|
Mandatory/optional
|
Scope (filter)
|
Variable
|
|
Mandatory variables
|
|
|
(1)
|
main economic activity of the enterprise, in the previous calendar year
|
|
(2)
|
average number of employees and self-employed persons, in the previous calendar year
|
|
(3)
|
total value of turnover (in monetary terms, excluding VAT), in the previous calendar year
|
|
(4)
|
number of employees and self-employed persons or percentage of the total number of employees and self-employed persons who have access to the internet for business purposes
|
|
(5)
|
employment of ICT specialists
|
|
(6)
|
provision of any type of training to develop ICT-related skills for ICT specialists employed by the enterprise, in the previous calendar year
|
|
(7)
|
provision of any type of training to develop ICT-related skills for other persons employed, in the previous calendar year
|
|
(8)
|
recruitment of or the attempt to recruit ICT specialists in the previous calendar year
|
|
(9)
|
performance of ICT functions (such as maintenance of ICT infrastructure, support for office software, development or support of business management software/systems and/or web solutions, security and data protection) by own employees (including those employed in parent or affiliate enterprises), in the previous calendar year
|
|
(10)
|
performance of ICT functions (such as maintenance of ICT infrastructure, support for office software, development or support of business management software/systems and/or web solutions, security and data protection) by external suppliers, in the previous calendar year
|
|
|
(ii)
|
for enterprises with employees and self-employed persons who have access to the internet for business purposes
|
|
|
(11)
|
use of any type of fixed connection to the internet
|
|
(12)
|
having remote access (via computers or portable devices such as smartphones) of persons employed to email system of the enterprise
|
|
(13)
|
having remote access (via computers or portable devices such as smartphones) of persons employed to documents of the enterprise (such as files, spreadsheets, presentations, charts, photos)
|
|
(14)
|
having remote access (via computers or portable devices such as smartphones) of persons employed to business applications or software of the enterprise (such as access to accounting, sales, orders, Customer Relationship Management (CRM)), excluding applications used for internal communication
|
|
(15)
|
conduct of remote meetings
|
|
(16)
|
having web sales of goods or services via the enterprise’s websites or apps (including extranets), in the previous calendar year
|
|
(17)
|
having web sales of goods or services via e-commerce marketplace websites or apps used by several enterprises for trading goods or services, in the previous calendar year
|
|
(18)
|
having Electronic Data Interchange (EDI)-type sales (receipt of orders placed via EDI-type messages) of goods or services, in the previous calendar year
|
|
(19)
|
application of the ICT security measures on enterprise’s ICT systems: authentication via strong password (such as minimum length, use of numbers and special characters, changed periodically)
|
|
(20)
|
application of the ICT security measures on enterprise’s ICT systems: authentication via biometric methods used to access the enterprise’s ICT system (such as authentication based on fingerprints, voice, face)
|
|
(21)
|
application of the ICT security measures on enterprise’s ICT systems: authentication based on a combination of at least two authentication mechanisms (i.e. combination of for example user-defined password, one-time password (OTP), code generated via a security token or received via a smartphone, biometric method (such as based on fingerprints, voice, face))
|
|
(22)
|
application of the ICT security measures on enterprise’s ICT systems: encryption of data, documents or e-mails
|
|
(23)
|
application of the ICT security measures on enterprise’s ICT systems: data backup to a separate location (including backup to the cloud)
|
|
(24)
|
application of the ICT security measures on enterprise’s ICT systems: network access control (management of user rights in enterprise’s network)
|
|
(25)
|
application of the ICT security measures on enterprise’s ICT systems: Virtual Private Network (VPN), which extends the private network across a public network to enable secure exchange of data over public network
|
|
(26)
|
application of the ICT security measures on enterprise’s ICT systems: ICT security monitoring system used to detect suspicious activity (such as intrusion detection or prevention systems that monitors users’ or devices’ behaviour, network traffic), excluding anti-virus software and default firewall solution included in the operating system of personal computers and routers
|
|
(27)
|
application of the ICT security measures on enterprise’s ICT systems: maintaining log files that enable analysis after ICT security incidents
