Glossary
Definitions of the core Decision Infrastructure concepts in DecisionOS: decision memo, readiness score, NIS2 Art. 20, DORA ICT risk, stakeholder alignment, sovereign cloud, zero trust and more.
A
Audit-ready decision
Also: Audit-proof decision, Supervisory-ready decision
A decision whose record is structured, evidence-backed and stakeholder-signed to a level that a third-party auditor, a supervisor or a board reviewer can reconstruct the reasoning without interviewing the original team.
AI Act Risk Categories
Also: EU AI Act Risk Classes
Four-tier classification under the EU AI Act: prohibited (Art. 5), high-risk (Annex I/III), limited risk (Art. 50 transparency), minimal risk. Classification is the first duty; it must be documented and defensible.
AI Act Conformity Assessment
Also: AI Act Art. 43, EU AI Act Konformitätsbewertung
Procedure to demonstrate that a high-risk AI system complies with the EU AI Act before being placed on the market or put into service. Mandatory for all Annex III high-risk systems from 2 August 2026.
B
BSI C5
Also: Cloud Computing Compliance Criteria Catalogue, C5 attestation
Cloud audit catalogue of the German BSI that defines a minimum security baseline and transparency duties for cloud providers. Evidenced via an ISAE 3000 C5 attestation. De facto standard for cloud procurement in the German market.
BAIT
Also: German Banking Supervisory Requirements for IT
BaFin circular that concretises IT requirements for credit institutions. Specifies MaRisk AT 7.2 for IT strategy, information security, user permissions, project management, application development, and IT outsourcing.
BCM
Also: Business Continuity Management
Discipline for maintaining critical business processes during disruptions. Standards: ISO 22301, BSI Standard 200-4. Mandatory under BAIT/VAIT and DORA Art. 11 in the financial sector.
C
Compliance mapping
Also: Regulatory mapping, Control mapping
The explicit link between a decision (vendor, architecture, control) and the specific regulatory articles, controls or standards it satisfies. Without compliance mapping, a memo cannot be defended under audit against a named clause.
CVE
Also: Common Vulnerabilities and Exposures
Global identifier for publicly known security vulnerabilities in software and hardware. Format CVE-YYYY-NNNN, run by MITRE on behalf of CISA. More than 200,000 CVEs as of 2025.
CVSS
Also: Common Vulnerability Scoring System
Standardised scoring system for vulnerabilities with a 0-10 score. Current version CVSS v4.0 (2023). Measures Base, Temporal and Environmental Metrics. Often criticised for lack of exploitability signal.
CSPM
Also: Cloud Security Posture Management
Software category for continuous review of cloud configurations against security benchmarks (CIS, NIST, BSI cloud requirements). Finds misconfigurations like open S3 buckets, missing encryption, insecure IAM policies.
CWPP
Also: Cloud Workload Protection Platform
Software category for protecting cloud workloads (VMs, containers, serverless) at runtime. Combines vulnerability scanning, config review, runtime monitoring, container and K8s security.
CNAPP
Also: Cloud Native Application Protection Platform
Gartner platform category that combines CSPM, CWPP, CIEM, KSPM, DSPM and IaC scanning into one tool. Answer to tool fragmentation in cloud security stacks.
CASB
Also: Cloud Access Security Broker
Security layer between users and SaaS providing visibility (shadow IT discovery), data protection (DLP), compliance, and threat protection across SaaS apps. Four functions per Gartner: visibility, compliance, data security, threat protection.
Confidential Computing
Also: Trusted Execution Environment, TEE
Hardware-based isolation that keeps data encrypted during processing (data-in-use). Complements encryption at rest and in transit. Technologies: Intel SGX, Intel TDX, AMD SEV-SNP, ARM CCA, Nvidia H100 Confidential Computing.
Cyber Resilience Act (CRA)
Also: EU Cyber Resilience Act, Regulation (EU) 2024/2847, CRA
EU Regulation 2024/2847 setting horizontal cybersecurity requirements for products with digital elements. Entered into force on 10 December 2024. Main obligations apply from 11 December 2027. Reporting duties for actively exploited vulnerabilities apply from 11 September 2026.
