trust is increasingly recommended for DORA and NIS2 compliance.