|
Mandatory/optional
|
Scope (filter)
|
Variable
|
|
Mandatory variables
|
|
|
(1)
|
main economic activity of the enterprise, in the previous calendar year
|
|
(2)
|
average number of employees and self-employed persons, in the previous calendar year
|
|
(3)
|
total value of turnover (in monetary terms, excluding VAT), in the previous calendar year
|
|
(4)
|
number of employees and self-employed persons or percentage of the total number of employees and self-employed persons who have access to the internet for business purposes
|
|
(5)
|
employment of ICT specialists
|
|
(6)
|
provision of any type of training to develop ICT-related skills for ICT specialists employed by the enterprise, in the previous calendar year
|
|
(7)
|
provision of any type of training to develop ICT-related skills for other persons employed, in the previous calendar year
|
|
(8)
|
recruitment of or the attempt to recruit ICT specialists in the previous calendar year
|
|
|
(ii)
|
for enterprises with employees and self-employed persons who have access to the internet for business purposes:
|
|
|
(9)
|
use of any type of fixed connection to the internet
|
|
(11)
|
use of social media (i.e. having a user profile or an account)
|
|
(12)
|
having web sales of goods or services via the enterprise’s websites or apps (including extranets), in the previous calendar year
|
|
(13)
|
having web sales of goods or services via e-commerce marketplace websites or apps used by several enterprises for trading goods or services, in the previous calendar year
|
|
(14)
|
having Electronic Data Interchange (EDI)-type sales of goods or services, in the previous calendar year
|
|
(15)
|
use of Enterprise Resource Planning (ERP) software to manage resources by sharing information among different functional areas such as accounting, planning, production, marketing
|
|
(16)
|
use of Customer Relationship Management (CRM) software for managing information about customers such as relations or transactions
|
|
(17)
|
use of Business Intelligence (BI) software for accessing and analysing data such as from data warehouses or data lakes from internal IT systems and/or external sources and for presenting analytical findings in reports, summaries, dashboards, graphs, charts or maps to provide users with detailed insights for decision-making or strategic planning
|
|
(18)
|
sharing data electronically with suppliers or customers within the supply chain, for example via websites or apps, EDI-type systems, real-time sensors or tracking
|
|
(19)
|
performing data analytics (from internal and external data sources) by own employees
|
|
(20)
|
having data analytics performed by an external enterprise or organisation for the enterprise (including data analytics based on data from internal and external sources)
|
|
(21)
|
use of Artificial Intelligence (AI) technologies performing analysis of written language (such as text mining)
|
|
(22)
|
use of AI technologies converting spoken language into machine-readable format (speech recognition)
|
|
(23)
|
use of AI technologies generating written, spoken language or programming codes (natural language generation, speech synthesis)
|
|
(24)
|
use of AI technologies generating pictures, videos, sound/audio
|
|
(25)
|
use of AI technologies identifying objects or persons based on images or videos (image recognition, image processing)
|
|
(26)
|
use of machine learning (such as deep learning) for data analysis
|
|
(27)
|
use of AI technologies automating different workflows or assisting in decision-making (such as AI based software robotic process automation)
|
|
(28)
|
use of AI technologies enabling physical movement of machines via autonomous decisions based on observation of surroundings (autonomous robots, self-driving vehicles, autonomous drones)
|
|
(29)
|
use of paid cloud computing services
|
|
(30)
|
application of the ICT security measures on enterprise’s ICT systems: authentication based on a combination of at least two authentication mechanisms (i.e. combination of for example user-defined password, one-time password (OTP), code generated via a security token or received via a smartphone, biometric method (such as based on fingerprints, voice, face)
|
|
(31)
|
application of the ICT security measures on enterprise’s ICT systems: encryption of data, documents or e-mails
|
|
(32)
|
application of the ICT security measures on enterprise’s ICT systems: data backup to a separate location (including backup to the cloud)
|
|
(33)
|
application of the ICT security measures on enterprise’s ICT systems: ICT security monitoring system used to detect suspicious activity (such as intrusion detection or prevention systems that monitors users’ or devices’ behaviour, network traffic), excluding anti-virus software and default firewall solution included in the operating system of personal computers and routers
|
|
(34)
|
application of the ICT security measures on enterprise’s ICT systems: ICT risk assessment, i.e. periodical assessment of probability and consequences of ICT security incidents
|
|
(35)
|
making persons employed aware of their obligations in ICT security related issues through voluntary training or internally available information (such as information on the intranet)
|
|
(36)
|