|
|
(28)
|
application of the ICT security measures on enterprise’s ICT systems: ICT risk assessment, i.e. periodical assessment of probability and consequences of ICT security incidents
|
|
(29)
|
application of the ICT security measures on enterprise’s ICT systems: ICT security tests (such as performing penetration tests, testing security alert system, reviewing security measures, testing of backup systems)
|
|
(30)
|
making persons employed aware of their obligations in ICT security related issues through voluntary training or internally available information (such as information on the intranet)
|
|
(31)
|
making persons employed aware of their obligations in ICT security related issues through compulsory training courses or viewing compulsory material
|
|
(32)
|
making persons employed aware of their obligations in ICT security related issues through a contract (such as contract of employment)
|
|
(33)
|
having document(s) on measures, practices or procedures on ICT security, such as documents on ICT security and confidentiality of data covering employee training in ICT use, ICT security measures, the evaluation of ICT security measures, plans for updating ICT security documents
|
|
(34)
|
ICT related security incidents experienced in the previous calendar year leading to the following consequences: unavailability of ICT services due to hardware or software failures
|
|
(35)
|
ICT related security incidents experienced in the previous calendar year leading to the following consequences: unavailability of ICT services due to attack from outside, such as ransomware attacks, Denial of Service attacks
|
|
(36)
|
ICT related security incidents experienced in the previous calendar year leading to the following consequences: destruction or corruption of data due to hardware or software failures
|
|
(37)
|
ICT related security incidents experienced in the previous calendar year leading to the following consequences: destruction or corruption of data due to infection of malicious software or unauthorised intrusion
|
|
(38)
|
ICT related security incidents experienced in the previous calendar year leading to the following consequences: disclosure of confidential data due to intrusion, pharming, phishing attack, intentional actions by own employees
|
|
(39)
|
ICT related security incidents experienced in the previous calendar year leading to the following consequences: disclosure of confidential data due to unintentional actions by own employees
|
|
(40)
|
use of Artificial Intelligence technologies performing analysis of written language (such as text mining)
|
|
(41)
|
use of Artificial Intelligence technologies converting spoken language into machine-readable format (speech recognition)
|
|
(42)
|
use of Artificial Intelligence technologies generating written or spoken language (natural language generation, speech synthesis)
|
|
(43)
|
use of Artificial Intelligence technologies identifying objects or persons based on images or videos (image recognition, image processing)
|
|
(44)
|
use of machine learning (such as deep learning) for data analysis
|
|
(45)
|
use of Artificial Intelligence technologies automating different workflows or assisting in decision-making (such as Artificial Intelligence based software robotic process automation)
|
|
(46)
|
use of Artificial Intelligence technologies enabling physical movement of machines via autonomous decisions based on observation of surroundings (autonomous robots, self-driving vehicles, autonomous drones)
|
|
|
(iii)
|
for enterprises using any type of fixed internet connection
|
|
|
(47)
|
maximum contracted download speed of the fastest fixed internet connection in the ranges: [0 Mbit/s, < 30 Mbit/s], [30 Mbit/s, < 100 Mbit/s], [100 Mbit/s, < 500 Mbit/s], [500 Mbit/s, < 1 Gbit/s], [≥ 1 Gbit/s]
|
|
(48)
|
sufficiency of the speed of fixed connection(s) to the internet for the actual needs of the enterprise
|
|
|
(iv)
|
for enterprises which had web sales of goods and services via the enterprise’s websites or apps or via e-commerce marketplace websites or apps used by several enterprises for trading goods or services, in the previous calendar year:
|
|
|
(49)
|
value of web sales of goods or services, or percentage of total turnover generated by web sales of goods and services, in the previous calendar year
|
|
(50)
|
percentage of value of web sales generated by web sales to private consumers (Business to Consumers: B2C), in the previous calendar year
|
|
(51)
|
percentage of value of web sales generated by web sales to other enterprises (Business to Business: B2B) and to public sector (Business to Government: B2G), in the previous calendar year
|
|
(52)
|
web sales to customers located in the enterprise’s own country, in the previous calendar year
|
|
(53)
|
web sales to customers located in other Member States, in the previous calendar year
