Maintaining a living glossary

*As EU legislation, autonomous agent architectures, and cross-border case law converge on the same transactions, the vocabulary used to describe them is fracturing, and the cost of that fracture is no longer theoretical.*

Context

The Vocabulary Problem in Agentic Commerce

Context

The EU regulatory stack governing digital finance and artificial intelligence has grown by accretion rather than design. MiCA [13] introduced a taxonomy of crypto-assets calibrated to 2020-era instruments; the AI Act [16] defined AI systems with reference to machine learning and statistical approaches; DORA addressed ICT risk without resolving how autonomous agents relate to the third-party providers it governs. Each instrument used the vocabulary available to its drafters at the time of passage, and no cross-instrument harmonisation body held the pen on shared definitions.

Agentic commerce has since introduced a further layer of complexity. The distinction between a modular AI agent executing a discrete task and a multi-agent system coordinating persistent, goal-directed behaviour across payment rails is architecturally significant [5], but neither category maps cleanly onto any current EU legal definition. The term "autonomous payment agent" does not appear in the legislative record. "Agentic AI" is absent from ESMA and EBA technical standards. This is a structural vacancy, and it is being filled ad hoc by national competent authorities applying the closest available analogue, which produces the definitional divergence the glossary must close [11][17].

Why a Living Glossary Matters

UNCOORDINATED DEFINITIONS MiCA, the AI Act, and DORA were each drafted without a shared definitional ancestor: the observed consequence is that supervisory bodies in different member states are already applying divergent readings to the same technical constructs [13][16].
TECHNICAL OBSOLESCENCE Static legislative definitions lag autonomous agent architectures by years: emergent multi-agent coordination, persistent memory, and delegated payment authority have no settled legal counterparts in existing instruments [5][16]. The absence of a settled definition for delegated payment authority is developed in the mechanism and implications sections below.
JURISDICTIONAL ARBITRAGE Where definitions diverge across borders, sophisticated operators route transactions through the gap. A canonical vocabulary removes the definitional surface area that arbitrage requires.
CITATION FAILURE Courts, contracts, and compliance filings reference terms that have no fixed version; when legislation amends a definition, prior instruments citing the earlier text are silently destabilised [21].

How a Canonical Glossary Stays Current

A living glossary requires two interdependent structural components: a version-control architecture and a trigger-governed review cycle.

On the version-control side, each definition is assigned a URI-based persistent identifier that resolves to the exact text in force at a specified date. Semantic versioning distinguishes between a major revision (a change in legal scope or definitional boundary), a minor revision (a clarification that does not alter scope), and a patch (a correction of drafting error). Prior versions remain resolvable at their original URIs, so a contract or regulatory filing that cites a definition by version number retains a stable referent regardless of subsequent amendments [21]. This is the same property that software dependency management requires of package registries, and the legal vocabulary application preserves the core property while differing from the software case in one respect: a deprecated definition cannot be removed from the registry, because historical contracts and enforcement records depend on its continued resolvability.

On the review-cycle side, specific events serve as mandatory triggers: the entry into force of an EU legislative instrument affecting the defined domain; the publication of a CJEU ruling that interprets or distinguishes a covered term; the issuance of EBA, ESMA, or ENISA guidelines that employ the term in a context the current definition did not anticipate; and detected supervisory divergence across two or more member states within a defined observation window. Each trigger initiates a structured amendment process: a proposing body submits a redline against the current version, a defined consultation period follows, and the final amendment record attributes the change to its initiating instrument, the proposing body, and any formally registered dissent.

The amendment record is designed to function as a divergence register rather than a settlement instrument. This distinction is structural, not merely rhetorical. A settlement instrument would resolve an interpretive dispute by replacing the competing readings with a single canonical text and closing the record. A divergence register records that a dispute exists, attributes each competing reading to its source authority, and leaves the underlying interpretive question visible to courts, compliance teams, and supervisory bodies that must later engage with it. When a national authority departs from the canonical text, the departure is logged as a registered dissent rather than absorbed into supervisory practice without trace. Downstream compliance systems can subscribe to definition updates as structured data rather than monitoring legislative publications manually [11].

The glossary must also carry a definition for delegated payment authority, the condition in which an autonomous agent holds authority, granted by a human principal, to initiate payment instructions without per-transaction human confirmation. This construct sits at the boundary of existing PSD2 authentication requirements and the AI Act's classification of high-risk systems, and its absence from current regulatory vocabulary is the mechanism by which the compliance gap described in the TECHNICAL OBSOLESCENCE bullet above propagates into enforcement [5][16].

Essential Reference Points

Pavlidis (2024) on the EU AI Act's explainability framework [16]: establishes that the Act's definitional choices carry direct compliance consequences and that ambiguous scope boundaries already generate supervisory uncertainty.
Van der Linden & Shirazi (2023) on MiCA and legal certainty [13]: demonstrates that a regulation's capacity to reduce compliance costs depends heavily on the precision and stability of its definitional architecture.
Boella et al. (2016) on the Eunomos legal knowledge management system [11]: provides a working technical model for maintaining versioned, cross-referenced legal definitions with machine-readable update trails.
Spinellis (2005) on version control principles [21]: the foundational technical reference for persistent-identifier versioning as applied to any artefact requiring stable historical citation.

What Changes With a Canonical Vocabulary

A canonical agentic commerce vocabulary with version-controlled, publicly citable definitions produces changes across at least three operational planes.