making persons employed aware of their obligations in ICT security related issues through compulsory training courses or viewing compulsory material
|
|
(37)
|
making persons employed aware of their obligations in ICT security related issues through a contract (such as contract of employment)
|
|
(38)
|
ICT related security incidents experienced in the previous calendar year leading to the following consequences: unavailability of ICT services due to attack from outside, such as ransomware attacks, Denial of Service attacks
|
|
(39)
|
ICT related security incidents experienced in the previous calendar year leading to the following consequences: destruction or corruption of data due to infection of malicious software or unauthorised intrusion
|
|
(40)
|
ICT related security incidents experienced in the previous calendar year leading to the following consequences: disclosure of confidential data due to intrusion, pharming, phishing attack, intentional actions by own employees
|
|
|
(iii)
|
for enterprises using any type of fixed internet connection:
|
|
|
(41)
|
maximum contracted download speed of the fastest fixed internet connection in the ranges: [0 Mbit/s, < 30 Mbit/s], [30 Mbit/s, < 100 Mbit/s], [100 Mbit/s, < 500 Mbit/s], [500 Mbit/s, < 1 Gbit/s], [≥ 1 Gbit/s]
|
|
|
(iv)
|
for enterprises which had web sales of goods and services via the enterprise’s websites or apps and/or via e-commerce marketplace websites or apps used by several enterprises for trading goods or services, in the previous calendar year:
|
|
|
(42)
|
value of web sales of goods or services, or percentage of total turnover generated by web sales of goods and services, in the previous calendar year
|
|
(43)
|
percentage of value of web sales generated by web sales to private consumers (Business to Consumers: B2C), in the previous calendar year
|
|
(44)
|
percentage of value of web sales generated by web sales to other enterprises (Business to Business: B2B) and to public sector (Business to Government: B2G), in the previous calendar year
|
|
|
(v)
|
for enterprises which had web sales of goods and services via the enterprise’s websites or apps and via e-commerce marketplace websites or apps used by several enterprises for trading goods or services, in the previous calendar year:
|
|
|
(45)
|
percentage of value of web sales of goods or services generated by sales via the enterprise’s websites or apps (including extranets), in the previous calendar year
|
|
(46)
|
percentage of value of web sales of goods or services generated by sales via e-commerce marketplace websites or apps used by several enterprises for trading goods or services, in the previous calendar year
|
|
|
(vi)
|
for enterprises which had EDI-type sales of goods and services, in the previous calendar year:
|
|
|
(47)
|
value of EDI-type sales of goods or services or percentage of the total turnover generated by EDI-type sales of goods or services, in the previous calendar year
|
|
|
(vii)
|
for enterprises which have recruited or tried to recruit ICT specialists in the previous calendar year:
|
|
|
(48)
|
having vacancies for ICT specialists that were difficult to fill
|
|
|
(viii)
|
for enterprises performing data analytics (from internal and external data sources) by own employees:
|
|
|
(49)
|
performing data analytics on data from transaction records such as sale details, payments records (for example from ERP, enterprise’s webshop)
|
|
(50)
|
performing data analytics on data about customers such as customer purchasing information, location, preferences, customer reviews, searches (for example from CRM system or enterprise’s website)
|
|
(51)
|
performing data analytics on data from social media, including from enterprise’s own social media profiles (such as personal information, comments, video, audio, images)
|
|
(52)
|
performing data analytics on web data (such as search engine trends, web scraping data)
|
|
(53)
|
performing data analytics on location data from the use of portable devices or vehicles (such as portable devices using mobile telephone networks, wireless connections or GPS)
|
|
(54)
|
performing data analytics on data from smart devices or sensors (such as Machine to Machine (M2M) communications, sensors installed in machinery, manufacturing sensors, smart meters, Radio frequency identification (RFID) tags)
|
|
(55)
|
performing data analytics on government authorities’ open data (such as enterprise public records, weather conditions, topographic conditions, transport data, housing data, buildings data)
|
|
(56)
|
performing data analytics on satellite data (such as satellite imagery, navigation signals, position signals), including data acquired from enterprise’s own infrastructure or from externally provided service (for example AWS Ground Station) and excluding location data from the use of portable devices or vehicles using GPS)
|
|
|
(ix)
|
for enterprises using AI technologies, referring specifically to mandatory variables (21) to (28), acquistion of AI:
|
|
|
(57)
|
software/system developed by own employees (including those employed in parent or affiliate enterprise)
|
|
(58)
|
software/system developed by external providers for the enterprise
|
|
(59)
|
open-source software was used free of charge or for a fee
|
|
(60)
|
closed-source software was used free of charge or for a fee
|
|
|
(x)
|
for enterprises using open or closed-source software:
|
|
|
(61)
|
modification of AI software or systems by own employees (including those employed in parent or affiliate enterprise) and/or external providers
|
|
|
(xi)
|
for enterprises using paid cloud computing services:
|
|
|
(62)
|
use of email as a paid cloud computing service
|
|
(63)
|
use of office software (such as word processors or spreadsheets) as a paid cloud computing service
|
|
(64)
|
use of finance or accounting software applications as a paid cloud computing service
|
|
(65)
|
use of ERP software applications as paid cloud computing service
|
|
(66)
|
use of CRM software applications as a paid cloud computing service
|
|
(67)
|
use of security software applications (such as antivirus program, network access control) as paid cloud computing service
|
|
(68)
|
use of hosting the enterprise’s database(s) as a paid cloud computing service
|
|
(69)
|
use of storage of files as a paid cloud computing service
|
|
(70)
|
use of computing power to run the enterprise’s own software as a paid cloud computing service
|
|
(71)
|
use of computing platform providing a hosted environment for application development, testing or deployment (such as reusable software modules, application programming interfaces (APIs)) as a paid cloud computing service
|
|
(72)
|
use of AI software and systems generating text, images, video, audio content or codes as paid cloud computing service
|
|
|
Optional variables
|
|
|
(1)
|
performance of ICT functions (such as maintenance of ICT infrastructure, support for office software, development or support of business management software/systems and/or web solutions, security and data protection) by own employees (including those employed in parent or affiliate enterprises), in the previous calendar year
|
|
(2)
|
performance of ICT functions (such as maintenance of ICT infrastructure, support for office software, development or support of business management software/systems and/or web solutions, security and data protection) by external suppliers, in the previous calendar year
|
|
|
(ii)
|
for enterprises with employees and self-employed persons who have access to the internet for business purposes:
|
|
|
(3)
|
pay to advertise on the internet (such as adverts on search engines, on social media, on other websites or apps)
|
|
(4)
|
selling (access to) any of the enterprise’s own data (such as data about the enterprise’s customers’ preferences, data from the enterprise’s smart devices or sensors), in the previous calendar year
|
|
(5)
|
purchasing (access to) any data (such as data about other enterprise’s customers’ preferences, data from other enterprise’s smart devices or sensors), in the previous calendar year
|
|
(6)
|
application of the ICT security measures on enterprise’s ICT systems: authentication via strong password (such as minimum length, use of numbers and special characters, changed periodically)
|
|
(7)
|
application of the ICT security measures on enterprise’s ICT systems: authentication via biometric methods used to access the enterprise’s ICT system (such as authentication based on fingerprints, voice, face)
|
|
(8)
|
application of the ICT security measures on enterprise’s ICT systems: network access control (management of user rights in enterprise’s network)
|
|
(9)
|
application of the ICT security measures on enterprise’s ICT systems: Virtual Private Network (VPN), which extends the private network across a public network to enable secure exchange of data over public network
|
|
(10)
|
application of the ICT security measures on enterprise’s ICT systems: maintaining log files that enable analysis after ICT security incidents
|
|
(11)
|
application of the ICT security measures on enterprise’s ICT systems: ICT security tests (such as performing penetration tests, testing security alert system, reviewing security measures, testing of backup systems)
|
|
(12)
|
invoices sent in electronic form, in a standard structure suitable for automated processing (e-invoices), excluding the transmission of PDF files, in the previous calendar year
|
|
(13)
|
invoices sent in electronic form not suitable for automated processing, including the transmission of PDF files, in the previous calendar year
|
|
(14)
|
invoices sent in paper form, in the previous calendar year
|
|
|
(iii)
|
for enterprises paying to advertise on the internet:
|
|
|
(15)
|
use of targeted advertising based on content or keywords searched by internet users
|
|
(16)
|
use of targeted advertising based on the tracking of internet users’ past activities or profile
|
|
(17)
|
use of targeted advertising based on the geolocation of internet users
|
|
(18)
|
use of any other method of targeted advertising on the internet than the ones specified in optional variables (15), (16) or (17)
|
|
|
(iv)
|
for enterprises with vacancies for ICT specialists that were difficult to fill, when trying to recruit ICT specialists in the previous calendar year:
|
|
|
(19)
|
difficulties to recruit ICT specialists due to lack of applications, in the previous calendar year
|
|
(20)
|
difficulties to recruit ICT specialists due to applicants’ lack of relevant ICT related qualifications from education and/or training, in the previous calendar year
|
|
(21)
|
difficulties to recruit ICT specialists due to applicants’ lack of relevant work experience, in the previous calendar year