|
|
(54)
|
web sales to customers located in the rest of the world, in the previous calendar year
|
|
|
(v)
|
for enterprises which had web sales of goods and services via the enterprise’s websites or apps and via e-commerce marketplace websites or apps used by several enterprises for trading goods or services, in the previous calendar year
|
|
|
(55)
|
percentage of value of web sales of goods or services generated by sales via the enterprise’s websites or apps (including extranets), in the previous calendar year
|
|
(56)
|
percentage of value of web sales of goods or services generated by sales via e-commerce marketplace websites or apps used by several enterprises for trading goods or services, in the previous calendar year
|
|
|
(vi)
|
for enterprises which had EDI-type sales of goods and services, in the previous calendar year:
|
|
|
(57)
|
value of EDI-type sales of goods or services or percentage of the total turnover generated by EDI-type sales of goods or services, in the previous calendar year
|
|
|
(vii)
|
for enterprises which have recruited or tried to recruit ICT specialists in the previous calendar year
|
|
|
(58)
|
having vacancies for ICT specialists that were difficult to fill
|
|
|
(viii)
|
for enterprises using Artificial Intelligence technologies, referring specifically to mandatory variables (40) to (46)
|
|
|
(59)
|
use of Artificial Intelligence software or systems for marketing or sales (such as customer profiling, price optimisation, personalised marketing offers, market analysis based on machine learning, chatbots based on natural language processing for customer support, autonomous robots for orders processing)
|
|
(60)
|
use of Artificial Intelligence software or systems for production or service processes (such as predictive maintenance or process optimization based on machine learning, tools to classify products or find defects in products based on computer vision, autonomous drones for production surveillance, security or inspection tasks, assembly works performed by autonomous robots)
|
|
(61)
|
use of Artificial Intelligence software or systems for organisation of business administration processes or management (such as business virtual assistants based on machine learning and/or natural language processing (for example for document drafting), data analysis or strategic decision making based on machine learning (for example risk assessment), planning or business forecasting based on machine learning, human resources management based on machine learning or natural language processing (for example candidates pre-selection screening, employee profiling or performance analysis)
|
|
(62)
|
use of Artificial Intelligence software or systems for logistics (such as autonomous robots for pick-and-pack solutions in warehouses for parcel shipping, tracing, distribution or sorting, route optimization based on machine learning)
|
|
(63)
|
use of Artificial Intelligence software or systems for ICT security (such as face recognition based on computer vision for authentication of ICT users, detection and prevention of cyber-attacks based on machine learning)
|
|
(64)
|
use of Artificial Intelligence software or systems for accounting, controlling or finance management (such as machine learning to analyse data that helps to make financial decisions, invoice processing based on machine learning, machine learning or natural language processing used for bookkeeping tasks)
|
|
(65)
|
use of Artificial Intelligence software or systems for research and development (R & D) or innovation activity, excluding research on Artificial Intelligence (such as analysis of data for conducting research, solving research problems, developing a new or significantly improved product/service based on machine learning)
|
|
|
Optional variables
|
|
(i)
|
for enterprises with employees and self-employed persons who have access to the internet for business purposes
|
|
|
(1)
|
number of persons employed, or percentage of the total number of persons employed, using a portable device provided by the enterprise that allows connection to the internet via mobile telephone networks for business purposes
|
|
(2)
|
pay to advertise on the internet (such as adverts on search engines, on social media, on other websites or apps)
|
|
|
(ii)
|
for enterprises paying to advertise on the internet
|
|
|
(3)
|
use of targeted advertising based on content or keywords searched by internet users
|
|
(4)
|
use of targeted advertising based on the tracking of internet users’ past activities or profile
|
|
(5)
|
use of targeted advertising based on the geolocation of internet users
|
|
(6)
|
use of any other method of targeted advertising on the internet than the ones specified in optional variables (3), (4) or (5)
|
|
|
(iii)
|