Critical ICT Third-Party Provider (CTPP)
Also: DORA CTPP, Lead Overseer-supervised provider
ICT third-party provider designated critical by the European Commission under DORA Art. 31, falling under direct supervision of one of the three European Supervisory Authorities (EBA, EIOPA, ESMA). First CTPP designations expected in 2025/2026.
D
Decision memo
Also: Entscheidungsmemo, Decision record
A short structured document that captures why a decision was made, the options considered, the criteria and trade-offs, the stakeholders involved and the accepted risks. A good decision memo is auditable months later.
DORA ICT risk management
Also: Digital Operational Resilience Act, DORA Art. 28, ICT third-party risk
The EU Digital Operational Resilience Act regulates the operational resilience of financial entities against ICT risks, with particularly prescriptive expectations around ICT third-party risk management (Art. 28) and contractual arrangements (Art. 30).
Defensible record
Also: Audit trail, Decision of record
A single versioned artefact that captures a decision in enough structure, with enough evidence and stakeholder context, that it can be defended under audit, in a board review, or 12 months later when the original team is no longer in place.
Dealbreaker
Also: Knock-out criterion, Ausschlusskriterium
A hard requirement that immediately disqualifies an option if not met, independent of weighted scoring. Dealbreakers enforce non-negotiable constraints (EU hosting, specific certifications, data residency) and prevent weak options from winning on aggregate scores.
DORA
Also: Digital Operational Resilience Act, Regulation (EU) 2022/2554
EU regulation on digital operational resilience in the financial sector. Directly applicable since 17 January 2025. Five pillars: ICT risk management, incident management, resilience testing including TLPT, third-party governance, information sharing.
DLP
Also: Data Loss Prevention, Data Leakage Prevention
Software category for detecting and preventing unauthorised data outflow. Operates on endpoints, network and cloud. Classifies content (regex, fingerprinting, ML) and enforces policies.
DMARC / DKIM / SPF
Also: Email authentication, Email spoofing protection
Three standards that together authenticate email senders and impede spoofing. SPF authenticates the sending IP, DKIM signs the content, DMARC links both via the From header and defines the policy.
DPIA
Also: Data Protection Impact Assessment, DSFA, Datenschutz-Folgenabschätzung
Mandatory assessment under GDPR Art. 35 where processing is likely to result in high risk to the rights and freedoms of natural persons. Required e.g. for systematic evaluation, large-scale processing of special categories and systematic monitoring of public areas.
E
Evidence grade
Also: Evidence honesty layer, Source grading
A grade attached to each claim in a decision memo, showing whether the claim is backed by primary source, vendor-confirmed evidence, independent research, or an assumption. Assumption-heavy memos carry visible warnings rather than quiet confidence.
EDR (Endpoint Detection and Response)
Also: Endpoint Detection and Response, Next-gen endpoint security
A class of endpoint security tools that continuously records endpoint activity and enables detection, investigation and response to threats that evade traditional antivirus. Most enterprise security incidents today are detected or contained at the EDR layer.
EU AI Act
Also: AI Act, Regulation (EU) 2024/1689
World's first comprehensive AI law. Four risk classes: prohibited, high-risk, limited (transparency), minimal. Phased application from February 2025 to August 2027.
F
FIDO2
Also: WebAuthn, CTAP2
Open authentication standard of FIDO Alliance and W3C, comprising WebAuthn (browser/platform interface) and CTAP2 (device protocol). Foundation for phishing-resistant MFA and Passkeys.
FRIA
Also: Fundamental Rights Impact Assessment
Mandatory assessment under EU AI Act Art. 27 for deployment of specific high-risk AI systems. Required for public bodies and private deployers of essential services before first use.
G
GPAI / Foundation Models
Also: General-Purpose AI Models
General-purpose AI models under EU AI Act Art. 51-56. Obligations from August 2025: technical documentation, info for downstream providers, copyright policy, training data summary. Systemic-risk models additionally need model evaluation, adversarial testing, incident tracking.
GDPR Art. 32 TOMs
Also: Technical and organisational measures, Art. 32 GDPR, TOMs
Technical and organisational measures to ensure a level of security appropriate to the risk when processing personal data. Duty under Art. 32 GDPR, applicable to every controller and processor in the EU.
