After our bank was affected by a significant cyber attack that disrupted our core services, I'm in charge of managing the situation. As the chief risk officer, what specific steps do I need to take to comply with DORA's incident reporting and what are the deadlines for these actions?
In the wake of a cyber incident at your bank, aligning with the Digital Operational Resilience Act (DORA) is crucial for compliance and risk management. Here are the key actions you must take as the chief risk officer:
Acting swiftly and efficiently on these points is imperative to satisfy DORA’s requirements and maintain operational resilience.
I have completed the analysis according to the plan laid out by the senior lawyer, utilizing various AI agents as directed. The analysis has led to an understanding of the specific obligations posed by the Digital Operational Resilience Act (DORA) in response to a significant cyber attack. Here is the summary of the legal findings:
’ICT-related incident’ means a single event or a series of linked events unplanned by the financial entity that compromises the security of the network and information systems, and have an adverse impact on the availability, authenticity, integrity or confidentiality of data, or on the services provided by the financial entity;
Article 3(8)→
The term “ICT-related incident” entails unplanned events that undermine the network and information systems’ security, impacting the data and services offered by the bank. Accordingly, the chief risk officer must engage in an incident response mechanism that meets the requirements of DORA.
‘major ICT-related incident’ means an ICT-related incident that has a high adverse impact on the network and information systems that support critical or important functions of the financial entity;
Article 3(10)→
A “major ICT-related incident” categorization is based on the high adverse impact on critical operational functions. The chief risk officer must evaluate the cyber attack against this definition to establish the reporting urgency.
Financial entities shall define, establish and implement an ICT-related incident management process to detect, manage and notify ICT-related incidents.
Article 17(1)→
A mandated comprehensive management process for ICT-related incidents is required, covering all aspects from detection through to notification.
Financial entities shall record all ICT-related incidents and significant cyber threats… to ensure that root causes are identified, documented and addressed in order to prevent the occurrence of such incidents.
Article 17(2)→
Recording incidents and threats is crucial, with a strategy that emphasizes preventing reoccurrences.
- (a) put in place early warning indicators;
- …
- (f) establish ICT-related incident response procedures to mitigate impacts…
Article 17(3)→
A detailed framework has been outlined that the bank must follow, which includes provisions for early detection, response plans, and communication strategies.
Financial entities shall classify ICT-related incidents and shall determine their impact based on the following criteria: …
Article 18(1)→
Incidents must be classified methodically as ‘major’ based on a range of factors, from client impact to the economic ramifications.
Financial entities shall report major ICT-related incidents…
Article 19(1)→
A structured response and reporting process is mandatory for classified ‘major’ incidents.
Upon receipt of the initial notification … the competent authority shall, in a timely manner…
Article 19(6)→
Reporting to competent authorities may extend to other entities, emphasizing the necessity for a broad communication plan.
The direct reporting should enable financial supervisors…
Recital 52→
Reporting should be immediate and direct, facilitating the rapid response of financial supervisors.
Indeed, relevant materiality thresholds, as well as reporting timelines, should be duly adjusted…
Recital 53→
There is room for specificity in compliance obligations, indicating that reports should be tailored to the significance of the incident.
In conclusion, the chief risk officer is obliged to assess the cyber attack severity, establish its classification, record and manage the incident, and report to the competent authorities within prescribed deadlines. Establishing an incident reporting protocol, adhering to classification criteria, and remaining in ongoing communication with relevant authorities form the guiding pillars for DORA compliance in this scenario.
We have searched through the PDF repository of draft EBA and ESMA guidelines, draft technical standards, and other documents to provide this supplemental answer.
In follow-up to our initial analysis, this supplemental answer delves into further specifics as informed by related regulatory technical standards (RTS) under the Digital Operational Resilience Act (DORA). These details elaborate on the classification and reporting of major ICT-related incidents, as well as the management of incidents with significant cyber threats. This targeted information will provide a refined understanding and enhance the decision-making framework necessary for effective compliance.
An incident shall be considered a major incident for the purposes of Article 19 of Regulation (EU) 2022/2554 where it has had any impact on critical services as referred to in Article 6 and where one of the following is met: a) the materiality threshold of Article 13(b) has been met; or b) two or more materiality thresholds specified in this Section have been met.
(Final Report on Draft) Regulatory Technical Standards specifying the criteria for the classification of ICT related incidents, materiality thresholds for major incidents and significant cyber threats under DORA, page 26→
The above quote specifies the definitive conditions that elevate an ICT-related incident to a ‘major incident’ status, in line with Article 19 of Regulation (EU) 2022/2554. It clarifies that a significant impact on critical services, in conjunction with meeting one or more materiality thresholds, dictates the requisite level of response and reporting sophistication expected of your institution.
The materiality threshold for the criterion ‘clients, financial counterparts and transactions’ shall be met where any of the following conditions is met: a) the number of affected clients is higher than 10% of all clients using the affected service; or b) the number of affected clients is higher than 100,000 clients using the affected service; […]
(Final Report on Draft) Regulatory Technical Standards specifying the criteria for the classification of ICT related incidents, materiality thresholds for major incidents and significant cyber threats under DORA, page 26→
This excerpt emphasizes the significance of client impact in quantifying a cyber incident, outlining specific thresholds that must be considered when determining a major ICT-related incident. It enables your bank to discern whether the cyber attack’s scope necessitates reporting, an essential step in aligning with DORA’s incident response procedures.
The materiality threshold of the economic impact criterion in accordance with Article 7 shall be met where the costs and losses incurred by the financial entity from the major incident have exceeded or are likely to exceed EUR 100,000.
(Final Report on Draft) Regulatory Technical Standards specifying the criteria for the classification of ICT related incidents, materiality thresholds for major incidents and significant cyber threats under DORA, page 28→
This directive provides an economic perspective on incident materiality, where financial losses exceeding EUR 100,000 trigger major incident classification. It equips your institution with a clear financial benchmark for evaluating and potentially reporting the incident’s ramifications under DORA.
Any impact set out in Article 2 a) to d) shall be considered as meeting the threshold of the reputational impact criterion.
(Final Report on Draft) Regulatory Technical Standards specifying the criteria for the classification of ICT related incidents, materiality thresholds for major incidents and significant cyber threats under DORA, page 27→
Reputational impact is a nuanced but critical aspect of incident assessment. This provision stresses the need to appreciate a broad range of effects beyond mere operational and economic outcomes. It is a reminder of the importance of considering reputation within the bank’s overall incident reporting process.
Recurring incidents that individually do not constitute a major incident shall be considered as one major incident where the incidents meet all of the following conditions: a) the incidents have occurred at least twice within 6 months; […]
(Final Report on Draft) Regulatory Technical Standards specifying the criteria for the classification of ICT related incidents, materiality thresholds for major incidents and significant cyber threats under DORA, page 28→
The repetition of smaller-scale incidents can collectively equal a major incident, according to the above criterion. This informs your ongoing risk assessment strategies by highlighting the need to monitor and possibly report recurring ICT-related issues that could escalate in significance when viewed in aggregate.
Understanding precise criteria and applying specific materiality thresholds is critical when reporting cyber incidents. The provisions offer a legal backbone for meticulous incident documentation and reporting, a fundamental aspect of adherence to DORA’s mandates. Each step of the reporting protocol must be executed with precision, ensuring that every reported incident meets the stipulated conditions.
The details derived from the aforementioned regulatory technical standards supplement the initial DORA-related guidance by stipulating explicit thresholds and criteria for major incident classification and reporting. These additional insights fortify the bank’s incident response plan and aid in cultivating a structured, compliant approach to managing and disclosing significant cyber threats.
2021/0106 (COD)
Proposal for a
REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL
LAYING DOWN HARMONISED RULES ON ARTIFICIAL INTELLIGENCE (ARTIFICIAL INTELLIGENCE ACT) AND AMENDING CERTAIN UNION LEGISLATIVE ACTS
THE EUROPEAN PARLIAMENT AND THE COUNCIL OF THE EUROPEAN UNION,
Having regard to the Treaty on the Functioning of the European Union, and in particular Articles 16 and 114 thereof,
Having regard to the proposal from the European Commission,
After transmission of the draft legislative act to the national parliaments,
Having regard to the opinion of the European Economic and Social Committee 31 ,
Having regard to the opinion of the Committee of the Regions 32 ,
Acting in accordance with the ordinary legislative procedure,
Whereas:
The purpose of this Regulation is to improve the functioning of the internal market by laying down a uniform legal framework in particular for the development, marketing and use of artificial intelligence in conformity with Union values. This Regulation pursues a number of overriding reasons of public interest, such as a high level of protection of health, safety and fundamental rights, and it ensures the free movement of AI-based goods and services cross-border, thus preventing Member States from imposing restrictions on the development, marketing and use of AI systems, unless explicitly authorised by this Regulation.
Artificial intelligence systems (AI systems) can be easily deployed in multiple sectors of the economy and society, including cross border, and circulate throughout the Union. Certain Member States have already explored the adoption of national rules to ensure that artificial intelligence is safe and is developed and used in compliance with fundamental rights obligations. Differing national rules may lead to fragmentation of the internal market and decrease legal certainty for operators that develop or use AI systems. A consistent and high level of protection throughout the Union should therefore be ensured, while divergences hampering the free circulation of AI systems and related products and services within the internal market should be prevented, by laying down uniform obligations for operators and guaranteeing the uniform protection of overriding reasons of public interest and of rights of persons throughout the internal market based on Article 114 of the Treaty on the Functioning of the European Union (TFEU). To the extent that this Regulation contains specific rules on the protection of individuals with regard to the processing of personal data concerning restrictions of the use of AI systems for ‘real-time’ remote biometric identification in publicly accessible spaces for the purpose of law enforcement, it is appropriate to base this Regulation, in as far as those specific rules are concerned, on Article 16 of the TFEU. In light of those specific rules and the recourse to Article 16 TFEU, it is appropriate to consult the European Data Protection Board.
Artificial intelligence is a fast evolving family of technologies that can contribute to a wide array of economic and societal benefits across the entire spectrum of industries and social activities. By improving prediction, optimising operations and resource allocation, and personalising digital solutions available for individuals and organisations, the use of artificial intelligence can provide key competitive advantages to companies and support socially and environmentally beneficial outcomes, for example in healthcare, farming, education and training, infrastructure management, energy, transport and logistics, public services, security, justice, resource and energy efficiency, and climate change mitigation and adaptation.
At the same time, depending on the circumstances regarding its specific application and use, artificial intelligence may generate risks and cause harm to public interests and rights that are protected by Union law. Such harm might be material or immaterial.
A Union legal framework laying down harmonised rules on artificial intelligence is therefore needed to foster the development, use and uptake of artificial intelligence in the internal market that at the same time meets a high level of protection of public interests, such as health and safety and the protection of fundamental rights, as recognised and protected by Union law. To achieve that objective, rules regulating the placing on the market and putting into service of certain AI systems should be laid down, thus ensuring the smooth functioning of the internal market and allowing those systems to benefit from the principle of free movement of goods and services. By laying down those rules, this Regulation supports the objective of the Union of being a global leader in the development of secure, trustworthy and ethical artificial intelligence, as stated by the European Council 33 , and it ensures the protection of ethical principles, as specifically requested by the European Parliament 34 .
The notion of AI system should be clearly defined to ensure legal certainty, while providing the flexibility to accommodate future technological developments. The definition should be based on the key functional characteristics of the software, in particular the ability, for a given set of human-defined objectives, to generate outputs such as content, predictions, recommendations, or decisions which influence the environment with which the system interacts, be it in a physical or digital dimension. AI systems can be designed to operate with varying levels of autonomy and be used on a stand-alone basis or as a component of a product, irrespective of whether the system is physically integrated into the product (embedded) or serve the functionality of the product without being integrated therein (non-embedded). The definition of AI system should be complemented by a list of specific techniques and approaches used for its development, which should be kept up-to—date in the light of market and technological developments through the adoption of delegated acts by the Commission to amend that list.
The notion of biometric data used in this Regulation is in line with and should be interpreted consistently with the notion of biometric data as defined in Article 4(14) of Regulation (EU) 2016/679 of the European Parliament and of the Council 35 , Article 3(18) of Regulation (EU) 2018/1725 of the European Parliament and of the Council 36 and Article 3(13) of Directive (EU) 2016/680 of the European Parliament and of the Council 37 .
The notion of remote biometric identification system as used in this Regulation should be defined functionally, as an AI system intended for the identification of natural persons at a distance through the comparison of a person’s biometric data with the biometric data contained in a reference database, and without prior knowledge whether the targeted person will be present and can be identified, irrespectively of the particular technology, processes or types of biometric data used. Considering their different characteristics and manners in which they are used, as well as the different risks involved, a distinction should be made between ‘real-time’ and ‘post’ remote biometric identification systems. In the case of ‘real-time’ systems, the capturing of the biometric data, the comparison and the identification occur all instantaneously, near-instantaneously or in any event without a significant delay. In this regard, there should be no scope for circumventing the rules of this Regulation on the ‘real-time’ use of the AI systems in question by providing for minor delays. ‘Real-time’ systems involve the use of ‘live’ or ‘near-‘live’ material, such as video footage, generated by a camera or other device with similar functionality. In the case of ‘post’ systems, in contrast, the biometric data have already been captured and the comparison and identification occur only after a significant delay. This involves material, such as pictures or video footage generated byclosed circuit television cameras or private devices, which has been generated before the use of the system in respect of the natural persons concerned.
For the purposes of this Regulation the notion of publicly accessible space should be understood as referring to any physical place that is accessible to the public, irrespective of whether the place in question is privately or publicly owned. Therefore, the notion does not cover places that are private in nature and normally not freely accessible for third parties, including law enforcement authorities, unless those parties have been specifically invited or authorised, such as homes, private clubs, offices, warehouses and factories. Online spaces are not covered either, as they are not physical spaces. However, the mere fact that certain conditions for accessing a particular space may apply, such as admission tickets or age restrictions, does not mean that the space is not publicly accessible within the meaning of this Regulation. Consequently, in addition to public spaces such as streets, relevant parts of government buildings and most transport infrastructure, spaces such as cinemas, theatres, shops and shopping centres are normally also publicly accessible. Whether a given space is accessible to the public should however be determined on a case-by-case basis, having regard to the specificities of the individual situation at hand.
In order to ensure a level playing field and an effective protection of rights and freedoms of individuals across the Union, the rules established by this Regulation should apply to providers of AI systems in a non-discriminatory manner, irrespective of whether they are established within the Union or in a third country, and to users of AI systems established within the Union.
In light of their digital nature, certain AI systems should fall within the scope of this Regulation even when they are neither placed on the market, nor put into service, nor used in the Union. This is the case for example of an operator established in the Union that contracts certain services to an operator established outside the Union in relation to an activity to be performed by an AI system that would qualify as high-risk and whose effects impact natural persons located in the Union. In those circumstances, the AI system used by the operator outside the Union could process data lawfully collected in and transferred from the Union, and provide to the contracting operator in the Union the output of that AI system resulting from that processing, without that AI system being placed on the market, put into service or used in the Union. To prevent the circumvention of this Regulation and to ensure an effective protection of natural persons located in the Union, this Regulation should also apply to providers and users of AI systems that are established in a third country, to the extent the output produced by those systems is used in the Union. Nonetheless, to take into account existing arrangements and special needs for cooperation with foreign partners with whom information and evidence is exchanged, this Regulation should not apply to public authorities of a third country and international organisations when acting in the framework of international agreements concluded at national or European level for law enforcement and judicial cooperation with the Union or with its Member States. Such agreements have been concluded bilaterally between Member States and third countries or between the European Union, Europol and other EU agencies and third countries and international organisations.
This Regulation should also apply to Union institutions, offices, bodies and agencies when acting as a provider or user of an AI system. AI systems exclusively developed or used for military purposes should be excluded from the scope of this Regulation where that use falls under the exclusive remit of the Common Foreign and Security Policy regulated under Title V of the Treaty on the European Union (TEU).This Regulation should be without prejudice to the provisions regarding the liability of intermediary service providers set out in Directive 2000/31/EC of the European Parliament and of the Council [as amended by the Digital Services Act].
In order to ensure a consistent and high level of protection of public interests as regards health, safety and fundamental rights, common normative standards for all high-risk AI systems should be established. Those standards should be consistent with the Charter of fundamental rights of the European Union (the Charter) and should be non-discriminatory and in line with the Union’s international trade commitments.
In order to introduce a proportionate and effective set of binding rules for AI systems, a clearly defined risk-based approach should be followed. That approach should tailor the type and content of such rules to the intensity and scope of the risks that AI systems can generate. It is therefore necessary to prohibit certain artificial intelligence practices, to lay down requirements for high-risk AI systems and obligations for the relevant operators, and to lay down transparency obligations for certain AI systems.
Aside from the many beneficial uses of artificial intelligence, that technology can also be misused and provide novel and powerful tools for manipulative, exploitative and social control practices. Such practices are particularly harmful and should be prohibited because they contradict Union values of respect for human dignity, freedom, equality, democracy and the rule of law and Union fundamental rights, including the right to non-discrimination, data protection and privacy and the rights of the child.
The placing on the market, putting into service or use of certain AI systems intended to distort human behaviour, whereby physical or psychological harms are likely to occur, should be forbidden. Such AI systems deploy subliminal components individuals cannot perceive or exploit vulnerabilities of children and people due to their age, physical or mental incapacities. They do so with the intention to materially distort the behaviour of a person and in a manner that causes or is likely to cause harm to that or another person. The intention may not be presumed if the distortion of human behaviour results from factors external to the AI system which are outside of the control of the provider or the user. Research for legitimate purposes in relation to such AI systems should not be stifled by the prohibition, if such research does not amount to use of the AI system in human-machine relations that exposes natural persons to harm and such research is carried out in accordance with recognised ethical standards for scientific research.
AI systems providing social scoring of natural persons for general purpose by public authorities or on their behalf may lead to discriminatory outcomes and the exclusion of certain groups. They may violate the right to dignity and non-discrimination and the values of equality and justice. Such AI systems evaluate or classify the trustworthiness of natural persons based on their social behaviour in multiple contexts or known or predicted personal or personality characteristics. The social score obtained from such AI systems may lead to the detrimental or unfavourable treatment of natural persons or whole groups thereof in social contexts, which are unrelated to the context in which the data was originally generated or collected or to a detrimental treatment that is disproportionate or unjustified to the gravity of their social behaviour.Such AI systems should be therefore prohibited.
The use of AI systems for ‘real-time’ remote biometric identification of natural persons in publicly accessible spaces for the purpose of law enforcement is considered particularly intrusive in the rights and freedoms of the concerned persons, to the extent that it may affect the private life of a large part of the population, evoke a feeling of constant surveillance and indirectly dissuade the exercise of the freedom of assembly and other fundamental rights. In addition, the immediacy of the impact and the limited opportunities for further checks or correctionsin relation to the use of such systems operating in ‘real-time’ carry heightened risks for the rights and freedoms of the persons that are concerned by law enforcement activities.
The use of those systems for the purpose of law enforcement should therefore be prohibited, except in three exhaustively listed and narrowly defined situations, where the use is strictly necessary to achieve a substantial public interest, the importance of which outweighs the risks. Those situations involve the search for potential victims of crime, including missing children; certain threats to the life or physical safety of natural persons or of a terrorist attack; and the detection, localisation, identification or prosecution of perpetrators or suspects of the criminal offences referred to in Council Framework Decision 2002/584/JHA 38 if those criminal offences are punishable in the Member State concerned by a custodial sentence or a detention order for a maximum period of at least three years and as they are defined in the law of that Member State. Such threshold for the custodial sentence or detention order in accordance with national law contributes to ensure that the offence should be serious enough to potentially justify the use of ‘real-time’ remote biometric identification systems. Moreover, of the 32 criminal offences listed in the Council Framework Decision 2002/584/JHA, some are in practice likely to be more relevant than others, in that the recourse to ‘real-time’ remote biometric identification will foreseeably be necessary and proportionate to highly varying degrees for the practical pursuit of the detection, localisation, identification or prosecution of a perpetrator or suspect of the different criminal offences listed and having regard to the likely differences inthe seriousness, probability and scale of the harm or possible negative consequences.
In order to ensure that those systems are used in a responsible and proportionate manner, it is also important to establish that, in each of those three exhaustively listed and narrowly defined situations, certain elements should be taken into account, in particular as regards the nature of the situation giving rise to the request and the consequences of the use for the rights and freedoms of all persons concerned and the safeguards and conditions provided for with the use. In addition, the use of ‘real-time’ remote biometric identification systems in publicly accessible spaces for the purpose of law enforcement should be subject to appropriate limits in time and space, having regard in particular to the evidence or indications regarding the threats, the victims or perpetrator.The reference database of persons should be appropriate for each use case in each of the three situations mentioned above.
Each use of a ‘real-time’ remote biometric identification system in publicly accessible spaces for the purpose of law enforcement should be subject to an express and specific authorisation by a judicial authority or by an independent administrative authority of a Member State. Such authorisation should in principle be obtained prior to the use, except in duly justified situations of urgency, that is, situations where the need to use the systems in question is such as to make it effectively and objectively impossible to obtain an authorisation before commencing the use. In such situations of urgency, the use should be restricted to the absolute minimum necessary and be subject to appropriate safeguards and conditions, as determined in national law and specified in the context of each individual urgent use case by the law enforcement authority itself. In addition, the law enforcement authority should in such situations seek to obtain an authorisation as soon as possible, whilst providing the reasons for not having been able to request it earlier.
Furthermore, it is appropriate to provide, within the exhaustive framework set by this Regulation that such use in the territory of a Member State in accordance with this Regulation should only be possible where and in as far as the Member State in question has decided to expressly provide for the possibility to authorise such use in its detailed rules of national law. Consequently, Member States remain free under this Regulation not to provide for such a possibility at all or to only provide for such a possibility in respect of some of the objectives capable of justifying authorised use identified in this Regulation.
The use of AI systems for ‘real-time’ remote biometric identification of natural persons in publicly accessible spaces for the purpose of law enforcement necessarily involves the processing of biometric data. The rules of this Regulation that prohibit, subject to certain exceptions, such use, which are based on Article 16 TFEU, should apply as lex specialis in respect of the rules on the processing of biometric data contained in Article 10 of Directive (EU) 2016/680, thus regulating such use and the processing of biometric data involved in an exhaustive manner. Therefore, such use and processing should only be possible in as far as it is compatible with the framework set by this Regulation, without there being scope, outside that framework, for the competent authorities, where they act for purpose of law enforcement, to use such systems and process such data in connection thereto on the grounds listed in Article 10 of Directive (EU) 2016/680. In this context, this Regulation is not intended to provide the legal basis for the processing of personal data under Article 8 of Directive 2016/680. However, the use of ‘real-time’ remote biometric identification systems in publicly accessible spaces for purposes other than law enforcement, including by competent authorities, should not be covered by the specific framework regarding such use for the purpose of law enforcement set by this Regulation. Such use for purposes other than law enforcement should therefore not be subject to the requirement of an authorisation under this Regulationand the applicable detailed rules of national law that may give effect to it.
Any processing of biometric data and other personal data involved in the use of AI systems for biometric identification, other than in connection to the use of ‘real-time’ remote biometric identification systems in publicly accessible spaces for the purpose of law enforcement as regulated by this Regulation, including where those systems are used by competent authorities in publicly accessible spaces for other purposes than law enforcement, should continue to comply with all requirements resulting from Article 9(1) of Regulation (EU) 2016/679, Article 10(1) of Regulation (EU) 2018/1725 and Article 10 of Directive (EU) 2016/680, as applicable.
In accordance with Article 6a of Protocol No 21 on the position of the United Kingdom and Ireland in respect of the area of freedom, security and justice, as annexed to the TEU and to the TFEU, Ireland is not bound by the rules laid down in Article 5(1), point (d), (2) and (3) of this Regulation adopted on the basis of Article 16 of the TFEU which relate to the processing of personal data by the Member States when carrying out activities falling within the scope of Chapter 4 or Chapter 5 of Title V of Part Three of the TFEU, where Ireland is not bound by the rules governing the forms of judicial cooperation in criminal matters or police cooperation which require compliance with the provisions laid down on the basis of Article 16 of the TFEU.
In accordance with Articles 2 and 2a of Protocol No 22 on the position of Denmark, annexed to the TEU and TFEU, Denmark is not bound by rules laid down in Article 5(1), point (d), (2) and (3) of this Regulation adopted on the basis of Article 16 of the TFEU, or subject to their application, which relate to the processing of personal data by the Member States when carrying out activities falling within the scope of Chapter 4 or Chapter 5 of Title V of Part Three of the TFEU.
High-risk AI systems should only be placed on the Union market or put into service if they comply with certain mandatory requirements. Those requirements should ensure that high-risk AI systems available in the Union or whose output is otherwise used in the Union do not pose unacceptable risks to important Union public interests as recognised and protected by Union law. AI systems identified as high-risk should be limited to those that have a significant harmful impact on the health, safety and fundamental rights of persons in the Union and such limitation minimises any potential restriction to international trade, if any.
AI systems could produce adverse outcomes to health and safety of persons, in particular when such systems operate as components of products. Consistently with the objectives of Union harmonisation legislation to facilitate the free movement of products in the internal market and to ensure that only safe and otherwise compliant products find their way into the market, it is important that the safety risks that may be generated by a product as a whole due to its digital components, including AI systems, are duly prevented and mitigated. For instance, increasingly autonomous robots, whether in the context of manufacturing or personal assistance and care should be able to safely operate and performs their functions in complex environments. Similarly, in the health sector where the stakes for life and health are particularly high, increasingly sophisticated diagnostics systems and systems supporting human decisions should be reliable and accurate. The extent of the adverse impact caused by the AI system on the fundamental rights protected by the Charter is of particular relevance when classifying an AI system as high-risk. Those rights include the right to human dignity, respect for private and family life, protection of personal data, freedom of expression and information, freedom of assembly and of association, and non-discrimination, consumer protection, workers’ rights,rights of persons with disabilities, right to an effective remedy and to a fair trial, right of defence and the presumption of innocence, right to good administration. In addition to those rights, it is important to highlight that children have specific rights as enshrined in Article 24 of the EU Charter and in the United Nations Convention on the Rights of the Child (further elaborated in the UNCRC General Comment No. 25 as regards the digital environment), both of which require consideration of the children’s vulnerabilities and provision of such protection and care as necessary for their well-being. The fundamental right to a high level of environmental protection enshrined in the Charter and implemented in Union policies should also be considered when assessing the severity of the harm that an AI system can cause, including in relation to the health and safety of persons.
As regards high-risk AI systems that are safety components of products or systems, or which are themselves products or systems falling within the scope of Regulation (EC) No 300/2008 of the European Parliament and of the Council 39 , Regulation (EU) No 167/2013of the European Parliament and of the Council 40 , Regulation (EU) No 168/2013of the European Parliament and of the Council 41 , Directive 2014/90/EUof the European Parliament and of the Council 42 , Directive (EU) 2016/797of the European Parliament and of the Council 43 , Regulation (EU) 2018/858of the European Parliament and of the Council 44 , Regulation (EU) 2018/1139 of the European Parliament and of the Council 45 , and Regulation (EU) 2019/2144of the European Parliament and of the Council 46 , it is appropriate to amend those acts to ensure that the Commission takes into account, on the basis of the technical and regulatory specificities of each sector, and without interfering with existing governance, conformity assessment and enforcement mechanisms and authorities established therein, the mandatory requirements for high-risk AI systems laid down in this Regulation when adopting any relevant future delegated or implementing acts on the basis of those acts.
As regards AI systems that are safety components of products, or which are themselves products, falling within the scope of certain Union harmonisation legislation, it is appropriate to classify them as high-risk under this Regulation if the product in question undergoes the conformity assessment procedure with a third-party conformity assessment body pursuant to that relevant Union harmonisation legislation. In particular, such products are machinery, toys, lifts, equipment and protective systems intended for use in potentially explosive atmospheres, radio equipment, pressure equipment, recreational craft equipment, cableway installations,appliances burning gaseous fuels, medical devices, and in vitro diagnostic medical devices.
The classification of an AI system as high-risk pursuant to this Regulation should not necessarily mean that the product whose safety component is the AI system, or the AI system itself as a product, is considered ‘high-risk’ under the criteria established in the relevant Union harmonisation legislation that applies to the product. This is notably the case for Regulation (EU) 2017/745 of the European Parliament and of the Council 47 and Regulation (EU) 2017/746 of the European Parliament and of the Council 48 , where a third-party conformity assessment is provided for medium-risk and high-risk products.
As regards stand-alone AI systems, meaning high-risk AI systems other than those that are safety components of products, or which are themselves products, it is appropriate to classify them as high-risk if, in the light of their intended purpose, they pose a high risk of harm to the health and safety or the fundamental rights of persons, taking into account both the severity of the possible harm and its probability of occurrence and they are used in a number of specifically pre-defined areas specified in the Regulation. The identification of those systems is based on the same methodology and criteria envisaged also for any future amendments of the list of high-risk AI systems.
Technical inaccuracies of AI systems intended for the remote biometric identification of natural persons can lead to biased results and entail discriminatory effects. This is particularly relevant when it comes to age, ethnicity, sex or disabilities. Therefore, ‘real-time’ and ‘post’ remote biometric identification systems should be classified as high-risk. In view of the risks that they pose, both types of remote biometric identification systems should be subject to specific requirements on logging capabilities and human oversight.
As regards the management and operation of critical infrastructure, it is appropriate to classify as high-risk the AI systems intended to be used as safety components in the management and operation of road traffic and the supply of water, gas, heating and electricity, since their failure or malfunctioning may put at risk the life and health of persons at large scale and lead to appreciable disruptions in the ordinary conduct of social and economic activities.
AI systems used in education or vocational training, notably for determining access or assigning persons to educational and vocational training institutions or to evaluate persons on tests as part of or as a precondition for their education should be considered high-risk, since they may determine the educational and professional course of a person’s life and therefore affect their ability to secure their livelihood. When improperly designed and used, such systems may violate the right to education and training as well as the right not to be discriminated against and perpetuate historical patterns of discrimination.
AI systems used in employment, workers management and access to self-employment, notably for the recruitment and selection of persons, for making decisions on promotion and termination and for task allocation, monitoring or evaluation of persons in work-related contractual relationships, should also be classified as high-risk, since those systems may appreciably impact future career prospects and livelihoods of these persons. Relevant work-related contractual relationships should involve employees and persons providing services through platforms as referred to in the Commission Work Programme 2021. Such persons should in principle not be considered users within the meaning of this Regulation. Throughout the recruitment process and in the evaluation, promotion, or retention of persons in work-related contractual relationships, such systems may perpetuate historical patterns of discrimination, for example against women, certain age groups, persons with disabilities, or persons of certain racial or ethnic origins or sexual orientation. AI systems used to monitor the performance and behaviour of these persons may also impact their rights to data protection and privacy.
Another area in which the use of AI systems deserves special consideration is the access to and enjoyment of certain essential private and public services and benefits necessary for people to fully participate in society or to improve one’s standard of living. In particular, AI systems used to evaluate the credit score or creditworthiness of natural persons should be classified as high-risk AI systems, since they determine those persons’ access to financial resources or essential services such as housing, electricity, and telecommunication services. AI systems used for this purpose may lead to discrimination of persons or groups and perpetuate historical patterns of discrimination, for example based on racial or ethnic origins, disabilities, age, sexual orientation, or create new forms of discriminatory impacts. Considering the very limited scale of the impact and the available alternatives on the market, it is appropriate to exempt AI systems for the purpose of creditworthiness assessment and credit scoring when put into service by small-scale providers for their own use. Natural persons applying for or receiving public assistance benefits and services from public authorities are typically dependent on those benefits and services and in a vulnerable position in relation to the responsible authorities. If AI systems are used for determining whether such benefits and services should be denied, reduced, revoked or reclaimed by authorities, they may have a significant impact on persons’ livelihood and may infringe their fundamental rights, such as the right to social protection, non-discrimination, human dignity or an effective remedy. Those systems should therefore be classified as high-risk. Nonetheless, this Regulation should not hamper the development and use of innovative approaches in the public administration, which would stand to benefit from a wider use of compliant and safe AI systems, provided that those systems do not entail a high risk to legal and natural persons. Finally, AI systems used to dispatch or establish priority in the dispatching of emergency first response services should also be classified as high-risk since they make decisions in very critical situations for the life and health of persons and their property.
Actions by law enforcement authorities involving certain uses of AI systems are characterised by a significant degree of power imbalance and may lead to surveillance, arrest or deprivation of a natural person’s liberty as well as other adverse impacts on fundamental rights guaranteed in the Charter. In particular, if the AI system is not trained with high quality data, does not meet adequate requirements in terms of its accuracy or robustness, or is not properly designed and tested before being put on the market or otherwise put into service, it may single out people in a discriminatory or otherwise incorrect or unjust manner. Furthermore, the exercise of important procedural fundamental rights, such as the right to an effective remedy and to a fair trial as well as the right of defence and the presumption of innocence, could be hampered, in particular, where such AI systems are not sufficiently transparent, explainable and documented.It is therefore appropriate to classify as high-risk a number of AI systems intended to be used in the law enforcement context where accuracy, reliability and transparency is particularly important to avoid adverse impacts, retain public trust and ensure accountability and effective redress. In view of the nature of the activities in question and the risks relating thereto, those high-risk AI systems should include in particular AI systems intended to be used by law enforcement authorities for individual risk assessments, polygraphs and similar tools or to detect the emotional state of natural person, to detect ‘deep fakes’, for the evaluation of the reliability of evidence in criminal proceedings, for predicting the occurrence or reoccurrence of an actual or potential criminal offence based on profiling of natural persons, or assessing personality traits and characteristics or past criminal behaviour of natural persons or groups, for profiling in the course of detection, investigation or prosecution of criminal offences, as well as for crime analytics regarding natural persons. AI systems specifically intended to be used for administrative proceedings by tax and customs authorities should not be considered high-risk AI systems used by law enforcement authorities for the purposes of prevention, detection, investigation and prosecution of criminal offences.
AI systems used in migration, asylum and border control management affect people who are often in particularly vulnerable position and who are dependent on the outcome of the actions of the competent public authorities. The accuracy, non-discriminatory nature and transparency of the AI systems used in those contexts are therefore particularly important to guarantee the respect of the fundamental rights of the affected persons, notably their rights to free movement, non-discrimination, protection of private life and personal data, international protection and good administration. It is therefore appropriate to classify as high-risk AI systems intended to be used by the competent public authorities charged with tasks in the fields of migration, asylum and border control management as polygraphs and similar tools or to detect the emotional state of a natural person; for assessing certain risks posed by natural persons entering the territory of a Member State or applying for visa or asylum;for verifying the authenticity of the relevant documents of natural persons; for assisting competent public authorities for the examination of applications for asylum, visa and residence permits and associated complaints with regard to the objective to establish the eligibility of the natural persons applying for a status.AI systems in the area of migration, asylum and border control management covered by this Regulation should comply with the relevant procedural requirements set by the Directive 2013/32/EU of the European Parliament and of the Council 49 , the Regulation (EC) No 810/2009 of the European Parliament and of the Council 50 and other relevant legislation.
Certain AI systemsintended for the administration of justice and democratic processesshould be classified as high-risk, considering their potentially significant impact on democracy, rule of law, individual freedoms as well as the right to an effective remedy and to a fair trial. In particular, to address the risks of potential biases, errors and opacity, it is appropriate to qualify as high-risk AI systems intended to assist judicial authorities in researching and interpreting facts and the law and in applying the law to a concrete set of facts. Such qualification should not extend, however, to AI systems intended for purely ancillary administrative activities that do not affect the actual administration of justice in individual cases, such as anonymisation or pseudonymisation of judicial decisions, documents or data, communication between personnel, administrative tasks or allocation of resources.
The fact that an AI system is classified as high risk under this Regulation should not be interpreted as indicating that the use of the system is necessarily lawful under other acts of Union law or under national law compatible with Union law, such as on the protection of personal data, on the use of polygraphs and similar tools or other systems to detect the emotional state of natural persons. Any such use should continue to occur solely in accordance with the applicable requirements resulting from the Charter and from the applicable acts of secondary Union law and national law. This Regulation should not be understood as providing for the legal ground for processing of personal data, including special categories of personal data, where relevant.
To mitigate the risks from high-risk AI systems placed or otherwise put into service on the Union market for users and affected persons, certain mandatory requirements should apply, taking into account the intended purpose of the use of the system and according to the risk management system to be established by the provider.
Requirements should apply to high-risk AI systems as regards the quality of data sets used, technical documentation and record-keeping, transparency and the provision of information to users, human oversight, and robustness, accuracy and cybersecurity. Those requirements are necessary to effectively mitigate the risks for health, safety and fundamental rights, as applicable in the light of the intended purpose of the system, and no other less trade restrictive measures are reasonably available, thus avoiding unjustified restrictions to trade.
High data quality is essential for the performance of many AI systems, especially when techniques involving the training of models are used, with a view to ensure that the high-risk AI system performs as intended and safely and it does not become the source of discrimination prohibited by Union law. High quality training, validation and testing data sets require the implementation of appropriate data governance and management practices. Training, validation and testing data sets should be sufficiently relevant, representative and free of errors and complete in view of the intended purpose of the system. They should also have the appropriate statistical properties, including as regards the persons or groups of persons on which the high-risk AI system is intended to be used. In particular, training, validation and testing data sets should take into account, to the extent required in the light of their intended purpose, the features, characteristics or elements that are particular to the specific geographical, behavioural or functional setting or context within which the AI system is intended to be used. In order to protect the right of others from the discrimination that might result from the bias in AI systems, the providers shouldbe able to process also special categories of personal data, as a matter of substantial public interest, in order to ensure the bias monitoring, detection and correction in relation to high-risk AI systems.
For the development of high-risk AI systems, certain actors, such as providers, notified bodies and other relevant entities, such as digital innovation hubs, testing experimentation facilities and researchers, should be able to access and use high quality datasets within their respective fields of activities which are related to this Regulation. European common data spaces established by the Commission and the facilitation of data sharing between businesses and with government in the public interest will be instrumental to provide trustful, accountable and non-discriminatory access to high quality data for the training, validation and testing of AI systems. For example, in health, the European health data space will facilitate non-discriminatory access to health data and the training of artificial intelligence algorithms on those datasets, in a privacy-preserving, secure, timely, transparent and trustworthy manner, and with an appropriate institutional governance. Relevant competent authorities, including sectoral ones, providing or supporting the access to data may also support the provision of high-quality data for the training, validation and testing of AI systems.
Having information on how high-risk AI systems have been developed and how they perform throughout their lifecycle is essential to verify compliance with the requirements under this Regulation. This requires keeping records and the availability of a technical documentation, containing information which is necessary to assess the compliance of the AI system with the relevant requirements. Such information should include the general characteristics, capabilities and limitations of the system, algorithms, data, training, testing and validation processes used as well as documentation on the relevant risk management system. The technical documentation should be kept up to date.
To address the opacity that may make certain AI systems incomprehensible to or too complex for natural persons, a certain degree of transparency should be required for high-risk AI systems. Users should be able to interpret the system output and use it appropriately. High-risk AI systems should therefore be accompanied by relevant documentation and instructions of use and include concise and clear information, including in relation to possible risks to fundamental rights and discrimination, where appropriate.
High-risk AI systems should be designed and developed in such a way that natural persons can oversee their functioning. For this purpose, appropriate human oversight measures should be identified by the provider of the system before its placing on the market or putting into service. In particular, where appropriate, such measures should guarantee that the system is subject to in-built operational constraints that cannot be overridden by the system itself and is responsive to the human operator, and that the natural persons to whom human oversight has been assigned have the necessary competence, training and authority to carry out that role.
High-risk AI systems should perform consistently throughout their lifecycle and meet an appropriate level of accuracy, robustness and cybersecurity in accordance with the generally acknowledged state of the art. The level of accuracy and accuracy metrics should be communicated to the users.
