// THREAT DETECTION AND DATA PRIVACY TERM
Supervisory Authority
A Supervisory Authority is an independent public body responsible for monitoring the application of data protection law, such as the GDPR. It handles complaints from individuals, conducts investigations, and can impose fines on organizations for non-compliance.

TECHNICAL DEFINITION
A Supervisory Authority, often called a Data Protection Authority (DPA), is an independent public regulatory body established within a jurisdiction (e.g., an EU Member State) to enforce data protection laws like GDPR. Its mandate includes monitoring compliance, investigating complaints from data subjects, conducting audits of data controllers and processors, exercising corrective powers, and imposing administrative fines.
BACKGROUND
The Artificial Intelligence Act is a European Union regulation concerning artificial intelligence (AI). It establishes a common regulatory and legal framework for AI within the European Union (EU). The regulation entered into force on 1 August 2024, with provisions that shall come into operation gradually over the following 6 to 36 months.
SYNONYMS & ALIASES
- Data Protection Authority
- DPA
- Information Commissioner
- Privacy Commissioner
- Data Protection Ombudsman
- Regulator
USAGE NOTE
This term is central to the GDPR framework, as each EU member state is required to have at least one Supervisory Authority to oversee data protection.
DEVELOPERS
Organizations developing technology related to Supervisory Authority.
A U.S. federal agency responsible for understanding, managing, and reducing risk to the nation's cyber and physical infrastructure. CISA develops and shares threat intelligence, provides tools for risk management, and acts as a central coordinating body for national cybersecurity defense.
A U.S. government agency that develops and promotes measurement, standards, and technology to enhance economic security. NIST is renowned for creating foundational cybersecurity frameworks, guidelines, and best practices, such as the NIST Cybersecurity Framework and the SP 800 series, which are widely adopted globally.
The EU's agency dedicated to achieving a high common level of cybersecurity across Europe. ENISA develops advice and recommendations on cybersecurity, supports policy development and implementation, and assists Member States and EU institutions in responding to cyber incidents.
The United Kingdom's national technical authority for cyber threats. As part of GCHQ, the NCSC provides guidance, manages major incidents, and develops standards and technologies to protect the UK's critical services from cyber attacks.
The German Federal Office for Information Security is the central IT security service provider for the German federal government. The BSI develops security standards (like IT-Grundschutz), tests and certifies IT products, and provides warnings and information on cyber threats to the public.
The National Cybersecurity Agency of France is the national authority for cybersecurity and cyberdefence. ANSSI is responsible for preventing and reacting to IT incidents, developing security standards and certifications, and providing technical expertise to government agencies and critical infrastructure operators.
A not-for-profit organization that manages federally funded research and development centers (FFRDCs). MITRE develops widely adopted cybersecurity frameworks and knowledge bases that act as de facto industry standards, including the ATT&CK framework, Common Vulnerabilities and Exposures (CVE), and Common Weakness Enumeration (CWE).
The UK’s independent supervisory authority for data protection and information rights. The ICO enforces regulations like the GDPR and Data Protection Act, which mandate specific cybersecurity measures for protecting personal data, thereby driving the development and adoption of security technologies.