I
IAM (Identity and Access Management)
Also: Identity Management, IGA, PAM
The stack of systems that governs who has access to which systems under which conditions. IAM covers authentication, single sign-on, lifecycle management, access governance (IGA) and privileged access management (PAM), and is the most commonly breached control in enterprise environments.
ISO 27001
Also: ISO/IEC 27001, ISMS
International standard for information security management systems. Current version ISO/IEC 27001:2022. Certifiable through accredited bodies. Core framework for ISMS implementation, risk treatment, continuous improvement.
ISO 27002
Also: ISO/IEC 27002:2022
Companion standard to ISO 27001 that fleshes out the 93 Annex A controls. Not certifiable, but the practical handbook for implementation.
IGA
Also: Identity Governance and Administration
Software category for identity governance: lifecycle management, role modelling, access recertification, segregation of duties, audit trail. Pulls the governance layer out of IAM.
ICT Concentration Risk
Also: DORA Art. 29, Third-party concentration
Risk arising from dependence on a single ICT third-party provider or on a small number of them. DORA Art. 29 obliges financial entities to analyse and manage this risk explicitly. Supervisors focus particularly on cloud hyperscalers and core banking system providers.
M
MDR (Managed Detection and Response)
Also: Managed Detection and Response, 24/7 SOC-as-a-service
A service that provides outsourced 24/7 monitoring, detection and response on top of an EDR or XDR platform. MDR replaces the need to staff a full in-house security operations centre while keeping incident ownership internal.
MFA
Also: Multi-Factor Authentication
Authentication combining at least two factors from knowledge (password), possession (hardware token, smartphone) and inherence (biometrics). Mandatory under NIS2 Art. 21 (j) and DORA Art. 9.
N
NIS2 Art. 20
Also: NIS2 Article 20, Management body responsibility under NIS2
The NIS2 article that makes the management body of an essential or important entity directly accountable for approving and overseeing cybersecurity risk-management measures. Management bodies that fail this duty can be held personally liable.
NIS2
Also: NIS2 Directive, Directive (EU) 2022/2555
EU directive on network and information security. Replaces NIS1, widens scope to around 30,000 German companies in 18 sectors, introduces personal management body liability, sets ten minimum cybersecurity measures under Article 21.
P
Passkeys
Also: WebAuthn Passkeys, Discoverable Credentials
Phishing-resistant authentication credentials per WebAuthn/FIDO2 that keep private keys on the device and are unlocked biometrically or by PIN. Replace classic passwords and SMS OTP.
PAM
Also: Privileged Access Management, Privileged Account Management
Software category for governing privileged access: vault, session management, just-in-time permissions, session recording, zero standing privilege. Mandatory stack under NIS2 and DORA for admin access.
R
Readiness Score
Also: Decision Readiness Score, Confidence Score
A 0–100 score that quantifies how decision-ready a memo actually is. It breaks down into criteria coverage, evidence quality, risk analysis, stakeholder alignment and formal governance. A score above 70 signals audit readiness.
RFP (Request for Proposal)
Also: Ausschreibung, Request for Quotation, RFQ
A structured document that invites vendors to propose a solution against specified requirements, evaluation criteria and timeline. RFPs are the formal front-end of most enterprise buying processes; DecisionOS sits upstream and downstream of the RFP, not inside it.
RTO / RPO
Also: Recovery Time Objective, Recovery Point Objective
Two core BCM metrics. RTO = the maximum time after a disruption by which a process must be back online. RPO = the maximum tolerable data loss, measured as a span of time.
S
Stakeholder alignment
Also: Buying committee alignment, Decision alignment
The state in which every material stakeholder on a decision has a visible position (support, neutral, block), a named top concern and a documented next step. Without stakeholder alignment, decisions stall or reverse post-signature.
Stakeholder brief
Also: Persona brief, Role-specific memo view
A role-tailored summary of a decision memo written for a specific persona (CISO, CFO, CEO, COO, Head of IT). Each brief surfaces the criteria, risks and trade-offs that this role cares about most, without rewriting the underlying memo.