The technical robustness is a key requirement for high-risk AI systems. They should be resilient against risks connected to the limitations of the system (e.g. errors, faults, inconsistencies, unexpected situations) as well as against malicious actions that may compromise the security of the AI system and result in harmful or otherwise undesirable behaviour. Failure to protect against these risks could lead to safety impacts or negatively affect the fundamental rights, for example due to erroneous decisions or wrong or biased outputs generated by the AI system.
Cybersecurity plays a crucial role in ensuring that AI systems are resilient against attempts to alter their use, behaviour, performance or compromise their security properties by malicious third parties exploiting the system’s vulnerabilities. Cyberattacks against AI systems can leverage AI specific assets, such as training data sets (e.g. data poisoning) or trained models (e.g. adversarial attacks), or exploit vulnerabilities in the AI system’s digital assets or the underlying ICT infrastructure. To ensure a level of cybersecurity appropriate to the risks, suitable measures should therefore be taken by the providers of high-risk AI systems, also taking into account as appropriate the underlying ICT infrastructure.
As part of Union harmonisation legislation, rules applicable to the placing on the market, putting into service and use of high-risk AI systems should be laid down consistently with Regulation (EC) No 765/2008 of the European Parliament and of the Council 51 setting out the requirements for accreditation and the market surveillance of products, Decision No 768/2008/EC of the European Parliament and of the Council 52 on a common framework for the marketing of products and Regulation (EU) 2019/1020 of the European Parliament and of the Council 53 on market surveillance and compliance of products (‘New Legislative Framework for the marketing of products’).
It is appropriate that a specific natural or legal person, defined as the provider, takes the responsibility for the placing on the market or putting into service of a high-risk AI system, regardless of whether that natural or legal person is the person who designed or developed the system.
The provider should establish a sound quality management system, ensure the accomplishment of the required conformity assessment procedure, draw up the relevant documentation and establish a robust post-market monitoring system. Public authorities which put into service high-risk AI systems for their own use may adopt and implement the rules for the quality management system as part of the quality management system adopted at a national or regional level, as appropriate, taking into account the specificities of the sector and the competences and organisation of the public authority in question.
Where a high-risk AI system that is a safety component of a product which is covered by a relevant New Legislative Framework sectorial legislation is not placed on the market or put into service independently from the product, the manufacturer of the final product as defined under the relevant New Legislative Framework legislation should comply with the obligations of the provider established in this Regulation and notably ensure that the AI system embedded in the final product complies with the requirements of this Regulation.
To enable enforcement of this Regulation and create a level-playing field for operators, and taking into account the different forms of making available of digital products, it is important to ensure that, under all circumstances, a person established in the Union can provide authorities with all the necessary information on the compliance of an AI system. Therefore, prior to making their AI systems available in the Union, where an importer cannot be identified, providers established outside the Union shall, by written mandate, appoint an authorised representative established in the Union.
In line with New Legislative Framework principles, specific obligations for relevant economic operators, such as importers and distributors, should be set to ensure legal certainty and facilitate regulatory compliance by those relevant operators.
Given the nature of AI systems and the risks to safety and fundamental rights possibly associated with their use, including as regard the need to ensure proper monitoring of the performance of an AI system in a real-life setting, it is appropriate to set specific responsibilities for users. Users should in particular use high-risk AI systems in accordance with the instructions of use and certain other obligations should be provided for with regard to monitoring of the functioning of the AI systems and with regard to record-keeping, as appropriate.
It is appropriate to envisage that the user of the AI system should be the natural or legal person, public authority, agency or other body under whose authority the AI system is operated except where the use is made in the course of a personal non-professional activity.
In the light of the complexity of the artificial intelligence value chain, relevant third parties, notably the ones involved in the sale and the supply of software, software tools and components, pre-trained models and data, or providers of network services, should cooperate, as appropriate, with providers and users to enable their compliance with the obligations under this Regulation and with competent authorities established under this Regulation.
Standardisation should play a key role to provide technical solutions to providers to ensure compliance with this Regulation. Compliance with harmonised standards as defined in Regulation (EU) No 1025/2012 of the European Parliament and of the Council 54 should be a means for providers to demonstrate conformity with the requirements of this Regulation. However, the Commission could adopt common technical specifications in areas where no harmonised standards exist or where they are insufficient.
In order to ensure a high level of trustworthiness of high-risk AI systems, those systems should be subject to a conformity assessment prior to their placing on the market or putting into service.
It is appropriate that, in order to minimise the burden on operators and avoid any possible duplication, for high-risk AI systems related to products which are covered by existing Union harmonisation legislation following the New Legislative Framework approach, the compliance of those AI systems with the requirements of this Regulation should be assessed as part of the conformity assessment already foreseen under that legislation. The applicability of the requirements of this Regulation should thus not affect the specific logic, methodology or general structure of conformity assessment under the relevant specific New Legislative Framework legislation. This approach is fully reflected in the interplay between this Regulation and the [Machinery Regulation]. While safety risks of AI systems ensuring safety functions in machinery are addressed by the requirements of this Regulation, certain specific requirements in the [Machinery Regulation] will ensure the safe integration of the AI system into the overall machinery, so as not to compromise the safety of the machinery as a whole. The [Machinery Regulation] applies the same definition of AI system as this Regulation.
Given the more extensive experience of professional pre-market certifiers in the field of product safety and the different nature of risks involved, it is appropriate to limit, at least in an initial phase of application of this Regulation, the scope of application of third-party conformity assessment for high-risk AI systems other than those related to products. Therefore, the conformity assessment of such systems should be carried out as a general rule by the provider under its own responsibility, with the only exception of AI systems intended to be used for the remote biometric identification of persons, for which the involvement of a notified body in the conformity assessment should be foreseen, to the extent they are not prohibited.
In order to carry out third-party conformity assessment for AI systems intended to be used for the remote biometric identification of persons, notified bodies should be designated under this Regulation by the national competent authorities, provided they are compliant with a set of requirements, notably on independence, competence and absence of conflicts of interests.
In line with the commonly established notion of substantial modification for products regulated by Union harmonisation legislation, it is appropriate that an AI system undergoes a new conformity assessment whenever a change occurs which may affect the compliance of the system with this Regulation or when the intended purpose of the system changes. In addition, as regards AI systems which continue to ‘learn’ after being placed on the market or put into service (i.e. they automatically adapt how functions are carried out), it is necessary to provide rules establishing that changes to the algorithm and its performance that have been pre-determined by the provider and assessed at the moment of the conformity assessment should not constitute a substantial modification.
High-risk AI systems should bear the CE marking to indicate their conformity with this Regulation so that they can move freely within the internal market. Member States should not create unjustified obstacles to the placing on the market or putting into service of high-risk AI systems that comply with the requirements laid down in this Regulation and bear the CE marking.
Under certain conditions, rapid availability of innovative technologies may be crucial for health and safety of persons and for society as a whole. It is thus appropriate that under exceptional reasons of public security or protection of life and health of natural persons and the protection of industrial and commercial property, Member States could authorise the placing on the market or putting into service of AI systems which have not undergone a conformity assessment.
In order to facilitate the work of the Commission and the Member States in the artificial intelligence field as well as to increase the transparency towards the public, providers of high-risk AI systems other than those related to products falling within the scope of relevant existing Union harmonisation legislation, should be required to register their high-risk AI system in a EU database, to be established and managed by the Commission. The Commission should be the controller of that database, in accordance with Regulation (EU) 2018/1725 of the European Parliament and of the Council 55 . In order to ensure the full functionality of the database, when deployed, the procedure for setting the database should include the elaboration of functional specifications by the Commission and an independent audit report.
Certain AI systems intended to interact with natural persons or to generate content may pose specific risks of impersonation or deception irrespective of whether they qualify as high-risk or not. In certain circumstances, the use of these systems should therefore be subject to specific transparency obligations without prejudice to the requirements and obligations for high-risk AI systems. In particular, natural persons should be notified that they are interacting with an AI system, unless this is obvious from the circumstances and the context of use. Moreover, natural persons should be notified when they are exposed to an emotion recognition system or a biometric categorisation system. Such information and notifications should be provided in accessible formats for persons with disabilities. Further, users, who use an AI system to generate or manipulate image, audio or video content that appreciably resembles existing persons, places or events and would falsely appear to a person to be authentic, should disclose that the content has been artificially created or manipulated by labelling the artificial intelligence output accordingly and disclosing its artificial origin.
Artificial intelligence is a rapidly developing family of technologies that requires novel forms of regulatory oversight and a safe space for experimentation, while ensuring responsible innovation and integration of appropriate safeguards and risk mitigation measures. To ensure a legal framework that is innovation-friendly, future-proof and resilient to disruption, national competent authorities from one or more Member States should be encouraged to establish artificial intelligence regulatory sandboxes to facilitate the development and testing of innovative AI systems under strict regulatory oversight before these systems are placed on the market or otherwise put into service.
The objectives of the regulatory sandboxes should be to foster AI innovation by establishing a controlled experimentation and testing environment in the development and pre-marketing phase with a view to ensuring compliance of the innovative AI systems with this Regulation and other relevant Union and Member States legislation; to enhance legal certainty for innovators and the competent authorities’ oversight and understanding of the opportunities, emerging risks and the impacts of AI use, and to accelerate access to markets, including by removing barriers for small and medium enterprises (SMEs) and start-ups. To ensure uniform implementation across the Union and economies of scale, it is appropriate to establish common rules for the regulatory sandboxes’ implementation and a framework for cooperation between the relevant authorities involved in the supervision of the sandboxes. This Regulation should provide the legal basis for the use of personal data collected for other purposes for developing certain AI systems in the public interest within the AI regulatory sandbox, in line with Article 6(4) of Regulation (EU) 2016/679, and Article 6 of Regulation (EU) 2018/1725, and without prejudice to Article 4(2) of Directive (EU) 2016/680. Participants in the sandbox should ensure appropriate safeguards and cooperate with the competent authorities, including by following their guidance and acting expeditiously and in good faith to mitigate any high-risks to safety and fundamental rights that may arise during the development and experimentation in the sandbox. The conduct of the participants in the sandbox should be taken into account when competent authorities decide whether to impose an administrative fine under Article 83(2) of Regulation 2016/679 and Article 57 of Directive 2016/680.
In order to promote and protect innovation, it is important that the interests of small-scale providers and users of AI systems are taken into particular account. To this objective, Member States should develop initiatives, which are targeted at those operators, including on awareness raising and information communication. Moreover, the specific interests and needs of small-scale providers shall be taken into account when Notified Bodies set conformity assessment fees. Translation costs related to mandatory documentation and communication with authorities may constitute a significant cost for providers and other operators, notably those of a smaller scale. Member States should possibly ensure that one of the languages determined and accepted by them for relevant providers’ documentation and for communication with operators is one which is broadly understood by the largest possible number of cross-border users.
In order to minimise the risks to implementation resulting from lack of knowledge and expertise in the market as well as to facilitate compliance of providers and notified bodies with their obligations under this Regulation, the AI-on demand platform, the European Digital Innovation Hubs and the Testing and Experimentation Facilities established by the Commission and the Member States at national or EU level should possibly contribute to the implementation of this Regulation. Within their respective mission and fields of competence, they may provide in particular technical and scientific support to providers and notified bodies.
It is appropriate that the Commission facilitates, to the extent possible, access to Testing and Experimentation Facilities to bodies, groups or laboratories established or accredited pursuant to any relevant Union harmonisation legislation and which fulfil tasks in the context of conformity assessment of products or devices covered by that Union harmonisation legislation. This is notably the case for expert panels, expert laboratories and reference laboratories in the field of medical devices pursuant to Regulation (EU) 2017/745 and Regulation (EU) 2017/746.
In order to facilitate a smooth, effective and harmonised implementation of this Regulation a European Artificial Intelligence Board should be established. The Board should be responsible for a number of advisory tasks, including issuing opinions, recommendations, advice or guidance on matters related to the implementation of this Regulation, including on technical specifications or existing standards regarding the requirements established in this Regulation and providing advice to and assisting the Commission on specific questions related to artificial intelligence.
Member States hold a key role in the application and enforcement of this Regulation. In this respect, each Member State should designate one or more national competent authorities for the purpose of supervising the application and implementation of this Regulation. In order to increase organisation efficiency on the side of Member States and to set an official point of contact vis-à-vis the public and other counterparts at Member State and Union levels, in each Member State one national authority should be designated as national supervisory authority.
In order to ensure that providers of high-risk AI systems can take into account the experience on the use of high-risk AI systems for improving their systems and the design and development process or can take any possible corrective action in a timely manner, all providers should have a post-market monitoring system in place. This system is also key to ensure that the possible risks emerging from AI systems which continue to ‘learn’ after being placed on the market or put into service can be more efficiently and timely addressed. In this context, providers should also be required to have a system in place to report to the relevant authorities any serious incidents or any breaches to national and Union law protecting fundamental rights resulting from the use of their AI systems.
In order to ensure an appropriate and effective enforcement of the requirements and obligations set out by this Regulation, which is Union harmonisation legislation, the system of market surveillance and compliance of products established by Regulation (EU) 2019/1020 should apply in its entirety. Where necessary for their mandate, national public authorities or bodies, which supervise the application of Union law protecting fundamental rights, including equality bodies, should also have access to any documentation created under this Regulation.
Union legislation on financial services includes internal governance and risk management rules and requirements which are applicable to regulated financial institutions in the course of provision of those services, including when they make use of AI systems. In order to ensure coherent application and enforcement of the obligations under this Regulation and relevant rules and requirements of the Union financial services legislation, the authorities responsible for the supervision and enforcement of the financial services legislation,including where applicable the European Central Bank, should be designated as competent authorities for the purpose of supervising the implementation of this Regulation, including for market surveillance activities, as regards AI systems provided or used by regulated and supervised financial institutions. To further enhance the consistency between this Regulation and the rules applicable to credit institutions regulated under Directive 2013/36/EU of the European Parliament and of the Council 56 , it is also appropriate to integrate the conformity assessment procedure and some of the providers’ procedural obligations in relation to risk management, post marketing monitoring and documentation into the existing obligations and procedures under Directive 2013/36/EU. In order to avoid overlaps, limited derogations should also be envisaged in relation to the quality management system of providers and the monitoring obligation placed on users of high-risk AI systems to the extent that these apply to credit institutions regulated by Directive 2013/36/EU.
The development of AI systems other than high-risk AI systems in accordance with the requirements of this Regulation may lead to a larger uptake of trustworthy artificial intelligence in the Union. Providers of non-high-risk AI systems should be encouraged to create codes of conduct intended to foster the voluntary application of the mandatory requirements applicable to high-risk AI systems. Providers should also be encouraged to apply on a voluntary basis additional requirements related, for example, to environmental sustainability, accessibility to persons with disability, stakeholders’ participation in the design and development of AI systems, and diversity of the development teams. The Commission may develop initiatives, including of a sectorial nature, to facilitate the lowering of technical barriers hindering cross-border exchange of data for AI development, including on data access infrastructure, semantic and technical interoperability of different types of data.
It is important that AI systems related to products that are not high-risk in accordance with this Regulation and thus are not required to comply with the requirements set out herein are nevertheless safe when placed on the market or put into service. To contribute to this objective,the Directive 2001/95/EC of the European Parliament and of the Council 57 would apply as a safety net.
In order to ensure trustful and constructive cooperation of competent authorities on Union and national level, all parties involved in the application of this Regulation should respect the confidentiality of information and data obtained in carrying out their tasks.
Member States should take all necessary measures to ensure that the provisions of this Regulation are implemented, including by laying down effective, proportionate and dissuasive penalties for their infringement. For certain specific infringements, Member States should take into account the margins and criteria set out in this Regulation. The European Data Protection Supervisor should have the power to impose fines on Union institutions, agencies and bodies falling within the scope of this Regulation.
In order to ensure that the regulatory framework can be adapted where necessary, the power to adopt acts in accordance with Article 290 TFEU should be delegated to the Commission to amend the techniques and approaches referred to in Annex I to define AI systems, the Union harmonisation legislation listed in Annex II, the high-risk AI systems listed in Annex III, the provisions regarding technical documentation listed in Annex IV, the content of the EU declaration of conformity in Annex V, the provisions regarding the conformity assessment procedures in Annex VI and VII and the provisions establishing the high-risk AI systems to which the conformity assessment procedure based on assessment of the quality management system and assessment of the technical documentation should apply. It is of particular importance that the Commission carry out appropriate consultations during its preparatory work, including at expert level, and that those consultations be conducted in accordance with the principles laid down in the Interinstitutional Agreement of 13 April 2016 on Better Law-Making 58 . In particular, to ensure equal participation in the preparation of delegated acts, the European Parliament and the Council receive all documents at the same time as Member States’ experts, and their experts systematically have access to meetings of Commission expert groups dealing with the preparation of delegated acts.
In order to ensure uniform conditions for the implementation of this Regulation, implementing powers should be conferred on the Commission. Those powers should be exercised in accordance with Regulation (EU) No 182/2011 of the European Parliament and of the Council 59 .
Since the objective of this Regulation cannot be sufficiently achieved by the Member States and can rather, by reason of the scale or effects of the action, be better achieved at Union level, the Union may adopt measures in accordance with the principle of subsidiarity as set out in Article 5 TEU. In accordance with the principle of proportionality as set out in that Article, this Regulation does not go beyond what is necessary in order to achieve that objective.
This Regulation should apply from … [OP — please insert the date established in Art. 85]. However, the infrastructure related to the governance and the conformity assessment system should be operational before that date, therefore the provisions on notified bodies and governance structure should apply from … [OP — please insert the date — three months following the entry into force of this Regulation]. In addition, Member States should lay down and notify to the Commission the rules on penalties, including administrative fines, and ensure that they are properly and effectively implemented by the date of application of this Regulation. Therefore the provisions on penalties should apply from [OP — please insert the date — twelve months following the entry into force of this Regulation].
The European Data Protection Supervisor and the European Data Protection Board were consulted in accordance with Article 42(2) of Regulation (EU) 2018/1725 and delivered an opinion on […]“.
HAVE ADOPTED THIS REGULATION:
This Regulation lays down:
(a) harmonised rules for the placing on the market, the putting into service and the use of artificial intelligence systems (‘AI systems’) in the Union;
(a) prohibitions of certain artificial intelligence practices;
(b) specific requirements for high-risk AI systems and obligations for operators of such systems;
(c) harmonised transparency rules for AI systems intended to interact with natural persons, emotion recognition systems and biometric categorisation systems, and AI systems used to generate or manipulate image, audio or video content;
(d) rules on market monitoring and surveillance.
(a) providers placing on the market or putting into service AI systems in the Union, irrespective of whether those providers are established within the Union or in a third country;
(b) users of AI systems located within the Union;
(c) providers and users of AI systems that are located in a third country, where the output produced by the system is used in the Union;
(a) Regulation (EC) 300/2008;
(b) Regulation (EU) No 167/2013;
(c) Regulation (EU) No 168/2013;
(d) Directive 2014/90/EU;
(e) Directive (EU) 2016/797;
(f) Regulation (EU) 2018/858;
(g) Regulation (EU) 2018/1139;
(h) Regulation (EU) 2019/2144.
This Regulation shall not apply to AI systems developed or used exclusively for military purposes.
This Regulation shall not apply to public authorities in a third country nor to international organisations falling within the scope of this Regulation pursuant to paragraph 1, where those authorities or organisations use AI systems in the framework of international agreements for law enforcement and judicial cooperation with the Union or with one or more Member States.
This Regulation shall not affect the application of the provisions on the liability of intermediary service providers set out in Chapter II, Section IV of Directive 2000/31/EC of the European Parliament and of the Council 60 [as to be replaced bythe corresponding provisions of the Digital Services Act].
For the purpose of this Regulation, the following definitions apply:
(1) ‘artificial intelligence system’ (AI system) means software that is developed with one or more of the techniques and approaches listed in Annex I and can, for a given set of human-defined objectives, generate outputs such as content, predictions, recommendations, or decisions influencing the environments they interact with;
(2) ‘provider’ means a natural or legal person, public authority, agency or other body that develops an AI system or that has an AI system developed with a view to placing it on the market or putting it into service under its own name or trademark, whether for payment or free of charge;
(3) ‘small-scale provider’ means a provider that is a micro or small enterprise within the meaning of Commission Recommendation 2003/361/EC 61 ;
(4) ‘user’ means any natural or legal person, public authority, agency or other body using an AI system under its authority, except where the AI system is used in the course of a personal non-professional activity;
(5) ‘authorised representative’ means any natural or legal person established in the Union who has received a written mandate from a provider of an AI system to, respectively, perform and carry out on its behalf the obligations and procedures established by this Regulation;
(6) ‘importer’ means any natural or legal person established in the Union that places on the market or puts into service an AI system that bears the name or trademark of a natural or legal person established outside the Union;
(7) ‘distributor’ means any natural or legal person in the supply chain, other than the provider or the importer, that makes an AI system available on the Union market without affecting its properties;
(8) ‘operator’ means the provider, the user, the authorised representative, the importer and the distributor;
(9) ‘placing on the market’ means the first making available of an AI system on the Union market;
(10) ‘making available on the market’ means any supply of an AI system for distribution or use on the Union market in the course of a commercial activity, whether in return for payment or free of charge;
(11) ‘putting into service’ means the supply of an AI system for first use directly to the user or for own use on the Union market for its intended purpose;
(12) ‘intended purpose’ means the use for which an AI system is intended by the provider, including the specific context and conditions of use, as specified in the information supplied by the provider in the instructions for use, promotional or sales materials and statements, as well as in the technical documentation;
(13) ‘reasonably foreseeable misuse’ means the use of an AI system in a way that is not in accordance with its intended purpose, but which may result from reasonably foreseeable human behaviour or interaction with other systems;
(14) ‘safety component of a product or system’ means a component of a product or of a system which fulfils a safety function for that product or system or the failure or malfunctioning of which endangers the health and safety of persons or property;
(15) ‘instructions for use’ means the information provided by the provider to inform the user of in particular an AI system’s intended purpose and proper use, inclusive of the specific geographical, behavioural or functional setting within which the high-risk AI system is intended to be used;
(16) ‘recall of an AI system’ means any measure aimed at achieving the return to the provider of an AI system made available to users;
(17) ‘withdrawal of an AI system’ means any measure aimed at preventing the distribution, display and offer of an AI system;
(18) ‘performance of an AI system’ means the ability of an AI system to achieve its intended purpose;
(19) ‘notifying authority’ means the national authority responsible for setting up and carrying out the necessary procedures for the assessment, designation and notification of conformity assessment bodies and for their monitoring;
(20) ‘conformity assessment’ means the process of verifying whether the requirements set out in Title III, Chapter 2 of this Regulation relating to an AI system have been fulfilled;
(21) ‘conformity assessment body’ means a body that performs third-party conformity assessment activities, including testing, certification and inspection;
(22) ‘notified body’ means a conformity assessment body designated in accordance with this Regulation and other relevant Union harmonisation legislation;
(23) ‘substantial modification’ means a change to the AI system following its placing on the market or putting into service which affects the compliance of the AI system with the requirements set out in Title III, Chapter 2 of this Regulation or results in a modification to the intended purpose for which the AI system has been assessed;
(24) ‘CE marking of conformity’ (CE marking) means a marking by which a provider indicates that an AI system is in conformity with the requirements set out in Title III, Chapter 2 of this Regulation and other applicable Union legislation harmonising the conditions for the marketing of products (‘Union harmonisation legislation’) providing for its affixing;
(25) ‘post-market monitoring’ means all activities carried out by providers of AI systems to proactively collect and review experience gained from the use of AI systems they place on the market or put into service for the purpose of identifying any need to immediately apply any necessary corrective or preventive actions;
(26) ‘market surveillance authority’ means the national authority carrying out the activities and taking the measures pursuant to Regulation (EU) 2019/1020;
(27) ‘harmonised standard’ means a European standard as defined in Article 2(1)(c) of Regulation (EU) No 1025/2012;
(28) ‘common specifications’ means a document, other than a standard, containing technical solutions providing a means to, comply with certain requirements and obligations established under this Regulation;
(29) ‘training data’ means data used for training an AI system through fitting its learnable parameters, including the weights of a neural network;
(30) ‘validation data’ means data used for providing an evaluation of the trained AI system and for tuning its non-learnable parameters and its learning process, among other things, in order to prevent overfitting; whereas the validation dataset can be a separate dataset or part of the training dataset, either as a fixed or variable split;
(31) ‘testing data’ means data used for providing an independent evaluation of the trained and validated AI system in order to confirm the expected performance of that system before its placing on the market or putting into service;
(32) ‘input data’ means data provided to or directly acquired by an AI system on the basis of which the system produces an output;
(33) ‘biometric data’ means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;
(34) ‘emotion recognition system’ means an AI system for the purpose of identifying or inferring emotions or intentions of natural persons on the basis of their biometric data;
(35) ‘biometric categorisation system’ means an AI system for the purpose of assigning natural persons to specific categories, such as sex, age, hair colour, eye colour, tattoos, ethnic origin or sexual or political orientation, on the basis of their biometric data;
(36) ‘remote biometric identification system’ means an AI system for the purpose of identifying natural persons at a distance through the comparison of a person’s biometric data with the biometric data contained in a reference database, and without prior knowledge of the user of the AI system whether the person will be present and can be identified ;
(37) ”real-time’ remote biometric identification system’ means a remote biometric identification system whereby the capturing of biometric data, the comparison and the identification all occur without a significant delay. This comprises not only instant identification, but also limited short delays in order to avoid circumvention.
(38) ”post’ remote biometric identification system’ means a remote biometric identification system other than a ‘real-time’ remote biometric identification system;
(39) ‘publicly accessible space’ means any physical place accessible to the public, regardless of whether certain conditions for access may apply;
(40) ‘law enforcement authority’ means:
(a) any public authority competent for the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security; or
(b) any other body or entity entrusted by Member State law to exercise public authority and public powers for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security;
(41) ‘law enforcement’ means activities carried out by law enforcement authorities for the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security;
(42) ‘national supervisory authority’ means the authority to which a Member State assigns the responsibility for the implementation and application of this Regulation, for coordinating the activities entrusted to that Member State, for acting as the single contact point for the Commission, and for representing the Member State at the European Artificial Intelligence Board;
(43) ‘national competent authority’ means the national supervisory authority, the notifying authority and the market surveillance authority;
(44) ‘serious incident’ means any incident that directly or indirectly leads, might have led or might lead to any of the following:
(a) the death of a person or serious damage to a person’s health, to property or the environment,
(b) a serious and irreversible disruption of the management and operation of critical infrastructure.
The Commission is empowered to adopt delegated acts in accordance with Article 73 to amend the list of techniques and approaches listed in Annex I, in order to update that list to market and technological developments on the basis of characteristics that are similar to the techniques and approaches listed therein.
(a) the placing on the market, putting into service or use of an AI system that deploys subliminal techniques beyond a person’s consciousness in order to materially distort a person’s behaviour in a manner that causes or is likely to cause that person or another person physical or psychological harm;
(b) the placing on the market, putting into service or use of an AI system that exploits any of the vulnerabilities of a specific group of persons due to their age, physical or mental disability, in order to materially distort the behaviour of a person pertaining to that group in a manner that causes or is likely to cause that person or another person physical or psychological harm;
(c) the placing on the market, putting into service or use of AI systems by public authorities or on their behalf for the evaluation or classification of the trustworthiness of natural persons over a certain period of time based on their social behaviour or known or predicted personal or personality characteristics, with the social score leading to either or both of the following:
(i) detrimental or unfavourable treatment of certain natural persons or whole groups thereof in social contexts which are unrelated to the contexts in which the data was originally generated or collected;
(ii) detrimental or unfavourable treatment of certain natural persons or whole groups thereof that is unjustified or disproportionate to their social behaviour or its gravity;
(d) the use of ‘real-time’ remote biometric identification systems in publicly accessible spaces for the purpose of law enforcement, unless and in as far as such use is strictly necessary for one of the following objectives:
(i) the targeted search for specific potential victims of crime, including missing children;
(ii) the prevention of a specific, substantial and imminentthreat to the life or physical safety of natural persons or of a terrorist attack;
(iii) the detection, localisation, identification or prosecution of a perpetrator or suspect of a criminal offence referred to in Article 2(2) of Council Framework Decision 2002/584/JHA 62 and punishable in the Member State concerned by a custodial sentence or a detention order for a maximum period of at least three years, as determined by the law of that Member State.
(a) the nature of the situation giving rise to the possible use, in particular the seriousness, probability and scale of the harm caused in the absence of the use of the system;
(b) the consequences of the use of the system for the rights and freedoms of all persons concerned, in particular the seriousness, probability and scale of those consequences.
In addition, the use of ‘real-time’ remote biometric identification systems in publicly accessible spaces for the purpose of law enforcement for any of the objectives referred to in paragraph 1 point d) shall comply with necessary and proportionate safeguards and conditions in relation to the use, in particular as regards the temporal, geographic and personal limitations.
The competent judicial or administrative authority shall only grant the authorisation where it is satisfied, based on objective evidence or clear indications presented to it, that the use of the ‘real-time’ remote biometric identification system at issue is necessary for and proportionate to achieving one of the objectives specified in paragraph 1, point (d), as identified in the request. In deciding on the request, the competent judicial or administrative authority shall take into account the elements referred to in paragraph 2.
(a) the AI system is intended to be used as a safety component of a product, or is itself a product, covered by the Union harmonisation legislation listed in Annex II;
(b) the product whose safety component is the AI system, or the AI system itself as a product, is required to undergo a third-party conformity assessment with a view to the placing on the market or putting into service of that product pursuant to the Union harmonisation legislation listed in Annex II.
(a) the AI systems are intended to be used in any of the areas listed in points 1 to 8 of Annex III;
(b) the AI systems pose a risk of harm to the health and safety, or a risk of adverse impact on fundamental rights, that is, in respect of its severity and probability of occurrence, equivalent to or greater than the risk of harm or of adverse impact posed by the high-risk AI systems already referred to in Annex III.
(a) the intended purpose of the AI system;
(b) the extent to which an AI system has been used or is likely to be used;
(c) the extent to which the use of an AI system has already caused harm to the health and safety or adverse impact on the fundamental rights or has given rise to significant concerns in relation to the materialisation of such harm or adverse impact, as demonstrated by reports or documented allegations submitted to national competent authorities;
(d) the potential extent of such harm or such adverse impact, in particular in terms of its intensity and its ability to affect a plurality of persons;
(e) the extent to which potentially harmed or adversely impacted persons are dependent on the outcome produced with an AI system, in particular because for practical or legal reasons it is not reasonably possible to opt-out from that outcome;
(f) the extent to which potentially harmed or adversely impacted persons are in a vulnerable position in relation to the user of an AI system, in particular due to an imbalance of power, knowledge, economic or social circumstances, or age;
(g) the extent to which the outcome produced with an AI system is easily reversible, whereby outcomes having an impact on the health or safety of persons shall not be considered as easily reversible;
(h) the extent to which existing Union legislation provides for:
(i) effective measures of redress in relation to the risks posed by an AI system, with the exclusion of claims for damages;
(ii) effective measures to prevent or substantially minimise those risks.
High-risk AI systems shall comply with the requirements established in this Chapter.
The intended purpose of the high-risk AI system and the risk management system referred to in Article 9 shall be taken into account when ensuring compliance with those requirements.
A risk management system shall be established, implemented, documented and maintained in relation to high-risk AI systems.
The risk management system shall consist of a continuous iterative process run throughout the entire lifecycle of a high-risk AI system, requiring regular systematic updating. It shall comprise the following steps:
(a) identification and analysis of the known and foreseeable risks associated with each high-risk AI system;
(b) estimation and evaluation of the risks that may emerge when the high-risk AI system is used in accordance with its intended purpose and under conditions of reasonably foreseeable misuse;
(c) evaluation of other possibly arising risks based on the analysis of data gathered from the post-market monitoring system referred to in Article 61;
(d) adoption of suitable risk management measures in accordance with the provisions of the following paragraphs.
The risk management measures referred to in paragraph 2, point (d) shall give due consideration to the effects and possible interactions resulting from the combined application of the requirements set out in this Chapter 2. They shall take into account the generally acknowledged state of the art, including as reflected in relevant harmonised standards or common specifications.
The risk management measures referred to in paragraph 2, point (d) shall be such that any residual risk associated with each hazard as well as the overall residual risk of the high-risk AI systems is judged acceptable, provided that the high-risk AI system is used in accordance with its intended purpose or under conditions of reasonably foreseeable misuse. Those residual risks shall be communicated to the user.
In identifying the most appropriate risk management measures, the following shall be ensured:
(a) elimination or reduction of risks as far as possible through adequate design and development;
(b) where appropriate, implementation of adequate mitigation and control measures in relation to risks that cannot be eliminated;
(c) provision of adequate information pursuant to Article 13, in particular as regards the risks referred to in paragraph 2, point (b) of this Article, and, where appropriate, training to users.
In eliminating or reducing risks related to the use of the high-risk AI system, due consideration shall be given to the technical knowledge, experience, education, training to be expected by the user and the environment in which the system is intended to be used.
High-risk AI systems shall be tested for the purposes of identifying the most appropriate risk management measures. Testing shall ensure that high-risk AI systems perform consistently for their intended purpose and they are in compliance with the requirements set out in this Chapter.
Testing procedures shall be suitable to achieve the intended purpose of the AI system and do not need to go beyond what is necessary to achieve that purpose.
The testing of the high-risk AI systems shall be performed, as appropriate, at any point in time throughout the development process, and, in any event, prior to the placing on the market or the putting into service. Testing shall be made against preliminarily defined metrics and probabilistic thresholds that are appropriate to the intended purpose of the high-risk AI system.
When implementing the risk management system described in paragraphs 1 to 7, specific consideration shall be given to whether the high-risk AI system is likely to be accessed by or have an impact on children.
For credit institutions regulated by Directive 2013/36/EU, the aspects described in paragraphs 1 to 8 shall be part of the risk management procedures established by those institutions pursuant to Article 74 of that Directive.
High-risk AI systems which make use of techniques involving the training of models with data shall be developed on the basis of training, validation and testing data sets that meet the quality criteria referred to in paragraphs 2 to 5.
Training, validation and testing data sets shall be subject to appropriate data governance and management practices. Those practices shall concern in particular,
(a) the relevant design choices;
(b) data collection;
(c) relevant data preparation processing operations, such as annotation, labelling, cleaning, enrichment and aggregation;
(d) the formulation of relevant assumptions, notably with respect to the information that the data are supposed to measure and represent;
(e) a prior assessment of the availability, quantity and suitability of the data sets that are needed;
(f) examination in view of possible biases;
(g) the identification of any possible data gaps or shortcomings, and how those gaps and shortcomings can be addressed.
Training, validation and testing data sets shall be relevant, representative, free of errors and complete. They shall have the appropriate statistical properties, including, where applicable, as regards the persons or groups of persons on which the high-risk AI system is intended to be used. These characteristics of the data sets may be met at the level of individual data sets or a combination thereof.
Training, validation and testing data sets shall take into account, to the extent required by the intended purpose, the characteristics or elements that are particular to the specific geographical, behavioural or functional setting within which the high-risk AI system is intended to be used.
To the extent that it is strictly necessary for the purposes of ensuring bias monitoring, detection and correction in relation to the high-risk AI systems, the providers of such systems may process special categories of personal datareferred to in Article 9(1) of Regulation (EU) 2016/679, Article 10 of Directive (EU) 2016/680 and Article 10(1) of Regulation (EU) 2018/1725, subject to appropriate safeguards for the fundamental rights and freedoms of natural persons, including technical limitations on the re-use and use of state-of-the-art security and privacy-preserving measures, such as pseudonymisation, or encryption where anonymisation may significantly affect the purpose pursued.
Appropriate data governance and management practices shall apply for the development of high-risk AI systems other than those which make use of techniques involving the training of models in order to ensure that those high-risk AI systems comply with paragraph 2.
The technical documentation shall be drawn up in such a way to demonstrate that the high-risk AI system complies with the requirements set out in this Chapter and provide national competent authorities and notified bodies with all the necessary information to assess the compliance of the AI system with those requirements. It shall contain, at a minimum, the elements set out in Annex IV.
Where a high-risk AI system related to a product, to which the legal acts listed in Annex II, section A apply, is placed on the market or put into service one single technical documentation shall be drawn up containing all the information set out in Annex IV as well as the information required under those legal acts.
The Commission is empowered to adopt delegated acts in accordance with Article 73 to amend Annex IV where necessary to ensure that, in the light of technical progress, the technical documentation provides all the necessary information to assess the compliance of the system with the requirements set out in this Chapter.
High-risk AI systems shall be designed and developed with capabilities enabling the automatic recording of events (‘logs’) while the high-risk AI systems is operating. Those logging capabilities shall conform to recognised standards or common specifications.
The logging capabilities shall ensure a level of traceability of the AI system’s functioning throughout its lifecycle that is appropriate to the intended purpose of the system.
In particular, logging capabilities shall enable the monitoring of the operation of the high-risk AI system with respect to the occurrence of situations that may result in the AI system presenting a risk within the meaning of Article 65(1) or lead to a substantial modification, and facilitate the post-market monitoring referred to in Article 61.
For high-risk AI systems referred to in paragraph 1, point (a) of Annex III, the logging capabilities shall provide, at a minimum:
(a) recording of the period of each use of the system (start date and time and end date and time of each use);
(b) the reference database against which input data has been checked by the system;
(c) the input data for which the search has led to a match;
(d) the identification of the natural persons involved in the verification of the results, as referred to in Article 14 (5).
High-risk AI systems shall be designed and developed in such a way to ensure that their operation is sufficiently transparent to enable users to interpret the system’s output and use it appropriately. An appropriate type and degree of transparency shall be ensured, with a view to achieving compliance with the relevant obligations of the user and of the provider set out in Chapter 3 of this Title.
High-risk AI systems shall be accompanied by instructions for use in an appropriate digital format or otherwise that include concise, complete, correct and clear information that is relevant, accessible and comprehensible to users.
The information referred to in paragraph 2 shall specify:
(a) the identity and the contact details of the provider and, where applicable, of its authorised representative;
(b) the characteristics, capabilities and limitations of performance of the high-risk AI system, including:
(i) its intended purpose;
(ii) the level of accuracy, robustness and cybersecurity referred to in Article 15 against which the high-risk AI system has been tested and validated and which can be expected, and any known and foreseeable circumstances that may have an impact on that expected level of accuracy, robustness and cybersecurity;
(iii) any known or foreseeable circumstance, related to the use of the high-risk AI system in accordance with its intended purpose or under conditions of reasonably foreseeable misuse, which may lead to risks to the health and safety or fundamental rights;
(iv) its performance as regards the persons or groups of persons on which the system is intended to be used;
(v) when appropriate, specifications for the input data, or any other relevant information in terms of the training, validation and testing data sets used, taking into account the intended purpose of the AI system.
(c) the changes to the high-risk AI system and its performance which have been pre-determined by the provider at the moment of the initial conformity assessment, if any;
(d) the human oversight measures referred to in Article 14, including the technical measures put in place to facilitate the interpretation of the outputs of AI systems by the users;
(e) the expected lifetime of the high-risk AI system and any necessary maintenance and care measures to ensure the proper functioning of that AI system, including as regards software updates.
High-risk AI systems shall be designed and developed in such a way, including with appropriate human-machine interface tools, that they can be effectively overseen by natural persons during the period in which the AI system is in use.
Human oversight shall aim at preventing or minimising the risks to health, safety or fundamental rights that may emerge when a high-risk AI system is used in accordance with its intended purpose or under conditions of reasonably foreseeable misuse, in particular when such risks persist notwithstanding the application of other requirements set out in this Chapter.
Human oversight shall be ensured through either one or all of the following measures:
(a) identified and built, when technically feasible, into the high-risk AI system by the provider before it is placed on the market or put into service;
(b) identified by the providerbefore placing the high-risk AI system on the market or putting it into service and that are appropriate to be implemented by the user.