For compliance and audit functions, the change is one of traceability. When a supervisory filing must demonstrate that a payment instruction was initiated by an "autonomous agent" within the meaning of the applicable instrument, the filing can cite a specific definition version in force on the transaction date. This applies with particular force to delegated payment authority: where an agent holds standing authorisation to initiate payments without per-transaction confirmation, the compliance record must establish which version of that definition governed the authorisation at the moment it was granted, and which version governed each payment event during the authorisation's duration. Version-controlled definitions close that gap between the legal text and the technical system log, and give internal audit teams a fixed referent against which to assess historical conduct, a referent that does not retroactively shift when the glossary is subsequently updated [11][21].

For cross-border harmonisation, the change operates on the divergence problem directly. National competent authorities in France, Germany, and Estonia cannot interpret the same term differently if that term resolves to a single versioned URI accepted as the authoritative definition under the relevant regulatory technical standard. Divergence becomes detectable and attributable: when a national authority departs from the canonical definition, the departure is recorded in the amendment register rather than absorbed silently into supervisory practice [13]. This makes regulatory arbitrage structurally harder to sustain, because the definitional surface area it requires is narrowed and monitored.

For risk modelling, the implication is temporal. Models that price compliance risk across jurisdictions currently carry implicit assumptions about which version of a definition governs a given transaction. Version-controlled definitions make those assumptions explicit and auditable, reducing a source of model uncertainty that is currently unquantifiable.

Counterpoint

The Case Against Centralised Definition

The strongest objection to a canonical glossary is that it converts a legitimate, ongoing interpretive dispute into a settled administrative fact prematurely. Definitional disputes about what constitutes an "AI agent" or an "autonomous payment instruction" are not merely terminological: they encode substantive disagreements about liability allocation, supervisory perimeter, and the boundary between software tool and legal actor. A single canonical vocabulary, maintained by any single body or consortium, resolves those disputes by institutional fiat rather than by legal process, and then presents the resolution as technical infrastructure rather than as a policy choice [15][16].

The concern is compounded by the governance question. Whoever holds amendment authority over the glossary holds, in practice, the power to expand or contract regulatory perimeter by adjusting a definition. If that authority sits with a body not subject to the full accountability architecture of EU legislative procedure (no co-decision, no formal Member State veto), the glossary becomes the instrument through which regulatory perimeter shifts without legislative sanction. This risk is real but bounded: where a glossary definition is embedded in a regulatory technical standard adopted by EBA or ESMA, a national court or supervised institution could refer questions of interpretation to the CJEU under Article 267 TFEU, and preliminary reference jurisdiction would reach the definition's substantive effect even if not the amendment act itself. That pathway provides a check, but it is slower and less systematic than the co-decision procedure it would be substituting for [16].

The appropriate remedy is to ensure that the amendment record functions as a divergence register rather than a settlement instrument, in the structural sense described in the mechanism section: recording competing readings from named source authorities, attributing every change to a named initiating instrument, preserving formally registered dissent, and leaving the underlying interpretive dispute visible rather than closing it by administrative resolution.

Unresolved Questions

The precise legal status of the glossary remains unresolved: whether it constitutes soft law, a CEN/ISO technical standard, an EBA/ESMA regulatory technical standard, or a novel instrument, that classification will determine its binding force across member states.
The body holding amendment authority has not been definitively identified, and the scope of override or veto rights retained by national competent authorities when a proposed revision conflicts with established national supervisory practice requires formal clarification.
The specific temporal thresholds calibrating the trigger mechanism remain undefined, including the number of documented instances of supervisory divergence across member states required to initiate a mandatory review cycle.
A structural tension exists between technology-neutral legal definitions and the precise technical definitions that compliance systems and engineers require to implement them. The mechanism section's semantic versioning architecture addresses this partially by separating scope changes from clarifications, but the question of which body has authority to determine that a technical clarification has crossed into scope change has not been resolved.
A measurable baseline of cross-instrument definitional conflicts drawn from existing EBA and ESMA enforcement decisions has not been confirmed, leaving the basis from which to assess the glossary's eventual impact uncertain.

Before courts can adjudicate, before compliance teams can audit, and before supervisory authorities can enforce consistently across borders, the words used to describe autonomous agents, their principals, and their transactions must carry a fixed address in time: a version, a date, and a publicly auditable record of every change made to them and why.

Sources

[5] Díaz-Rodríguez, N., Del Ser, J., Coeckelbergh, M., López de Prado, M., Herrera-Viedma, E., & Herrera, F. (2023). Connecting the dots in trustworthy Artificial Intelligence: From AI principles, ethics, and key requirements to responsible AI systems and regulation.

[11] Boella, G., Di, L., Humphreys, L., Robaldo, L., Rossi, P., & van der Torre, L. (2016). Eunomos, a legal document and knowledge management system for the Web to provide relevant, reliable and up-to-date information on the law.

[13] van der Linden, M., & Shirazi, T. (2023). Markets in crypto-assets regulation: Does it provide legal certainty and increase adoption of crypto-assets?.

[15] Finck, M. (2018). Blockchains: Regulating the Unknown.

[16] Pavlidis, G. (2024). Unlocking the black box: analysing the EU artificial intelligence act's framework for explainability in AI.

[17] Cappai, M. (2023). The role of private and public regulation in the case study of crypto-assets: The Italian move towards participatory regulation.

[21] Spinellis, D. (2005). Version Control, Part I. IEEE Software.