SIEM (Security Information and Event Management)
Also: Log management platform, Security analytics platform
A platform that centralises security logs, enables long-term retention, runs correlation rules and supports investigation. SIEM is the evidence layer under EDR, XDR and SOC operations and the single largest line item in most security budgets.
Sovereign cloud
Also: Souveräne Cloud, EU-sovereign cloud
A cloud deployment model that guarantees operational, legal and technical control of data and workloads within a specific jurisdiction (typically the EU). Sovereign cloud answers the concern that hyperscaler deployments remain exposed to foreign jurisdiction, primarily the US CLOUD Act.
SOC 2 Type 2
Also: Service Organization Control 2, SOC 2 Type II
Audit report by a US public accountant under the AICPA SSAE 18 standard, confirming the operating effectiveness of a service organisation's controls over a period (typically 6-12 months). Assessed against the AICPA Trust Services Criteria.
SBOM
Also: Software Bill of Materials
Machine-readable inventory of all components in a piece of software, including versions, licences and dependencies. Formats: SPDX, CycloneDX, SWID. Mandatory in regulated areas; in the US driven by Executive Order 14028.
SSPM
Also: SaaS Security Posture Management
Software category for reviewing SaaS configurations (Microsoft 365, Salesforce, Google Workspace, Slack, GitHub). Finds over-privileged apps, weak sharing settings, MFA gaps, external data flows.
SASE
Also: Secure Access Service Edge
Gartner architecture category combining network (SD-WAN) and security functions (SWG, CASB, ZTNA, FWaaS, RBI) on a single cloud platform. SSE is the variant without SD-WAN.
SSE
Also: Security Service Edge
Subset of SASE without SD-WAN. Bundles SWG, CASB, ZTNA and (increasingly) DLP/RBI in a cloud platform. Has its own Gartner Magic Quadrant.
Schrems II
Also: CJEU C-311/18, Privacy Shield ruling
CJEU ruling of 16 July 2020 that invalidated the EU-US Privacy Shield and allowed Standard Contractual Clauses (SCCs) only together with additional safeguards. Consequence: third-country data transfers need a Transfer Impact Assessment (TIA) plus additional protective measures.
Supply Chain Risk
Also: Software Supply Chain Risk
Risks from the software and hardware supply chain: compromised open-source packages, build-pipeline attacks, updates with backdoors, sub-suppliers without audit trail. Mandatory under NIS2 Art. 21 (d) and DORA Art. 28 (sub-outsourcing).
T
TCO modelling
Also: Total Cost of Ownership, TCO analysis
A structured estimate of the full lifetime cost of a vendor decision, including licence, implementation, integration, operation, change management and exit cost. List price is usually 20 to 40 percent of real TCO; modelling exposes the rest.
Trade-off analysis
Also: Option trade-off, Sensitivity analysis
The explicit documentation of what each option gives up to deliver its strengths. Good trade-off analysis makes the cost of the winning option as visible as its benefits, and shows how robust the choice is to changes in weights.
TISAX
Also: Trusted Information Security Assessment Exchange
Audit standard and exchange platform of the German automotive association (VDA) for information security. The VDA ISA catalogue is the assessment grid; ENX operates the platform.
TIA
Also: Transfer Impact Assessment
Assessment of the level of protection in the recipient country for data transfers to third countries after Schrems II. Required under SCCs, BCRs and Art. 49 derogations. Output: a decision on whether the transfer may proceed without additional measures, with additional measures, or not at all.
TPRM
Also: Third-Party Risk Management
Discipline and tool category for governing risks from external providers (SaaS, cloud, outsourcing, advisory). Mandatory under DORA Art. 28-30 for financial entities and NIS2 Art. 21 (d) for essential/important entities.
V
Vendor matrix
Also: Vendor comparison matrix, Weighted vendor comparison
A structured comparison of vendor options across weighted criteria, showing scores, evidence per cell and an aggregate result. A good vendor matrix separates dealbreakers from weighted criteria and makes every score traceable to a source.
VAIT
Also: German Insurance Supervisory Requirements for IT
BaFin circular for insurance undertakings. Counterpart to BAIT in banking, derived from MaGo. Regulates IT strategy, information security, user permissions, IT projects and outsourcing.