(a) fully understand the capacities and limitations of the high-risk AI system and be able to duly monitor its operation, so that signs of anomalies, dysfunctions and unexpected performance can be detected and addressed as soon as possible;
(b) remain aware of the possible tendency of automatically relying or over-relying on the output produced by a high-risk AI system (‘automation bias’), in particular for high-risk AI systems used to provide information or recommendations for decisions to be taken by natural persons;
(c) be able to correctly interpret the high-risk AI system’s output, taking into account in particular the characteristics of the system and the interpretation tools and methods available;
(d) be able to decide, in any particular situation, not to use the high-risk AI system or otherwise disregard, override or reverse the output of the high-risk AI system;
(e) be able to intervene on the operation of the high-risk AI system or interrupt the system through a “stop” button or a similar procedure.
High-risk AI systems shall be designed and developed in such a way that they achieve, in the light of their intended purpose, an appropriate level of accuracy, robustness and cybersecurity, and perform consistently in those respects throughout their lifecycle.
The levels of accuracy and the relevant accuracy metrics of high-risk AI systems shall be declared in the accompanying instructions of use.
High-risk AI systems shall be resilient as regards errors, faults or inconsistencies that may occur within the system or the environment in which the system operates, in particular due to their interaction with natural persons or other systems.
The robustness of high-risk AI systems may be achieved through technical redundancy solutions, which may include backup or fail-safe plans.
High-risk AI systems that continue to learn after being placed on the market or put into service shall be developed in such a way to ensure that possibly biased outputs due to outputs used as an input for future operations (‘feedback loops’) are duly addressed with appropriate mitigation measures.
The technical solutions aimed at ensuring the cybersecurity of high-risk AI systems shall be appropriate to the relevant circumstances and the risks.
The technical solutions to address AI specific vulnerabilities shall include, where appropriate, measures to prevent and control for attacks trying to manipulate the training dataset (‘data poisoning’), inputs designed to cause the model to make a mistake (‘adversarial examples’), or model flaws.
Providers of high-risk AI systems shall:
(a) ensure that their high-risk AI systems are compliant with the requirements set out in Chapter 2 of this Title;
(b) have a quality management system in place which complies with Article 17;
(c) draw-up the technical documentation of the high-risk AI system;
(d) when under their control, keep the logs automatically generated by their high-risk AI systems;
(e) ensure that the high-risk AI system undergoes the relevant conformity assessment procedure, prior to its placing on the market or putting into service;
(f) comply with the registration obligations referred to in Article 51;
(g) take the necessary corrective actions, if the high-risk AI system is not in conformity with the requirements set out in Chapter 2 of this Title;
(h) inform the national competent authorities of the Member States in which they made the AI system available or put it into service and, where applicable, the notified body of the non-compliance and of any corrective actions taken;
(i) to affix the CE marking to their high-risk AI systems to indicate the conformity with this Regulation in accordance with Article 49;
(j) upon request of a national competent authority, demonstrate the conformity of the high-risk AI system with the requirements set out in Chapter 2 of this Title.
(a) a strategy for regulatory compliance, including compliance with conformity assessment procedures and procedures for the management of modifications to the high-risk AI system;
(b) techniques, procedures and systematic actions to be used for the design, design control and design verification of the high-risk AI system;
(c) techniques, procedures and systematic actions to be used for the development, quality control and quality assurance of the high-risk AI system;
(d) examination, test and validation procedures to be carried out before, during and after the development of the high-risk AI system, and the frequency with which they have to be carried out;
(e) technical specifications, including standards, to be applied and, where the relevant harmonised standards are not applied in full, the means to be used to ensure that the high-risk AI system complies with the requirements set out in Chapter 2 of this Title;
(f) systems and procedures for data management, including data collection, data analysis, data labelling, data storage, data filtration, data mining, data aggregation, data retention and any other operation regarding the data that is performed before and for the purposes of the placing on the market or putting into service of high-risk AI systems;
(g) the risk management system referred to in Article 9;
(h) the setting-up, implementation and maintenance of a post-market monitoring system, in accordance with Article 61;
(i) procedures related to the reporting of serious incidents and of malfunctioning in accordance with Article 62;
(j) the handling of communication with national competent authorities, competent authorities, including sectoral ones, providing or supporting the access to data, notified bodies, other operators, customers or other interested parties;
(k) systems and procedures for record keeping of all relevant documentation and information;
(l) resource management, including security of supply related measures;
(m) an accountability framework setting out the responsibilities of the management and other staff with regard to all aspects listed in this paragraph.
The implementation of aspects referred to in paragraph 1 shall be proportionate to the size of the provider’s organisation.
For providers that are credit institutions regulated by Directive 2013/36/ EU, the obligation to put a quality management system in place shall be deemed to be fulfilled by complying with the rules on internal governance arrangements, processes and mechanisms pursuant to Article 74 of that Directive. In that context, any harmonised standards referred to in Article 40 of this Regulation shall be taken into account.
Providers of high-risk AI systems shall draw up the technical documentation referred to in Article 11 in accordance with Annex IV.
Providers that are credit institutions regulated by Directive 2013/36/EU shall maintain the technical documentation as part of the documentation concerning internal governance, arrangements, processes and mechanisms pursuant to Article 74 of that Directive.
Providers of high-risk AI systems shall ensure that their systems undergo the relevant conformity assessment procedure in accordance with Article 43, prior to their placing on the market or putting into service. Where the compliance of the AI systems with the requirements set out in Chapter 2 of this Title has been demonstrated following that conformity assessment, the providers shall draw up an EU declaration of conformity in accordance with Article 48 and affix the CE marking of conformity in accordance with Article 49.
For high-risk AI systems referred to in point 5(b) of Annex III that are placed on the market or put into service by providers that are credit institutions regulated by Directive 2013/36/EU, the conformity assessment shall be carried out as part of the procedure referred to in Articles 97 to101 of that Directive.
Providers of high-risk AI systems shall keep the logs automatically generated by their high-risk AI systems, to the extent such logs are under their control by virtue of a contractual arrangement with the user or otherwise by law. The logs shall be kept for a period that is appropriate in the light of the intended purpose of high-risk AI system and applicable legal obligations under Union or national law.
Providers that are credit institutions regulated by Directive 2013/36/EU shall maintain the logs automatically generated by their high-risk AI systems as part of the documentation under Articles 74 of that Directive.
Providers of high-risk AI systems which consider or have reason to consider that a high-risk AI system which they have placed on the market or put into service is not in conformity with this Regulation shall immediately take the necessary corrective actions to bring that system into conformity, to withdraw it or to recall it, as appropriate. They shall inform the distributors of the high-risk AI system in question and, where applicable, the authorised representative and importers accordingly.
Where the high-risk AI system presents a risk within the meaning of Article 65(1) and that risk is known to the provider of the system, that provider shall immediately inform the national competent authorities of the Member States in which it made the system available and, where applicable, the notified body that issued a certificate for the high-risk AI system, in particular of the non-compliance and of any corrective actions taken.
Providers of high-risk AI systems shall, upon request by a national competent authority, provide that authority with all the information and documentation necessary to demonstrate the conformity of the high-risk AI system with the requirements set out in Chapter 2 of this Title, in an official Union language determined by the Member State concerned. Upon a reasoned request from a national competent authority, providers shall also give that authority access to the logs automatically generated by the high-risk AI system, to the extent such logs are under their control by virtue of a contractual arrangement with the user or otherwise by law.
Where a high-risk AI system related to products to which the legal acts listed in Annex II, section A, apply, is placed on the market or put into service together with the product manufactured in accordance with those legal acts and under the name of the product manufacturer, the manufacturer of the product shall take the responsibility of the compliance of the AI system with this Regulation and, as far as the AI system is concerned, have the same obligations imposed by the present Regulation on the provider.
Prior to making their systems available on the Union market, where an importer cannot be identified, providers established outside the Union shall, by written mandate, appoint an authorised representative which is established in the Union.
The authorised representative shall perform the tasks specified in the mandate received from the provider. The mandate shall empower the authorised representative to carry out the following tasks:
(a) keep a copy of the EU declaration of conformity and the technical documentation at the disposal of the national competent authorities and national authorities referred to in Article 63(7);
(b) provide a national competent authority, upon a reasoned request, with all the information and documentation necessary to demonstrate the conformity of a high-risk AI system with the requirements set out in Chapter 2 of this Title, including access to the logs automatically generated by the high-risk AI system to the extent such logs are under the control of the provider by virtue of a contractual arrangement with the user or otherwise by law;
(c) cooperate with competent national authorities, upon a reasoned request, on any action the latter takes in relation to the high-risk AI system.
(a) the appropriate conformity assessment procedure has been carried out by the provider of that AI system
(b) the provider has drawn up the technical documentation in accordance with Annex IV;
(c) the system bears the required conformity marking and is accompanied by the required documentation and instructions of use.
Where an importer considers or has reason to consider that a high-risk AI system is not in conformity with this Regulation, it shall not place that system on the market until that AI system has been brought into conformity. Where the high-risk AI system presents a risk within the meaning of Article 65(1), the importer shall inform the provider of the AI system and the market surveillance authorities to that effect.
Importers shall indicate their name, registered trade name or registered trade mark, and the address at which they can be contacted on the high-risk AI system or, where that is not possible, on its packaging or its accompanying documentation, as applicable.
Importers shall ensure that, while a high-risk AI system is under their responsibility, where applicable, storage or transport conditions do not jeopardise its compliance with the requirements set out in Chapter 2 of this Title.
Importers shall provide national competent authorities, upon a reasoned request, with all necessary information and documentation to demonstrate the conformity of a high-risk AI system with the requirements set out in Chapter 2 of this Title in a language which can be easily understood by that national competent authority, including access to the logs automatically generated by the high-risk AI system to the extent such logs are under the control of the provider by virtue of a contractual arrangement with the user or otherwise by law. They shall also cooperate with those authorities on any action national competent authority takes in relation to that system.
Before making a high-risk AI system available on the market, distributors shall verify that the high-risk AI system bears the required CE conformity marking, that it is accompanied by the required documentation and instruction of use, and that the provider and the importer of the system, as applicable, have complied with the obligations set out in this Regulation.
Where a distributor considers or has reason to consider that a high-risk AI system is not in conformity with the requirements set out in Chapter 2 of this Title, it shall not make the high-risk AI system available on the market until that system has been brought into conformity with those requirements. Furthermore, where the system presents a risk within the meaning of Article 65(1), the distributor shall inform the provider or the importer of the system, as applicable, to that effect.
Distributors shall ensure that, while a high-risk AI system is under their responsibility, where applicable, storage or transport conditions do not jeopardise the compliance of the system with the requirements set out in Chapter 2 of this Title.
A distributor that considers or has reason to consider that a high-risk AI system which it has made available on the market is not in conformity with the requirements set out in Chapter 2 of this Title shall take the corrective actions necessary to bring that system into conformity with those requirements, to withdraw it or recall it or shall ensure that the provider, the importer or any relevant operator, as appropriate, takes those corrective actions. Where the high-risk AI system presents a risk within the meaning of Article 65(1), the distributor shall immediately inform the national competent authorities of the Member States in which it has made the product available to that effect, giving details, in particular, of the non-compliance and of any corrective actions taken.
Upon a reasoned request from a national competent authority, distributors of high-risk AI systems shall provide that authority with all the information and documentation necessary to demonstrate the conformity of a high-risk system with the requirements set out in Chapter 2 of this Title. Distributors shall also cooperate with that national competent authority on any action taken by that authority.
(a) they place on the market or put into service a high-risk AI system under their name or trademark;
(b) they modify the intended purpose of a high-risk AI system already placed on the market or put into service;
(c) they make a substantial modification to the high-risk AI system.
Users of high-risk AI systems shall use such systems in accordance with the instructions of use accompanying the systems, pursuant to paragraphs 2 and 5.
The obligations in paragraph 1 are without prejudice to other user obligations under Union or national law and to the user’s discretionin organising its own resources and activities for the purpose of implementing the human oversight measures indicated by the provider.
Without prejudice to paragraph 1, to the extent the user exercises control over the input data, that user shall ensure that input data is relevant in view of the intended purpose of the high-risk AI system.
Users shall monitor the operation of the high-risk AI system on the basis of the instructions of use. When they have reasons to consider that the use in accordance with the instructions of use may result in the AI system presenting a risk within the meaning of Article 65(1) they shall inform the provider or distributor and suspend the use of the system. They shall also inform the provider or distributor when they have identified any serious incident or any malfunctioning within the meaning of Article 62 and interrupt the use of the AI system. In case the user is not able to reach the provider, Article 62 shall apply mutatis mutandis.
For users that are credit institutions regulated by Directive 2013/36/EU, the monitoring obligation set out in the first subparagraph shall be deemed to be fulfilled by complying with the rules on internal governance arrangements, processes and mechanisms pursuant to Article 74 of that Directive.
Users that are credit institutions regulated by Directive 2013/36/EU shall maintain the logs as part of the documentation concerning internal governance arrangements, processes and mechanisms pursuant to Article 74 of that Directive.
Each Member State shall designate or establish a notifying authority responsible for setting up and carrying out the necessary procedures for the assessment, designation and notification of conformity assessment bodies and for their monitoring.
Member States may designate a national accreditation body referred to in Regulation (EC) No 765/2008 as a notifying authority.
Notifying authorities shall be established, organised and operated in such a way that no conflict of interest arises with conformity assessment bodies and the objectivity and impartiality of their activities are safeguarded.
Notifying authorities shall be organised in such a way that decisions relating to the notification of conformity assessment bodies are taken by competent persons different from those who carried out the assessment of those bodies.
Notifying authorities shall not offer or provide any activities that conformity assessment bodies perform or any consultancy services on a commercial or competitive basis.
Notifying authorities shall safeguard the confidentiality of the information they obtain.
Notifying authorities shall have a sufficient number of competent personnel at their disposal for the proper performance of their tasks.
Notifying authorities shall make sure that conformity assessments are carried out in a proportionate manner, avoiding unnecessary burdens for providers and that notified bodies perform their activities taking due account of the size of an undertaking, the sector in which it operates, its structure and the degree of complexity of the AI system in question.
Conformity assessment bodies shall submit an application for notification to the notifying authority of the Member State in which they are established.
The application for notification shall be accompanied by a description of the conformity assessment activities, the conformity assessment module or modules and the artificial intelligence technologies for which the conformity assessment body claims to be competent, as well as by an accreditation certificate, where one exists, issued by a national accreditation body attesting that the conformity assessment body fulfils the requirements laid down in Article 33. Any valid document related to existing designations of the applicant notified body under any other Union harmonisation legislation shall be added.
Where the conformity assessment body concerned cannot provide an accreditation certificate, it shall provide the notifying authority with the documentary evidence necessary for the verification, recognition and regular monitoring of its compliance with the requirements laid down in Article 33. For notified bodies which are designated under any other Union harmonisation legislation, all documents and certificates linked to those designations may be used to support their designation procedure under this Regulation, as appropriate.
Notifying authorities may notify only conformity assessment bodies which have satisfied the requirements laid down in Article 33.
Notifying authorities shall notify the Commission and the other Member States using the electronic notification tool developed and managed by the Commission.
The notification shall include full details of the conformity assessment activities, the conformity assessment module or modules and the artificial intelligence technologies concerned.
The conformity assessment body concerned may perform the activities of a notified body only where no objections are raised by the Commission or the other Member States within one month of a notification.
Notifying authorities shall notify the Commission and the other Member States of any subsequent relevant changes to the notification.
Notified bodies shall verify the conformity of high-risk AI system in accordance with the conformity assessment procedures referred to in Article 43.
Notified bodies shall satisfy the organisational, quality management, resources and process requirements that are necessary to fulfil their tasks.
The organisational structure, allocation of responsibilities, reporting lines and operation of notified bodies shall be such as to ensure that there is confidence in the performance by and in the results of the conformity assessment activities that the notified bodies conduct.
Notified bodies shall be independent of the provider of a high-risk AI system in relation to which it performs conformity assessment activities. Notified bodies shall also be independent of any other operator having an economic interest in the high-risk AI system that is assessed, as well as of any competitors of the provider.
Notified bodies shall be organised and operated so as to safeguard the independence, objectivity and impartiality of their activities. Notified bodies shall document and implement a structure and procedures to safeguard impartiality and to promote and apply the principles of impartiality throughout their organisation, personnel and assessment activities.
Notified bodies shall have documented procedures in place ensuring that their personnel, committees, subsidiaries, subcontractors and any associated body or personnel of external bodies respect the confidentiality of the information which comes into their possession during the performance of conformity assessment activities, except when disclosure is required by law. The staff of notified bodies shall be bound to observe professional secrecy with regard to all information obtained in carrying out their tasks under this Regulation, except in relation to the notifying authorities of the Member State in which their activities are carried out.
Notified bodies shall have procedures for the performance of activities which take due account of the size of an undertaking, the sector in which it operates, its structure, the degree of complexity of the AI system in question.
Notified bodies shall take out appropriate liability insurance for their conformity assessment activities, unless liability is assumed by the Member State concerned in accordance with national law or that Member State is directly responsible for the conformity assessment.
Notified bodies shall be capable of carrying out all the tasks falling to them under this Regulation with the highest degree of professional integrity and the requisite competence in the specific field, whether those tasks are carried out by notified bodies themselves or on their behalf and under their responsibility.
Notified bodies shall have sufficient internal competences to be able to effectively evaluate the tasks conducted by external parties on their behalf. To that end, at all times and for each conformity assessment procedure and each type of high-risk AI system in relation to which they have been designated, the notified body shall have permanent availability of sufficient administrative, technical and scientific personnel who possess experience and knowledge relating to the relevant artificial intelligence technologies, data and data computing and to the requirements set out in Chapter 2 of this Title.
Notified bodies shall participate in coordination activities as referred to in Article 38. They shall also take part directly or be represented in European standardisation organisations, or ensure that they are aware and up to date in respect of relevant standards.
Notified bodies shall make available and submit upon request all relevant documentation, including the providers’ documentation, to the notifying authority referred to in Article 30 to allow it to conduct its assessment, designation, notification, monitoring and surveillance activities and to facilitate the assessment outlined in this Chapter.
Where a notified body subcontracts specific tasks connected with the conformity assessment or has recourse to a subsidiary, it shall ensure that the subcontractor or the subsidiary meets the requirements laid down in Article 33 and shall inform the notifying authority accordingly.
Notified bodies shall take full responsibility for the tasks performed by subcontractors or subsidiaries wherever these are established.
Activities may be subcontracted or carried out by a subsidiary only with the agreement of the provider.
Notified bodies shall keep at the disposal of the notifying authority the relevant documents concerning the assessment of the qualifications of the subcontractor or the subsidiary and the work carried out by them under this Regulation.
The Commission shall assign an identification number to notified bodies. It shall assign a single number, even where a body is notified under several Union acts.
The Commission shall make publicly available the list of the bodies notified under this Regulation, including the identification numbers that have been assigned to them and the activities for which they have been notified. The Commission shall ensure that the list is kept up to date.
Where a notifying authority has suspicions or has been informed that a notified body no longer meets the requirements laid down in Article 33, or that it is failing to fulfil its obligations, that authority shall without delay investigate the matter with the utmost diligence. In that context, it shall inform the notified body concerned about the objections raised and give it the possibility to make its views known. If the notifying authority comes to the conclusion that the notified body investigation no longer meets the requirements laid down in Article 33 or that it is failing to fulfil its obligations, it shall restrict, suspend or withdraw the notification as appropriate, depending on the seriousness of the failure. It shall also immediately inform the Commission and the other Member States accordingly.
In the event of restriction, suspension or withdrawal of notification, or where the notified body has ceased its activity, the notifying authority shall take appropriate steps to ensure that the files of that notified body are either taken over by another notified body or kept available for the responsible notifying authorities at their request.
The Commission shall, where necessary, investigate all cases where there are reasons to doubt whether a notified body complies with the requirementslaid down in Article 33.
The Notifying authority shall provide the Commission, on request, with all relevant information relating to the notification of the notified body concerned.
The Commission shall ensure that all confidential information obtained in the course of its investigations pursuant to this Article is treated confidentially.
Where the Commission ascertains that a notified body does not meet or no longer meets the requirementslaid down in Article 33, it shall adopt a reasoned decision requesting the notifying Member State to take the necessary corrective measures, including withdrawal of notification if necessary. That implementing act shall be adopted in accordance with the examination procedure referred to in Article 74(2).
The Commission shall ensure that, with regard to the areas covered by this Regulation, appropriate coordination and cooperation between notified bodies active in the conformity assessment procedures of AI systems pursuant to this Regulation are put in place and properly operated in the form of a sectoral group of notified bodies.
Member States shall ensure that the bodies notified by them participate in the work of that group, directly or by means of designated representatives.
Conformity assessment bodies established under the law of a third country with which the Union has concluded an agreement may be authorised to carry out the activities of notified Bodies under this Regulation.
High-risk AI systems which are in conformity with harmonised standards or parts thereof the references of which have been published in the Official Journal of the European Union shall be presumed to be in conformity with the requirements set out in Chapter 2 of this Title, to the extent those standards cover those requirements.
Where harmonised standards referred to in Article 40 do not exist or where the Commission considers that the relevant harmonised standards are insufficient or that there is a need to address specific safety or fundamental right concerns, the Commission may, by means of implementing acts, adopt common specifications in respect of the requirements set out in Chapter 2 of this Title. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 74(2).
The Commission, when preparing the common specifications referred to in paragraph 1, shall gather the views of relevant bodies or expert groups established under relevant sectorial Union law.
High-risk AI systems which are in conformity with the common specifications referred to in paragraph 1 shall be presumed to be in conformity with the requirements set out in Chapter 2 of this Title, to the extent those common specifications cover those requirements.
Where providers do not comply with the common specifications referred to in paragraph 1, they shall duly justify that they have adopted technical solutions that are at least equivalent thereto.
Taking into account their intended purpose, high-risk AI systems that have been trained and tested on data concerning the specific geographical, behavioural and functional setting within which they are intended to be used shall be presumed to be in compliance with the requirement set out in Article 10(4).
High-risk AI systems that have been certified or for which a statement of conformity has been issued under a cybersecurity scheme pursuant to Regulation (EU) 2019/881 of the European Parliament and of the Council 63 and the references of which have been published in the Official Journal of the European Union shall be presumed to be in compliance with the cybersecurity requirements set out in Article 15 of this Regulation in so far as the cybersecurity certificate or statement of conformity or parts thereof cover those requirements.
(a) the conformity assessment procedure based on internal control referred to in Annex VI;
(b) the conformity assessment procedure based on assessment of the quality management system and assessment of the technical documentation, with the involvement of a notified body, referred to in Annex VII.
Where, in demonstrating the compliance of a high-risk AI system with the requirements set out in Chapter 2 of this Title, the provider has not applied or has applied only in part harmonised standards referred to in Article 40, or where such harmonised standards do not exist and common specifications referred to in Article 41 are not available, the provider shall follow the conformity assessment procedure set out in Annex VII.
For the purpose of the conformity assessment procedure referred to in Annex VII, the provider may choose any of the notified bodies. However, when the system is intended to be put into service by law enforcement, immigration or asylum authorities as well as EU institutions, bodies or agencies, the market surveillance authority referred to in Article 63(5) or (6), as applicable, shall act as a notified body.
For high-risk AI systems referred to in points 2 to 8 of Annex III, providers shall follow the conformity assessment procedure based on internal control as referred to in Annex VI, which does not provide for the involvement of a notified body. For high-risk AI systems referred to in point 5(b) of Annex III, placed on the market or put into service by credit institutions regulated by Directive 2013/36/EU, the conformity assessment shall be carried out as part of the procedure referred to in Articles 97 to101 of that Directive.
For high-risk AI systems, to which legal acts listed in Annex II, section A, apply, the provider shall follow the relevant conformity assessment as required under those legal acts. The requirements set out in Chapter 2 of this Title shall apply to those high-risk AI systems and shall be part of that assessment. Points 4.3., 4.4., 4.5. and the fifth paragraph of point 4.6 of Annex VII shall also apply.
For the purpose of that assessment, notified bodies which have been notified under those legal acts shall be entitled to control the conformity of the high-risk AI systems with the requirements set out in Chapter 2 of this Title, provided that the compliance of those notified bodies with requirements laid down in Article 33(4), (9) and (10) has been assessed in the context of the notification procedure under those legal acts.
Where the legal acts listed in Annex II, section A, enable the manufacturer of the product to opt out from a third-party conformity assessment, provided that that manufacturer has applied all harmonised standards covering all the relevant requirements, that manufacturer may make use of that option only if he has also applied harmonised standards or, where applicable, common specifications referred to in Article 41, covering the requirements set out in Chapter 2 of this Title.
For high-risk AI systems that continue to learn after being placed on the market or put into service, changes to the high-risk AI system and its performance that have been pre-determined by the provider at the moment of the initial conformity assessment and are part of the information contained in the technical documentation referred to in point 2(f) of Annex IV, shall not constitute a substantial modification.
The Commission is empowered to adopt delegated acts in accordance with Article 73 for the purpose of updating Annexes VI and Annex VII in order to introduce elements of the conformity assessment procedures that become necessary in light of technical progress.
The Commission is empowered to adopt delegated acts to amend paragraphs 1 and 2 in order to subject high-risk AI systems referred to in points 2 to 8 of Annex III to the conformity assessment procedure referred to in Annex VII or parts thereof. The Commission shall adopt such delegated acts taking into account the effectiveness of the conformity assessment procedure based on internal control referred to in Annex VI in preventing or minimizing the risks to health and safety and protection of fundamental rights posed by such systems as well as the availability of adequate capacities and resources among notified bodies.
Certificates issued by notified bodies in accordance with Annex VII shall be drawn-up in an official Union language determined by the Member State in which the notified body is established or in an official Union language otherwise acceptable to the notified body.
Certificates shall be valid for the period they indicate, which shall not exceed five years. On application by the provider, the validity of a certificate may be extended for further periods, each not exceeding five years, based on a re-assessment in accordance with the applicable conformity assessment procedures.
Where a notified body finds that an AI system no longer meets the requirements set out in Chapter 2 of this Title, it shall, taking account of the principle of proportionality, suspend or withdraw the certificate issued or impose any restrictions on it, unless compliance with those requirements is ensured by appropriate corrective action taken by the provider of the system within an appropriate deadline set by the notified body. The notified body shall give reasons for its decision.
Member States shall ensure that an appeal procedure against decisions of the notified bodies is available to parties having a legitimate interest in that decision.
(a) any Union technical documentation assessment certificates, any supplements to those certificates, quality management system approvals issued in accordance with the requirements of Annex VII;
(b) any refusal, restriction, suspension or withdrawal of a Union technical documentation assessment certificate or a quality management system approval issued in accordance with the requirements of Annex VII;
(c) any circumstances affecting the scope of or conditions for notification;
(d) any request for information which they have received from market surveillance authorities regarding conformity assessment activities;
(e) on request, conformity assessment activities performed within the scope of their notification and any other activity performed, including cross-border activities and subcontracting.
(a) quality management system approvals which it has refused, suspended or withdrawn, and, upon request, of quality system approvals which it has issued;
(b) EU technical documentation assessment certificates or any supplements thereto which it has refused, withdrawn, suspended or otherwise restricted, and, upon request, of the certificates and/or supplements thereto which it has issued.
By way of derogation from Article 43, any market surveillance authority may authorise the placing on the market or putting into service of specific high-risk AI systems within the territory of the Member State concerned, for exceptional reasons of public security or the protection of life and health of persons, environmental protection and the protection of key industrial and infrastructural assets. That authorisation shall be for a limited period of time, while the necessary conformity assessment procedures are being carried out, and shall terminate once those procedures have been completed. The completion of those procedures shall be undertaken without undue delay.
The authorisation referred to in paragraph 1 shall be issued only if the market surveillance authority concludes that the high-risk AI system complies with the requirements of Chapter 2 of this Title. The market surveillance authority shall inform the Commission and the other Member States of any authorisation issued pursuant to paragraph 1.
Where, within 15 calendar days of receipt of the information referred to in paragraph 2, no objection has been raised by either a Member State or the Commission in respect of an authorisation issued by a market surveillance authority of a Member State in accordance with paragraph 1, that authorisation shall be deemed justified.
Where, within 15 calendar days of receipt of the notification referred to in paragraph 2, objections are raised by a Member State against an authorisation issued by a market surveillance authority of another Member State, or where the Commission considers the authorisation to be contrary to Union law or the conclusion of the Member States regarding the compliance of the system as referred to in paragraph 2 to be unfounded, the Commission shall without delay enter into consultation with the relevant Member State; the operator(s) concerned shall be consulted and have the possibility to present their views. In view thereof, the Commission shall decide whether the authorisation is justified or not. The Commission shall address its decision to the Member State concerned and the relevant operator or operators.
If the authorisation is considered unjustified, this shall be withdrawn by the market surveillance authority of the Member State concerned.
By way of derogation from paragraphs 1 to 5, for high-risk AI systems intended to be used as safety components of devices, or which are themselves devices, covered by Regulation (EU) 2017/745 and Regulation (EU) 2017/746, Article 59 of Regulation (EU) 2017/745 and Article 54 of Regulation (EU) 2017/746 shall apply also with regard to the derogation from the conformity assessment of the compliance with the requirements set out in Chapter 2 of this Title.
The provider shall draw up a written EU declaration of conformity for each AI system and keep it at the disposal of the national competent authorities for 10 years after the AI system has been placed on the market or put into service. The EU declaration of conformity shall identify the AI system for which it has been drawn up. A copy of the EU declaration of conformity shall be given to the relevant national competent authorities upon request.
The EU declaration of conformity shall state that the high-risk AI system in question meets the requirements set out in Chapter 2 of this Title. The EU declaration of conformity shall contain the information set out in Annex V and shall be translated into an official Union language or languages required by the Member State(s) in which the high-risk AI system is made available.
Where high-risk AI systems are subject to other Union harmonisation legislation which also requires an EU declaration of conformity, a single EU declaration of conformity shall be drawn up in respect of all Union legislations applicable to the high-risk AI system. The declaration shall contain all the information required for identification of the Union harmonisation legislation to which the declaration relates.
By drawing up the EU declaration of conformity, the provider shall assume responsibility for compliance with the requirements set out in Chapter 2 of this Title. The provider shall keep the EU declaration of conformity up-to-date as appropriate.
The Commission shall be empowered to adopt delegated acts in accordance with Article 73 for the purpose of updating the content of the EU declaration of conformity set out in Annex V in order to introduce elements that become necessary in light of technical progress.
The CE marking shall be affixed visibly, legibly and indelibly for high-risk AI systems. Where that is not possible or not warranted on account of the nature of the high-risk AI system, it shall be affixed to the packaging or to the accompanying documentation, as appropriate.
The CE marking referred to in paragraph 1 of this Article shall be subject to the general principles set out in Article 30 of Regulation (EC) No 765/2008.
Where applicable, the CE marking shall be followed by the identification number of the notified body responsible for the conformity assessment procedures set out in Article 43. The identification number shall also be indicated in any promotional material which mentions that the high-risk AI system fulfils the requirements for CE marking.
The provider shall, for a period ending 10 years after the AI system has been placed on the market or put into service, keep at the disposal of the national competent authorities:
(a) the technical documentation referred to in Article 11;
(b) the documentation concerning the quality management system referred to Article 17;
(c) the documentation concerning the changes approved by notified bodies where applicable;
(d) the decisions and other documents issued by the notified bodies where applicable;
(e) the EU declaration of conformity referred to in Article 48.
Before placing on the market or putting into service a high-risk AI system referred to in Article 6(2), the provider or, where applicable, the authorised representative shall register that system in the EU database referred to in Article 60.
Providers shall ensure that AI systems intended to interact with natural persons are designed and developed in such a way that natural persons are informed that they are interacting with an AI system, unless this is obvious from the circumstances and the context of use. This obligation shall not apply to AI systems authorised by law to detect, prevent, investigate and prosecute criminal offences, unless those systems are available for the public to report a criminal offence.
Users of an emotion recognition system or a biometric categorisation system shall inform of the operation of the system the natural persons exposed thereto. This obligation shall not apply to AI systems used for biometric categorisation, which are permitted by law to detect, prevent and investigate criminal offences.
Users of an AI system that generates or manipulates image, audio or video content that appreciably resembles existing persons, objects, places or other entities or events and would falsely appear to a person to be authentic or truthful (‘deep fake’), shall disclose that the content has been artificially generated or manipulated.
However, the first subparagraph shall not apply where the use is authorised by law to detect, prevent, investigate and prosecute criminal offences or it is necessary for the exercise of the right to freedom of expression and the right to freedom of the arts and sciences guaranteed in the Charter of Fundamental Rights of the EU, and subject to appropriate safeguards for the rights and freedoms of third parties.
AI regulatory sandboxes established by one or more Member States competent authorities or the European Data Protection Supervisor shall provide a controlled environment that facilitates the development, testing and validation of innovative AI systems for a limited time before their placement on the market or putting into servicepursuant to a specific plan. This shall take place under the direct supervision and guidance by the competent authorities with a view to ensuring compliance with the requirements of this Regulation and, where relevant, other Union and Member States legislation supervised within the sandbox.
Member States shall ensure that to the extent the innovative AI systems involve the processing of personal data or otherwise fall under the supervisory remit of other national authorities or competent authorities providing or supporting access to data, the national data protection authorities and those other national authorities are associated to the operation of the AI regulatory sandbox.
The AI regulatory sandboxes shall not affect the supervisory and corrective powers of the competent authorities. Any significant risks to health and safety and fundamental rights identified during the development and testing of such systems shall result in immediate mitigation and, failing that, in the suspension of the development and testing process until such mitigation takes place.
Participants in the AI regulatory sandbox shall remain liable under applicable Union and Member States liability legislation for any harm inflicted on third parties as a result from the experimentation taking place in the sandbox.
Member States’ competent authorities that have established AI regulatory sandboxes shall coordinate their activities and cooperate within the framework of the European Artificial Intelligence Board. They shall submit annual reports to the Board and the Commission on the results from the implementation of those scheme, including good practices, lessons learnt and recommendations on their setup and, where relevant, on the application of this Regulation and other Union legislation supervised within the sandbox.
The modalities and the conditions of the operation of the AI regulatory sandboxes, including the eligibility criteria and the procedure for the application, selection, participation and exiting from the sandbox, and the rights and obligations of the participants shall be set out in implementing acts. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 74(2).
(a) the innovative AI systems shall be developed for safeguarding substantial public interest in one or more of the following areas:
(i) the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security, under the control and responsibility of the competent authorities. The processing shall be based on Member State or Union law;
(ii) public safety and public health, including disease prevention, control and treatment;
(iii) a high level of protection and improvement of the quality of the environment;
(b) the data processed are necessary for complying with one or more of the requirements referred to in Title III, Chapter 2 where those requirements cannot be effectively fulfilled by processing anonymised, synthetic or other non-personal data;
(c) there are effective monitoring mechanisms to identify if any high risks to the fundamental rights of the data subjects may arise during the sandbox experimentation as well as response mechanism to promptly mitigate those risks and, where necessary, stop the processing;
(d) any personal data to be processed in the context of the sandbox are in a functionally separate, isolated and protected data processing environment under the control of the participants and only authorised persons have access to that data;
(e) any personal data processed are not be transmitted, transferred or otherwise accessed by other parties;
(f) any processing of personal data in the context of the sandbox do not lead to measures or decisions affecting the data subjects;
(g) any personal data processed in the context of the sandbox are deleted once the participation in the sandbox has terminated or the personal data has reached the end of its retention period;
(h) the logs of the processing of personal data in the context of the sandbox are kept for the duration of the participation in the sandbox and 1 year after its termination, solely for the purpose of and only as long as necessary for fulfilling accountability and documentation obligations under this Article or other application Union or Member States legislation;
(i) complete and detailed description of the process and rationale behind the training, testing and validation of the AI system is kept together with the testing results as part of the technical documentation in Annex IV;
(j) a short summary of the AI project developed in the sandbox, its objectives and expected results published on the website of the competent authorities.
(a) provide small-scale providers and start-ups with priority access to the AI regulatory sandboxes to the extent that they fulfil the eligibility conditions;
(b) organise specific awareness raising activities about the application of this Regulation tailored to the needs of the small-scale providers and users;
(c) where appropriate, establish a dedicated channel for communication with small-scale providers and user and other innovators to provide guidance and respond to queries about the implementation of this Regulation.
A ‘European Artificial Intelligence Board’ (the ‘Board’) is established.
The Board shall provide advice and assistance to the Commission in order to:
(a) contribute to the effective cooperation of the national supervisory authorities and the Commission with regard to matters covered by this Regulation;
(b) coordinate and contribute to guidance and analysis by the Commission and the national supervisory authorities and other competent authorities on emerging issues across the internal market with regard to matters covered by this Regulation;
(c) assist the national supervisory authorities and the Commission in ensuring the consistent application of this Regulation.
The Board shall be composed of the national supervisory authorities, who shall be represented by the head or equivalent high-level official of that authority, and the European Data Protection Supervisor. Other national authorities may be invited to the meetings, where the issues discussed are of relevance for them.
The Board shall adopt its rules of procedure by a simple majority of its members, following the consent of the Commission. The rules of procedure shall also contain the operational aspects related to the execution of the Board’s tasks as listed in Article 58. The Board may establish sub-groups as appropriatefor the purpose of examining specific questions.
The Board shall be chaired by the Commission. The Commission shall convene the meetings and prepare the agenda in accordance with the tasks of the Board pursuant to this Regulation and with its rules of procedure. The Commission shall provide administrative and analytical support for the activities of the Board pursuant to this Regulation.
The Board may invite external experts and observers to attend its meetings and may hold exchanges with interested third parties to inform its activities to an appropriate extent. To that end the Commission may facilitate exchanges between the Board and other Union bodies, offices, agencies and advisory groups.
When providing advice and assistance to the Commission in the context of Article 56(2), the Board shall in particular:
(a) collect and share expertise and best practices among Member States;
(b) contribute to uniform administrative practices in the Member States, including for the functioning of regulatory sandboxes referred to in Article 53;
(c) issue opinions, recommendations or written contributions on matters related to the implementation of this Regulation, in particular
(i) on technical specifications or existing standards regarding the requirements set out in Title III, Chapter 2,
(ii) on the use of harmonised standards or common specifications referred to in Articles 40 and 41,
(iii) on the preparation of guidance documents, including the guidelines concerning the setting of administrative fines referred to in Article 71.
National competent authorities shall be established or designated by each Member State for the purpose of ensuring the application and implementation of this Regulation. National competent authorities shall be organised so as to safeguard the objectivity and impartiality of their activities and tasks.
Each Member State shall designate a national supervisory authority among the national competent authorities. The national supervisory authority shall act as notifying authority and market surveillance authority unless a Member State has organisational and administrative reasons to designate more than one authority.
Member States shall inform the Commission of their designation or designations and, where applicable, the reasons for designating more than one authority.
Member States shall ensure that national competent authorities are provided with adequate financial and human resources to fulfil their tasks under this Regulation. In particular, national competent authorities shall have a sufficient number of personnel permanently available whose competences and expertise shall include an in-depth understanding of artificial intelligence technologies, data and data computing, fundamental rights, health and safety risks and knowledge of existing standards and legal requirements.
Member States shall report to the Commission on an annual basis on the status of the financial and human resources of the national competent authorities with an assessment of their adequacy. The Commission shall transmit that information to the Board for discussion and possible recommendations.
The Commission shall facilitate the exchange of experience between national competent authorities.
National competent authorities may provide guidance and advice on the implementation of this Regulation, including to small-scale providers. Whenever national competent authorities intend to provide guidance and advice with regard to an AI system in areas covered by other Union legislation, the competent national authorities under that Union legislation shall be consulted, as appropriate. Member States may also establish one central contact point for communication with operators.
When Union institutions, agencies and bodies fall within the scope of this Regulation, the European Data Protection Supervisor shall act as the competent authority for their supervision.