|
|
(22)
|
difficulties to recruit ICT specialists due to applicants’ too high salary expectations, in the previous calendar year
|
|
|
(v)
|
for enterprises using AI technologies, referring specifically to mandatory variables (21) to (28), type of purposes:
|
|
|
(23)
|
use of AI software or systems for marketing or sales (such as customer profiling, price optimisation, personalised marketing offers, market analysis based on machine learning, chatbots based on natural language processing for customer support, autonomous robots for orders processing, robo-advisor for automated planning, for example of investment (1))
|
|
(24)
|
use of AI software or systems for production or service processes (such as predictive maintenance or process optimization based on machine learning, tools to classify products or find defects in products based on computer vision, autonomous drones for production surveillance, security or inspection tasks, assembly works performed by autonomous robots, credit scoring based on machine learning (2))
|
|
(25)
|
use of AI software or systems for organisation of business administration processes or management (such as business virtual assistants based on machine learning and/or natural language processing (for example for document drafting), data analysis or strategic decision making based on machine learning (for example risk assessment), planning or business forecasting based on machine learning, human resources management based on machine learning or natural language processing (for example candidates pre-selection screening, employee profiling or performance analysis)
|
|
(26)
|
use of AI software or systems for logistics (such as autonomous robots for pick-and-pack solutions in warehouses for parcel shipping, tracing, distribution or sorting, route optimization based on machine learning)
|
|
(27)
|
use of AI software or systems for ICT security (such as face recognition based on computer vision for authentication of ICT users, detection and prevention of cyber-attacks based on machine learning)
|
|
(28)
|
use of AI software or systems for accounting, controlling or finance management (such as machine learning to analyse data that helps to make financial decisions, invoice processing based on machine learning, machine learning or natural language processing used for bookkeeping tasks)
|
|
(29)
|
use of AI software or systems for research and development (R & D) or innovation activity, excluding research on Artificial Intelligence (such as analysis of data for conducting research, solving research problems, developing a new or significantly improved product/service based on machine learning)
|
|
(30)
|
processing data (such as sex, age, racial or ethnic origin, disability, religion or belief, sexual orientation, facial images, record of purchases, occupation or address) on individuals (such as employees, job applicants or customers) using AI technologies
|
|
|
(vi)
|
for enterprises which used AI technologies to process data on individuals:
|
|
|
(31)
|
having measures (such as analysing the results of various machine learning models, examining the dataset that was used to train the machine learning model, data augmentation which involves techniques to artificially generate additional data points from existing data, i.e. synthetic data) to check the results generated by AI technologies for possible biases towards individuals based on sex, age, racial or ethnic origin, disability, religion or belief, sexual orientation
|
|
|
(vii)
|
for enterprises which did not use any AI technologies, referring specifically to mandatory variables (21) to (28):
|
|
|
(32)
|
consideration of using any of AI technologies, referring specifically to mandatory variables (21) to (28)
|
|
|
(viii)
|
for enterprises which did not use but considered to use AI technologies, referring specifically to mandatory variables (21) to (28):
|
|
|
(33)
|
AI technologies not used because the costs seem too high
|
|
(34)
|
AI technologies not used because there is a lack of relevant expertise in the enterprise
|
|
(35)
|
AI technologies not used because of incompatibility with existing equipment, software or systems
|
|
(36)
|
AI technologies not used because of difficulties with availability or quality of the necessary data
|
|
(37)
|
AI technologies not used because of concerns regarding violation of data protection and privacy
|
|
(38)
|
AI technologies not used because of lack of clarity about the legal consequences (such as liability in case of damage caused by the use of Artificial Intelligence)
|
|
(39)
|
AI technologies not used because of ethical considerations
|
|
(40)
|
AI technologies not used because they are not useful for the enterprise
|
|
|
|
|
(ix)
|
for enterprises having sent invoices in electronic form, in a standard structure suitable for automated processing (e-invoices), excluding the transmission of PDF files, in the previous calendar year:
|
|
|
(41)
|
percentage of e-invoices out of all invoices sent, or percentage of e-invoices out of all invoices sent in the following ranges: [0,< 10], [10,< 25], [25,< 50], [50,< 75], [>=75], in the previous calendar year
|
|
Date of entry into force unknown (pending notification) or not yet in force., Date of effect: 24/07/2025