for enterprises which had web sales to customers located in at least two of the following geographic areas: own country, other Member State or rest of the world, in the previous calendar year
|
|
|
(7)
|
percentage of value of web sales generated by web sales to customers located in enterprise’s own country, in the previous calendar year
|
|
(8)
|
percentage of value of web sales generated by web sales to customers located in other Member States, in the previous calendar year
|
|
(9)
|
percentage of value of web sales generated by web sales to customers located in the rest of the world, in the previous calendar year
|
|
|
(iv)
|
for enterprises with vacancies for ICT specialists that were difficult to fill, when trying to recruit ICT specialists in the previous calendar year
|
|
|
(10)
|
difficulties to recruit ICT specialists due to lack of applications, in the previous calendar year
|
|
(11)
|
difficulties to recruit ICT specialists due to applicants’ lack of relevant ICT related qualifications from education and/or training, in the previous calendar year
|
|
(12)
|
difficulties to recruit ICT specialists due to applicants’ lack of relevant work experience, in the previous calendar year
|
|
(13)
|
difficulties to recruit ICT specialists due to applicants’ too high salary expectations, in the previous calendar year
|
|
|
(v)
|
for enterprises which have document(s) on measures, practices or procedures on ICT security
|
|
|
(14)
|
time of definition or most recent review of enterprise’s document(s) on measures, practices or procedures on ICT security: within the last 12 months, more than 12 months and up to twenty-four months ago, more than twenty-four months ago
|
|
|
(vi)
|
for enterprises using Artificial Intelligence technologies, referring specifically to mandatory variables (40) to (46)
|
|
|
(15)
|
Artificial Intelligence software and systems were developed by own employees (including those employed in parent or affiliate enterprise)
|
|
(16)
|
commercial Artificial Intelligence software or systems were modified by own employees (including those employed in parent or affiliate enterprise)
|
|
(17)
|
open-source Artificial Intelligence software or systems were modified by own employees (including those employed in parent or affiliate enterprise)
|
|
(18)
|
commercial Artificial Intelligence software or systems ready to use were purchased (including examples where they were already incorporated in a purchased item or system)
|
|
(19)
|
external providers were contracted to develop or modify Artificial Intelligence software and systems
|
|
(20)
|
processing data (such as sex, age, racial or ethnic origin, disability, religion or belief, sexual orientation, facial images, record of purchases, occupation or address) on individuals (such as employees, job applicants or customers) using Artificial Intelligence technologies
|
|
|
(vii)
|
for enterprises which used Artificial Intelligence technologies to process data on individuals
|
|
|
(21)
|
having measures (such as analysing the results of various machine learning models, examining the dataset that was used to train the machine learning model, data augmentation which involves techniques to artificially generate additional data points from existing data, i.e. synthetic data) to check the results generated by Artificial Intelligence technologies for possible biases towards individuals based on sex, age, racial or ethnic origin, disability, religion or belief, sexual orientation
|
|
|
(viii)
|
for enterprises which did not use any Artificial Intelligence technologies, referring specifically to mandatory variables (40) to (46)
|
|
|
(22)
|
consideration of using any of Artificial Intelligence technologies, referring specifically to mandatory variables (40) to (46)
|
|
|
(ix)
|
for enterprises which did not use but considered to use Artificial Intelligence technologies, referring specifically to mandatory variables (40) to (46)
|
|
|
(23)
|
Artificial Intelligence technologies not used because the costs seem too high
|
|
(24)
|
Artificial Intelligence technologies not used because there is a lack of relevant expertise in the enterprise
|
|
(25)
|
Artificial Intelligence technologies not used because of incompatibility with existing equipment, software or systems
|
|
(26)
|
Artificial Intelligence technologies not used because of difficulties with availability or quality of the necessary data
|
|
(27)
|
Artificial Intelligence technologies not used because of concerns regarding violation of data protection and privacy
|
|
(28)
|
Artificial Intelligence technologies not used because of lack of clarity about the legal consequences (such as liability in case of damage caused by the use of Artificial Intelligence)
|
|
(29)
|
Artificial Intelligence technologies not used because of ethical considerations
|
|
(30)
|
Artificial Intelligence technologies not used because they are not useful for the enterprise
|
|
In force