The Commission shall, in collaboration with the Member States, set up and maintain a EU database containing information referred to in paragraph 2 concerning high-risk AI systems referred to in Article 6(2) which are registered in accordance with Article 51.
The data listed in Annex VIII shall be entered into the EU database by the providers. The Commission shall provide them with technical and administrative support.
Information contained in the EU database shall be accessible to the public.
The EU database shall contain personal data only insofar as necessary for collecting and processing information in accordance with this Regulation. That information shall include the names and contact details of natural persons who are responsible for registering the system and have the legal authority to represent the provider.
The Commission shall be the controller of the EU database. It shall also ensure to providers adequate technical and administrative support.
Providers shall establish and document a post-market monitoring system in a manner that is proportionate to the nature of the artificial intelligence technologies and the risks of the high-risk AI system.
The post-market monitoring system shall actively and systematically collect, document and analyse relevant data provided by users or collected through other sources on the performance of high-risk AI systems throughout their lifetime, and allow the provider to evaluate the continuous compliance of AI systems with the requirements set out in Title III, Chapter 2.
The post-market monitoring system shall be based on a post-market monitoring plan. The post-market monitoring plan shall be part of the technical documentation referred to in Annex IV. The Commission shall adopt an implementing act laying down detailed provisions establishing a template for the post-market monitoring plan and the list of elements to be included in the plan.
For high-risk AI systems covered by the legal acts referred to in Annex II, where a post-market monitoring system and plan is already established under that legislation, the elements described in paragraphs 1, 2 and 3 shall be integrated into that system and plan as appropriate.
The first subparagraph shall also apply to high-risk AI systems referred to in point 5(b) of Annex III placed on the market or put into service by credit institutions regulated by Directive 2013/36/EU.
Such notification shall be made immediately after the provider has established a causal link between the AI system and the incident or malfunctioning or the reasonable likelihood of such a link, and, in any event, not later than 15 days after the providers becomes aware of the serious incident or of the malfunctioning.
Upon receiving a notification related to a breach of obligations under Union law intended to protect fundamental rights, the market surveillance authority shall inform the national public authorities or bodies referred to in Article 64(3). The Commission shall develop dedicated guidance to facilitate compliance with the obligations set out in paragraph 1. That guidance shall be issued 12 months after the entry into force of this Regulation, at the latest.
For high-risk AI systems referred to in point 5(b) of Annex III which are placed on the market or put into service by providers that are credit institutions regulated by Directive 2013/36/EU and for high-risk AI systems which are safety components of devices, or are themselves devices, covered by Regulation (EU) 2017/745 and Regulation (EU) 2017/746, the notification of serious incidents or malfunctioning shall be limited to those that that constitute a breach of obligations under Union law intended to protect fundamental rights.
(a) any reference to an economic operator under Regulation (EU) 2019/1020 shall be understood as including all operators identified in Title III, Chapter 3 of this Regulation;
(b) any reference to a product under Regulation (EU) 2019/1020 shall be understood as including all AI systems falling within the scope of this Regulation.
The national supervisory authority shall report to the Commission on a regular basis the outcomes of relevant market surveillance activities. The national supervisory authority shall report, without delay, to the Commission and relevant national competition authorities any information identified in the course of market surveillance activities that may be of potential interest for the application of Union law on competition rules.
For high-risk AI systems, related to products to which legal acts listed in Annex II, section A apply, the market surveillance authority for the purposes of this Regulation shall be the authority responsible for market surveillance activities designated under those legal acts.
For AI systems placed on the market, put into service or used by financial institutions regulated by Union legislation on financial services, the market surveillance authority for the purposes of this Regulation shall be the relevant authority responsible for the financial supervision of those institutions under that legislation.
For AI systems listed in point 1(a) in so far as the systems are used for law enforcement purposes, points 6 and 7 of Annex III, Member States shall designate as market surveillance authorities for the purposes of this Regulation either the competent data protection supervisory authorities under Directive (EU) 2016/680, or Regulation 2016/679 or the national competent authorities supervising the activities of the law enforcement, immigration or asylum authorities putting into service or using those systems.
Where Union institutions, agencies and bodies fall within the scope of this Regulation, the European Data Protection Supervisor shall act as their market surveillance authority.
Member States shall facilitate the coordination between market surveillance authorities designated under this Regulation and other relevant national authorities or bodies which supervise the application of Union harmonisation legislation listed in Annex II or other Union legislation that might be relevant for the high-risk AI systems referred to in Annex III.
Access to data and documentation in the context of their activities, the market surveillance authorities shall be granted full access to the training, validation and testing datasets used by the provider, including through application programming interfaces (‘API’) or other appropriate technical means and tools enabling remote access.
Where necessary to assess the conformity of the high-risk AI system with the requirements set out in Title III, Chapter 2 and upon a reasoned request, the market surveillance authorities shall be granted access to the source code of the AI system.
National public authorities or bodies which supervise or enforce the respect of obligations under Union law protecting fundamental rights in relation to the use of high-risk AI systems referred to in Annex III shall have the power to request and access any documentation created or maintained under this Regulation when access to that documentation is necessary for the fulfilment of the competences under their mandate within the limits of their jurisdiction. The relevant public authority or body shall inform the market surveillance authority of the Member State concerned of any such request.
By 3 months after the entering into force of this Regulation, each Member State shall identify the public authorities or bodies referred to in paragraph 3 and make a list publicly available on the website of the national supervisory authority. Member States shall notify the list to the Commission and all other Member States and keep the list up to date.
Where the documentation referred to in paragraph 3 is insufficient to ascertain whether a breach of obligations under Union law intended to protect fundamental rights has occurred, the public authority or body referred to paragraph 3 may make a reasoned request to the market surveillance authority to organise testing of the high-risk AI system through technical means. The market surveillance authority shall organise the testing with the close involvement of the requesting public authority or body within reasonable time following the request.
Any information and documentation obtained by the national public authorities or bodies referred to in paragraph 3 pursuant to the provisions of this Article shall be treated in compliance with the confidentiality obligations set out in Article 70.
AI systems presenting a risk shall be understood as a product presenting a risk defined in Article 3, point 19 of Regulation (EU) 2019/1020 insofar as risks to the health or safety or to the protection of fundamental rights of persons are concerned.
Where the market surveillance authority of a Member State has sufficient reasons to consider that an AI system presents a risk as referred to in paragraph 1, they shall carry out an evaluation of the AI system concerned in respect of its compliance with all the requirements and obligations laid down in this Regulation. When risks to the protection of fundamental rights are present, the market surveillance authority shall also inform the relevant national public authorities or bodies referred to in Article 64(3). The relevant operators shall cooperate as necessary with the market surveillance authorities and the other national public authorities or bodies referred to in Article 64(3).
Where, in the course of that evaluation, the market surveillance authority finds that the AI system does not comply with the requirements and obligations laid down in this Regulation, it shall without delay require the relevant operator to take all appropriate corrective actions to bring the AI system into compliance, to withdraw the AI system from the market, or to recall it within a reasonable period, commensurate with the nature of the risk, as it may prescribe.
The market surveillance authority shall inform the relevant notified body accordingly. Article 18 of Regulation (EU) 2019/1020 shall apply to the measures referred to in the second subparagraph.
Where the market surveillance authority considers that non-compliance is not restricted to its national territory, it shall inform the Commission and the other Member States of the results of the evaluation and of the actions which it has required the operator to take.
The operator shall ensure that all appropriate corrective action is taken in respect of all the AI systems concerned that it has made available on the market throughout the Union.
Where the operator of an AI system does not take adequate corrective action within the period referred to in paragraph 2, the market surveillance authority shall take all appropriate provisional measures to prohibit or restrict the AI system’s being made available on its national market, to withdraw the product from that market or to recall it. That authority shall inform the Commission and the other Member States, without delay, of those measures.
The information referred to in paragraph 5 shall include all available details, in particular the data necessary for the identification of the non-compliant AI system, the origin of the AI system, the nature of the non-compliance alleged and the risk involved, the nature and duration of the national measures taken and the arguments put forward by the relevant operator. In particular, the market surveillance authorities shall indicate whether the non-compliance is due to one or more of the following:
(a) a failure of the AI system to meet requirements set out in Title III, Chapter 2;
(b) shortcomings in the harmonised standards or common specifications referred to in Articles 40 and 41 conferring a presumption of conformity.
The market surveillance authorities of the Member States other than the market surveillance authority of the Member State initiating the procedure shall without delay inform the Commission and the other Member States of any measures adopted and of any additional information at their disposal relating to the non-compliance of the AI system concerned, and, in the event of disagreement with the notified national measure, of their objections.
Where, within three months of receipt of the information referred to in paragraph 5, no objection has been raised by either a Member State or the Commission in respect of a provisional measure taken by a Member State, that measure shall be deemed justified. This is without prejudice to the procedural rights of the concerned operator in accordance with Article 18 of Regulation (EU) 2019/1020.
The market surveillance authorities of all Member States shall ensure that appropriate restrictive measures are taken in respect of the product concerned, such as withdrawal of the product from their market, without delay.
Where, within three months of receipt of the notification referred to in Article 65(5), objections are raised by a Member State against a measure taken by another Member State, or where the Commission considers the measure to be contrary to Union law, the Commission shall without delay enter into consultation with the relevant Member State and operator or operators and shall evaluate the national measure. On the basis of the results of that evaluation, the Commission shall decide whether the national measure is justified or not within 9 months from the notification referred to in Article 65(5) and notify such decision to the Member State concerned.
If the national measure is considered justified, all Member States shall take the measures necessary to ensure that the non-compliant AI system is withdrawn from their market, and shall inform the Commission accordingly. If the national measure is considered unjustified, the Member State concerned shall withdraw the measure.
Where the national measure is considered justified and the non-compliance of the AI system is attributed to shortcomings in the harmonised standards or common specifications referred to in Articles 40 and 41 of this Regulation, the Commission shall apply the procedure provided for in Article 11 of Regulation (EU) No 1025/2012.
Where, having performed an evaluation under Article 65, the market surveillance authority of a Member State finds that although an AI system is in compliance with this Regulation, it presents a risk to the health or safety of persons, to the compliance with obligations under Union or national law intended to protect fundamental rights or to other aspects of public interest protection, it shall require the relevant operator to take all appropriate measures to ensure that the AI system concerned, when placed on the market or put into service, no longer presents that risk, to withdraw the AI system from the market or to recall it within a reasonable period, commensurate with the nature of the risk, as it may prescribe.
The provider or other relevant operators shall ensure that corrective action is taken in respect of all the AI systems concerned that they have made available on the market throughout the Union within the timeline prescribed by the market surveillance authority of the Member State referred to in paragraph 1.
The Member State shall immediately inform the Commission and the other Member States. That information shall include all available details, in particular the data necessary for the identification of the AI system concerned, the origin and the supply chain of the AI system, the nature of the risk involved and the nature and duration of the national measures taken.
The Commission shall without delay enter into consultation with the Member States and the relevant operator and shall evaluate the national measures taken. On the basis of the results of that evaluation, the Commission shall decide whether the measure is justified or not and, where necessary, propose appropriate measures.
The Commission shall address its decision to the Member States.
(a) the conformity marking has been affixed in violation of Article 49;
(b) the conformity marking has not been affixed;
(c) the EU declaration of conformity has not been drawn up;
(d) the EU declaration of conformity has not been drawn up correctly;
(e) the identification number of the notified body, which is involved in the conformity assessment procedure, where applicable, has not been affixed;
The Commission and the Member States shall encourage and facilitate the drawing up of codes of conduct intended to foster the voluntary application to AI systems other than high-risk AI systems of the requirements set out in Title III, Chapter 2 on the basis of technical specifications and solutions that are appropriate means of ensuring compliance with such requirements in light of the intended purpose of the systems.
The Commission and the Board shall encourage and facilitate the drawing up of codes of conduct intended to foster the voluntary application to AI systems of requirements related for example to environmental sustainability, accessibility for persons with a disability, stakeholders participation in the design and development of the AI systems and diversity of development teams on the basis of clear objectives and key performance indicators to measure the achievement of those objectives.
Codes of conduct may be drawn up by individual providers of AI systems or by organisations representing them or by both, including with the involvement of users and any interested stakeholders and their representative organisations. Codes of conduct may cover one or more AI systems taking into account the similarity of the intended purpose of the relevant systems.
The Commission and the Board shall take into account the specific interests and needs of the small-scale providers and start-ups when encouraging and facilitating the drawing up of codes of conduct.
(a) intellectual property rights, and confidential business information or trade secrets of a natural or legal person, including source code, except the cases referred to in Article 5 of Directive 2016/943 on the protection of undisclosed know-how and business information (trade secrets) against their unlawful acquisition, use and disclosure apply.
(b) the effective implementation of this Regulation, in particular for the purpose of inspections, investigations or audits;(c) public and national security interests;
(c) integrity of criminal or administrative proceedings.
When the law enforcement, immigration or asylum authorities are providers of high-risk AI systems referred to in points 1, 6 and 7 of Annex III, the technical documentation referred to in Annex IV shall remain within the premises of those authorities. Those authorities shall ensure that the market surveillance authorities referred to in Article 63(5) and (6), as applicable, can, upon request, immediately access the documentation or obtain a copy thereof. Only staff of the market surveillance authority holding the appropriate level of security clearance shall be allowed to access that documentation or any copy thereof.
Paragraphs 1 and 2 shall not affect the rights and obligations of the Commission, Member States and notified bodies with regard to the exchange of information and the dissemination of warnings, nor the obligations of the parties concerned to provide information under criminal law of the Member States.
The Commission and Member States may exchange, where necessary, confidential information with regulatory authorities of third countries with which they have concluded bilateral or multilateral confidentiality arrangements guaranteeing an adequate level of confidentiality.
In compliance with the terms and conditions laid down in this Regulation, Member States shall lay down the rules on penalties, including administrative fines, applicable to infringements of this Regulation and shall take all measures necessary to ensure that they are properly and effectively implemented. The penalties provided for shall be effective, proportionate, and dissuasive. They shall take into particular account the interests of small-scale providers and start-up and their economic viability.
The Member States shall notify the Commission of those rules and of those measures and shall notify it, without delay, of any subsequent amendment affecting them.
The following infringements shall be subject to administrative fines of up to 30 000 000 EUR or, if the offender is company, up to 6 % of its total worldwide annual turnover for the preceding financial year, whichever is higher:
(a) non-compliance with the prohibition of the artificial intelligence practices referred to in Article 5;
(b) non-compliance of the AI system with the requirements laid down in Article 10.
The non-compliance of the AI system with any requirements or obligations under this Regulation, other than those laid down in Articles 5 and 10, shall be subject to administrative fines of up to 20 000 000 EUR or, if the offender is a company, up to 4 % of its total worldwide annual turnover for the preceding financial year, whichever is higher.
The supply of incorrect, incomplete or misleading information to notified bodies and national competent authorities in reply to a request shall be subject to administrative fines of up to 10 000 000 EUR or, if the offender is a company, up to 2 % of its total worldwide annual turnover for the preceding financial year, whichever is higher.
When deciding on the amount of the administrative fine in each individual case, all relevant circumstances of the specific situation shall be taken into account and due regard shall be given to the following:
(a) the nature, gravity and duration of the infringement and of its consequences;
(b) whether administrative fines have been already applied by other market surveillance authorities to the same operator for the same infringement.
(c) the size and market share of the operator committing the infringement;
Each Member State shall lay down rules on whether and to what extent administrative fines may be imposed on public authorities and bodies established in that Member State.
Depending on the legal system of the Member States, the rules on administrative fines may be applied in such a manner that the fines are imposed by competent national courts of other bodies as applicable in those Member States. The application of such rules in those Member States shall have an equivalent effect.
(a) the nature, gravity and duration of the infringement and of its consequences;
(b) the cooperation with the European Data Protection Supervisor in order to remedy the infringement and mitigate the possible adverse effects of the infringement, including compliance with any of the measures previously ordered by the European Data Protection Supervisor against the Union institution or agency or body concerned with regard to the same subject matter;
(c) any similar previous infringements by the Union institution, agency or body;
(a) non-compliance with the prohibition of the artificial intelligence practices referred to in Article 5;
(b) non-compliance of the AI system with the requirements laid down in Article 10.
The non-compliance of the AI system with any requirements or obligations under this Regulation, other than those laid down in Articles 5 and 10, shall be subject to administrative fines of up to 250 000 EUR.
Before taking decisions pursuant to this Article, the European Data Protection Supervisor shall give the Union institution, agency or body which is the subject of the proceedings conducted by the European Data Protection Supervisor the opportunity of being heard on the matter regarding the possible infringement. The European Data Protection Supervisor shall base his or her decisions only on elements and circumstances on which the parties concerned have been able to comment. Complainants, if any, shall be associated closely with the proceedings.
The rights of defense of the parties concerned shall be fully respected in the proceedings. They shall be entitled to have access to the European Data Protection Supervisor’s file, subject to the legitimate interest of individuals or undertakings in the protection of their personal data or business secrets.
Funds collected by imposition of fines in this Article shall be the income of the general budget of the Union.
The power to adopt delegated acts is conferred on the Commission subject to the conditions laid down in this Article.
The delegation of power referred to in Article 4, Article 7(1), Article 11(3), Article 43(5) and (6) and Article 48(5) shall be conferred on the Commission for an indeterminate period of time from [entering into force of the Regulation].
The delegation of power referred to in Article 4, Article 7(1), Article 11(3), Article 43(5) and (6) and Article 48(5) may be revoked at any time by the European Parliament or by the Council. A decision of revocation shall put an end to the delegation of power specified in that decision. It shall take effect the day following that of its publication in the Official Journal of the European Union or at a later date specified therein. It shall not affect the validity of any delegated acts already in force.
As soon as it adopts a delegated act, the Commission shall notify it simultaneously to the European Parliament and to the Council.
Any delegated act adopted pursuant to Article 4, Article 7(1), Article 11(3), Article 43(5) and (6) and Article 48(5) shall enter into force only if no objection has been expressed by either the European Parliament or the Council within a period of three months of notification of that act to the European Parliament and the Council or if, before the expiry of that period, the European Parliament and the Council have both informed the Commission that they will not object. That period shall be extended by three months at the initiative of the European Parliament or of the Council.
The Commission shall be assisted by a committee. That committee shall be a committee within the meaning of Regulation (EU) No 182/2011.
Where reference is made to this paragraph, Article 5 of Regulation (EU) No 182/2011 shall apply.
In Article 4(3) of Regulation (EC) No 300/2008, the following subparagraph is added:
“When adopting detailed measures related to technical specifications and procedures for approval and use of security equipment concerning Artificial Intelligence systems in the meaning of Regulation (EU) YYY/XX [on Artificial Intelligence] of the European Parliament and of the Council*, the requirements set out in Chapter 2, Title III of that Regulation shall be taken into account.”
__________
* Regulation (EU) YYY/XX [on Artificial Intelligence] (OJ …).”
In Article 17(5) of Regulation (EU) No 167/2013, the following subparagraph is added:
“When adopting delegated acts pursuant to the first subparagraph concerning artificial intelligence systems which are safety components in the meaning of Regulation (EU) YYY/XX [on Artificial Intelligence] of the European Parliament and of the Council*, the requirements set out in Title III, Chapter 2 of that Regulation shall be taken into account.
__________
* Regulation (EU) YYY/XX [on Artificial Intelligence] (OJ …).”
In Article 22(5) of Regulation (EU) No 168/2013, the following subparagraph is added:
“When adopting delegated acts pursuant to the first subparagraph concerning Artificial Intelligence systems which are safety components in the meaning of Regulation (EU) YYY/XX on [Artificial Intelligence] of the European Parliament and of the Council*, the requirements set out in Title III, Chapter 2 of that Regulation shall be taken into account.
__________
* Regulation (EU) YYY/XX [on Artificial Intelligence] (OJ …).”
In Article 8 of Directive 2014/90/EU, the following paragraph is added:
“4. For Artificial Intelligence systemswhich are safety components in the meaning of Regulation (EU) YYY/XX [on Artificial Intelligence] of the European Parliament and of the Council*, when carrying out its activities pursuant to paragraph 1 and when adopting technical specifications and testing standards in accordance with paragraphs 2 and 3, the Commission shall take into account the requirements set out in Title III, Chapter 2 of that Regulation.
__________
* Regulation (EU) YYY/XX [on Artificial Intelligence] (OJ …).“.
In Article 5 of Directive (EU) 2016/797, the following paragraph is added:
“12. When adopting delegated acts pursuant to paragraph 1 and implementing acts pursuant to paragraph 11 concerning Artificial Intelligence systemswhich are safety components in the meaning of Regulation (EU) YYY/XX [on Artificial Intelligence] of the European Parliament and of the Council*, the requirements set out in Title III, Chapter 2 of that Regulation shall be taken into account.
__________
* Regulation (EU) YYY/XX [on Artificial Intelligence] (OJ …).“.
In Article 5 of Regulation (EU) 2018/858 the following paragraph is added:
“4. When adopting delegated acts pursuant to paragraph 3 concerning Artificial Intelligence systems which are safety components in the meaning of Regulation (EU) YYY/XX [on Artificial Intelligence] of the European Parliament and of the Council *, the requirements set out in Title III, Chapter 2 of that Regulation shall be taken into account.
__________
* Regulation (EU) YYY/XX [on Artificial Intelligence] (OJ …).“.
Regulation (EU) 2018/1139 is amended as follows:
“3. Without prejudice to paragraph 2, when adopting implementing acts pursuant to paragraph 1 concerning Artificial Intelligence systems which are safety components in the meaning of Regulation (EU) YYY/XX [on Artificial Intelligence] of the European Parliament and of the Council*, the requirements set out in Title III, Chapter 2 of that Regulation shall be taken into account.
__________
* Regulation (EU) YYY/XX [on Artificial Intelligence] (OJ …).”
“4. When adopting delegated acts pursuant to paragraphs 1 and 2 concerning Artificial Intelligence systems which are safety components in the meaning of Regulation (EU) YYY/XX [on Artificial Intelligence], the requirements set out in Title III, Chapter 2 of that Regulation shall be taken into account.”
“4. When adopting implementing acts pursuant to paragraph 1 concerning Artificial Intelligence systems which are safety components in the meaning of Regulation (EU) YYY/XX [on Artificial Intelligence], the requirements set out in Title III, Chapter 2 of that Regulation shall be taken into account.”
“3. When adopting delegated acts pursuant to paragraphs 1 and 2 concerning Artificial Intelligence systems which are safety components in the meaning of Regulation (EU) YYY/XX [on Artificial Intelligence], the requirements set out in Title III, Chapter 2 of that Regulation shall be taken into account.”
“When adopting those implementing acts concerning Artificial Intelligence systems which are safety components in the meaning of Regulation (EU) YYY/XX [on Artificial Intelligence], the requirements set out in Title III, Chapter 2 of that Regulation shall be taken into account.”
“3. When adopting delegated acts pursuant to paragraphs 1 and 2 concerning Artificial Intelligence systems which are safety components in the meaning of Regulation (EU) YYY/XX [on Artificial Intelligence] , the requirements set out in Title III, Chapter 2 of that Regulation shall be taken into account.”.
In Article 11 of Regulation (EU) 2019/2144, the following paragraph is added:
“3. When adopting the implementing acts pursuant to paragraph 2, concerning artificial intelligence systems which are safety components in the meaning of Regulation (EU) YYY/XX [on Artificial Intelligence] of the European Parliament and of the Council*, the requirements set out in Title III, Chapter 2 of that Regulation shall be taken into account.
__________
* Regulation (EU) YYY/XX [on Artificial Intelligence] (OJ …).“.
The requirements laid down in this Regulation shall be taken into account, where applicable, in the evaluation of each large-scale IT systems established by the legal acts listed in Annex IX to be undertaken as provided for in those respective acts.
The Commission shall assess the need for amendment of the list in Annex III once a year following the entry into force of this Regulation.
By [three years after the date of application of this Regulation referred to in Article 85(2)] and every four years thereafter, the Commission shall submit a report on the evaluation and review of this Regulation to the European Parliament and to the Council. The reports shall be made public.
The reports referred to in paragraph 2 shall devote specific attention to the following:
(a) the status of the financial and human resources of the national competent authorities in order to effectively perform the tasks assigned to them under this Regulation;
(b) the state of penalties, and notably administrative fines as referred to in Article 71(1), applied by Member States to infringements of the provisions of this Regulation.
Within [three years after the date of application of this Regulation referred to in Article 85(2)] and every four years thereafter, the Commission shall evaluate the impact and effectiveness of codes of conduct to foster the application of the requirements set out in Title III, Chapter 2 and possibly other additional requirements for AI systems other than high-risk AI systems.
For the purpose of paragraphs 1 to 4 the Board, the Member States and national competent authorities shall provide the Commission with information on its request.
In carrying out the evaluations and reviews referred to in paragraphs 1 to 4 the Commission shall take into account the positions and findings of the Board, of the European Parliament, of the Council, and of other relevant bodies or sources.
The Commission shall, if necessary, submit appropriate proposals to amend this Regulation, in particular taking into account developments in technology and in the light of the state of progress in the information society.
This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.
This Regulation shall apply from [24 months following the entering into force of the Regulation].
By way of derogation from paragraph 2:
(a) Title III, Chapter 4 and Title VI shall apply from [three months following the entry into force of this Regulation];
(b) Article 71 shall apply from [twelve months following the entry into force of this Regulation].
This Regulation shall be binding in its entirety and directly applicable in all Member States.
Done at Brussels,
For the European Parliament For the Council
The President The President
referred to in Article 3, point 1
(a) Machine learning approaches, including supervised, unsupervised and reinforcement learning, using a wide variety of methods including deep learning;
(b) Logic- and knowledge-based approaches, including knowledge representation, inductive (logic) programming, knowledge bases, inference and deductive engines, (symbolic) reasoning and expert systems;
(c) Statistical approaches, Bayesian estimation, search and optimization methods.
Section A — List of Union harmonisation legislation based on the New Legislative Framework
Directive 2006/42/EC of the European Parliament and of the Council of 17 May 2006 on machinery, and amending Directive 95/16/EC (OJ L 157, 9.6.2006, p. 24) [as repealed by the Machinery Regulation];
Directive 2009/48/EC of the European Parliament and of the Council of 18 June 2009 on the safety of toys (OJ L 170, 30.6.2009, p. 1);
Directive 2013/53/EU of the European Parliament and of the Council of 20 November 2013 on recreational craft and personal watercraft and repealing Directive 94/25/EC (OJ L 354, 28.12.2013, p. 90);
Directive 2014/33/EU of the European Parliament and of the Council of 26 February 2014 on the harmonisation of the laws of the Member States relating to lifts and safety components for lifts (OJ L 96, 29.3.2014, p. 251);
Directive 2014/34/EU of the European Parliament and of the Council of 26 February 2014 on the harmonisation of the laws of the Member States relating to equipment and protective systems intended for use in potentially explosive atmospheres (OJ L 96, 29.3.2014, p. 309);
Directive 2014/53/EU of the European Parliament and of the Council of 16 April 2014 on the harmonisation of the laws of the Member States relating to the making available on the market of radio equipment and repealing Directive 1999/5/EC (OJ L 153, 22.5.2014, p. 62);
Directive 2014/68/EU of the European Parliament and of the Council of 15 May 2014 on the harmonisation of the laws of the Member States relating to the making available on the market of pressure equipment (OJ L 189, 27.6.2014, p. 164);
Regulation (EU) 2016/424 of the European Parliament and of the Council of 9 March 2016 on cableway installations and repealing Directive 2000/9/EC (OJ L 81, 31.3.2016, p. 1);
Regulation (EU) 2016/425 of the European Parliament and of the Council of 9 March 2016 on personal protective equipment and repealing Council Directive 89/686/EEC (OJ L 81, 31.3.2016, p. 51);
Regulation (EU) 2016/426 of the European Parliament and of the Council of 9 March 2016 on appliances burning gaseous fuels and repealing Directive 2009/142/EC (OJ L 81, 31.3.2016, p. 99);
Regulation (EU) 2017/745 of the European Parliament and of the Council of 5 April 2017 on medical devices, amending Directive 2001/83/EC, Regulation (EC) No 178/2002 and Regulation (EC) No 1223/2009 and repealing Council Directives 90/385/EEC and 93/42/EEC (OJ L 117, 5.5.2017, p. 1;
Regulation (EU) 2017/746 of the European Parliament and of the Council of 5 April 2017 on in vitro diagnostic medical devices and repealing Directive 98/79/EC and Commission Decision 2010/227/EU (OJ L 117, 5.5.2017, p. 176).
Section B. List of other Union harmonisation legislation
Regulation (EC) No 300/2008 of the European Parliament and of the Council of 11 March 2008 on common rules in the field of civil aviation security and repealing Regulation (EC) No 2320/2002 (OJ L 97, 9.4.2008, p. 72).
Regulation (EU) No 168/2013 of the European Parliament and of the Council of 15 January 2013 on the approval and market surveillance of two- or three-wheel vehicles and quadricycles (OJ L 60, 2.3.2013, p. 52);
Regulation (EU) No 167/2013 of the European Parliament and of the Council of 5 February 2013 on the approval and market surveillance of agricultural and forestry vehicles (OJ L 60, 2.3.2013, p. 1);
Directive 2014/90/EU of the European Parliament and of the Council of 23 July 2014 on marine equipment and repealing Council Directive 96/98/EC (OJ L 257, 28.8.2014, p. 146);
Directive (EU) 2016/797 of the European Parliament and of the Council of 11 May 2016 on the interoperability of the rail system within the European Union (OJ L 138, 26.5.2016, p. 44).
Regulation (EU) 2018/858 of the European Parliament and of the Council of 30 May 2018 on the approval and market surveillance of motor vehicles and their trailers, and of systems, components and separate technical units intended for such vehicles, amending Regulations (EC) No 715/2007 and (EC) No 595/2009 and repealing Directive 2007/46/EC (OJ L 151, 14.6.2018, p. 1); 3. Regulation (EU) 2019/2144 of the European Parliament and of the Council of 27 November 2019 on type-approval requirements for motor vehicles and their trailers, and systems, components and separate technical units intended for such vehicles, as regards their general safety and the protection of vehicle occupants and vulnerable road users, amending Regulation (EU) 2018/858 of the European Parliament and of the Council and repealing Regulations (EC) No 78/2009, (EC) No 79/2009 and (EC) No 661/2009 of the European Parliament and of the Council and Commission Regulations (EC) No 631/2009, (EU) No 406/2010, (EU) No 672/2010, (EU) No 1003/2010, (EU) No 1005/2010, (EU) No 1008/2010, (EU) No 1009/2010, (EU) No 19/2011, (EU) No 109/2011, (EU) No 458/2011, (EU) No 65/2012, (EU) No 130/2012, (EU) No 347/2012, (EU) No 351/2012, (EU) No 1230/2012 and (EU) 2015/166 (OJ L 325, 16.12.2019, p. 1);
Regulation (EU) 2018/1139 of the European Parliament and of the Council of 4 July 2018 on common rules in the field of civil aviation and establishing a European Union Aviation Safety Agency, and amending Regulations (EC) No 2111/2005, (EC) No 1008/2008, (EU) No 996/2010, (EU) No 376/2014 and Directives 2014/30/EU and 2014/53/EU of the European Parliament and of the Council, and repealing Regulations (EC) No 552/2004 and (EC) No 216/2008 of the European Parliament and of the Council and Council Regulation (EEC) No 3922/91 (OJ L 212, 22.8.2018, p. 1), in so far as the design, production and placing on the market of aircrafts referred to in points (a) and (b) of Article 2(1) thereof, where it concerns unmanned aircraft and their engines, propellers, parts and equipment to control them remotely, are concerned.
High-risk AI systems pursuant to Article 6(2) are the AI systems listed in any of the following areas:
(a) AI systems intended to be used for the purpose of determining access or assigning natural persons to educational and vocational training institutions;
(b) AI systems intended to be used for the purpose of assessing students in educational and vocational training institutions and for assessing participants in tests commonly required for admission to educational institutions.
(a) AI systems intended to be used for recruitment or selection of natural persons, notably for advertising vacancies, screening or filtering applications, evaluating candidates in the course of interviews or tests;
(b) AI intended to be used for making decisions on promotion and termination of work-related contractual relationships, for task allocation and for monitoring and evaluating performance and behavior of persons in such relationships.
(a) AI systems intended to be used by public authorities or on behalf of public authorities to evaluate the eligibility of natural persons for public assistance benefits and services, as well as to grant, reduce, revoke, or reclaim such benefits and services;
(b) AI systems intended to be used to evaluate the creditworthiness of natural persons or establish their credit score, with the exception of AI systems put into service by small scale providers for their own use;
(c) AI systems intended to be used to dispatch, or to establish priority in the dispatching of emergency first response services, including by firefighters and medical aid.
(a) AI systems intended to be used by law enforcement authorities for making individual risk assessments of natural persons in order to assess the risk of a natural person for offending or reoffending or the risk for potential victims of criminal offences;
(b) AI systems intended to be used by law enforcement authorities as polygraphs and similar tools or to detect the emotional state of a natural person;
(c) AI systems intended to be used by law enforcement authorities to detect deep fakes as referred to in article 52(3);
(d) AI systems intended to be used by law enforcement authorities for evaluation of the reliability of evidence in the course of investigation or prosecution of criminal offences;
(e) AI systems intended to be used by law enforcement authorities for predicting the occurrence or reoccurrence of an actual or potential criminal offence based on profiling of natural persons as referred to in Article 3(4) of Directive (EU) 2016/680 or assessing personality traits and characteristics or past criminal behaviour of natural persons or groups;
(f) AI systems intended to be used by law enforcement authorities for profiling of natural persons as referred to in Article 3(4) of Directive (EU) 2016/680 in the course of detection, investigation or prosecution of criminal offences;
(g) AI systems intended to be used for crime analytics regarding natural persons, allowing law enforcement authorities to search complex related and unrelated large data sets available in different data sources or in different data formats in order to identify unknown patterns or discover hidden relationships in the data.
(a) AI systems intended to be used by competent public authorities as polygraphs and similar tools or to detect the emotional state of a natural person;
(b) AI systems intended to be used by competent public authorities to assess a risk, including a security risk, a risk of irregular immigration, or a health risk, posed by a natural person who intends to enter or has entered into the territory of a Member State;
(c) AI systems intended to be used by competent public authorities for the verification of the authenticity of travel documents and supporting documentation of natural persons and detect non-authentic documents by checking their security features;
(d) AI systems intended to assist competent public authorities for the examination of applications for asylum, visa and residence permits and associated complaints with regard to the eligibility of the natural persons applying for a status.
The technical documentation referred to in Article 11(1) shall contain at least the following information, as applicable to the relevant AI system:
(a) its intended purpose, the person/s developing the system the date and the version of the system;
(b) how the AI system interacts or can be used to interact with hardware or software that is not part of the AI system itself, where applicable;
(c) the versions of relevant software or firmware and any requirement related to version update;
(d) the description of all forms in which the AI system is placed on the market or put into service;
(e) the description of hardware on which the AI system is intended to run;
(f) where the AI system is a component of products, photographs or illustrations showing external features, marking and internal layout of those products;
(g) instructions of use for the user and, where applicable installation instructions;
(a) the methods and steps performed for the development of the AI system, including, where relevant, recourse to pre-trained systems or tools provided by third parties and how these have been used, integrated or modified by the provider;
(b) the design specifications of the system, namely the general logic of the AI system and of the algorithms; the key design choices including the rationale and assumptions made, also with regard to persons or groups of persons on which the system is intended to be used; the main classification choices; what the system is designed to optimise for and the relevance of the different parameters; the decisions about any possible trade-off made regarding the technical solutions adopted to comply with the requirements set out in Title III, Chapter 2;
(c) the description of the system architecture explaining how software components build on or feed into each other and integrate into the overall processing; the computational resources used to develop, train, test and validate the AI system;
(d) where relevant, the data requirements in terms of datasheets describing the training methodologies and techniques and the training data sets used, including information about the provenance of those data sets, their scope and main characteristics; how the data was obtained and selected; labelling procedures (e.g. for supervised learning), data cleaning methodologies (e.g. outliers detection);
(e) assessment of the human oversight measures needed in accordance with Article 14, including an assessment of the technical measures needed to facilitate the interpretation of the outputs of AI systems by the users, in accordance with Articles 13(3)(d);
(f) where applicable, a detailed description of pre-determined changes to the AI system and its performance, together with all the relevant information related to the technical solutions adopted to ensure continuous compliance of the AI system with the relevant requirements set out in Title III, Chapter 2;
(g) the validation and testing procedures used, including information about the validation and testing data used and their main characteristics; metrics used to measure accuracy, robustness, cybersecurity and compliance with other relevant requirements set out in Title III, Chapter 2 as well as potentially discriminatory impacts; test logs and all test reports dated and signed by the responsible persons, including with regard to pre-determined changes as referred to under point (f).
Detailed information about the monitoring, functioning and control of the AI system, in particular with regard to: its capabilities and limitations in performance, including the degrees of accuracy for specific persons or groups of persons on which the system is intended to be used and the overall expected level of accuracy in relation to its intended purpose; the foreseeable unintended outcomes and sources of risks to health and safety, fundamental rights and discrimination in view of the intended purpose of the AI system; the human oversight measures needed in accordance with Article 14, including the technical measures put in place to facilitate the interpretation of the outputs of AI systems by the users; specifications on input data, as appropriate;
A detailed description of the risk management system in accordance with Article 9;
A description of any change made to the system through its lifecycle;
A list of the harmonised standards applied in full or in part the references of which have been published in the Official Journal of the European Union; where no such harmonised standards have been applied, a detailed description of the solutions adopted to meet the requirements set out in Title III, Chapter 2, including a list of other relevant standards and technical specifications applied;
A copy of the EU declaration of conformity;
A detailed description of the system in place to evaluate the AI system performance in the post-market phase in accordance with Article 61, including the post-market monitoring plan referred to in Article 61(3).
The EU declaration of conformity referred to in Article 48, shall contain all of the following information:
AI system name and type and any additional unambiguous reference allowing identification and traceability of the AI system;
Name and address of the provider or, where applicable, their authorised representative;
A statement that the EU declaration of conformity is issued under the sole responsibility of the provider;
A statement that the AI system in question is in conformity with this Regulation and, if applicable, with any other relevant Union legislation that provides for the issuing of an EU declaration of conformity;
References to any relevant harmonised standards used or any other common specification in relation to which conformity is declared;
Where applicable, the name and identification number of the notified body, a description of the conformity assessment procedure performed and identification of the certificate issued;
Place and date of issue of the declaration, name and function of the person who signed it as well as an indication for, and on behalf of whom, that person signed, signature.
The conformity assessment procedure based on internal control is the conformity assessment procedure based on points 2 to 4.
The provider verifies that the established quality management system is in compliance with the requirements of Article 17.
The provider examines the information contained in the technical documentation in order to assess the compliance of the AI system with the relevant essential requirements set out in Title III, Chapter 2.
The provider also verifies that the design and development process of the AI system and its post-market monitoring as referred to in Article 61 is consistent with the technical documentation.
Conformity based on assessment of quality management system and assessment of the technical documentation is the conformity assessment procedure based on points 2 to 5.
The approved quality management system for the design, development and testing of AI systems pursuant to Article 17 shall be examined in accordance with point 3 and shall be subject to surveillance as specified in point 5. The technical documentation of the AI system shall be examined in accordance with point 4.
3.1. The application of the provider shall include:
(a) the name and address of the provider and, if the application is lodged by the authorised representative, their name and address as well;
(b) the list of AI systems covered under the same quality management system;
(c) the technical documentation for each AI system covered under the same quality management system;
(d) the documentation concerning the quality management system which shall cover all the aspects listed under Article 17;
(e) a description of the procedures in place to ensure that the quality management system remains adequate and effective;
(f) a written declaration that the same application has not been lodged with any other notified body.
3.2. The quality management system shall be assessed by the notified body, which shall determine whether it satisfies the requirements referred to in Article 17.
The decision shall be notified to the provider or its authorised representative.
The notification shall contain the conclusions of the assessment of the quality management system and the reasoned assessment decision.
3.3. The quality management system as approved shall continue to be implemented and maintained by the provider so that it remains adequate and efficient.
3.4. Any intended change to the approved quality management system or the list of AI systems covered by the latter shall be brought to the attention of the notified body by the provider.
The proposed changes shall be examined by the notified body, which shall decide whether the modified quality management system continues to satisfy the requirements referred to in point 3.2 or whether a reassessment is necessary.
The notified body shall notify the provider of its decision. The notification shall contain the conclusions of the examination of the changes and the reasoned assessment decision.
4.1. In addition to the application referred to in point 3, an application with a notified body of their choice shall be lodged by the provider for the assessment of the technical documentation relating to the AI system which the provider intends to place on the market or put into service and which is covered by the quality management system referred to under point 3.
4.2. The application shall include:
(a) the name and address of the provider;
(b) a written declaration that the same application has not been lodged with any other notified body;
(c) the technical documentation referred to in Annex IV.
4.3. The technical documentation shall be examined by the notified body. To this purpose, the notified body shall be granted full access to the training and testing datasets used by the provider, including through application programming interfaces (API) or other appropriate means and tools enabling remote access.
4.4. In examining the technical documentation, the notified body may require that the provider supplies further evidence or carries out further tests so as to enable a proper assessment of conformity of the AI system with the requirements set out in Title III, Chapter 2. Whenever the notified body is not satisfied with the tests carried out by the provider, the notified body shall directly carry out adequate tests, as appropriate.
4.5. Where necessary to assess the conformity of the high-risk AI system with the requirements set out in Title III, Chapter 2 and upon a reasoned request, the notified body shall also be granted access to the source code of the AI system.
4.6. The decision shall be notified to the provider or its authorised representative. The notification shall contain the conclusions of the assessment of the technical documentation and the reasoned assessment decision.
Where the AI system is in conformity with the requirements set out in Title III, Chapter 2, an EU technical documentation assessment certificate shall be issued by the notified body. The certificate shall indicate the name and address of the provider, the conclusions of the examination, the conditions (if any) for its validity and the data necessary for the identification of the AI system.
The certificate and its annexes shall contain all relevant information to allow the conformity of the AI system to be evaluated, and to allow for control of the AI system while in use, where applicable.
Where the AI system is not in conformity with the requirements set out in Title III, Chapter 2, the notified body shall refuse to issue an EU technical documentation assessment certificate and shall inform the applicant accordingly, giving detailed reasons for its refusal.
Where the AI system does not meet the requirement relating to the data used to train it, re-training of the AI system will be needed prior to the application for a new conformity assessment. In this case, the reasoned assessment decision of the notified body refusing to issue the EU technical documentation assessment certificate shall contain specific considerations on the quality data used to train the AI system, notably on the reasons for non-compliance.
4.7. Any change to the AI system that could affect the compliance of the AI system with the requirements or its intended purpose shall be approved by the notified body which issued the EU technical documentation assessment certificate. The provider shall inform such notified body of its intention to introduce any of the above-mentioned changes or if it becomes otherwise aware of the occurrence of such changes. The intended changes shall be assessed by the notified body which shall decide whether those changes require a new conformity assessment in accordance with Article 43(4) or whether they could be addressed by means of a supplement to the EU technical documentation assessment certificate. In the latter case, the notified body shall assess the changes, notify the provider of its decision and, where the changes are approved, issue to the provider a supplement to the EU technical documentation assessment certificate.
5.1. The purpose of the surveillance carried out by the notified body referred to in Point 3 is to make sure that the provider duly fulfils the terms and conditions of the approved quality management system.
5.2. For assessment purposes, the provider shall allow the notified body to access the premises where the design, development, testing of the AI systems is taking place. The provider shall further share with the notified body all necessary information.
5.3. The notified body shall carry out periodic audits to make sure that the provider maintains and applies the quality management system and shall provide the provider with an audit report. In the context of those audits, the notified body may carry out additional tests of the AI systems for which an EU technical documentation assessment certificate was issued.
The following information shall be provided and thereafter kept up to date with regard to high-risk AI systems to be registered in accordance with Article 51.
Name, address and contact details of the provider;
Where submission of information is carried out by another person on behalf of the provider, the name, address and contact details of that person;
Name, address and contact details of the authorised representative, where applicable;
AI system trade name and any additional unambiguous reference allowing identification and traceability of the AI system;
Description of the intended purpose of the AI system;
Status of the AI system (on the market, or in service; no longer placed on the market/in service, recalled);
Type, number and expiry date of the certificate issued by the notified body and the name or identification number of that notified body, when applicable;
A scanned copy of the certificate referred to in point 7, when applicable;
Member States in which the AI system is or has been placed on the market, put into service or made available in the Union;
A copy of the EU declaration of conformity referred to in Article 48;
Electronic instructions for use; this information shall not be provided for high-risk AI systems in the areas of law enforcement and migration, asylum and border control management referred to in Annex III, points 1, 6 and 7.
URL for additional information (optional).
(a) Regulation (EU) 2018/1860 of the European Parliament and of the Council of 28 November 2018 on the use of the Schengen Information System for the return of illegally staying third-country nationals (OJ L 312, 7.12.2018, p. 1).
(b) Regulation (EU) 2018/1861 of the European Parliament and of the Council of 28 November 2018 on the establishment, operation and use of the Schengen Information System (SIS) in the field of border checks, and amending the Convention implementing the Schengen Agreement, and amending and repealing Regulation (EC) No 1987/2006 (OJ L 312, 7.12.2018, p. 14)
(c) Regulation (EU) 2018/1862 of the European Parliament and of the Council of 28 November 2018 on the establishment, operation and use of the Schengen Information System (SIS) in the field of police cooperation and judicial cooperation in criminal matters, amending and repealing Council Decision 2007/533/JHA, and repealing Regulation (EC) No 1986/2006 of the European Parliament and of the Council and Commission Decision 2010/261/EU (OJ L 312, 7.12.2018, p. 56).
(a) Regulation (EU) 2018/1240 of the European Parliament and of the Council of 12 September 2018 establishing a European Travel Information and Authorisation System (ETIAS) and amending Regulations (EU) No 1077/2011, (EU) No 515/2014, (EU) 2016/399, (EU) 2016/1624 and (EU) 2017/2226 (OJ L 236, 19.9.2018, p. 1).
(b) Regulation (EU) 2018/1241 of the European Parliament and of the Council of 12 September 2018 amending Regulation (EU) 2016/794 for the purpose of establishing a European Travel Information and Authorisation System (ETIAS) (OJ L 236, 19.9.2018, p. 72).
(a) Regulation (EU) 2019/817 of the European Parliament and of the Council of 20 May 2019 on establishing a framework for interoperability between EU information systems in the field of borders and visa (OJ L 135, 22.5.2019, p. 27).
(b) Regulation (EU) 2019/818 of the European Parliament and of the Council of 20 May 2019 on establishing a framework for interoperability between EU information systems in the field of police and judicial cooperation, asylum and migration (OJ L 135, 22.5.2019, p. 85).
REGULATION (EU) 2022/1925 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 14 September 2022
on contestable and fair markets in the digital sector and amending Directives (EU) 2019/1937 and (EU) 2020/1828 (Digital Markets Act) (Text with EEA relevance)
THE EUROPEAN PARLIAMENT AND THE COUNCIL OF THE EUROPEAN UNION, Having regard to the Treaty on the Functioning of the European Union, and in particular Article 114 thereof, Having regard to the proposal from the European Commission, After transmission of the draft legislative act to the national parliaments, Having regard to the opinion of the European Economic and Social Committee [^1], Having regard to the opinion of the Committee of the Regions [^2], Acting in accordance with the ordinary legislative procedure [^3], Whereas:
Digital services in general and online platforms in particular play an increasingly important role in the economy, in particular in the internal market, by enabling businesses to reach users throughout the Union, by facilitating cross-border trade and by opening entirely new business opportunities to a large number of companies in the Union to the benefit of consumers in the Union.
At the same time, among those digital services, core platform services feature a number of characteristics that can be exploited by the undertakings providing them. An example of such characteristics of core platform services is extreme scale economies, which often result from nearly zero marginal costs to add business users or end users. Other such characteristics of core platform services are very strong network effects, an ability to connect many business users with many end users through the multisidedness of these services, a significant degree of dependence of both business users and end users, lock-in effects, a lack of multi-homing for the same purpose by end users, vertical integration, and data driven-advantages. All these characteristics, combined with unfair practices by undertakings providing the core platform services, can have the effect of substantially undermining the contestability of the core platform services, as well as impacting the fairness of the commercial relationship between undertakings providing such services and their business users and end users. In practice, this leads to rapid and potentially far-reaching decreases in business users’ and end users’ choice, and therefore can confer on the provider of those services the position of a so-called gatekeeper. At the same time, it should be recognised that services which act in a non-commercial purpose capacity such as collaborative projects should not be considered as core platform services for the purpose of this Regulation.
A small number of large undertakings providing core platform services have emerged with considerable economic power that could qualify them to be designated as gatekeepers pursuant to this Regulation. Typically, they feature an ability to connect many business users with many end users through their services, which, in turn, enables them to leverage their advantages, such as their access to large amounts of data, from one area of activity to another. Some of those undertakings exercise control over whole platform ecosystems in the digital economy and are structurally extremely difficult to challenge or contest by existing or new market operators, irrespective of how innovative and efficient those market operators may be. Contestability is reduced in particular due to the existence of very high barriers to entry or exit, including high investment costs, which cannot, or not easily, be recuperated in case of exit, and the absence of, or reduced access to, some key inputs in the digital economy, such as data. As a result, the likelihood increases that the underlying markets do not function well, or will soon fail to function well.
The combination of those features of gatekeeper is likely to lead, in many cases, to serious imbalances in bargaining power and, consequently, to unfair practices and conditions for business users, as well as for end users of core platform services provided by gatekeepers, to the detriment of prices, quality, fair competition, choice and innovation in the digital sector.
It follows that the market processes are often incapable of ensuring fair economic outcomes with regard to core platform services. Although Articles 101 and 102 of the Treaty on the Functioning of the European Union (TFEU) apply to the conduct of gatekeepers, the scope of those provisions is limited to certain instances of market power, for example dominance on specific markets and of anti-competitive behaviour, and enforcement occurs ex post and requires an extensive investigation of often very complex facts on a case by case basis. Moreover, existing Union law does not address, or does not address effectively, the challenges to the effective functioning of the internal market posed by the conduct of gatekeepers that are not necessarily dominant in competition-law terms.
Gatekeepers have a significant impact on the internal market, providing gateways for a large number of business users to reach end users everywhere in the Union and on different markets. The adverse impact of unfair practices on the internal market and the particularly weak contestability of core platform services, including the negative societal and economic implications of such unfair practices, have led national legislators and sectoral regulators to act. A number of regulatory solutions have already been adopted at national level or proposed to address unfair practices and the contestability of digital services or at least with regard to some of them. This has created divergent regulatory solutions which results in the fragmentation of the internal market, thus raising the risk of increased compliance costs due to different sets of national regulatory requirements.
Therefore, the purpose of this Regulation is to contribute to the proper functioning of the internal market by laying down rules to ensure contestability and fairness for the markets in the digital sector in general, and for business users and end users of core platform services provided by gatekeepers in particular. Business users and end users of core platform services provided by gatekeepers should be afforded appropriate regulatory safeguards throughout the Union against the unfair practices of gatekeepers, in order to facilitate cross-border business within the Union and thereby improve the proper functioning of the internal market, and to eliminate existing or likely emerging fragmentation in the specific areas covered by this Regulation. Moreover, while gatekeepers tend to adopt global or at least pan-European business models and algorithmic structures, they can adopt, and in some cases have adopted, different business conditions and practices in different Member States, which is liable to create disparities between the competitive conditions for the users of core platform services provided by gatekeepers, to the detriment of integration of the internal market.
By approximating diverging national laws, it is possible to eliminate obstacles to the freedom to provide and receive services, including retail services, within the internal market. A targeted set of harmonised legal obligations should therefore be established at Union level to ensure contestable and fair digital markets featuring the presence of gatekeepers within the internal market to the benefit of the Union’s economy as a whole and ultimately of the Union’s consumers.
Fragmentation of the internal market can only effectively be averted if Member States are prevented from applying national rules which are within the scope of and pursue the same objectives as this Regulation. That does not preclude the possibility of applying to gatekeepers within the meaning of this Regulation other national rules which pursue other legitimate public interest objectives as set out in the TFEU or which pursue overriding reasons of public interest as recognised by the case law of the Court of Justice of the European Union (‘the Court of Justice’).
At the same time, since this Regulation aims to complement the enforcement of competition law, it should apply without prejudice to Articles 101 and 102 TFEU, to the corresponding national competition rules and to other national competition rules regarding unilateral conduct that are based on an individualised assessment of market positions and behaviour, including its actual or potential effects and the precise scope of the prohibited behaviour, and which provide for the possibility of undertakings to make efficiency and objective justification arguments for the behaviour in question, and to national rules concerning merger control. However, the application of those rules should not affect the obligations imposed on gatekeepers under this Regulation and their uniform and effective application in the internal market.
Articles 101 and 102 TFEU and the corresponding national competition rules concerning anticompetitive multilateral and unilateral conduct as well as merger control have as their objective the protection of undistorted competition on the market. This Regulation pursues an objective that is complementary to, but different from that of protecting undistorted competition on any given market, as defined in competition-law terms, which is to ensure that markets where gatekeepers are present are and remain contestable and fair, independently from the actual, potential or presumed effects of the conduct of a given gatekeeper covered by this Regulation on competition on a given market. This Regulation therefore aims to protect a different legal interest from that protected by those rules and it should apply without prejudice to their application.
This Regulation should also apply without prejudice to the rules resulting from other acts of Union law regulating certain aspects of the provision of services covered by this Regulation, in particular Regulations (EU) 2016/679 [^4] and (EU) 2019/1150 [^5] of the European Parliament and of the Council and a Regulation on a single market for digital services, and Directives 2002/58/EC [^6], 2005/29/EC [^7], 2010/13/EU [^8], (EU) 2015/2366 [^9], (EU) 2019/790 [^10] and (EU) 2019/882 [^11] of the European Parliament and of the Council, and Council Directive 93/13/EEC [^12], as well as national rules aimed at enforcing or implementing those Union legal acts.
Weak contestability and unfair practices in the digital sector are more frequent and pronounced for certain digital services than for others. This is the case in particular for widespread and commonly used digital services that mostly directly intermediate between business users and end users and where features such as extreme scale economies, very strong network effects, an ability to connect many business users with many end users through the multisidedness of these services, lock-in effects, a lack of multi-homing or vertical integration are the most prevalent. Often, there is only one or very few large undertakings providing those digital services. Those undertakings have emerged most frequently as gatekeepers for business users and end users, with far-reaching impacts. In particular, they have gained the ability to easily set commercial conditions and terms in a unilateral and detrimental manner for their business users and end users. Accordingly, it is necessary to focus only on those digital services that are most broadly used by business users and end users and where concerns about weak contestability and unfair practices by gatekeepers are more apparent and pressing from an internal market perspective.
In particular, online intermediation services, online search engines, operating systems, online social networking, video sharing platform services, number-independent interpersonal communication services, cloud computing services, virtual assistants, web browsers and online advertising services, including advertising intermediation services, all have the capacity to affect a large number of end users and businesses, which entails a risk of unfair business practices. Therefore, they should be included in the definition of core platform services and fall into the scope of this Regulation. Online intermediation services can also be active in the field of financial services, and they can intermediate or be used to provide such services as listed non-exhaustively in Annex II to Directive (EU) 2015/1535 of the European Parliament and of the Council [^13]. For the purposes of this Regulation, the definition of core platform services should be technology neutral and should be understood to encompass those provided on or through various means or devices, such as connected TV or embedded digital services in vehicles. In certain circumstances, the notion of end users should encompass users that are traditionally considered business users, but in a given situation do not use the core platform services to provide goods or services to other end users, such as for example businesses relying on cloud computing services for their own purposes.
The fact that a digital service qualifies as a core platform service does not in itself give rise to sufficiently serious concerns of contestability or unfair practices. It is only when a core platform service constitutes an important gateway and is operated by an undertaking with a significant impact in the internal market and an entrenched and durable position, or by an undertaking that will foreseeably enjoy such a position in the near future, that such concerns arise. Accordingly, the targeted set of harmonised rules in this Regulation should apply only to undertakings designated on the basis of those three objective criteria, and they should only apply to those of their core platform services that individually constitute an important gateway for business users to reach end users. The fact that it is possible that an undertaking providing core platform services not only intermediates between business users and end users, but also between end users and end users, for example in the case of number-independent interpersonal communications services, should not preclude the conclusion that such an undertaking is or could be an important gateway for business users to reach end users.
In order to ensure the effective application of this Regulation to undertakings providing core platform services which are most likely to satisfy those objective requirements, and where unfair practices weakening contestability are most prevalent and have the most impact, the Commission should be able to directly designate as gatekeepers those undertakings providing core platform services which meet certain quantitative thresholds. Such undertakings should in any event be subject to a fast designation process which should start once this Regulation becomes applicable.
The fact that an undertaking has a very significant turnover in the Union and provides a core platform service in at least three Member States constitutes compelling indication that that undertaking has a significant impact on the internal market. This is equally true where an undertaking providing a core platform service in at least three Member States has a very significant market capitalisation or equivalent fair market value. Therefore, an undertaking providing a core platform service should be presumed to have a significant impact on the internal market where it provides a core platform service in at least three Member States and where either its group turnover realised in the Union is equal to or exceeds a specific, high threshold, or the market capitalisation of the group is equal to or exceeds a certain high absolute value. For undertakings providing core platform services that belong to undertakings that are not publicly listed, the equivalent fair market value should be used as the reference. It should be possible for the Commission to use its power to adopt delegated acts to develop an objective methodology to calculate that value. A high group turnover realised in the Union in conjunction with the threshold number of users in the Union of core platform services reflects a relatively strong ability to monetise those users. A high market capitalisation relative to the same threshold number of users in the Union reflects a relatively significant potential to monetise those users in the near future. This monetisation potential in turn reflects, in principle, the gateway position of the undertakings concerned. Both indicators, in addition, reflect the financial capacity of the undertakings concerned, including their ability to leverage their access to financial markets to reinforce their position. This can, for example, happen where this superior access is used to acquire other undertakings, an ability which has in turn been shown to have potential negative effects on innovation. Market capitalisation can also reflect the expected future position and effect on the internal market of the undertakings concerned, despite a potentially relatively low current turnover. The market capitalisation value should be based on a level that reflects the average market capitalisation of the largest publicly listed undertakings in the Union over an appropriate period.
Whereas a market capitalisation at or above the threshold in the last financial year should give rise to a presumption that an undertaking providing core platform services has a significant impact on the internal market, a sustained market capitalisation of the undertaking providing core platform services at or above the threshold over three or more years should be considered as further strengthening that presumption.
By contrast, there could be a number of factors concerning market capitalisation that would require an in-depth assessment in determining whether an undertaking providing core platform services should be deemed to have a significant impact on the internal market. This could be the case where the market capitalisation of the undertaking providing core platform services in preceding financial years was significantly lower than the threshold and the volatility of its market capitalisation over the observed period was disproportionate to overall equity market volatility or its market capitalisation trajectory relative to market trends was inconsistent with a rapid and unidirectional growth.
Having a very high number of business users that depend on a core platform service to reach a very high number of monthly active end users enables the undertaking providing that service to influence the operations of a substantial part of business users to its advantage and indicate, in principle, that that undertaking is an important gateway. The respective relevant levels for those numbers should be set representing a substantive percentage of the entire population of the Union when it comes to end users and of the entire population of businesses using core platform services to determine the threshold for business users. Active end users and business users should be identified and calculated in such a way as to adequately represent the role and reach of the specific core platform service in question. In order to provide legal certainty for gatekeepers, the elements to determine the number of active end users and business users per core platform service should be set out in an Annex to this Regulation. Such elements can be affected by technological and other developments. The Commission should therefore be empowered to adopt delegated acts to amend this Regulation by updating the methodology and the list of indicators used to determine the number of active end users and active business users.
An entrenched and durable position in its operations or the foreseeability of enjoying such a position in the future occurs notably where the contestability of the position of the undertaking providing the core platform service is limited. This is likely to be the case where that undertaking has provided a core platform service in at least three Member States to a very high number of business users and end users over a period of at least 3 years.
Such thresholds can be affected by market and technical developments. The Commission should therefore be empowered to adopt delegated acts to specify the methodology for determining whether the quantitative thresholds are met, and to regularly adjust it to market and technological developments where necessary. Such delegated acts should not amend the quantitative thresholds set out in this Regulation.
An undertaking providing core platform services should be able, in exceptional circumstances, to rebut the presumption that the undertaking has a significant impact on the internal market by demonstrating that, although it meets the quantitative thresholds set out in this Regulation, it does not fulfil the requirements for designation as a gatekeeper. The burden of adducing evidence that the presumption deriving from the fulfilment of the quantitative thresholds should not apply should be borne by that undertaking. In its assessment of the evidence and arguments produced, the Commission should take into account only those elements which directly relate to the quantitative criteria, namely the impact of the undertaking providing core platform services on the internal market beyond revenue or market cap, such as its size in absolute terms, and the number of Member States in which it is present; by how much the actual business user and end user numbers exceed the thresholds and the importance of the undertaking’s core platform service considering the overall scale of activities of the respective core platform service; and the number of years for which the thresholds have been met. Any justification on economic grounds seeking to enter into market definition or to demonstrate efficiencies deriving from a specific type of behaviour by the undertaking providing core platform services should be discarded, as it is not relevant to the designation as a gatekeeper. If the arguments submitted are not sufficiently substantiated because they do not manifestly put into question the presumption, it should be possible for the Commission to reject the arguments within the timeframe of 45 working days provided for the designation. The Commission should be able to take a decision by relying on information available on the quantitative thresholds where the undertaking providing core platform services obstructs the investigation by failing to comply with the investigative measures taken by the Commission.
Provision should also be made for the assessment of the gatekeeper role of undertakings providing core platform services which do not satisfy all of the quantitative thresholds, in light of the overall objective requirements that they have a significant impact on the internal market, act as an important gateway for business users to reach end users and benefit from an entrenched and durable position in their operations or it is foreseeable that they will do so in the near future. When the undertaking providing core platform services is a medium-sized, small or micro enterprise, the assessment should carefully take into account whether such an undertaking would be able to substantially undermine the contestability of the core platform services, since this Regulation primarily targets large undertakings with considerable economic power rather than medium-sized, small or micro enterprises.
Such an assessment can only be done in light of a market investigation, while taking into account the quantitative thresholds. In its assessment the Commission should pursue the objectives of preserving and fostering innovation and the quality of digital products and services, the degree to which prices are fair and competitive, and the degree to which quality or choice for business users and for end users is or remains high. Elements can be taken into account that are specific to the undertakings providing core platform services concerned, such as extreme scale or scope economies, very strong network effects, data-driven advantages, an ability to connect many business users with many end users through the multisidedness of those services, lock-in effects, lack of multi-homing, conglomerate corporate structure or vertical integration. In addition, a very high market capitalisation, a very high ratio of equity value over profit or a very high turnover derived from end users of a single core platform service can be used as indicators of the leveraging potential of such undertakings and of the tipping of the market in their favour. Together with market capitalisation, high relative growth rates are examples of dynamic parameters that are particularly relevant to identifying such undertakings providing core platform services for which it is foreseeable that they will become entrenched and durable. The Commission should be able to take a decision by drawing adverse inferences from facts available where the undertaking providing core platform services significantly obstructs the investigation by failing to comply with the investigative measures taken by the Commission.
A particular subset of rules should apply to those undertakings providing core platform services for which it is foreseeable that they will enjoy an entrenched and durable position in the near future. The same specific features of core platform services make them prone to tipping: once an undertaking providing the core platform service has obtained a certain advantage over rivals or potential challengers in terms of scale or intermediation power, its position could become unassailable and the situation could evolve to the point that it is likely to become entrenched and durable in the near future. Undertakings can try to induce this tipping and emerge as gatekeeper by using some of the unfair conditions and practices regulated under this Regulation. In such a situation, it appears appropriate to intervene before the market tips irreversibly.
However, such early intervention should be limited to imposing only those obligations that are necessary and appropriate to ensure that the services in question remain contestable and enable the qualified risk of unfair conditions and practices to be avoided. Obligations that prevent the undertaking providing core platform services concerned from enjoying an entrenched and durable position in its operations, such as those preventing leveraging, and those that facilitate switching and multi-homing are more directly geared towards this purpose. To ensure proportionality, the Commission should moreover apply from that subset of obligations only those that are necessary and proportionate to achieve the objectives of this Regulation and should regularly review whether such obligations should be maintained, suppressed or adapted.
Applying only those obligations that are necessary and proportionate to achieve the objectives of this Regulation should allow the Commission to intervene in time and effectively, while fully respecting the proportionality of the measures considered. It should also reassure actual or potential market participants about the contestability and fairness of the services concerned.
Gatekeepers should comply with the obligations laid down in this Regulation in respect of each of the core platform services listed in the relevant designation decision. The obligations should apply taking into account the conglomerate position of gatekeepers, where applicable. Furthermore, it should be possible for the Commission to impose implementing measures on the gatekeeper by decision. Those implementing measures should be designed in an effective manner, having regard to the features of core platform services and the possible circumvention risks, and in compliance with the principle of proportionality and the fundamental rights of the undertakings concerned, as well as those of third parties.
The very rapidly changing and complex technological nature of core platform services requires a regular review of the status of gatekeepers, including those that it is foreseen will enjoy an entrenched and durable position in their operations in the near future. To provide all of the market participants, including the gatekeepers, with the required certainty as to the applicable legal obligations, a time limit for such regular reviews is necessary. It is also important to conduct such reviews on a regular basis and at least every 3 years. Furthermore, it is important to clarify that not every change in the facts on the basis of which an undertaking providing core platform services was designated as a gatekeeper should require amendment of the designation decision. Amendment will only be necessary if the change in the facts also leads to a change in the assessment. Whether or not that is the case should be based on a case-by-case assessment of the facts and circumstances.
To safeguard the contestability and fairness of core platform services provided by gatekeepers, it is necessary to provide in a clear and unambiguous manner for a set of harmonised rules with regard to those services. Such rules are needed to address the risk of harmful effects of practices by gatekeepers, to the benefit of the business environment in the services concerned, of users and ultimately of society as a whole. The obligations correspond to those practices that are considered as undermining contestability or as being unfair, or both, when taking into account the features of the digital sector and which have a particularly negative direct impact on business users and end users. It should be possible for the obligations laid down by this Regulation to specifically take into account the nature of the core platform services provided. The obligations in this Regulation should not only ensure contestability and fairness with respect to core platform services listed in the designation decision, but also with respect to other digital products and services into which gatekeepers leverage their gateway position, which are often provided together with, or in support of, the core platform services.
For the purpose of this Regulation, contestability should relate to the ability of undertakings to effectively overcome barriers to entry and expansion and challenge the gatekeeper on the merits of their products and services. The features of core platform services in the digital sector, such as network effects, strong economies of scale, and benefits from data have limited the contestability of those services and the related ecosystems. Such a weak contestability reduces the incentives to innovate and improve products and services for the gatekeeper, its business users, its challengers and customers and thus negatively affects the innovation potential of the wider online platform economy. Contestability of the services in the digital sector can also be limited if there is more than one gatekeeper for a core platform service. This Regulation should therefore ban certain practices by gatekeepers that are liable to increase barriers to entry or expansion, and impose certain obligations on gatekeepers that tend to lower those barriers. The obligations should also address situations where the position of the gatekeeper may be entrenched to such an extent that inter-platform competition is not effective in the short term, meaning that intra-platform competition needs to be created or increased.
For the purpose of this Regulation, unfairness should relate to an imbalance between the rights and obligations of business users where the gatekeeper obtains a disproportionate advantage. Market participants, including business users of core platform services and alternative providers of services provided together with, or in support of, such core platform services, should have the ability to adequately capture the benefits resulting from their innovative or other efforts. Due to their gateway position and superior bargaining power, it is possible that gatekeepers engage in behaviour that does not allow others to capture fully the benefits of their own contributions, and unilaterally set unbalanced conditions for the use of their core platform services or services provided together with, or in support of, their core platform services. Such imbalance is not excluded by the fact that the gatekeeper offers a particular service free of charge to a specific group of users, and may also consist in excluding or discriminating against business users, in particular if the latter compete with the services provided by the gatekeeper. This Regulation should therefore impose obligations on gatekeepers addressing such behaviour.
Contestability and fairness are intertwined. The lack of, or weak, contestability for a certain service can enable a gatekeeper to engage in unfair practices. Similarly, unfair practices by a gatekeeper can reduce the possibility of business users or others to contest the gatekeeper’s position. A particular obligation in this Regulation may, therefore, address both elements.
The obligations laid down in this Regulation are therefore necessary to address identified public policy concerns, there being no alternative and less restrictive measures that would effectively achieve the same result, having regard to the need to safeguard public order, protect privacy and fight fraudulent and deceptive commercial practices.
Gatekeepers often directly collect personal data of end users for the purpose of providing online advertising services when end users use third-party websites and software applications. Third parties also provide gatekeepers with personal data of their end users in order to make use of certain services provided by the gatekeepers in the context of their core platform services, such as custom audiences. The processing, for the purpose of providing online advertising services, of personal data from third parties using core platform services gives gatekeepers potential advantages in terms of accumulation of data, thereby raising barriers to entry. This is because gatekeepers process personal data from a significantly larger number of third parties than other undertakings. Similar advantages result from the conduct of (i) combining end user personal data collected from a core platform service with data collected from other services; (ii) cross-using personal data from a core platform service in other services provided separately by the gatekeeper, notably services which are not provided together with, or in support of, the relevant core platform service, and vice versa; or (iii) signing-in end users to different services of gatekeepers in order to combine personal data. To ensure that gatekeepers do not unfairly undermine the contestability of core platform services, gatekeepers should enable end users to freely choose to opt-in to such data processing and sign-in practices by offering a less personalised but equivalent alternative, and without making the use of the core platform service or certain functionalities thereof conditional upon the end user’s consent. This should be without prejudice to the gatekeeper processing personal data or signing in end users to a service, relying on the legal basis under Article 6(1), points (c), (d) and (e), of Regulation (EU) 2016/679, but not on Article 6(1), points (b) and (f) of that Regulation.
The less personalised alternative should not be different or of degraded quality compared to the service provided to the end users who provide consent, unless a degradation of quality is a direct consequence of the gatekeeper not being able to process such personal data or signing in end users to a service. Not giving consent should not be more difficult than giving consent. When the gatekeeper requests consent, it should proactively present a user-friendly solution to the end user to provide, modify or withdraw consent in an explicit, clear and straightforward manner. In particular, consent should be given by a clear affirmative action or statement establishing a freely given, specific, informed and unambiguous indication of agreement by the end user, as defined in Regulation (EU) 2016/679. At the time of giving consent, and only where applicable, the end user should be informed that not giving consent can lead to a less personalised offer, but that otherwise the core platform service will remain unchanged and that no functionalities will be suppressed. Exceptionally, if consent cannot be given directly to the gatekeeper’s core platform service, end users should be able to give consent through each third-party service that makes use of that core platform service, to allow the gatekeeper to process personal data for the purposes of providing online advertising services. Lastly, it should be as easy to withdraw consent as to give it. Gatekeepers should not design, organise or operate their online interfaces in a way that deceives, manipulates or otherwise materially distorts or impairs the ability of end users to freely give consent. In particular, gatekeepers should not be allowed to prompt end users more than once a year to give consent for the same processing purpose in respect of which they initially did not give consent or withdrew their consent. This Regulation is without prejudice to Regulation (EU) 2016/679, including its enforcement framework, which remains fully applicable with respect to any claims by data subjects relating to an infringement of their rights under that Regulation.
Children merit specific protection with regard to their personal data, in particular as regards the use of their personal data for the purposes of commercial communication or creating user profiles. The protection of children online is an important objective of the Union and should be reflected in the relevant Union law. In this context, due regard should be given to a Regulation on a single market for digital services. Nothing in this Regulation exempts gatekeepers from the obligation to protect children laid down in applicable Union law.
In certain cases, for instance through the imposition of contractual terms and conditions, gatekeepers can restrict the ability of business users of their online intermediation services to offer products or services to end users under more favourable conditions, including price, through other online intermediation services or through direct online sales channels. Where such restrictions relate to third-party online intermediation services, they limit inter-platform contestability, which in turn limits choice of alternative online intermediation services for end users. Where such restrictions relate to direct online sales channels, they unfairly limit the freedom of business users to use such channels. To ensure that business users of online intermediation services of gatekeepers can freely choose alternative online intermediation services or direct online sales channels and differentiate the conditions under which they offer their products or services to end users, it should not be accepted that gatekeepers limit business users from choosing to differentiate commercial conditions, including price. Such a restriction should apply to any measure with equivalent effect, such as increased commission rates or de-listing of the offers of business users.
To prevent further reinforcing their dependence on the core platform services of gatekeepers, and in order to promote multi-homing, the business users of those gatekeepers should be free to promote and choose the distribution channel that they consider most appropriate for the purpose of interacting with any end users that those business users have already acquired through core platform services provided by the gatekeeper or through other channels. This should apply to the promotion of offers, including through a software application of the business user, and any form of communication and conclusion of contracts between business users and end users. An acquired end user is an end user who has already entered into a commercial relationship with the business user and, where applicable, the gatekeeper has been directly or indirectly remunerated by the business user for facilitating the initial acquisition of the end user by the business user. Such commercial relationships can be on either a paid or a free basis, such as free trials or free service tiers, and can have been entered into either on the core platform service of the gatekeeper or through any other channel. Conversely, end users should also be free to choose offers of such business users and to enter into contracts with them either through core platform services of the gatekeeper, if applicable, or from a direct distribution channel of the business user or another indirect channel that such business user uses.
The ability of end users to acquire content, subscriptions, features or other items outside the core platform services of the gatekeeper should not be undermined or restricted. In particular, a situation should be avoided whereby gatekeepers restrict end users from access to, and use of, such services via a software application running on their core platform service. For example, subscribers to online content purchased outside a software application, software application store or virtual assistant should not be prevented from accessing such online content on a software application on the core platform service of the gatekeeper simply because it was purchased outside such software application, software application store or virtual assistant.
To safeguard a fair commercial environment and protect the contestability of the digital sector it is important to safeguard the right of business users and end users, including whistleblowers, to raise concerns about unfair practices by gatekeepers raising any issue of non-compliance with the relevant Union or national law with any relevant administrative or other public authorities, including national courts. For example, it is possible that business users or end users will want to complain about different types of unfair practices, such as discriminatory access conditions, unjustified closing of business user accounts or unclear grounds for product de-listings. Any practice that would in any way inhibit or hinder those users in raising their concerns or in seeking available redress, for instance by means of confidentiality clauses in agreements or other written terms, should therefore be prohibited. This prohibition should be without prejudice to the right of business users and gatekeepers to lay down in their agreements the terms of use including the use of lawful complaints-handling mechanisms, including any use of alternative dispute resolution mechanisms or of the jurisdiction of specific courts in compliance with respective Union and national law. This should also be without prejudice to the role gatekeepers play in the fight against illegal content online.
Certain services provided together with, or in support of, relevant core platform services of the gatekeeper, such as identification services, web browser engines, payment services or technical services that support the provision of payment services, such as payment systems for in-app purchases, are crucial for business users to conduct their business and allow them to optimise services. In particular, each browser is built on a web browser engine, which is responsible for key browser functionality such as speed, reliability and web compatibility. When gatekeepers operate and impose web browser engines, they are in a position to determine the functionality and standards that will apply not only to their own web browsers, but also to competing web browsers and, in turn, to web software applications. Gatekeepers should therefore not use their position to require their dependent business users to use any of the services provided together with, or in support of, core platform services by the gatekeeper itself as part of the provision of services or products by those business users. In order to avoid a situation in which gatekeepers indirectly impose on business users their own services provided together with, or in support of, core platform services, gatekeepers should also be prohibited from requiring end users to use such services, when that requirement would be imposed in the context of the service provided to end users by the business user using the core platform service of the gatekeeper. That prohibition aims to protect the freedom of the business user to choose alternative services to the ones of the gatekeeper, but should not be construed as obliging the business user to offer such alternatives to its end users.
The conduct of requiring business users or end users to subscribe to, or register with, any other core platform services of gatekeepers listed in the designation decision or which meet the thresholds of active end users and business users set out in this Regulation, as a condition for using, accessing, signing up for or registering with a core platform service gives the gatekeepers a means of capturing and locking-in new business users and end users for their core platform services by ensuring that business users cannot access one core platform service without also at least registering or creating an account for the purposes of receiving a second core platform service. That conduct also gives gatekeepers a potential advantage in terms of accumulation of data. As such, this conduct is liable to raise barriers to entry and should be prohibited.
The conditions under which gatekeepers provide online advertising services to business users, including both advertisers and publishers, are often non-transparent and opaque. This opacity is partly linked to the practices of a few platforms, but is also due to the sheer complexity of modern day programmatic advertising. That sector is considered to have become less transparent after the introduction of new privacy legislation. This often leads to a lack of information and knowledge for advertisers and publishers about the conditions of the online advertising services they purchase and undermines their ability to switch between undertakings providing online advertising services. Furthermore, the costs of online advertising services under these conditions are likely to be higher than they would be in a fairer, more transparent and contestable platform environment. Those higher costs are likely to be reflected in the prices that end users pay for many daily products and services relying on the use of online advertising services. Transparency obligations should therefore require gatekeepers to provide advertisers and publishers to whom they supply online advertising services, when requested, with free of charge information that allows both sides to understand the price paid for each of the different online advertising services provided as part of the relevant advertising value chain. This information should be provided, upon request, to an advertiser at the level of an individual advertisement in relation to the price and fees charged to that advertiser and, subject to an agreement by the publisher owning the inventory where the advertisement is displayed, the remuneration received by that consenting publisher. The provision of this information on a daily basis will allow advertisers to receive information that has a sufficient level of granularity necessary to compare the costs of using the online advertising services of gatekeepers with the costs of using online advertising services of alternative undertakings. Where some publishers do not provide their consent to the sharing of the relevant information with the advertiser, the gatekeeper should provide the advertiser with the information about the daily average remuneration received by those publishers for the relevant advertisements. The same obligation and principles of sharing the relevant information concerning the provision of online advertising services should apply in respect of requests by publishers. Since gatekeepers can use different pricing models for the provision of online advertising services to advertisers and publishers, for instance a price per impression, per view or any other criterion, gatekeepers should also provide the method with which each of the prices and remunerations are calculated.
In certain circumstances, a gatekeeper has a dual role as an undertaking providing core platform services, whereby it provides a core platform service, and possibly other services provided together with, or in support of, that core platform service to its business users, while also competing or intending to compete with those same business users in the provision of the same or similar services or products to the same end users. In those circumstances, a gatekeeper can take advantage of its dual role to use data, generated or provided by its business users in the context of activities by those business users when using the core platform services or the services provided together with, or in support of, those core platform services, for the purpose of its own services or products. The data of the business user can also include any data generated by or provided during the activities of its end users. This can be the case, for instance, where a gatekeeper provides an online marketplace or a software application store to business users, and at the same time provides services as an undertaking providing online retail services or software applications. To prevent gatekeepers from unfairly benefitting from their dual role, it is necessary to ensure that they do not use any aggregated or non-aggregated data, which could include anonymised and personal data that is not publicly available to provide similar services to those of their business users. That obligation should apply to the gatekeeper as a whole, including but not limited to its business unit that competes with the business users of a core platform service.
Business users can also purchase online advertising services from an undertaking providing core platform services for the purpose of providing goods and services to end users. In this case, it can happen that the data are not generated on the core platform service, but are provided to the core platform service by the business user or are generated based on its operations through the core platform service concerned. In certain instances, that core platform service providing advertising can have a dual role as both an undertaking providing online advertising services and an undertaking providing services competing with business users. Accordingly, the obligation prohibiting a dual role gatekeeper from using data of business users should apply also with respect to the data that a core platform service has received from businesses for the purpose of providing online advertising services related to that core platform service.
In relation to cloud computing services, the obligation not to use the data of business users should extend to data provided or generated by business users of the gatekeeper in the context of their use of the cloud computing service of the gatekeeper, or through its software application store that allows end users of cloud computing services access to software applications. That obligation should not affect the right of the gatekeeper to use aggregated data for providing other services provided together with, or in support of, its core platform service, such as data analytics services, subject to compliance with Regulation (EU) 2016/679 and Directive 2002/58/EC, as well as with the relevant obligations in this Regulation concerning such services.
A gatekeeper can use different means to favour its own or third-party services or products on its operating system, virtual assistant or web browser, to the detriment of the same or similar services that end users could obtain through other third parties. This can for instance happen where certain software applications or services are pre-installed by a gatekeeper. To enable end user choice, gatekeepers should not prevent end users from un-installing any software applications on their operating system. It should be possible for the gatekeeper to restrict such un-installation only when such software applications are essential to the functioning of the operating system or the device. Gatekeepers should also allow end users to easily change the default settings on the operating system, virtual assistant and web browser when those default settings favour their own software applications and services. This includes prompting a choice screen, at the moment of the users’ first use of an online search engine, virtual assistant or web browser of the gatekeeper listed in the designation decision, allowing end users to select an alternative default service when the operating system of the gatekeeper directs end users to those online search engine, virtual assistant or web browser and when the virtual assistant or the web browser of the gatekeeper direct the user to the online search engine listed in the designation decision.
The rules that a gatekeeper sets for the distribution of software applications can, in certain circumstances, restrict the ability of end users to install and effectively use third-party software applications or software application stores on hardware or operating systems of that gatekeeper and restrict the ability of end users to access such software applications or software application stores outside the core platform services of that gatekeeper. Such restrictions can limit the ability of developers of software applications to use alternative distribution channels and the ability of end users to choose between different software applications from different distribution channels and should be prohibited as unfair and liable to weaken the contestability of core platform services. To ensure contestability, the gatekeeper should furthermore allow the third-party software applications or software application stores to prompt the end user to decide whether that service should become the default and enable that change to be carried out easily. In order to ensure that third-party software applications or software application stores do not endanger the integrity of the hardware or operating system provided by the gatekeeper, it should be possible for the gatekeeper concerned to implement proportionate technical or contractual measures to achieve that goal if the gatekeeper demonstrates that such measures are necessary and justified and that there are no less-restrictive means to safeguard the integrity of the hardware or operating system. The integrity of the hardware or the operating system should include any design options that need to be implemented and maintained in order for the hardware or the operating system to be protected against unauthorised access, by ensuring that security controls specified for the hardware or the operating system concerned cannot be compromised. Furthermore, in order to ensure that third-party software applications or software application stores do not undermine end users’ security, it should be possible for the gatekeeper to implement strictly necessary and proportionate measures and settings, other than default settings, enabling end users to effectively protect security in relation to third-party software applications or software application stores if the gatekeeper demonstrates that such measures and settings are strictly necessary and justified and that there are no less-restrictive means to achieve that goal. The gatekeeper should be prevented from implementing such measures as a default setting or as pre-installation.
Gatekeepers are often vertically integrated and offer certain products or services to end users through their own core platform services, or through a business user over which they exercise control which frequently leads to conflicts of interest. This can include the situation whereby a gatekeeper provides its own online intermediation services through an online search engine. When offering those products or services on the core platform service, gatekeepers can reserve a better position, in terms of ranking, and related indexing and crawling, for their own offering than that of the products or services of third parties also operating on that core platform service. This can occur for instance with products or services, including other core platform services, which are ranked in the results communicated by online search engines, or which are partly or entirely embedded in online search engines results, groups of results specialised in a certain topic, displayed along with the results of an online search engine, which are considered or used by certain end users as a service distinct or additional to the online search engine. Other instances are those of software applications which are distributed through software application stores, or videos distributed through a video-sharing platform, or products or services that are given prominence and display in the newsfeed of an online social networking service, or products or services ranked in search results or displayed on an online marketplace, or products or services offered through a virtual assistant. Such reserving of a better position of gatekeeper’s own offering can take place even before ranking following a query, such as during crawling and indexing. For example, already during crawling, as a discovery process by which new and updated content is being found, as well as indexing, which entails storing and organising of the content found during the crawling process, the gatekeeper can favour its own content over that of third parties. In those circumstances, the gatekeeper is in a dual-role position as intermediary for third-party undertakings and as undertaking directly providing products or services. Consequently, such gatekeepers have the ability to undermine directly the contestability for those products or services on those core platform services, to the detriment of business users which are not controlled by the gatekeeper.
In such situations, the gatekeeper should not engage in any form of differentiated or preferential treatment in ranking on the core platform service, and related indexing and crawling, whether through legal, commercial or technical means, in favour of products or services it offers itself or through a business user which it controls. To ensure that this obligation is effective, the conditions that apply to such ranking should also be generally fair and transparent. Ranking should in this context cover all forms of relative prominence, including display, rating, linking or voice results and should also include instances where a core platform service presents or communicates only one result to the end user. To ensure that this obligation is effective and cannot be circumvented, it should also apply to any measure that has an equivalent effect to the differentiated or preferential treatment in ranking. The guidelines adopted pursuant to Article 5 of Regulation (EU) 2019/1150 should also facilitate the implementation and enforcement of this obligation.
Gatekeepers should not restrict or prevent the free choice of end users by technically or otherwise preventing switching between or subscription to different software applications and services. This would allow more undertakings to offer their services, thereby ultimately providing greater choice to the end users. Gatekeepers should ensure a free choice irrespective of whether they are the manufacturer of any hardware by means of which such software applications or services are accessed and should not raise artificial technical or other barriers so as to make switching impossible or ineffective. The mere offering of a given product or service to consumers, including by means of pre-installation, as well as the improvement of the offering to end users, such as price reductions or increased quality, should not be construed as constituting a prohibited barrier to switching.
Gatekeepers can hamper the ability of end users to access online content and services, including software applications. Therefore, rules should be established to ensure that the rights of end users to access an open internet are not compromised by the conduct of gatekeepers. Gatekeepers can also technically limit the ability of end users to effectively switch between different undertakings providing internet access service, in particular through their control over hardware or operating systems. This distorts the level playing field for internet access services and ultimately harms end users. It should therefore be ensured that gatekeepers do not unduly restrict end users in choosing the undertaking providing their internet access service.
A gatekeeper can provide services or hardware, such as wearable devices, that access hardware or software features of a device accessed or controlled via an operating system or virtual assistant in order to offer specific functionalities to end users. In that case, competing service or hardware providers, such as providers of wearable devices, require equally effective interoperability with, and access for the purposes of interoperability to, the same hardware or software features to be able to provide a competitive offering to end users.
Gatekeepers can also have a dual role as developers of operating systems and device manufacturers, including any technical functionality that such a device may have. For example, a gatekeeper that is a manufacturer of a device can restrict access to some of the functionalities in that device, such as near-field-communication technology, secure elements and processors, authentication mechanisms and the software used to operate those technologies, which can be required for the effective provision of a service provided together with, or in support of, the core platform service by the gatekeeper as well as by any potential third-party undertaking providing such service.
If dual roles are used in a manner that prevents alternative service and hardware providers from having access under equal conditions to the same operating system, hardware or software features that are available or used by the gatekeeper in the provision of its own complementary or supporting services or hardware, this could significantly undermine innovation by such alternative providers, as well as choice for end users. The gatekeepers should, therefore, be required to ensure, free of charge, effective interoperability with, and access for the purposes of interoperability to, the same operating system, hardware or software features that are available or used in the provision of its own complementary and supporting services and hardware. Such access can equally be required by software applications related to the relevant services provided together with, or in support of, the core platform service in order to effectively develop and provide functionalities interoperable with those provided by gatekeepers. The aim of the obligations is to allow competing third parties to interconnect through interfaces or similar solutions to the respective features as effectively as the gatekeeper’s own services or hardware.
The conditions under which gatekeepers provide online advertising services to business users, including both advertisers and publishers, are often non-transparent and opaque. This often leads to a lack of information for advertisers and publishers about the effect of a given advertisement. To further enhance fairness, transparency and contestability of online advertising services listed in the designation decision, as well as those that are fully integrated with other core platform services of the same undertaking, gatekeepers should provide advertisers and publishers, and third parties authorised by advertisers and publishers, when requested, with free of charge access to the gatekeepers’ performance measuring tools and the data, including aggregated and non-aggregated data, necessary for advertisers, authorised third parties such as advertising agencies acting on behalf of a company placing advertising, as well as for publishers to carry out their own independent verification of the provision of the relevant online advertising services.
Gatekeepers benefit from access to vast amounts of data that they collect while providing the core platform services, as well as other digital services. To ensure that gatekeepers do not undermine the contestability of core platform services, or the innovation potential of the dynamic digital sector, by restricting switching or multi-homing, end users, as well as third parties authorised by an end user, should be granted effective and immediate access to the data they provided or that was generated through their activity on the relevant core platform services of the gatekeeper. The data should be received in a format that can be immediately and effectively accessed and used by the end user or the relevant third party authorised by the end user to which the data is ported. Gatekeepers should also ensure, by means of appropriate and high quality technical measures, such as application programming interfaces, that end users or third parties authorised by end users can freely port the data continuously and in real time. This should apply also to any other data at different levels of aggregation necessary to effectively enable such portability. For the avoidance of doubt, the obligation on the gatekeeper to ensure effective portability of data under this Regulation complements the right to data portability under the Regulation (EU) 2016/679. Facilitating switching or multi-homing should lead, in turn, to an increased choice for end users and acts as an incentive for gatekeepers and business users to innovate.
Business users that use core platform services provided by gatekeepers, and end users of such business users provide and generate a vast amount of data. In order to ensure that business users have access to the relevant data thus generated, the gatekeeper should, upon their request, provide effective access, free of charge, to such data. Such access should also be given to third parties contracted by the business user, who are acting as processors of this data for the business user. The access should include access to data provided or generated by the same business users and the same end users of those business users in the context of other services provided by the same gatekeeper, including services provided together with or in support of core platform services, where this is inextricably linked to the relevant request. To this end, a gatekeeper should not use any contractual or other restrictions to prevent business users from accessing relevant data and should enable business users to obtain consent of their end users for such data access and retrieval, where such consent is required under Regulation (EU) 2016/679 and Directive 2002/58/EC. Gatekeepers should also ensure the continuous and real time access to such data by means of appropriate technical measures, for example by putting in place high quality application programming interfaces or integrated tools for small volume business users.
The value of online search engines to their respective business users and end users increases as the total number of such users increases. Undertakings providing online search engines collect and store aggregated datasets containing information about what users searched for, and how they interacted with, the results with which they were provided. Undertakings providing online search engines collect these data from searches undertaken on their own online search engine and, where applicable, searches undertaken on the platforms of their downstream commercial partners. Access by gatekeepers to such ranking, query, click and view data constitutes an important barrier to entry and expansion, which undermines the contestability of online search engines. Gatekeepers should therefore be required to provide access, on fair, reasonable and non-discriminatory terms, to those ranking, query, click and view data in relation to free and paid search generated by consumers on online search engines to other undertakings providing such services, so that those third-party undertakings can optimise their services and contest the relevant core platform services. Such access should also be given to third parties contracted by a provider of an online search engine, who are acting as processors of this data for that online search engine. When providing access to its search data, a gatekeeper should ensure the protection of the personal data of end users, including against possible re-identification risks, by appropriate means, such as anonymisation of such personal data, without substantially degrading the quality or usefulness of the data. The relevant data is anonymised if personal data is irreversibly altered in such a way that information does not relate to an identified or identifiable natural person or where personal data is rendered anonymous in such a manner that the data subject is not or is no longer identifiable.
For software application stores, online search engines and online social networking services listed in the designation decision, gatekeepers should publish and apply general conditions of access that should be fair, reasonable and non-discriminatory. Those general conditions should provide for a Union based alternative dispute settlement mechanism that is easily accessible, impartial, independent and free of charge for the business user, without prejudice to the business user’s own cost and proportionate measures aimed at preventing the abuse of the dispute settlement mechanism by business users. The dispute settlement mechanism should be without prejudice to the right of business users to seek redress before judicial authorities in accordance with Union and national law. In particular, gatekeepers which provide access to software application stores are an important gateway for business users that seek to reach end users. In view of the imbalance in bargaining power between those gatekeepers and business users of their software application stores, those gatekeepers should not be allowed to impose general conditions, including pricing conditions, that would be unfair or lead to unjustified differentiation. Pricing or other general access conditions should be considered unfair if they lead to an imbalance of rights and obligations imposed on business users or confer an advantage on the gatekeeper which is disproportionate to the service provided by the gatekeeper to business users or lead to a disadvantage for business users in providing the same or similar services as the gatekeeper. The following benchmarks can serve as a yardstick to determine the fairness of general access conditions: prices charged or conditions imposed for the same or similar services by other providers of software application stores; prices charged or conditions imposed by the provider of the software application store for different related or similar services or to different types of end users; prices charged or conditions imposed by the provider of the software application store for the same service in different geographic regions; prices charged or conditions imposed by the provider of the software application store for the same service the gatekeeper provides to itself. This obligation should not establish an access right and it should be without prejudice to the ability of providers of software application stores, online search engines and online social networking services to take the required responsibility in the fight against illegal and unwanted content as set out in a Regulation on a single market for digital services.
Gatekeepers can hamper the ability of business users and end users to unsubscribe from a core platform service that they have previously subscribed to. Therefore, rules should be established to avoid a situation in which gatekeepers undermine the rights of business users and end users to freely choose which core platform service they use. To safeguard free choice of business users and end users, a gatekeeper should not be allowed to make it unnecessarily difficult or complicated for business users or end users to unsubscribe from a core platform service. Closing an account or un-subscribing should not be made be more complicated than opening an account or subscribing to the same service. Gatekeepers should not demand additional fees when terminating contracts with their end users or business users. Gatekeepers should ensure that the conditions for terminating contracts are always proportionate and can be exercised without undue difficulty by end users, such as, for example, in relation to the reasons for termination, the notice period, or the form of such termination. This is without prejudice to national legislation applicable in accordance with the Union law laying down rights and obligations concerning conditions of termination of provision of core platform services by end users.
The lack of interoperability allows gatekeepers that provide number-independent interpersonal communications services to benefit from strong network effects, which contributes to the weakening of contestability. Furthermore, regardless of whether end users ‘multi-home’, gatekeepers often provide number-independent interpersonal communications services as part of their platform ecosystem, and this further exacerbates entry barriers for alternative providers of such services and increases costs for end users to switch. Without prejudice to Directive (EU) 2018/1972 of the European Parliament and of the Council [^14] and, in particular, the conditions and procedures laid down in Article 61 thereof, gatekeepers should therefore ensure, free of charge and upon request, interoperability with certain basic functionalities of their number-independent interpersonal communications services that they provide to their own end users, to third-party providers of such services. Gatekeepers should ensure interoperability for third-party providers of number-independent interpersonal communications services that offer or intend to offer their number-independent interpersonal communications services to end users and business users in the Union. To facilitate the practical implementation of such interoperability, the gatekeeper concerned should be required to publish a reference offer laying down the technical details and general terms and conditions of interoperability with its number-independent interpersonal communications services. It should be possible for the Commission, if applicable, to consult the Body of European Regulators for Electronic Communications, in order to determine whether the technical details and the general terms and conditions published in the reference offer that the gatekeeper intends to implement or has implemented ensures compliance with this obligation. In all cases, the gatekeeper and the requesting provider should ensure that interoperability does not undermine a high level of security and data protection in line with their obligations laid down in this Regulation and applicable Union law, in particular Regulation (EU) 2016/679 and Directive 2002/58/EC. The obligation related to interoperability should be without prejudice to the information and choices to be made available to end users of the number-independent interpersonal communication services of the gatekeeper and the requesting provider under this Regulation and other Union law, in particular Regulation (EU) 2016/679.
To ensure the effectiveness of the obligations laid down by this Regulation, while also making certain that those obligations are limited to what is necessary to ensure contestability and tackling the harmful effects of the unfair practices by gatekeepers, it is important to clearly define and circumscribe them so as to allow the gatekeeper to fully comply with them, whilst fully complying with applicable law, and in particular Regulation (EU) 2016/679 and Directive 2002/58/EC and legislation on consumer protection, cyber security, product safety and accessibility requirements, including Directive (EU) 2019/882 and Directive (EU) 2016/2102 of the European Parliament and of the Council [^15]. The gatekeepers should ensure the compliance with this Regulation by design. Therefore, the necessary measures should be integrated as much as possible into the technological design used by the gatekeepers. It may in certain cases be appropriate for the Commission, following a dialogue with the gatekeeper concerned and after enabling third parties to make comments, to further specify some of the measures that the gatekeeper concerned should adopt in order to effectively comply with obligations that are susceptible of being further specified or, in the event of circumvention, with all obligations. In particular, such further specification should be possible where the implementation of an obligation susceptible to being further specified can be affected by variations of services within a single category of core platform services. For this purpose, it should be possible for the gatekeeper to request the Commission to engage in a process whereby the Commission can further specify some of the measures that the gatekeeper concerned should adopt in order to effectively comply with those obligations. The Commission should have discretion as to whether and when such further specification should be provided, while respecting the principles of equal treatment, proportionality, and good administration. In this respect, the Commission should provide the main reasons underlying its assessment, including any enforcement priorities. This process should not be used to undermine the effectiveness of this Regulation. Furthermore, this process is without prejudice to the powers of the Commission to adopt a decision establishing non-compliance with any of the obligations laid down in this Regulation by a gatekeeper, including the possibility to impose fines or periodic penalty payments. The Commission should be able to reopen proceedings, including where the specified measures turn out not to be effective. A reopening due to an ineffective specification adopted by decision should enable the Commission to amend the specification prospectively. The Commission should also be able to set a reasonable time period within which the proceedings can be reopened if the specified measures turn out not to be effective.
As an additional element to ensure proportionality, gatekeepers should be given an opportunity to request the suspension, to the extent necessary, of a specific obligation in exceptional circumstances that lie beyond the control of the gatekeeper, such as an unforeseen external shock that has temporarily eliminated a significant part of end user demand for the relevant core platform service, where compliance with a specific obligation is shown by the gatekeeper to endanger the economic viability of the Union operations of the gatekeeper concerned. The Commission should identify the exceptional circumstances justifying the suspension and review it on a regular basis in order to assess whether the conditions for granting it are still viable.
In exceptional circumstances, justified on the limited grounds of public health or public security laid down in Union law and interpreted by the Court of Justice, the Commission should be able to decide that a specific obligation does not apply to a specific core platform service. If harm is caused to such public interests that could indicate that the cost to society as a whole of enforcing a certain obligation is, in a specific exceptional case, too high and thus disproportionate. Where appropriate, the Commission should be able to facilitate compliance by assessing whether a limited and duly justified suspension or exemption is justified. This should ensure the proportionality of the obligations in this Regulation without undermining the intended ex ante effects on fairness and contestability. Where such an exemption is granted, the Commission should review its decision every year.
Within the timeframe for complying with their obligations under this Regulation, gatekeepers should inform the Commission, through mandatory reporting, about the measures they intend to implement or have implemented in order to ensure effective compliance with those obligations, including those measures concerning compliance with Regulation (EU) 2016/679, to the extent they are relevant for compliance with the obligations provided under this Regulation, which should allow the Commission to fulfil its duties under this Regulation. In addition, a clear and comprehensible non-confidential summary of such information should be made publicly available while taking into account the legitimate interest of gatekeepers in the protection of their business secrets and other confidential information. This non-confidential publication should enable third parties to assess whether the gatekeepers comply with the obligations laid down in this Regulation. Such reporting should be without prejudice to any enforcement action by the Commission at any time following the reporting. The Commission should publish online a link to the non-confidential summary of the report, as well as all other public information based on information obligations under this Regulation, in order to ensure accessibility of such information in a usable and comprehensive manner, in particular for small and medium enterprises (SMEs).
The obligations of gatekeepers should only be updated after a thorough investigation into the nature and impact of specific practices that may be newly identified, following an in-depth investigation, as unfair or limiting contestability in the same manner as the unfair practices laid down in this Regulation while potentially escaping the scope of the current set of obligations. The Commission should be able to launch an investigation with a view to determining whether the existing obligations need to be updated, either on its own initiative or following a justified request of at least three Member States. When presenting such justified requests, it should be possible for Member States to include information on newly introduced offers of products, services, software or features which raise concerns of contestability or fairness, whether implemented in the context of existing core platform services or otherwise. Where, following a market investigation, the Commission deems it necessary to modify essential elements of this Regulation, such as the inclusion of new obligations that depart from the same contestability or fairness issues addressed by this Regulation, the Commission should advance a proposal to amend this Regulation.
Given the substantial economic power of gatekeepers, it is important that the obligations are applied effectively and are not circumvented. To that end, the rules in question should apply to any practice by a gatekeeper, irrespective of its form and irrespective of whether it is of a contractual, commercial, technical or any other nature, insofar as the practice corresponds to the type of practice that is the subject of one of the obligations laid down by this Regulation. Gatekeepers should not engage in behaviour that would undermine the effectiveness of the prohibitions and obligations laid down in this Regulation. Such behaviour includes the design used by the gatekeeper, the presentation of end-user choices in a non-neutral manner, or using the structure, function or manner of operation of a user interface or a part thereof to subvert or impair user autonomy, decision-making, or choice. Furthermore, the gatekeeper should not be allowed to engage in any behaviour undermining interoperability as required under this Regulation, such as for example by using unjustified technical protection measures, discriminatory terms of service, unlawfully claiming a copyright on application programming interfaces or providing misleading information. Gatekeepers should not be allowed to circumvent their designation by artificially segmenting, dividing, subdividing, fragmenting or splitting their core platform services to circumvent the quantitative thresholds laid down in this Regulation.
To ensure the effectiveness of the review of gatekeeper status, as well as the possibility to adjust the list of core platform services provided by a gatekeeper, the gatekeepers should inform the Commission of all of their intended acquisitions, prior to their implementation, of other undertakings providing core platform services or any other services provided within the digital sector or other services that enable the collection of data. Such information should not only serve the review process regarding the status of individual gatekeepers, but will also provide information that is crucial to monitoring broader contestability trends in the digital sector and can therefore be a useful factor for consideration in the context of the market investigations provided for by this Regulation. Furthermore, the Commission should inform Member States of such information, given the possibility of using the information for national merger control purposes and as, under certain circumstances, it is possible for the national competent authority to refer those acquisitions to the Commission for the purposes of merger control. The Commission should also publish annually a list of acquisitions of which it has been informed by the gatekeeper. To ensure the necessary transparency and usefulness of such information for different purposes provided for by this Regulation, gatekeepers should provide at least information about the undertakings concerned by the concentration, their Union and worldwide annual turnover, their field of activity, including activities directly related to the concentration, the transaction value or an estimation thereof, a summary of the concentration, including its nature and rationale, as well as a list of the Member States concerned by the operation.
The data protection and privacy interests of end users are relevant to any assessment of potential negative effects of the observed practice of gatekeepers to collect and accumulate large amounts of data from end users. Ensuring an adequate level of transparency of profiling practices employed by gatekeepers, including, but not limited to, profiling within the meaning of Article 4, point (4), of Regulation (EU) 2016/679, facilitates contestability of core platform services. Transparency puts external pressure on gatekeepers not to make deep consumer profiling the industry standard, given that potential entrants or start-ups cannot access data to the same extent and depth, and at a similar scale. Enhanced transparency should allow other undertakings providing core platform services to differentiate themselves better through the use of superior privacy guarantees. To ensure a minimum level of effectiveness of this transparency obligation, gatekeepers should at least provide an independently audited description of the basis upon which profiling is performed, including whether personal data and data derived from user activity in line with Regulation (EU) 2016/679 is relied on, the processing applied, the purpose for which the profile is prepared and eventually used, the duration of the profiling, the impact of such profiling on the gatekeeper’s services, and the steps taken to effectively enable end users to be aware of the relevant use of such profiling, as well as steps to seek their consent or provide them with the possibility of denying or withdrawing consent. The Commission should transfer the audited description to the European Data Protection Board to inform the enforcement of Union data protection rules. The Commission should be empowered to develop the methodology and procedure for the audited description, in consultation with the European Data Protection Supervisor, the European Data Protection Board, civil society and experts, in line with Regulations (EU) No 182/2011 [^16] and (EU) 2018/1725 [^17] of the European Parliament and of the Council.
In order to ensure the full and lasting achievement of the objectives of this Regulation, the Commission should be able to assess whether an undertaking providing core platform services should be designated as a gatekeeper without meeting the quantitative thresholds laid down in this Regulation; whether systematic non-compliance by a gatekeeper warrants imposing additional remedies; whether more services within the digital sector should be added to the list of core platform services; and whether additional practices that are similarly unfair and limiting the contestability of digital markets need to be investigated. Such assessment should be based on market investigations to be carried out in an appropriate timeframe, by using clear procedures and deadlines, in order to support the ex ante effect of this Regulation on contestability and fairness in the digital sector, and to provide the requisite degree of legal certainty.
The Commission should be able to find, following a market investigation, that an undertaking providing a core platform service fulfils all of the overarching qualitative criteria for being identified as a gatekeeper. That undertaking should then, in principle, comply with all of the relevant obligations laid down by this Regulation. However, for gatekeepers that have been designated by the Commission because it is foreseeable that they will enjoy an entrenched and durable position in the near future, the Commission should only impose those obligations that are necessary and appropriate to prevent that the gatekeeper concerned achieves an entrenched and durable position in its operations. With respect to such emerging gatekeepers, the Commission should take into account that this status is in principle of a temporary nature, and it should therefore be decided at a given moment whether such an undertaking providing core platform services should be subjected to the full set of gatekeeper obligations because it has acquired an entrenched and durable position, or the conditions for designation are ultimately not met and therefore all previously imposed obligations should be waived.
The Commission should investigate and assess whether additional behavioural, or, where appropriate, structural remedies are justified, in order to ensure that the gatekeeper cannot frustrate the objectives of this Regulation by systematic non-compliance with one or several of the obligations laid down in this Regulation. This is the case where the Commission has issued against a gatekeeper at least three non-compliance decisions within the period of 8 years, which can concern different core platform services and different obligations laid down in this Regulation, and if the gatekeeper has maintained, extended or further strengthened its impact in the internal market, the economic dependency of its business users and end users on the gatekeeper’s core platform services or the entrenchment of its position. A gatekeeper should be deemed to have maintained, extended or strengthened its gatekeeper position where, despite the enforcement actions taken by the Commission, that gatekeeper still holds or has further consolidated or entrenched its importance as a gateway for business users to reach end users. The Commission should in such cases have the power to impose any remedy, whether behavioural or structural, having due regard to the principle of proportionality. In this context, the Commission should have the power to prohibit, to the extent that such remedy is proportionate and necessary in order to maintain or restore fairness and contestability as affected by the systematic non-compliance, during a limited time-period, the gatekeeper from entering into a concentration regarding those core platform services or the other services provided in the digital sector or services enabling the collection of data that are affected by the systematic non-compliance. In order to enable effective involvement of third parties and the possibility to test remedies before its application, the Commission should publish a detailed non-confidential summary of the case and the measures to be taken. The Commission should be able to reopen proceedings, including where the specified remedies turn out not to be effective. A reopening due to ineffective remedies adopted by decision should enable the Commission to amend the remedies prospectively. The Commission should also be able to set a reasonable time period within which it should be possible to reopen the proceedings if the remedies prove not to be effective.
Where, in the course of an investigation into systematic non-compliance, a gatekeeper offers commitments to the Commission, the latter should be able to adopt a decision making these commitments binding on the gatekeeper concerned, where it finds that the commitments ensure effective compliance with the obligations set out in this Regulation. That decision should also find that there are no longer grounds for action by the Commission as regards the systematic non-compliance under investigation. In assessing whether the commitments offered by the gatekeeper are sufficient to ensure effective compliance with the obligations under this Regulation, the Commission should be allowed to take into account tests undertaken by the gatekeeper to demonstrate the effectiveness of the offered commitments in practice. The Commission should verify that the commitments decision is fully respected and reaches its objectives, and should be entitled to reopen the decision if it finds that the commitments are not effective.
The services in the digital sector and the types of practices relating to these services can change quickly and to a significant extent. To ensure that this Regulation remains up to date and constitutes an effective and holistic regulatory response to the problems posed by gatekeepers, it is important to provide for a regular review of the lists of core platform services, as well as of the obligations provided for in this Regulation. This is particularly important to ensure that a practice that is likely to limit the contestability of core platform services or is unfair is identified. While it is important to conduct a review on a regular basis, given the dynamically changing nature of the digital sector, in order to ensure legal certainty as to the regulatory conditions, any reviews should be conducted within a reasonable and appropriate timeframe. Market investigations should also ensure that the Commission has a solid evidentiary basis on which it can assess whether it should propose to amend this Regulation in order to review, expand, or further detail, the lists of core platform services. They should equally ensure that the Commission has a solid evidentiary basis on which it can assess whether it should propose to amend the obligations laid down in this Regulation or whether it should adopt a delegated act updating such obligations.
With regard to conduct by gatekeepers that is not covered by the obligations set out in this Regulation, the Commission should have the possibility to open a market investigation into new services and new practices for the purposes of identifying whether the obligations set out in this Regulation are to be supplemented by means of a delegated act falling within the scope of the empowerment set out for such delegated acts in this Regulation, or by presenting a proposal to amend this Regulation. This is without prejudice to the possibility for the Commission to, in appropriate cases, open proceedings under Article 101 or 102 TFEU. Such proceedings should be conducted in accordance with Council Regulation (EC) No 1/2003 [^18]. In cases of urgency due to the risk of serious and irreparable damage to competition, the Commission should consider adopting interim measures in accordance with Article 8 of Regulation (EC) No 1/2003.
In the event that gatekeepers engage in a practice that is unfair or that limits the contestability of the core platform services that are already designated under this Regulation but without such practices being explicitly covered by the obligations laid down by this Regulation, the Commission should be able to update this Regulation through delegated acts. Such updates by way of delegated act should be subject to the same investigatory standard and therefore should be preceded by a market investigation. The Commission should also apply a predefined standard in identifying such types of practices. This legal standard should ensure that the type of obligations that gatekeepers could at any time face under this Regulation are sufficiently predictable.
In order to ensure effective implementation and compliance with this Regulation, the Commission should have strong investigative and enforcement powers, to allow it to investigate, enforce and monitor the rules laid down in this Regulation, while at the same time ensuring the respect for the fundamental right to be heard and to have access to the file in the context of the enforcement proceedings. The Commission should dispose of these investigative powers also for the purpose of carrying out market investigations, including for the purpose of updating and reviewing this Regulation.
The Commission should be empowered to request information necessary for the purpose of this Regulation. In particular, the Commission should have access to any relevant documents, data, database, algorithm and information necessary to open and conduct investigations and to monitor the compliance with the obligations laid down in this Regulation, irrespective of who possesses such information, and regardless of their form or format, their storage medium, or the place where they are stored.
The Commission should be able to directly request that undertakings or associations of undertakings provide any relevant evidence, data and information. In addition, the Commission should be able to request any relevant information from competent authorities within the Member State, or from any natural person or legal person for the purpose of this Regulation. When complying with a decision of the Commission, undertakings are obliged to answer factual questions and to provide documents.
The Commission should also be empowered to conduct inspections of any undertaking or association of undertakings and to interview any persons who could be in possession of useful information and to record the statements made.
Interim measures can be an important tool to ensure that, while an investigation is ongoing, the infringement being investigated does not lead to serious and irreparable damage for business users or end users of gatekeepers. This tool is important to avoid developments that could be very difficult to reverse by a decision taken by the Commission at the end of the proceedings. The Commission should therefore have the power to order interim measures in the context of proceedings opened in view of the possible adoption of a non-compliance decision. This power should apply in cases where the Commission has made a prima facie finding of infringement of obligations by gatekeepers and where there is a risk of serious and irreparable damage for business users or end users of gatekeepers. Interim measures should only apply for a specified period, either one ending with the conclusion of the proceedings by the Commission, or for a fixed period which can be renewed insofar as it is necessary and appropriate.
The Commission should be able to take the necessary actions to monitor the effective implementation of and compliance with the obligations laid down in this Regulation. Such actions should include the ability of the Commission to appoint independent external experts and auditors to assist the Commission in this process, including, where applicable, from competent authorities of the Member States, such as data or consumer protection authorities. When appointing auditors, the Commission should ensure sufficient rotation.
Compliance with the obligations imposed by this Regulation should be enforceable by means of fines and periodic penalty payments. To that end, appropriate levels of fines and periodic penalty payments should also be laid down for non-compliance with the obligations and breach of the procedural rules subject to appropriate limitation periods, in accordance with the principles of proportionality and ne bis in idem. The Commission and the relevant national authorities should coordinate their enforcement efforts in order to ensure that those principles are respected. In particular, the Commission should take into account any fines and penalties imposed on the same legal person for the same facts through a final decision in proceedings relating to an infringement of other Union or national rules, so as to ensure that the overall fines and penalties imposed correspond to the seriousness of the infringements committed.
In order to ensure effective recovery of fines imposed on associations of undertakings for infringements that they have committed, it is necessary to lay down the conditions on which it should be possible for the Commission to require payment of the fine from the members of that association of undertakings where it is not solvent.
In the context of proceedings carried out under this Regulation, the undertaking concerned should be accorded the right to be heard by the Commission and the decisions taken should be widely publicised. While ensuring the rights to good administration, the right of access to the file and the right to be heard, it is essential to protect confidential information. Furthermore, while respecting the confidentiality of the information, the Commission should ensure that any information on which the decision is based is disclosed to an extent that allows the addressee of the decision to understand the facts and considerations that led to the decision. It is also necessary to ensure that the Commission only uses information collected pursuant to this Regulation for the purposes of this Regulation, except where specifically envisaged otherwise. Finally, it should be possible, under certain conditions, for certain business records, such as communication between lawyers and their clients, to be considered confidential if the relevant conditions are met.
When preparing non-confidential summaries for publication in order to effectively enable interested third parties to provide comments, the Commission should give due regard to the legitimate interest of undertakings in the protection of their business secrets and other confidential information.
The coherent, effective and complementary enforcement of available legal instruments applied to gatekeepers requires cooperation and coordination between the Commission and national authorities within the remit of their competences. The Commission and national authorities should cooperate and coordinate their actions necessary for the enforcement of the available legal instruments applied to gatekeepers within the meaning of this Regulation and respect the principle of sincere cooperation laid down in Article 4 of the Treaty on European Union (TEU). It should be possible for the support from national authorities to the Commission to include providing the Commission with all necessary information in their possession or assisting the Commission, at its request, with the exercise of its powers so that the Commission is better able to carry out its duties under this Regulation.
The Commission is the sole authority empowered to enforce this Regulation. In order to support the Commission, it should be possible for Member States to empower their national competent authorities enforcing competition rules to conduct investigations into possible non-compliance by gatekeepers with certain obligations under this Regulation. This could in particular be relevant for cases where it cannot be determined from the outset whether a gatekeeper’s behaviour is capable of infringing this Regulation, the competition rules which the national competent authority is empowered to enforce, or both. The national competent authority enforcing competition rules should report on its findings on possible non-compliance by gatekeepers with certain obligations under this Regulation to the Commission in view of the Commission opening proceedings to investigate any non-compliance as the sole enforcer of the provisions laid down by this Regulation. The Commission should have full discretion to decide whether to open such proceedings. In order to avoid overlapping investigations under this Regulation, the national competent authority concerned should inform the Commission before taking its first investigative measure into a possible non-compliance by gatekeepers with certain obligations under this Regulation. The national competent authorities should also closely cooperate and coordinate with the Commission when enforcing national competition rules against gatekeepers, including with regard to the setting of fines. To that end, they should inform the Commission when initiating proceedings based on national competition rules against gatekeepers, as well as prior to imposing obligations on gatekeepers in such proceedings. In order to avoid duplication, it should be possible for information of the draft decision pursuant to Article 11 of Regulation (EC) No 1/2003, where applicable, to serve as notification under this Regulation.
In order to safeguard the harmonised application and enforcement of this Regulation, it is important to ensure that national authorities, including national courts, have all necessary information to ensure that their decisions do not run counter to a decision adopted by the Commission under this Regulation. National courts should be allowed to ask the Commission to send them information or opinions on questions concerning the application of this Regulation. At the same time, the Commission should be able to submit oral or written observations to national courts. This is without prejudice to the ability of national courts to request a preliminary ruling under Article 267 TFEU.
In order to ensure coherence and effective complementarity in the implementation of this Regulation and of other sectoral regulations applicable to gatekeepers, the Commission should benefit from the expertise of a dedicated high-level group. It should be possible for that high-level group to also assist the Commission by means of advice, expertise and recommendations, when relevant, in general matters relating to the implementation or enforcement of this Regulation. The high-level group should be composed of the relevant European bodies and networks, and its composition should ensure a high level of expertise and a geographical balance. The members of the high-level group should regularly report to the bodies and networks they represent regarding the tasks performed in the context of the group, and consult them in that regard.
Since the decisions taken by the Commission under this Regulation are subject to review by the Court of Justice in accordance with the TFEU, in accordance with Article 261 TFEU, the Court of Justice should have unlimited jurisdiction in respect of fines and penalty payments.
It should be possible for the Commission to develop guidelines to provide further guidance on different aspects of this Regulation or to assist undertakings providing core platform services in the implementation of the obligations under this Regulation. It should be possible for such guidance to be based in particular on the experience that the Commission obtains through the monitoring of compliance with this Regulation. The issuing of any guidelines under this Regulation is a prerogative and at the sole discretion of the Commission and should not be considered to be a constitutive element in ensuring that the undertakings or associations of undertakings concerned comply with the obligations under this Regulation.
The implementation of some of the gatekeepers’ obligations, such as those related to data access, data portability or interoperability could be facilitated by the use of technical standards. In this respect, it should be possible for the Commission, where appropriate and necessary, to request European standardisation bodies to develop them.
In order to ensure contestable and fair markets in the digital sector across the Union where gatekeepers are present, the power to adopt acts in accordance with Article 290 TFEU should be delegated to the Commission in respect of amending the methodology for determining whether the quantitative thresholds regarding active end users and active business users for the designation of gatekeepers are met, which is contained in an Annex to this Regulation, in respect of further specifying the additional elements of the methodology not falling in that Annex for determining whether the quantitative thresholds regarding the designation of gatekeepers are met, and in respect of supplementing the existing obligations laid down in this Regulation where, based on a market investigation, the Commission has identified the need for updating the obligations addressing practices that limit the contestability of core platform services or are unfair, and the update considered falls within the scope of the empowerment set out for such delegated acts in this Regulation.
When adopting delegated acts under this Regulation, it is of particular importance that the Commission carries out appropriate consultations during its preparatory work, including at expert level, and that those consultations be conducted in accordance with the principles laid down in the Interinstitutional Agreement of 13 April 2016 on Better Law-Making [^19]. In particular, to ensure equal participation in the preparation of delegated acts, the European Parliament and the Council should receive all documents at the same time as Member States’ experts, and their experts systematically have access to meetings of Commission expert groups dealing with the preparation of delegated acts.
In order to ensure uniform conditions for the implementation of this Regulation, implementing powers should be conferred on the Commission to specify measures to be implemented by gatekeepers in order to effectively comply with the obligations under this Regulation; to suspend, in whole or in part, a specific obligation imposed on a gatekeeper; to exempt a gatekeeper, in whole or in part, from a specific obligation; to specify the measures to be implemented by a gatekeeper when it circumvents the obligations under this Regulation; to conclude a market investigation for designating gatekeepers; to impose remedies in the case of systematic non-compliance; to order interim measures against a gatekeeper; to make commitments binding on a gatekeeper; to set out its finding of a non-compliance; to set the definitive amount of the periodic penalty payment; to determine the form, content and other details of notifications, submissions of information, reasoned requests and regulatory reports transmitted by gatekeepers; to lay down operational and technical arrangements in view of implementing interoperability and the methodology and procedure for the audited description of techniques used for profiling consumers; to provide for practical arrangements for proceedings, extensions of deadlines, exercising rights during proceedings, terms of disclosure, as well as for the cooperation and coordination between the Commission and national authorities. Those powers should be exercised in accordance with Regulation (EU) No 182/2011.
The examination procedure should be used for the adoption of an implementing act on the practical arrangements for the cooperation and coordination between the Commission and Member States. The advisory procedure should be used for the remaining implementing acts envisaged by this Regulation. This is justified by the fact that those remaining implementing acts relate to practical aspects of the procedures laid down in this Regulation, such as form, content and other details of various procedural steps, to practical arrangements of different procedural steps, such as, for example, extension of procedural deadlines or right to be heard, as well as to individual implementing decisions addressed to a gatekeeper.
In accordance with Regulation (EU) No 182/2011, each Member State should be represented in the advisory committee and decide on the composition of its delegation. Such delegation can include, inter alia, experts from the competent authorities within the Member States, which hold the relevant expertise for a specific issue presented to the advisory committee.
Whistleblowers can bring new information to the attention of competent authorities which can help the competent authorities detect infringements of this Regulation and enable them to impose penalties. It should be ensured that adequate arrangements are in place to enable whistleblowers to alert the competent authorities to actual or potential infringements of this Regulation and to protect the whistleblowers from retaliation. For that purpose, it should be provided in this Regulation that Directive (EU) 2019/1937 of the European Parliament and of the Council [^20] is applicable to the reporting of breaches of this Regulation and to the protection of persons reporting such breaches.
To enhance legal certainty, the applicability, pursuant to this Regulation, of Directive (EU) 2019/1937 to reports of breaches of this Regulation and to the protection of persons reporting such breaches should be reflected in that Directive. The Annex to Directive (EU) 2019/1937 should therefore be amended accordingly. It is for the Member States to ensure that that amendment is reflected in their transposition measures adopted in accordance with Directive (EU) 2019/1937, although the adoption of national transposition measures is not a condition for the applicability of that Directive to the reporting of breaches of this Regulation and to the protection of reporting persons from the date of application of this Regulation.
Consumers should be entitled to enforce their rights in relation to the obligations imposed on gatekeepers under this Regulation through representative actions in accordance with Directive (EU) 2020/1828 of the European Parliament and of the Council [^21]. For that purpose, this Regulation should provide that Directive (EU) 2020/1828 is applicable to the representative actions brought against infringements by gatekeepers of provisions of this Regulation that harm or can harm the collective interests of consumers. The Annex to that Directive should therefore be amended accordingly. It is for the Member States to ensure that that amendment is reflected in their transposition measures adopted in accordance with Directive (EU) 2020/1828, although the adoption of national transposition measures in this regard is not a condition for the applicability of that Directive to those representative actions. The applicability of Directive (EU) 2020/1828 to the representative actions brought against infringements by gatekeepers of provisions of this Regulation that harm or can harm the collective interests of consumers should start from the date of application of Member States’ laws, regulations and administrative provisions necessary to transpose that Directive, or from the date of application of this Regulation, whichever is the later.
The Commission should periodically evaluate this Regulation and closely monitor its effects on the contestability and fairness of commercial relationships in the online platform economy, in particular with a view to determining the need for amendments in light of relevant technological or commercial developments. That evaluation should include the regular review of the list of core platform services and the obligations addressed to gatekeepers, as well as their enforcement, in view of ensuring that digital markets across the Union are contestable and fair. In that context, the Commission should also evaluate the scope of the obligation concerning the interoperability of number-independent electronic communications services. In order to obtain a broad view of developments in the digital sector, the evaluation should take into account the experiences of Member States and relevant stakeholders. It should be possible for the Commission in this regard also to consider the opinions and reports presented to it by the Observatory on the Online Platform Economy that was first established by Commission Decision C(2018)2393 of 26 April 2018. Following the evaluation, the Commission should take appropriate measures. The Commission should maintain a high level of protection and respect for the common rights and values, particularly equality and non-discrimination, as an objective when conducting the assessments and reviews of the practices and obligations provided in this Regulation.
Without prejudice to the budgetary procedure and through existing financial instruments, adequate human, financial and technical resources should be allocated to the Commission to ensure that it can effectively perform its duties and exercise its powers in respect of the enforcement of this Regulation.
Since the objective of this Regulation, namely to ensure a contestable and fair digital sector in general and core platform services in particular, with a view to promoting innovation, high quality of digital products and services, fair and competitive prices, as well as a high quality and choice for end users in the digital sector, cannot be sufficiently achieved by the Member States, but can rather, by reason of the business model and operations of the gatekeepers and the scale and effects of their operations, be better achieved at Union level, the Union may adopt measures, in accordance with the principle of subsidiarity as set out in Article 5 TEU. In accordance with the principle of proportionality, as set out in that Article, this Regulation does not go beyond what is necessary in order to achieve that objective.
The European Data Protection Supervisor was consulted in accordance with Article 42 of Regulation (EU) 2018/1725 and delivered an opinion on 10 February 2021 [^22].
This Regulation respects the fundamental rights and observes the principles recognised by the Charter of Fundamental Rights of the European Union, in particular Articles 16, 47 and 50 thereof. Accordingly, the interpretation and application of this Regulation should respect those rights and principles, HAVE ADOPTED THIS REGULATION:
For the purposes of this Regulation, the following definitions apply:
(b) there is an imbalance between the rights and obligations of business users and the gatekeeper obtains an advantage from business users that is disproportionate to the service provided by that gatekeeper to those business users.
In case of urgency due to the risk of serious and irreparable damage for business users or end users of gatekeepers, the Commission may adopt an implementing act ordering interim measures against a gatekeeper on the basis of a prima facie finding of an infringement of Article 5, 6 or 7. That implementing act shall be adopted only in the context of proceedings opened with a view to the possible adoption of a non-compliance decision pursuant to Article 29(1). It shall apply only for a specified period of time and may be renewed in so far this is necessary and appropriate. That implementing act shall be adopted in accordance with the advisory procedure referred to in Article 50(2).
Directive (EU) 2020/1828 shall apply to the representative actions brought against infringements by gatekeepers of provisions of this Regulation that harm or may harm the collective interests of consumers.
Directive (EU) 2019/1937 shall apply to the reporting of all breaches of this Regulation and the protection of persons reporting such breaches.
In accordance with Article 261 TFEU, the Court of Justice has unlimited jurisdiction to review decisions by which the Commission has imposed fines or periodic penalty payments. It may cancel, reduce or increase the fine or periodic penalty payment imposed.
The Commission may adopt guidelines on any of the aspects of this Regulation in order to facilitate its effective implementation and enforcement.
Where appropriate and necessary, the Commission may mandate European standardisation bodies to facilitate the implementation of the obligations set out in this Regulation by developing appropriate standards.
In Point J of Part I of the Annex to Directive (EU) 2019/1937, the following point is added: ‘(iv) Regulation (EU) 2022/1925 of the European Parliament and of the Council of 14 September 2022 on contestable and fair markets in the digital sector and amending Directives (EU) 2019/1937 and (EU) 2020/1828 (Digital Markets Act) (OJ L 265, 21.9.2022, p. 1).’
In Annex I to Directive (EU) 2020/1828, the following point is added: ‘(67) Regulation (EU) 2022/1925 of the European Parliament and of the Council of 14 September 2022 on contestable and fair markets in the digital sector and amending Directives (EU) 2019/1937 and (EU) 2020/1828 (Digital Markets Act) (OJ L 265, 21.9.2022, p. 1).’
This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union. It shall apply from 2 May 2023.
However, Article 3(6) and (7) and Articles 40, 46, 47, 48, 49 and 50 shall apply from 1 November 2022 and Article 42 and Article 43 shall apply from 25 June 2023. Nevertheless, if the date of 25 June 2023 precedes the date of application referred to in the second paragraph of this Article, the application of Article 42 and Article 43 shall be postponed until the date of application referred to in the second paragraph of this Article.
This Regulation shall be binding in its entirety and directly applicable in all Member States.
Done at Strasbourg, 14 September 2022.
For the European Parliament The President R. METSOLA For the Council The President M. BEK
[^1] OJ C 286, 16.7.2021, p. 64. [^2] OJ C 440, 29.10.2021, p. 67. [^3] Position of the European Parliament of 5 July 2022 (not yet published in the Official Journal) and decision of the Council of 18 July 2022. [^4] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1). [^5] Regulation (EU) 2019/1150 of the European Parliament and of the Council of 20 June 2019 on promoting fairness and transparency for business users of online intermediation services (OJ L 186, 11.7.2019, p. 57). [^6] Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (OJ L 201, 31.7.2002, p. 37). [^7] Directive 2005/29/EC of the European Parliament and of the Council of 11 May 2005 concerning unfair business-to-consumer commercial practices in the internal market and amending Council Directive 84/450/EEC, Directives 97/7/EC, 98/27/EC and 2002/65/EC of the European Parliament and of the Council and Regulation (EC) No 2006/2004 of the European Parliament and of the Council (‘Unfair Commercial Practices Directive’) (OJ L 149, 11.6.2005, p. 22). [^8] Directive 2010/13/EU of the European Parliament and of the Council of 10 March 2010 on the coordination of certain provisions laid down by law, regulation or administrative action in Member States concerning the provision of audiovisual media services (Audiovisual Media Services Directive) (OJ L 95, 15.4.2010, p. 1). [^9] Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC (OJ L 337, 23.12.2015, p. 35). [^10] Directive (EU) 2019/790 of the European Parliament and of the Council of 17 April 2019 on copyright and related rights in the Digital Single Market and amending Directives 96/9/EC and 2001/29/EC (OJ L 130, 17.5.2019, p. 92). [^11] Directive (EU) 2019/882 of the European Parliament and of the Council of 17 April 2019 on the accessibility requirements for products and services (OJ L 151, 7.6.2019, p. 70). [^12] Council Directive 93/13/EEC of 5 April 1993 on unfair terms in consumer contracts (OJ L 95, 21.4.1993, p. 29). [^13] Directive (EU) 2015/1535 of the European Parliament and of the Council of 9 September 2015 laying down a procedure for the provision of information in the field of technical regulations and of rules on Information Society services (OJ L 241, 17.9.2015, p. 1). [^14] Directive (EU) 2018/1972 of the European Parliament and of the Council of 11 December 2018 establishing the European Electronic Communications Code (OJ L 321, 17.12.2018, p. 36). [^15] Directive (EU) 2016/2102 of the European Parliament and of the Council of 26 October 2016 on the accessibility of the websites and mobile applications of public sector bodies (OJ L 327, 2.12.2016, p. 1). [^16] Regulation (EU) No 182/2011 of the European Parliament and of the Council of 16 February 2011 laying down the rules and general principles concerning mechanisms for control by the Member States of the Commission’s exercise of implementing powers (OJ L 55, 28.2.2011, p. 13). [^17] Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39). [^18] Council Regulation (EC) No 1/2003 of 16 December 2002 on the implementation of the rules on competition laid down in Articles 81 and 82 of the Treaty (OJ L 1, 4.1.2003, p. 1). [^19] OJ L 123, 12.5.2016, p. 1. [^20] Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons who report breaches of Union law (OJ L 305, 26.11.2019, p. 17). [^21] Directive (EU) 2020/1828 of the European Parliament and of the Council of 25 November 2020 on representative actions for the protection of the collective interests of consumers and repealing Directive 2009/22/EC (OJ L 409, 4.12.2020, p. 1). [^22] OJ C 147, 26.4.2021, p. 4. [^23] Council Regulation (EC) No 139/2004 of 20 January 2004 on the control of concentrations between undertakings (the EC Merger Regulation) (OJ L 24, 29.1.2004, p. 1). [^24] Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union (OJ L 194, 19.7.2016, p. 1).
A. ‘General’
This Annex aims at specifying the methodology for identifying and calculating the ‘active end users’ and the ‘active business users’ for each core platform service listed in Article 2, point (2). It provides a reference to enable an undertaking to assess whether its core platform services meet the quantitative thresholds set out in Article 3(2), point (b) and would therefore be presumed to meet the requirement in Article 3(1), point (b). Such reference will therefore equally be of relevance to any broader assessment under Article 3(8). It is the responsibility of the undertaking to come to the best approximation possible in line with the common principles and specific methodology set out in this Annex. Nothing in this Annex precludes the Commission, within the time limits laid down in the relevant provisions of this Regulation, from requiring the undertaking providing core platform services to provide any information necessary to identify and calculate the ‘active end users’ and the ‘active business users’. Nothing in this Annex should constitute a legal basis for tracking users. The methodology contained in this Annex is also without prejudice to any of the obligations laid down in this Regulation, notably in Article 3(3) and (8) and Article 13(3). In particular, the required compliance with Article 13(3) also means identifying and calculating ‘active end users’ and ‘active business users’ based either on a precise measurement or on the best approximation available, in line with the actual identification and calculation capacities that the undertaking providing core platform services possesses at the relevant point in time. Those measurements or the best approximation available shall be consistent with, and include, those reported under Article 15.
Article 2, points (20) and (21) set out the definitions of ‘end user’ and ‘business user’, which are common to all core platform services.
In order to identify and calculate the number of ‘active end users’ and ‘active business users’, this Annex refers to the concept of ‘unique users’. The concept of ‘unique users’ encompasses ‘active end users’ and ‘active business users’ counted only once, for the relevant core platform service, over the course of a specified time period (i.e. month in case of ‘active end users’ and year in case of ‘active business users’), no matter how many times they engaged with the relevant core platform service over that period. This is without prejudice to the fact that the same natural or legal person can simultaneously constitute an ‘active end user’ or an ‘active business user’ for different core platform services. B. ‘Active end users’
The number of ‘unique users’ as regards ‘active end users’ shall be identified according to the most accurate metric reported by the undertaking providing any of the core platform services, specifically: a. It is considered that collecting data about the use of core platform services from signed-in or logged-in environments would prima facie present the lowest risk of duplication, for example in relation to user behaviour across devices or platforms. Hence, the undertaking shall submit aggregate anonymized data on the number of unique end users per respective core platform service based on signed-in or logged-in environments, if such data exists. b. In the case of core platform services which are also accessed by end users outside signed-in or logged-in environments, the undertaking shall additionally submit aggregate anonymized data on the number of unique end users of the respective core platform service based on an alternate metric capturing also end users outside signed-in or logged-in environments, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags, provided that those addresses or identifiers are objectively necessary for the provision of the core platform services.
The number of ‘monthly active end users’ is based on the average number of monthly active end users throughout the largest part of the financial year. The notion ‘the largest part of the financial year’ is intended to allow an undertaking providing core platform services to discount outlier figures in a given year. Outlier figures inherently mean figures that fall significantly outside the normal and foreseeable figures. An unforeseen peak or drop in user engagement that occurred during a single month of the financial year is an example of what could constitute such outlier figures. Figures related to annually recurring occurrences, such as annual sales promotions, are not outlier figures. C. ‘Active business users’ The number of ‘unique users’ as regards ‘active business users’ is to be determined, where applicable, at the account level with each distinct business account associated with the use of a core platform service provided by the undertaking constituting one unique business user of that respective core platform service. If the notion of ‘business account’ does not apply to a given core platform service, the relevant undertaking providing core platform services shall determine the number of unique business users by referring to the relevant undertaking. D. ‘Submission of information’
The undertaking submitting to the Commission pursuant to Article 3(3) information concerning the number of active end users and active business users per core platform service shall be responsible for ensuring the completeness and accuracy of that information. In that regard: a. The undertaking shall be responsible for submitting data for a respective core platform service that avoids under-counting and over-counting the number of active end users and active business users (for example, where users access the core platform services across different platforms or devices). b. The undertaking shall be responsible for providing precise and succinct explanations about the methodology used to arrive at the information and for any risk of under-counting or over-counting of the number of active end users and active business users for a respective core platform service and for the solutions adopted to address that risk. c. The undertaking shall provide data that is based on an alternative metric when the Commission has concerns about the accuracy of data provided by the undertaking providing core platform services.
For the purpose of calculating the number of ‘active end users’ and ‘active business users’: a. The undertaking providing core platform service(s) shall not identify core platform services that belong to the same category of core platform services pursuant to Article 2, point (2) as distinct mainly on the basis that they are provided using different domain names, whether country code top-level domains (ccTLDs) or generic top-level domains (gTLDs), or any geographic attributes. b. The undertaking providing core platform service(s) shall consider as distinct core platform services those core platform services, which are used for different purposes by either their end users or their business users, or both, even if their end users or business users may be the same and even if they belong to the same category of core platform services pursuant to Article 2, point (2). c. The undertaking providing core platform service(s) shall consider as distinct core platform services those services which the relevant undertaking offers in an integrated way, but which: (i) do not belong to the same category of core platform services pursuant to Article 2, point (2); or (ii) are used for different purposes by either their end users or their business users, or both, even if their end users and business users may be the same and even if they belong to the same category of core platform services pursuant to Article 2, point (2).
E. ‘Specific definitions’ The table below sets out specific definitions of ‘active end users’ and ‘active business users’ for each core platform service. Core platform services Active end users Active business users Online intermediation services Number of unique end users who engaged with the online intermediation service at least once in the month for example through actively logging-in, making a query, clicking or scrolling or concluded a transaction through the online intermediation service at least once in the month. Number of unique business users who had at least one item listed in the online intermediation service during the whole year or concluded a transaction enabled by the online intermediation service during the year. Online search engines Number of unique end users who engaged with the online search engine at least once in the month, for example through making a query. Number of unique business users with business websites (i.e. website used in commercial or professional capacity) indexed by or part of the index of the online search engine during the year. Online social networking services Number of unique end users who engaged with the online social networking service at least once in the month, for example through actively logging-in, opening a page, scrolling, clicking, liking, making a query, posting or commenting. Number of unique business users who have a business listing or business account in the online social networking service and have engaged in any way with the service at least once during the year, for example through actively logging-in, opening a page, scrolling, clicking, liking, making a query, posting, commenting or using its tools for businesses. Video-sharing platform services Number of unique end users who engaged with the video-sharing platform service at least once in the month, for example through playing a segment of audiovisual content, making a query or uploading a piece of audiovisual content, notably including user-generated videos. Number of unique business users who provided at least one piece of audiovisual content uploaded or played on the video-sharing platform service during the year. Number-independent interpersonal communication services Number of unique end users who initiated or participated in any way in a communication through the number-independent interpersonal communication service at least once in the month. Number of unique business users who used a business account or otherwise initiated or participated in any way in a communication through the number-independent interpersonal communication service to communicate directly with an end user at least once during the year. Operating systems Number of unique end users who utilised a device with the operating system, which has been activated, updated or used at least once in the month. Number of unique developers who published, updated or offered at least one software application or software program using the programming language or any software development tools of, or running in any way on, the operating system during the year. Virtual assistant Number of unique end users who engaged with the virtual assistant in any way at least once in the month, such as for example through activating it, asking a question, accessing a service through a command or controlling a smart home device. Number of unique developers who offered at least one virtual assistant software application or a functionality to make an existing software application accessible through the virtual assistant during the year. Web browsers Number of unique end users who engaged with the web browser at least once in the month, for example through inserting a query or website address in the URL line of the web browser. Number of unique business users whose business websites (i.e. website used in commercial or professional capacity) have been accessed via the web browser at least once during the year or who offered a plug-in, extension or add-ons used on the web browser during the year. Cloud computing services Number of unique end users who engaged with any cloud computing services from the relevant provider of cloud computing services at least once in the month, in return for any type of remuneration, regardless of whether this remuneration occurs in the same month. Number of unique business users who provided any cloud computing services hosted in the cloud infrastructure of the relevant provider of cloud computing services during the year. Online advertising services For proprietary sales of advertising space: Number of unique end users who were exposed to an advertisement impression at least once in the month. For advertising intermediation services (including advertising networks, advertising exchanges and any other advertising intermediation services): Number of unique end users who were exposed to an advertisement impression which triggered the advertising intermediation service at least once in the month. For proprietary sales of advertising space:
Number of unique advertisers who had at least one advertisement impression displayed during the year.
For advertising intermediation services (including advertising networks, advertising exchanges and any other advertising intermediation services): Number of unique business users (including advertisers, publishers or other intermediators) who interacted via or were served by the advertising intermediation service during the year.
27.12.2022
EN
Official Journal of the European Union
L 333/1
REGULATION (EU) 2022/2554 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL
of 14 December 2022
on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011
(Text with EEA relevance)
THE EUROPEAN PARLIAMENT AND THE COUNCIL OF THE EUROPEAN UNION,
Having regard to the Treaty on the Functioning of the European Union, and in particular Article 114 thereof,
Having regard to the proposal from the European Commission,
After transmission of the draft legislative act to the national parliaments,
Having regard to the opinion of the European Central Bank (1),
Having regard to the opinion of the European Economic and Social Committee (2),
Acting in accordance with the ordinary legislative procedure (3),
Whereas:
In the digital age, information and communication technology (ICT) supports complex systems used for everyday activities. It keeps our economies running in key sectors, including the financial sector, and enhances the functioning of the internal market. Increased digitalisation and interconnectedness also amplify ICT risk, making society as a whole, and the financial system in particular, more vulnerable to cyber threats or ICT disruptions. While the ubiquitous use of ICT systems and high digitalisation and connectivity are today core features of the activities of Union financial entities, their digital resilience has yet to be better addressed and integrated into their broader operational frameworks.
The use of ICT has in the past decades gained a pivotal role in the provision of financial services, to the point where it has now acquired a critical importance in the operation of typical daily functions of all financial entities. Digitalisation now covers, for instance, payments, which have increasingly moved from cash and paper-based methods to the use of digital solutions, as well as securities clearing and settlement, electronic and algorithmic trading, lending and funding operations, peer-to-peer finance, credit rating, claim management and back-office operations. The insurance sector has also been transformed by the use of ICT, from the emergence of insurance intermediaries offering their services online operating with InsurTech, to digital insurance underwriting. Finance has not only become largely digital throughout the whole sector, but digitalisation has also deepened interconnections and dependencies within the financial sector and with third-party infrastructure and service providers.
The European Systemic Risk Board (ESRB) reaffirmed in a 2020 report addressing systemic cyber risk how the existing high level of interconnectedness across financial entities, financial markets and financial market infrastructures, and particularly the interdependencies of their ICT systems, could constitute a systemic vulnerability because localised cyber incidents could quickly spread from any of the approximately 22 000 Union financial entities to the entire financial system, unhindered by geographical boundaries. Serious ICT breaches that occur in the financial sector do not merely affect financial entities taken in isolation. They also smooth the way for the propagation of localised vulnerabilities across the financial transmission channels and potentially trigger adverse consequences for the stability of the Union’s financial system, such as generating liquidity runs and an overall loss of confidence and trust in financial markets.
In recent years, ICT risk has attracted the attention of international, Union and national policy makers, regulators and standard-setting bodies in an attempt to enhance digital resilience, set standards and coordinate regulatory or supervisory work. At international level, the Basel Committee on Banking Supervision, the Committee on Payments and Market Infrastructures, the Financial Stability Board, the Financial Stability Institute, as well as the G7 and G20 aim to provide competent authorities and market operators across various jurisdictions with tools to bolster the resilience of their financial systems. That work has also been driven by the need to duly consider ICT risk in the context of a highly interconnected global financial system and to seek more consistency of relevant best practices.
Despite Union and national targeted policy and legislative initiatives, ICT risk continues to pose a challenge to the operational resilience, performance and stability of the Union financial system. The reforms that followed the 2008 financial crisis primarily strengthened the financial resilience of the Union financial sector and aimed to safeguard the competitiveness and stability of the Union from economic, prudential and market conduct perspectives. Although ICT security and digital resilience are part of operational risk, they have been less in the focus of the post-financial crisis regulatory agenda and have developed in only some areas of the Union’s financial services policy and regulatory landscape, or in only a few Member States.
In its Communication of 8 March 2018 entitled ‘FinTech Action plan: For a more competitive and innovative European financial sector’, the Commission highlighted the paramount importance of making the Union financial sector more resilient, including from an operational perspective to ensure its technological safety and good functioning, its quick recovery from ICT breaches and incidents, ultimately enabling the effective and smooth provision of financial services across the whole Union, including under situations of stress, while also preserving consumer and market trust and confidence.
In April 2019, the European Supervisory Authority (European Banking Authority), (EBA) established by Regulation (EU) No 1093/2010 of the European Parliament and of the Council (4), the European Supervisory Authority (European Insurance and Occupational Pensions Authority), (‘EIOPA’) established by Regulation (EU) No 1094/2010 of the European Parliament and of the Council (5) and the European Supervisory Authority (European Securities and Markets Authority), (‘ESMA’) established by Regulation (EU) No 1095/2010 of the European Parliament and of the Council (6) (known collectively as ‘European Supervisory Authorities’ or ‘ESAs’) jointly issued technical advice calling for a coherent approach to ICT risk in finance and recommending to strengthen, in a proportionate way, the digital operational resilience of the financial services industry through a sector-specific initiative of the Union.
The Union financial sector is regulated by a Single Rulebook and governed by a European system of financial supervision. Nonetheless, provisions tackling digital operational resilience and ICT security are not yet fully or consistently harmonised, despite digital operational resilience being vital for ensuring financial stability and market integrity in the digital age, and no less important than, for example, common prudential or market conduct standards. The Single Rulebook and system of supervision should therefore be developed to also cover digital operational resilience, by strengthening the mandates of competent authorities to enable them to supervise the management of ICT risk in the financial sector in order to protect the integrity and efficiency of the internal market, and to facilitate its orderly functioning.
Legislative disparities and uneven national regulatory or supervisory approaches with regard to ICT risk trigger obstacles to the functioning of the internal market in financial services, impeding the smooth exercise of the freedom of establishment and the provision of services for financial entities operating on a cross-border basis. Competition between the same type of financial entities operating in different Member States could also be distorted. This is the case, in particular, for areas where Union harmonisation has been very limited, such as digital operational resilience testing, or absent, such as the monitoring of ICT third-party risk. Disparities stemming from developments envisaged at national level could generate further obstacles to the functioning of the internal market to the detriment of market participants and financial stability.
To date, due to the ICT risk related provisions being only partially addressed at Union level, there are gaps or overlaps in important areas, such as ICT-related incident reporting and digital operational resilience testing, and inconsistencies as a result of emerging divergent national rules or cost-ineffective application of overlapping rules. This is particularly detrimental for an ICT-intensive user such as the financial sector since technology risks have no borders and the financial sector deploys its services on a wide cross-border basis within and outside the Union. Individual financial entities operating on a cross-border basis or holding several authorisations (e.g. one financial entity can have a banking, an investment firm, and a payment institution licence, each issued by a different competent authority in one or several Member States) face operational challenges in addressing ICT risk and mitigating adverse impacts of ICT incidents on their own and in a coherent cost-effective way.
As the Single Rulebook has not been accompanied by a comprehensive ICT or operational risk framework, further harmonisation of key digital operational resilience requirements for all financial entities is required. The development of ICT capabilities and overall resilience by financial entities, based on those key requirements, with a view to withstanding operational outages, would help preserve the stability and integrity of the Union financial markets and thus contribute to ensuring a high level of protection of investors and consumers in the Union. Since this Regulation aims to contribute to the smooth functioning of the internal market, it should be based on the provisions of Article 114 of the Treaty on the Functioning of the European Union (TFEU) as interpreted in accordance with the consistent case law of the Court of Justice of the European Union (Court of Justice).
This Regulation aims to consolidate and upgrade ICT risk requirements as part of the operational risk requirements that have, up to this point, been addressed separately in various Union legal acts. While those acts covered the main categories of financial risk (e.g. credit risk, market risk, counterparty credit risk and liquidity risk, market conduct risk), they did not comprehensively tackle, at the time of their adoption, all components of operational resilience. The operational risk rules, when further developed in those Union legal acts, often favoured a traditional quantitative approach to addressing risk (namely setting a capital requirement to cover ICT risk) rather than targeted qualitative rules for the protection, detection, containment, recovery and repair capabilities against ICT-related incidents, or for reporting and digital testing capabilities. Those acts were primarily meant to cover and update essential rules on prudential supervision, market integrity or conduct. By consolidating and upgrading the different rules on ICT risk, all provisions addressing digital risk in the financial sector should for the first time be brought together in a consistent manner in one single legislative act. Therefore, this Regulation fills in the gaps or remedies inconsistencies in some of the prior legal acts, including in relation to the terminology used therein, and explicitly refers to ICT risk via targeted rules on ICT risk-management capabilities, incident reporting, operational resilience testing and ICT third-party risk monitoring. This Regulation should thus also raise awareness of ICT risk and acknowledge that ICT incidents and a lack of operational resilience have the possibility to jeopardise the soundness of financial entities.
Financial entities should follow the same approach and the same principle-based rules when addressing ICT risk taking into account their size and overall risk profile, and the nature, scale and complexity of their services, activities and operations. Consistency contributes to enhancing confidence in the financial system and preserving its stability especially in times of high reliance on ICT systems, platforms and infrastructures, which entails increased digital risk. Observing basic cyber hygiene should also avoid imposing heavy costs on the economy by minimising the impact and costs of ICT disruptions.
A Regulation helps reduce regulatory complexity, fosters supervisory convergence and increases legal certainty, and also contributes to limiting compliance costs, especially for financial entities operating across borders, and to reducing competitive distortions. Therefore, the choice of a Regulation for the establishment of a common framework for the digital operational resilience of financial entities is the most appropriate way to guarantee a homogenous and coherent application of all components of ICT risk management by the Union financial sector.
Directive (EU) 2016/1148 of the European Parliament and of the Council (7) was the first horizontal cybersecurity framework enacted at Union level, applying also to three types of financial entities, namely credit institutions, trading venues and central counterparties. However, since Directive (EU) 2016/1148 set out a mechanism of identification at national level of operators of essential services, only certain credit institutions, trading venues and central counterparties that were identified by the Member States, have been brought into its scope in practice, and hence required to comply with the ICT security and incident notification requirements laid down in it. Directive (EU) 2022/2555 of the European Parliament and of the Council (8) sets a uniform criterion to determine the entities falling within its scope of application (size-cap rule) while also keeping the three types of financial entities in its scope.
However, as this Regulation increases the level of harmonisation of the various digital resilience components, by introducing requirements on ICT risk management and ICT-related incident reporting that are more stringent in comparison to those laid down in the current Union financial services law, this higher level constitutes an increased harmonisation also in comparison with the requirements laid down in Directive (EU) 2022/2555. Consequently, this Regulation constitutes lex specialis with regard to Directive (EU) 2022/2555. At the same time, it is crucial to maintain a strong relationship between the financial sector and the Union horizontal cybersecurity framework as currently laid out in Directive (EU) 2022/2555 to ensure consistency with the cyber security strategies adopted by Member States and to allow financial supervisors to be made aware of cyber incidents affecting other sectors covered by that Directive.
In accordance with Article 4(2) of the Treaty on European Union and without prejudice to the judicial review by the Court of Justice, this Regulation should not affect the responsibility of Member States with regard to essential State functions concerning public security, defence and the safeguarding of national security, for example concerning the supply of information which would be contrary to the safeguarding of national security.
To enable cross-sector learning and to effectively draw on experiences of other sectors in dealing with cyber threats, the financial entities referred to in Directive (EU) 2022/2555 should remain part of the ‘ecosystem’ of that Directive (for example, Cooperation Group and computer security incident response teams (CSIRTs)).The ESAs and national competent authorities should be able to participate in the strategic policy discussions and the technical workings of the Cooperation Group under that Directive, and to exchange information and further cooperate with the single points of contact designated or established in accordance with that Directive. The competent authorities under this Regulation should also consult and cooperate with the CSIRTs. The competent authorities should also be able to request technical advice from the competent authorities designated or established in accordance with Directive (EU) 2022/2555 and establish cooperation arrangements that aim to ensure effective and fast-response coordination mechanisms.
Given the strong interlinkages between the digital resilience and the physical resilience of financial entities, a coherent approach with regard to the resilience of critical entities is necessary in this Regulation and Directive (EU) 2022/2557 of the European Parliament and the Council (9). Given that the physical resilience of financial entities is addressed in a comprehensive manner by the ICT risk management and reporting obligations covered by this Regulation, the obligations laid down in Chapters III and IV of Directive (EU) 2022/2557 should not apply to financial entities falling within the scope of that Directive.
Cloud computing service providers are one category of digital infrastructure covered by Directive (EU) 2022/2555. The Union Oversight Framework (‘Oversight Framework’) established by this Regulation applies to all critical ICT third-party service providers, including cloud computing service providers providing ICT services to financial entities, and should be considered complementary to the supervision carried out pursuant to Directive (EU) 2022/2555. Moreover, the Oversight Framework established by this Regulation should cover cloud computing service providers in the absence of a Union horizontal framework establishing a digital oversight authority.
In order to maintain full control over ICT risk, financial entities need to have comprehensive capabilities to enable a strong and effective ICT risk management, as well as specific mechanisms and policies for handling all ICT-related incidents and for reporting major ICT-related incidents. Likewise, financial entities should have policies in place for the testing of ICT systems, controls and processes, as well as for managing ICT third-party risk. The digital operational resilience baseline for financial entities should be increased while also allowing for a proportionate application of requirements for certain financial entities, particularly microenterprises, as well as financial entities subject to a simplified ICT risk management framework. To facilitate an efficient supervision of institutions for occupational retirement provision that is proportionate and addresses the need to reduce administrative burdens on the competent authorities, the relevant national supervisory arrangements in respect of such financial entities should take into account their size and overall risk profile, and the nature, scale and complexity of their services, activities and operations even when the relevant thresholds established in Article 5 of Directive (EU) 2016/2341 of the European Parliament and of the Council (10) are exceeded. In particular, supervisory activities should focus primarily on the need to address serious risks associated with the ICT risk management of a particular entity.
Competent authorities should also maintain a vigilant but proportionate approach in relation to the supervision of institutions for occupational retirement provision which, in accordance with Article 31 of Directive (EU) 2016/2341, outsource a significant part of their core business, such as asset management, actuarial calculations, accounting and data management, to service providers.
ICT-related incident reporting thresholds and taxonomies vary significantly at national level. While common ground may be achieved through the relevant work undertaken by the European Union Agency for Cybersecurity (ENISA) established by Regulation (EU) 2019/881 of the European Parliament and of the Council (11) and the Cooperation Group under Directive (EU) 2022/2555, divergent approaches on setting the thresholds and use of taxonomies still exist, or can emerge, for the remainder of financial entities. Due to those divergences, there are multiple requirements that financial entities must comply with, especially when operating across several Member States and when part of a financial group. Moreover, such divergences have the potential to hinder the creation of further uniform or centralised Union mechanisms that speed up the reporting process and support a quick and smooth exchange of information between competent authorities, which is crucial for addressing ICT risk in the event of large-scale attacks with potentially systemic consequences.
To reduce the administrative burden and potentially duplicative reporting obligations for certain financial entities, the requirement for the incident reporting pursuant to Directive (EU) 2015/2366 of the European Parliament and of the Council (12) should cease to apply to payment service providers that fall within the scope of this Regulation. Consequently, credit institutions, e-money institutions, payment institutions and account information service providers, as referred to in Article 33(1) of that Directive, should, from the date of application of this Regulation, report pursuant to this Regulation, all operational or security payment-related incidents which have been previously reported pursuant to that Directive, irrespective of whether such incidents are ICT-related.
To enable competent authorities to fulfil supervisory roles by acquiring a complete overview of the nature, frequency, significance and impact of ICT-related incidents and to enhance the exchange of information between relevant public authorities, including law enforcement authorities and resolution authorities, this Regulation should lay down a robust ICT-related incident reporting regime whereby the relevant requirements address current gaps in financial services law, and remove existing overlaps and duplications to alleviate costs. It is essential to harmonise the ICT-related incident reporting regime by requiring all financial entities to report to their competent authorities through a single streamlined framework as set out in this Regulation. In addition, the ESAs should be empowered to further specify relevant elements for the ICT-related incident reporting framework, such as taxonomy, timeframes, data sets, templates and applicable thresholds. To ensure full consistency with Directive (EU) 2022/2555, financial entities should be allowed, on a voluntary basis, to notify significant cyber threats to the relevant competent authority, when they consider that the cyber threat is of relevance to the financial system, service users or clients.
Digital operational resilience testing requirements have been developed in certain financial subsectors setting out frameworks that are not always fully aligned. This leads to a potential duplication of costs for cross-border financial entities and makes the mutual recognition of the results of digital operational resilience testing complex which, in turn, can fragment the internal market.
In addition, where no ICT testing is required, vulnerabilities remain undetected and result in exposing a financial entity to ICT risk and ultimately create a higher risk to the stability and integrity of the financial sector. Without Union intervention, digital operational resilience testing would continue to be inconsistent and would lack a system of mutual recognition of ICT testing results across different jurisdictions. In addition, as it is unlikely that other financial subsectors would adopt testing schemes on a meaningful scale, they would miss out on the potential benefits of a testing framework, in terms of revealing ICT vulnerabilities and risks, and testing defence capabilities and business continuity, which contributes to increasing the trust of customers, suppliers and business partners. To remedy those overlaps, divergences and gaps, it is necessary to lay down rules for a coordinated testing regime and thereby facilitate the mutual recognition of advanced testing for financial entities meeting the criteria set out in this Regulation.
Financial entities’ reliance on the use of ICT services is partly driven by their need to adapt to an emerging competitive digital global economy, to boost their business efficiency and to meet consumer demand. The nature and extent of such reliance has been continuously evolving in recent years, driving cost reduction in financial intermediation, enabling business expansion and scalability in the deployment of financial activities while offering a wide range of ICT tools to manage complex internal processes.
The extensive use of ICT services is evidenced by complex contractual arrangements, whereby financial entities often encounter difficulties in negotiating contractual terms that are tailored to the prudential standards or other regulatory requirements to which they are subject, or otherwise in enforcing specific rights, such as access or audit rights, even when the latter are enshrined in their contractual arrangements. Moreover, many of those contractual arrangements do not provide for sufficient safeguards allowing for the fully-fledged monitoring of subcontracting processes, thus depriving the financial entity of its ability to assess the associated risks. In addition, as ICT third-party service providers often provide standardised services to different types of clients, such contractual arrangements do not always cater adequately for the individual or specific needs of financial industry actors.
Even though Union financial services law contains certain general rules on outsourcing, monitoring of the contractual dimension is not fully anchored into Union law. In the absence of clear and bespoke Union standards applying to the contractual arrangements concluded with ICT third-party service providers, the external source of ICT risk is not comprehensively addressed. Consequently, it is necessary to set out certain key principles to guide financial entities’ management of ICT third-party risk, which are of particular importance when financial entities resort to ICT third-party service providers to support their critical or important functions. Those principles should be accompanied by a set of core contractual rights in relation to several elements in the performance and termination of contractual arrangements with a view to providing certain minimum safeguards in order to strengthen financial entities’ ability to effectively monitor all ICT risk emerging at the level of third-party service providers. Those principles are complementary to the sectoral law applicable to outsourcing.
A certain lack of homogeneity and convergence regarding the monitoring of ICT third-party risk and ICT third-party dependencies is evident today. Despite efforts to address outsourcing, such as EBA Guidelines on outsourcing of 2019 and ESMA Guidelines on outsourcing to cloud service providers of 2021 the broader issue of counteracting systemic risk which may be triggered by the financial sector’s exposure to a limited number of critical ICT third-party service providers is not sufficiently addressed by Union law. The lack of rules at Union level is compounded by the absence of national rules on mandates and tools that allow financial supervisors to acquire a good understanding of ICT third-party dependencies and to monitor adequately risks arising from the concentration of ICT third-party dependencies.
Taking into account the potential systemic risk entailed by increased outsourcing practices and by the ICT third-party concentration, and mindful of the insufficiency of national mechanisms in providing financial supervisors with adequate tools to quantify, qualify and redress the consequences of ICT risk occurring at critical ICT third-party service providers, it is necessary to establish an appropriate Oversight Framework allowing for a continuous monitoring of the activities of ICT third-party service providers that are critical ICT third-party service providers to financial entities, while ensuring that the confidentiality and security of customers other than financial entities is preserved. While intra-group provision of ICT services entails specific risks and benefits, it should not be automatically considered less risky than the provision of ICT services by providers outside of a financial group and should therefore be subject to the same regulatory framework. However, when ICT services are provided from within the same financial group, financial entities might have a higher level of control over intra-group providers, which ought to be taken into account in the overall risk assessment.
With ICT risk becoming more and more complex and sophisticated, good measures for the detection and prevention of ICT risk depend to a great extent on the regular sharing between financial entities of threat and vulnerability intelligence. Information sharing contributes to creating increased awareness of cyber threats. In turn, this enhances the capacity of financial entities to prevent cyber threats from becoming real ICT-related incidents and enables financial entities to more effectively contain the impact of ICT-related incidents and to recover faster. In the absence of guidance at Union level, several factors seem to have inhibited such intelligence sharing, in particular uncertainty about its compatibility with data protection, anti-trust and liability rules.
In addition, doubts about the type of information that can be shared with other market participants, or with non-supervisory authorities (such as ENISA, for analytical input, or Europol, for law enforcement purposes) lead to useful information being withheld. Therefore, the extent and quality of information sharing currently remains limited and fragmented, with relevant exchanges mostly being local (by way of national initiatives) and with no consistent Union-wide information-sharing arrangements tailored to the needs of an integrated financial system. It is therefore important to strengthen those communication channels.
Financial entities should be encouraged to exchange among themselves cyber threat information and intelligence, and to collectively leverage their individual knowledge and practical experience at strategic, tactical and operational levels with a view to enhancing their capabilities to adequately assess, monitor, defend against, and respond to cyber threats, by participating in information sharing arrangements. It is therefore necessary to enable the emergence at Union level of mechanisms for voluntary information-sharing arrangements which, when conducted in trusted environments, would help the community of the financial industry to prevent and collectively respond to cyber threats by quickly limiting the spread of ICT risk and impeding potential contagion throughout the financial channels. Those mechanisms should comply with the applicable competition law rules of the Union set out in the Communication from the Commission of 14 January 2011 entitled ‘Guidelines on the applicability of Article 101 of the Treaty on the Functioning of the European Union to horizontal cooperation agreements’, as well as with Union data protection rules, in particular Regulation (EU) 2016/679 of the European Parliament and of the Council (13). They should operate based on the use of one or more of the legal bases that are laid down in Article 6 of that Regulation, such as in the context of the processing of personal data that is necessary for the purposes of the legitimate interest pursued by the controller or by a third party, as referred to in Article 6(1), point (f), of that Regulation, as well as in the context of the processing of personal data necessary for compliance with a legal obligation to which the controller is subject, necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, as referred to in Article 6(1), points (c) and (e), respectively, of that Regulation.
In order to maintain a high level of digital operational resilience for the whole financial sector, and at the same time to keep pace with technological developments, this Regulation should address risk stemming from all types of ICT services. To that end, the definition of ICT services in the context of this Regulation should be understood in a broad manner, encompassing digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis. That definition should, for instance, include so called ‘over the top’ services, which fall within the category of electronic communications services. It should exclude only the limited category of traditional analogue telephone services qualifying as Public Switched Telephone Network (PSTN) services, landline services, Plain Old Telephone Service (POTS), or fixed-line telephone services.
Notwithstanding the broad coverage envisaged by this Regulation, the application of the digital operational resilience rules should take into account the significant differences between financial entities in terms of their size and overall risk profile. As a general principle, when distributing resources and capabilities for the implementation of the ICT risk management framework, financial entities should duly balance their ICT-related needs to their size and overall risk profile, and the nature, scale and complexity of their services, activities and operations, while competent authorities should continue to assess and review the approach of such distribution.
Account information service providers, referred to in Article 33(1) of Directive (EU) 2015/2366, are explicitly included in the scope of this Regulation, taking into account the specific nature of their activities and the risks arising therefrom. In addition, electronic money institutions and payment institutions exempted pursuant to Article 9(1) of Directive 2009/110/EC of the European Parliament and of the Council (14) and Article 32(1) of Directive (EU) 2015/2366 are included in the scope of this Regulation even if they have not been granted authorisation in accordance Directive 2009/110/EC to issue electronic money, or if they have not been granted authorisation in accordance with Directive (EU) 2015/2366 to provide and execute payment services. However, post office giro institutions, referred to in Article 2(5), point (3), of Directive 2013/36/EU of the European Parliament and of the Council (15), are excluded from the scope of this Regulation. The competent authority for payment institutions exempted pursuant to Directive (EU) 2015/2366, electronic money institutions exempted pursuant to Directive 2009/110/EC and account information service providers as referred to in Article 33(1) of Directive (EU) 2015/2366, should be the competent authority designated in accordance with Article 22 of Directive (EU) 2015/2366.
As larger financial entities might enjoy wider resources and can swiftly deploy funds to develop governance structures and set up various corporate strategies, only financial entities that are not microenterprises in the sense of this Regulation should be required to establish more complex governance arrangements. Such entities are better equipped in particular to set up dedicated management functions for supervising arrangements with ICT third-party service providers or for dealing with crisis management, to organise their ICT risk management according to the three lines of defence model, or to set up an internal risk management and control model, and to submit their ICT risk management framework to internal audits.
Some financial entities benefit from exemptions or are subject to a very light regulatory framework under the relevant sector-specific Union law. Such financial entities include managers of alternative investment funds referred to in Article 3(2) of Directive 2011/61/EU of the European Parliament and of the Council (16), insurance and reinsurance undertakings referred to in Article 4 of Directive 2009/138/EC of the European Parliament and of the Council (17), and institutions for occupational retirement provision which operate pension schemes which together do not have more than 15 members in total. In light of those exemptions it would not be proportionate to include such financial entities in the scope of this Regulation. In addition, this Regulation acknowledges the specificities of the insurance intermediation market structure, with the result that insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries qualifying as microenterprises or as small or medium-sized enterprises should not be subject to this Regulation.
Since the entities referred to in Article 2(5), points (4) to (23), of Directive 2013/36/EU are excluded from the scope of that Directive, Member States should consequently be able to choose to exempt from the application of this Regulation such entities located within their respective territories.
Similarly, in order to align this Regulation to the scope of Directive 2014/65/EU of the European Parliament and of the Council (18), it is also appropriate to exclude from the scope of this Regulation natural and legal persons referred in Articles 2 and 3 of that Directive which are allowed to provide investment services without having to obtain an authorisation under Directive 2014/65/EU. However, Article 2 of Directive 2014/65/EU also excludes from the scope of that Directive entities which qualify as financial entities for the purposes of this Regulation such as, central securities depositories, collective investment undertakings or insurance and reinsurance undertakings. The exclusion from the scope of this Regulation of the persons and entities referred to in Articles 2 and 3 of that Directive should not encompass those central securities depositories, collective investment undertakings or insurance and reinsurance undertakings.
Under sector-specific Union law, some financial entities are subject to lighter requirements or exemptions for reasons associated with their size or the services they provide. That category of financial entities includes small and non-interconnected investment firms, small institutions for occupational retirement provision which may be excluded from the scope of Directive (EU) 2016/2341 under the conditions laid down in Article 5 of that Directive by the Member State concerned and operate pension schemes which together do not have more than 100 members in total, as well as institutions exempted pursuant to Directive 2013/36/EU. Therefore, in accordance with the principle of proportionality and to preserve the spirit of sector-specific Union law, it is also appropriate to subject those financial entities to a simplified ICT risk management framework under this Regulation. The proportionate character of the ICT risk management framework covering those financial entities should not be altered by the regulatory technical standards that are to be developed by the ESAs. Moreover, in accordance with the principle of proportionality, it is appropriate to also subject payment institutions referred to in Article 32(1) of Directive (EU) 2015/2366 and electronic money institutions referred to in Article 9 of Directive 2009/110/EC exempted in accordance with national law transposing those Union legal acts to a simplified ICT risk management framework under this Regulation, while payment institutions and electronic money institutions which have not been exempted in accordance with their respective national law transposing sectoral Union law should comply with the general framework laid down by this Regulation.
Similarly, financial entities which qualify as microenterprises or are subject to the simplified ICT risk management framework under this Regulation should not be required to establish a role to monitor their arrangements concluded with ICT third-party service providers on the use of ICT services; or to designate a member of senior management to be responsible for overseeing the related risk exposure and relevant documentation; to assign the responsibility for managing and overseeing ICT risk to a control function and ensure an appropriate level of independence of such control function in order to avoid conflicts of interest; to document and review at least once a year the ICT risk management framework; to subject to internal audit on a regular basis the ICT risk management framework; to perform in-depth assessments after major changes in their network and information system infrastructures and processes; to regularly conduct risk analyses on legacy ICT systems; to subject the implementation of the ICT Response and Recovery plans to independent internal audit reviews; to have a crisis management function, to expand the testing of business continuity and response and recovery plans to capture switchover scenarios between primary ICT infrastructure and redundant facilities; to report to competent authorities, upon their request, an estimation of aggregated annual costs and losses caused by major ICT-related incidents, to maintain redundant ICT capacities; to communicate to national competent authorities implemented changes following post ICT-related incident reviews; to monitor on a continuous basis relevant technological developments, to establish a comprehensive digital operational resilience testing programme as an integral part of the ICT risk management framework provided for in this Regulation, or to adopt and regularly review a strategy on ICT third-party risk. In addition, microenterprises should only be required to assess the need to maintain such redundant ICT capacities based on their risk profile. Microenterprises should benefit from a more flexible regime as regards digital operational resilience testing programmes. When considering the type and frequency of testing to be performed, they should properly balance the objective of maintaining a high digital operational resilience, the available resources and their overall risk profile. Microenterprises and financial entities subject to the simplified ICT risk management framework under this Regulation should be exempted from the requirement to perform advanced testing of ICT tools, systems and processes based on threat-led penetration testing (TLPT), as only financial entities meeting the criteria set out in this Regulation should be required to carry out such testing. In light of their limited capabilities, microenterprises should be able to agree with the ICT third-party service provider to delegate the financial entity’s rights of access, inspection and audit to an independent third-party, to be appointed by the ICT third-party service provider, provided that the financial entity is able to request, at any time, all relevant information and assurance on the ICT third-party service provider’s performance from the respective independent third-party.
As only those financial entities identified for the purposes of the advanced digital resilience testing should be required to conduct threat-led penetration tests, the administrative processes and financial costs entailed in the performance of such tests should be borne by a small percentage of financial entities.
To ensure full alignment and overall consistency between financial entities’ business strategies, on the one hand, and the conduct of ICT risk management, on the other hand, the financial entities’ management bodies should be required to maintain a pivotal and active role in steering and adapting the ICT risk management framework and the overall digital operational resilience strategy. The approach to be taken by management bodies should not only focus on the means of ensuring the resilience of the ICT systems, but should also cover people and processes through a set of policies which cultivate, at each corporate layer, and for all staff, a strong sense of awareness about cyber risks and a commitment to observe a strict cyber hygiene at all levels. The ultimate responsibility of the management body in managing a financial entity’s ICT risk should be an overarching principle of that comprehensive approach, further translated into the continuous engagement of the management body in the control of the monitoring of the ICT risk management.
Moreover, the principle of the management body’s full and ultimate responsibility for the management of the ICT risk of the financial entity goes hand in hand with the need to secure a level of ICT-related investments and an overall budget for the financial entity that would enable the financial entity to achieve a high level of digital operational resilience.
Inspired by relevant international, national and industry best practices, guidelines, recommendations and approaches to the management of cyber risk, this Regulation promotes a set of principles that facilitate the overall structure of ICT risk management. Consequently, as long as the main capabilities which financial entities put in place address the various functions in the ICT risk management (identification, protection and prevention, detection, response and recovery, learning and evolving and communication) set out in this Regulation, financial entities should remain free to use ICT risk management models that are differently framed or categorised.
To keep pace with an evolving cyber threat landscape, financial entities should maintain updated ICT systems that are reliable and capable, not only for guaranteeing the processing of data required for their services, but also for ensuring sufficient technological resilience to allow them to deal adequately with additional processing needs due to stressed market conditions or other adverse situations.
Efficient business continuity and recovery plans are necessary to allow financial entities to promptly and quickly resolve ICT-related incidents, in particular cyber-attacks, by limiting damage and giving priority to the resumption of activities and recovery actions in accordance with their back-up policies. However, such resumption should in no way jeopardise the integrity and security of the network and information systems or the availability, authenticity, integrity or confidentiality of data.
While this Regulation allows financial entities to determine their recovery time and recovery point objectives in a flexible manner and hence to set such objectives by fully taking into account the nature and the criticality of the relevant functions and any specific business needs, it should nevertheless require them to carry out an assessment of the potential overall impact on market efficiency when determining such objectives.
The propagators of cyber-attacks tend to pursue financial gains directly at the source, thus exposing financial entities to significant consequences. To prevent ICT systems from losing integrity or becoming unavailable, and hence to avoid data breaches and damage to physical ICT infrastructure, the reporting of major ICT-related incidents by financial entities should be significantly improved and streamlined. ICT-related incident reporting should be harmonised through the introduction of a requirement for all financial entities to report directly to their relevant competent authorities. Where a financial entity is subject to supervision by more than one national competent authority, Member States should designate a single competent authority as the addressee of such reporting. Credit institutions classified as significant in accordance with Article 6(4) of Council Regulation (EU) No 1024/2013 (19) should submit such reporting to the national competent authorities, which should subsequently transmit the report to the European Central Bank (ECB).
The direct reporting should enable financial supervisors to have immediate access to information about major ICT-related incidents. Financial supervisors should in turn pass on details of major ICT-related incidents to public non-financial authorities (such as competent authorities and single points of contact under Directive (EU) 2022/2555, national data protection authorities, and to law enforcement authorities for major ICT-related incidents of a criminal nature) in order to enhance such authorities awareness of such incidents and, in the case of CSIRTs, to facilitate prompt assistance that may be given to financial entities, as appropriate. Member States should, in addition, be able to determine that financial entities themselves should provide such information to public authorities outside the financial services area. Those information flows should allow financial entities to swiftly benefit from any relevant technical input, advice about remedies, and subsequent follow-up from such authorities. The information on major ICT-related incidents should be mutually channelled: financial supervisors should provide all necessary feedback or guidance to the financial entity, while the ESAs should share anonymised data on cyber threats and vulnerabilities relating to an incident, to aid wider collective defence.
While all financial entities should be required to carry out incident reporting, that requirement is not expected to affect all of them in the same manner. Indeed, relevant materiality thresholds, as well as reporting timelines, should be duly adjusted, in the context of delegated acts based on the regulatory technical standards to be developed by the ESAs, with a view to covering only major ICT-related incidents. In addition, the specificities of financial entities should be taken into account when setting timelines for reporting obligations.
This Regulation should require credit institutions, payment institutions, account information service providers and electronic money institutions to report all operational or security payment-related incidents — previously reported under Directive (EU) 2015/2366 — irrespective of the ICT nature of the incident.
The ESAs should be tasked with assessing the feasibility and conditions for a possible centralisation of ICT-related incident reports at Union level. Such centralisation could consist of a single EU Hub for major ICT-related incident reporting either directly receiving relevant reports and automatically notifying national competent authorities, or merely centralising relevant reports forwarded by the national competent authorities and thus fulfilling a coordination role. The ESAs should be tasked with preparing, in consultation with the ECB and ENISA, a joint report exploring the feasibility of setting up a single EU Hub.
In order to achieve a high level of digital operational resilience, and in line with both the relevant international standards (e.g. the G7 Fundamental Elements for Threat-Led Penetration Testing) and with the frameworks applied in the Union, such as the TIBER-EU, financial entities should regularly test their ICT systems and staff having ICT-related responsibilities with regard to the effectiveness of their preventive, detection, response and recovery capabilities, to uncover and address potential ICT vulnerabilities. To reflect differences that exist across, and within, the various financial subsectors as regards financial entities’ level of cybersecurity preparedness, testing should include a wide variety of tools and actions, ranging from the assessment of basic requirements (e.g. vulnerability assessments and scans, open source analyses, network security assessments, gap analyses, physical security reviews, questionnaires and scanning software solutions, source code reviews where feasible, scenario-based tests, compatibility testing, performance testing or end-to-end testing) to more advanced testing by means of TLPT. Such advanced testing should be required only of financial entities that are mature enough from an ICT perspective to reasonably carry it out. The digital operational resilience testing required by this Regulation should thus be more demanding for those financial entities meeting the criteria set out in this Regulation (for example, large, systemic and ICT-mature credit institutions, stock exchanges, central securities depositories and central counterparties) than for other financial entities. At the same time, the digital operational resilience testing by means of TLPT should be more relevant for financial entities operating in core financial services subsectors and playing a systemic role (for example, payments, banking, and clearing and settlement), and less relevant for other subsectors (for example, asset managers and credit rating agencies).
Financial entities involved in cross-border activities and exercising the freedoms of establishment, or of provision of services within the Union, should comply with a single set of advanced testing requirements (i.e. TLPT) in their home Member State, which should include the ICT infrastructures in all jurisdictions where the cross-border financial group operates within the Union, thus allowing such cross-border financial groups to incur related ICT testing costs in one jurisdiction only.
To draw on the expertise already acquired by certain competent authorities, in particular with regard to implementing the TIBER-EU framework, this Regulation should allow Member States to designate a single public authority as responsible in the financial sector, at national level, for all TLPT matters, or competent authorities, to delegate, in the absence of such designation, the exercise of TLPT related tasks to another national financial competent authority.
Since this Regulation does not require financial entities to cover all critical or important functions in one single threat-led penetration test, financial entities should be free to determine which and how many critical or important functions should be included in the scope of such a test.
Pooled testing within the meaning of this Regulation — involving the participation of several financial entities in a TLPT and for which an ICT third-party service provider can directly enter into contractual arrangements with an external tester — should be allowed only where the quality or security of services delivered by the ICT third-party service provider to customers that are entities falling outside the scope of this Regulation, or the confidentiality of the data related to such services, are reasonably expected to be adversely impacted. Pooled testing should also be subject to safeguards (direction by one designated financial entity, calibration of the number of participating financial entities) to ensure a rigorous testing exercise for the financial entities involved which meet the objectives of the TLPT pursuant to this Regulation.
In order to take advantage of internal resources available at corporate level, this Regulation should allow the use of internal testers for the purposes of carrying out TLPT, provided there is supervisory approval, no conflicts of interest, and periodical alternation of the use of internal and external testers (every three tests), while also requiring the provider of the threat intelligence in the TLPT to always be external to the financial entity. The responsibility for conducting TLPT should remain fully with the financial entity. Attestations provided by authorities should be solely for the purpose of mutual recognition and should not preclude any follow-up action needed to address the ICT risk to which the financial entity is exposed, nor should they be seen as a supervisory endorsement of a financial entity’s ICT risk management and mitigation capabilities.
To ensure a sound monitoring of ICT third-party risk in the financial sector, it is necessary to lay down a set of principle-based rules to guide financial entities’ when monitoring risk arising in the context of functions outsourced to ICT third-party service providers, particularly for ICT services supporting critical or important functions, as well as more generally in the context of all ICT third-party dependencies.
To address the complexity of the various sources of ICT risk, while taking into account the multitude and diversity of providers of technological solutions which enable a smooth provision of financial services, this Regulation should cover a wide range of ICT third-party service providers, including providers of cloud computing services, software, data analytics services and providers of data centre services. Similarly, since financial entities should effectively and coherently identify and manage all types of risk, including in the context of ICT services procured within a financial group, it should be clarified that undertakings which are part of a financial group and provide ICT services predominantly to their parent undertaking, or to subsidiaries or branches of their parent undertaking, as well as financial entities providing ICT services to other financial entities, should also be considered as ICT third-party service providers under this Regulation. Lastly, in light of the evolving payment services market becoming increasingly dependent on complex technical solutions, and in view of emerging types of payment services and payment-related solutions, participants in the payment services ecosystem, providing payment-processing activities, or operating payment infrastructures, should also be considered to be ICT third-party service providers under this Regulation, with the exception of central banks when operating payment or securities settlement systems, and public authorities when providing ICT related services in the context of fulfilling State functions.
A financial entity should at all times remain fully responsible for complying with its obligations set out in this Regulation. Financial entities should apply a proportionate approach to the monitoring of risks emerging at the level of the ICT third-party service providers, by duly considering the nature, scale, complexity and importance of their ICT-related dependencies, the criticality or importance of the services, processes or functions subject to the contractual arrangements and, ultimately, on the basis of a careful assessment of any potential impact on the continuity and quality of financial services at individual and at group level, as appropriate.
The conduct of such monitoring should follow a strategic approach to ICT third-party risk formalised through the adoption by the financial entity’s management body of a dedicated ICT third-party risk strategy, rooted in a continuous screening of all ICT third-party dependencies. To enhance supervisory awareness of ICT third-party dependencies, and with a view to further supporting the work in the context of the Oversight Framework established by this Regulation, all financial entities should be required to maintain a register of information with all contractual arrangements about the use of ICT services provided by ICT third-party service providers. Financial supervisors should be able to request the full register, or to ask for specific sections thereof, and thus to obtain essential information for acquiring a broader understanding of the ICT dependencies of financial entities.
A thorough pre-contracting analysis should underpin and precede the formal conclusion of contractual arrangements, in particular by focusing on elements such as the criticality or importance of the services supported by the envisaged ICT contract, the necessary supervisory approvals or other conditions, the possible concentration risk entailed, as well as applying due diligence in the process of selection and assessment of ICT third-party service providers and assessing potential conflicts of interest. For contractual arrangements concerning critical or important functions, financial entities should take into consideration the use by ICT third-party service providers of the most up-to-date and highest information security standards. Termination of contractual arrangements could be prompted at least by a series of circumstances showing shortfalls at the ICT third-party service provider level, in particular significant breaches of laws or contractual terms, circumstances revealing a potential alteration of the performance of the functions provided for in the contractual arrangements, evidence of weaknesses of the ICT third-party service provider in its overall ICT risk management, or circumstances indicating the inability of the relevant competent authority to effectively supervise the financial entity.
To address the systemic impact of ICT third-party concentration risk, this Regulation promotes a balanced solution by means of taking a flexible and gradual approach to such concentration risk since the imposition of any rigid caps or strict limitations might hinder the conduct of business and restrain the contractual freedom. Financial entities should thoroughly assess their envisaged contractual arrangements to identify the likelihood of such risk emerging, including by means of in-depth analyses of subcontracting arrangements, in particular when concluded with ICT third-party service providers established in a third country. At this stage, and with a view to striking a fair balance between the imperative of preserving contractual freedom and that of guaranteeing financial stability, it is not considered appropriate to set out rules on strict caps and limits to ICT third-party exposures. In the context of the Oversight Framework, a Lead Overseer, appointed pursuant to this Regulation, should, in respect to critical ICT third-party service providers, pay particular attention to fully grasp the magnitude of interdependences, discover specific instances where a high degree of concentration of critical ICT third-party service providers in the Union is likely to put a strain on the Union financial system’s stability and integrity and maintain a dialogue with critical ICT third-party service providers where that specific risk is identified.
To evaluate and monitor on a regular basis the ability of an ICT third party service provider to securely provide services to a financial entity without adverse effects on a financial entity’s digital operational resilience, several key contractual elements with ICT third-party service providers should be harmonised. Such harmonisation should cover minimum areas which are crucial for enabling a full monitoring by the financial entity of the risks that could emerge from the ICT third-party service provider, from the perspective of a financial entity’s need to secure its digital resilience because it is deeply dependent on the stability, functionality, availability and security of the ICT services received.
When renegotiating contractual arrangements to seek alignment with the requirements of this Regulation, financial entities and ICT third-party service providers should ensure the coverage of the key contractual provisions as provided for in this Regulation.
The definition of ‘critical or important function’ provided for in this Regulation encompasses the ‘critical functions’ as defined in Article 2(1), point (35), of Directive 2014/59/EU of the European Parliament and of the Council (20). Accordingly, functions deemed to be critical pursuant to Directive 2014/59/EU are included in the definition of critical functions within the meaning of this Regulation.
Irrespective of the criticality or importance of the function supported by the ICT services, contractual arrangements should, in particular, provide for a specification of the complete descriptions of functions and services, of the locations where such functions are provided and where data is to be processed, as well as an indication of service level descriptions. Other essential elements to enable a financial entity’s monitoring of ICT third party risk are: contractual provisions specifying how the accessibility, availability, integrity, security and protection of personal data are ensured by the ICT third-party service provider, provisions laying down the relevant guarantees for enabling the access, recovery and return of data in the case of insolvency, resolution or discontinuation of the business operations of the ICT third-party service provider, as well as provisions requiring the ICT third-party service provider to provide assistance in case of ICT incidents in connection with the services provided, at no additional cost or at a cost determined ex-ante; provisions on the obligation of the ICT third-party service provider to fully cooperate with the competent authorities and resolution authorities of the financial entity; and provisions on termination rights and related minimum notice periods for the termination of the contractual arrangements, in accordance with the expectations of competent authorities and resolution authorities.
In addition to such contractual provisions, and with a view to ensuring that financial entities remain in full control of all developments occurring at third-party level which may impair their ICT security, the contracts for the provision of ICT services supporting critical or important functions should also provide for the following: the specification of the full service level descriptions, with precise quantitative and qualitative performance targets, to enable without undue delay appropriate corrective actions when the agreed service levels are not met; the relevant notice periods and reporting obligations of the ICT third-party service provider in the event of developments with a potential material impact on the ICT third-party service provider’s ability to effectively provide their respective ICT services; a requirement upon the ICT third-party service provider to implement and test business contingency plans and have ICT security measures, tools and policies allowing for the secure provision of services, and to participate and fully cooperate in the TLPT carried out by the financial entity.
Contracts for the provision of ICT services supporting critical or important functions should also contain provisions enabling the rights of access, inspection and audit by the financial entity, or an appointed third party, and the right to take copies as crucial instruments in the financial entities’ ongoing monitoring of the ICT third-party service provider’s performance, coupled with the service provider’s full cooperation during inspections. Similarly, the competent authority of the financial entity should have the right, based on notices, to inspect and audit the ICT third-party service provider, subject to the protection of confidential information.
Such contractual arrangements should also provide for dedicated exit strategies to enable, in particular, mandatory transition periods during which ICT third-party service providers should continue providing the relevant services with a view to reducing the risk of disruptions at the level of the financial entity, or to allow the latter effectively to switch to the use of other ICT third-party service providers or, alternatively, to change to in-house solutions, consistent with the complexity of the provided ICT service. Moreover, financial entities within the scope of Directive 2014/59/EU should ensure that the relevant contracts for ICT services are robust and fully enforceable in the event of resolution of those financial entities. Therefore, in line with the expectations of the resolution authorities, those financial entities should ensure that the relevant contracts for ICT services are resolution resilient. As long as they continue meeting their payment obligations, those financial entities should ensure, among other requirements, that the relevant contracts for ICT services contain clauses for non-termination, non-suspension and non-modification on grounds of restructuring or resolution.
Moreover, the voluntary use of standard contractual clauses developed by public authorities or Union institutions, in particular the use of contractual clauses developed by the Commission for cloud computing services could provide further comfort to the financial entities and ICT third-party service providers, by enhancing their level of legal certainty regarding the use of cloud computing services in the financial sector, in full alignment with the requirements and expectations set out by the Union financial services law. The development of standard contractual clauses builds on measures already envisaged in the 2018 Fintech Action Plan that announced the Commission’s intention to encourage and facilitate the development of standard contractual clauses for the use of cloud computing services outsourcing by financial entities, drawing on cross-sectorial cloud computing services stakeholders’ efforts, which the Commission has facilitated with the help of the financial sector’s involvement.
With a view to promoting convergence and efficiency in relation to supervisory approaches when addressing ICT third-party risk in the financial sector, as well as to strengthening the digital operational resilience of financial entities which rely on critical ICT third-party service providers for the provision of ICT services that support the supply of financial services, and thereby to contributing to the preservation of the Union’s financial system stability and the integrity of the internal market for financial services, critical ICT third-party service providers should be subject to a Union Oversight Framework. While the set-up of the Oversight Framework is justified by the added value of taking action at Union level and by virtue of the inherent role and specificities of the use of ICT services in the provision of financial services, it should be recalled, at the same time, that this solution appears suitable only in the context of this Regulation specifically dealing with digital operational resilience in the financial sector. However, such Oversight Framework should not be regarded as a new model for Union supervision in other areas of financial services and activities.
The Oversight Framework should apply only to critical ICT third-party service providers. There should therefore be a designation mechanism to take into account the dimension and nature of the financial sector’s reliance on such ICT third-party service providers. That mechanism should involve a set of quantitative and qualitative criteria to set the criticality parameters as a basis for inclusion in the Oversight Framework. In order to ensure the accuracy of that assessment, and regardless of the corporate structure of the ICT third-party service provider, such criteria should, in the case of a ICT third-party service provider that is part of a wider group, take into consideration the entire ICT third-party service provider’s group structure. On the one hand, critical ICT third-party service providers, which are not automatically designated by virtue of the application of those criteria, should have the possibility to opt in to the Oversight Framework on a voluntary basis, on the other hand, ICT third-party service providers, that are already subject to oversight mechanism frameworks supporting the fulfilment of the tasks of the European System of Central Banks as referred to in Article 127(2) TFEU, should be exempted.
Similarly, financial entities providing ICT services to other financial entities, while belonging to the category of ICT third-party service providers under this Regulation, should also be exempted from the Oversight Framework since they are already subject to supervisory mechanisms established by the relevant Union financial services law. Where applicable, competent authorities should take into account, in the context of their supervisory activities, the ICT risk posed to financial entities by financial entities providing ICT services. Likewise, due to the existing risk monitoring mechanisms at group level, the same exemption should be introduced for ICT third-party service providers delivering services predominantly to the entities of their own group. ICT third-party service providers providing ICT services solely in one Member State to financial entities that are active only in that Member State should also be exempted from the designation mechanism because of their limited activities and lack of cross-border impact.
The digital transformation experienced in financial services has brought about an unprecedented level of use of, and reliance upon, ICT services. Since it has become inconceivable to provide financial services without the use of cloud computing services, software solutions and data-related services, the Union financial ecosystem has become intrinsically co-dependent on certain ICT services provided by ICT service suppliers. Some of those suppliers, innovators in developing and applying ICT-based technologies, play a significant role in the delivery of financial services, or have become integrated into the financial services value chain. They have thus become critical to the stability and integrity of the Union financial system. This widespread reliance on services supplied by critical ICT third-party service providers, combined with the interdependence of the information systems of various market operators, create a direct, and potentially severe, risk to the Union financial services system and to the continuity of delivery of financial services if critical ICT third-party service providers were to be affected by operational disruptions or major cyber incidents. Cyber incidents have a distinctive ability to multiply and propagate throughout the financial system at a considerably faster pace than other types of risk monitored in the financial sector and can extend across sectors and beyond geographical borders. They have the potential to evolve into a systemic crisis, where trust in the financial system has been eroded due to the disruption of functions supporting the real economy, or to substantial financial losses, reaching a level which the financial system is unable to withstand, or which requires the deployment of heavy shock absorption measures. To prevent these scenarios from taking place and thereby endangering the financial stability and integrity of the Union, it is essential to provide the convergence of supervisory practices relating to ICT third-party risk in finance, in particular through new rules enabling the Union oversight of critical ICT third-party service providers.
The Oversight Framework largely depends on the degree of collaboration between the Lead Overseer and the critical ICT third-party service provider delivering to financial entities services affecting the supply of financial services. Successful oversight is predicated, inter alia, upon the ability of the Lead Overseer to effectively conduct monitoring missions and inspections to assess the rules, controls and processes used by the critical ICT third-party service providers, as well as to assess the potential cumulative impact of their activities on financial stability and the integrity of the financial system. At the same time, it is crucial that critical ICT third-party service providers follow the Lead Overseer’s recommendations and address its concerns. Since a lack of cooperation by a critical ICT third-party service provider providing services that affect the supply of financial services, such as the refusal to grant access to its premises or to submit information, would ultimately deprive the Lead Overseer of its essential tools in appraising ICT third-party risk, and could adversely impact the financial stability and the integrity of the financial system, it is necessary to also provide for a commensurate sanctioning regime.
Against this background, the need of the Lead Overseer to impose penalty payments to compel critical ICT third-party service providers to comply with the transparency and access-related obligations set out in this Regulation should not be jeopardised by difficulties raised by the enforcement of those penalty payments in relation to critical ICT third-party service providers established in third countries. In order to ensure the enforceability of such penalties, and to allow a swift roll out of procedures upholding the critical ICT third-party service providers’ rights of defence in the context of the designation mechanism and the issuance of recommendations, those critical ICT third-party service providers, providing services to financial entities that affect the supply of financial services, should be required to maintain an adequate business presence in the Union. Due to the nature of the oversight, and the absence of comparable arrangements in other jurisdictions, there are no suitable alternative mechanisms ensuring this objective by way of effective cooperation with financial supervisors in third countries in relation to the monitoring of the impact of digital operational risks posed by systemic ICT third-party service providers, qualifying as critical ICT third-party service providers established in third countries. Therefore, in order to continue its provision of ICT services to financial entities in the Union, an ICT third-party service provider established in a third country which has been designated as critical in accordance with this Regulation should undertake, within 12 months of such designation, all necessary arrangements to ensure its incorporation within the Union, by means of establishing a subsidiary, as defined throughout the Union acquis, namely in Directive 2013/34/EU of the European Parliament and of the Council (21).
The requirement to set up a subsidiary in the Union should not prevent the critical ICT third-party service provider from supplying ICT services and related technical support from facilities and infrastructure located outside the Union. This Regulation does not impose a data localisation obligation as it does not require data storage or processing to be undertaken in the Union.
Critical ICT third-party service providers should be able to provide ICT services from anywhere in the world, not necessarily or not only from premises located in the Union. Oversight activities should be first conducted on premises located in the Union and by interacting with entities located in the Union, including the subsidiaries established by critical ICT third-party service providers pursuant to this Regulation. However, such actions within the Union might be insufficient to allow the Lead Overseer to fully and effectively perform its duties under this Regulation. The Lead Overseer should therefore also be able to exercise its relevant oversight powers in third countries. Exercising those powers in third countries should allow the Lead Overseer to examine the facilities from which the ICT services or the technical support services are actually provided or managed by the critical ICT third-party service provider, and should give the Lead Overseer a comprehensive and operational understanding of the ICT risk management of the critical ICT third-party service provider. The possibility for the Lead Overseer, as a Union agency, to exercise powers outside the territory of the Union should be duly framed by relevant conditions, in particular the consent of the critical ICT third-party service provider concerned. Similarly, the relevant authorities of the third country should be informed of, and not have objected to, the exercise on their own territory of the activities of the Lead Overseer. However, in order to ensure efficient implementation, and without prejudice to the respective competences of the Union institutions and the Member States, such powers also need to be fully anchored in the conclusion of administrative cooperation arrangements with the relevant authorities of the third country concerned. This Regulation should therefore enable the ESAs to conclude administrative cooperation arrangements with the relevant authorities of third countries, which should not otherwise create legal obligations in respect of the Union and its Member States.
To facilitate communication with the Lead Overseer and to ensure adequate representation, critical ICT third-party service providers which are part of a group should designate one legal person as their coordination point.
The Oversight Framework should be without prejudice to Member States’ competence to conduct their own oversight or monitoring missions in respect to ICT third-party service providers which are not designated as critical under this Regulation, but which are regarded as important at national level.
To leverage the multi-layered institutional architecture in the financial services area, the Joint Committee of the ESAs should continue to ensure overall cross-sectoral coordination in relation to all matters pertaining to ICT risk, in accordance with its tasks on cybersecurity. It should be supported by a new Subcommittee (the ‘Oversight Forum’) carrying out preparatory work both for the individual decisions addressed to critical ICT third-party service providers, and for the issuing of collective recommendations, in particular in relation to benchmarking the oversight programmes for critical ICT third-party service providers, and identifying best practices for addressing ICT concentration risk issues.
To ensure that critical ICT third-party service providers are appropriately and effectively overseen on a Union level, this Regulation provides that any of the three ESAs could be designated as a Lead Overseer. The individual assignment of a critical ICT third-party service provider to one of the three ESAs should result from an assessment of the preponderance of financial entities operating in the financial sectors for which that ESA has responsibilities. This approach should lead to a balanced allocation of tasks and responsibilities between the three ESAs, in the context of exercising the oversight functions, and should make the best use of the human resources and technical expertise available in each of the three ESAs.
Lead Overseers should be granted the necessary powers to conduct investigations, to carry out onsite and offsite inspections at the premises and locations of critical ICT third-party service providers and to obtain complete and updated information. Those powers should enable the Lead Overseer to acquire real insight into the type, dimension and impact of the ICT third-party risk posed to financial entities and ultimately to the Union’s financial system. Entrusting the ESAs with the lead oversight role is a prerequisite for understanding and addressing the systemic dimension of ICT risk in finance. The impact of critical ICT third-party service providers on the Union financial sector and the potential issues caused by the ICT concentration risk entailed call for taking a collective approach at Union level. The simultaneous carrying out of multiple audits and access rights, performed separately by numerous competent authorities, with little or no coordination among them, would prevent financial supervisors from obtaining a complete and comprehensive overview of ICT third-party risk in the Union, while also creating redundancy, burden and complexity for critical ICT third-party service providers if they were subject to numerous monitoring and inspection requests.
Due to the significant impact of being designated as critical, this Regulation should ensure that the rights of critical ICT third-party service providers are observed throughout the implementation of the Oversight Framework. Prior to being designated as critical, such providers should, for example, have the right to submit to the Lead Overseer a reasoned statement containing any relevant information for the purposes of the assessment related to their designation. Since the Lead Overseer should be empowered to submit recommendations on ICT risk matters and suitable remedies thereto, which include the power to oppose certain contractual arrangements ultimately affecting the stability of the financial entity or the financial system, critical ICT third-party service providers should also be given the opportunity to provide, prior to the finalisation of those recommendations, explanations regarding the expected impact of the solutions, envisaged in the recommendations, on customers that are entities falling outside the scope of this Regulation and to formulate solutions to mitigate risks. Critical ICT third-party service providers disagreeing with the recommendations should submit a reasoned explanation of their intention not to endorse the recommendation. Where such reasoned explanation is not submitted or where it is considered to be insufficient, the Lead Overseer should issue a public notice summarily describing the matter of non-compliance.
Competent authorities should duly include the task of verifying substantive compliance with recommendations issued by the Lead Overseer in their functions with regard to prudential supervision of financial entities. Competent authorities should be able to require financial entities to take additional measures to address the risks identified in the Lead Overseer’s recommendations, and should, in due course, issue notifications to that effect. Where the Lead Overseer addresses recommendations to critical ICT third-party service providers that are supervised under Directive (EU) 2022/2555, the competent authorities should be able, on a voluntary basis and before adopting additional measures, to consult the competent authorities under that Directive in order to foster a coordinated approach to dealing with the critical ICT third-party service providers in question.
The exercise of the oversight should be guided by three operational principles seeking to ensure: (a) close coordination among the ESAs in their Lead Overseer roles, through a joint oversight network (JON), (b) consistency with the framework established by Directive (EU) 2022/2555 (through a voluntary consultation of bodies under that Directive to avoid duplication of measures directed at critical ICT third-party service providers), and (c) applying diligence to minimise the potential risk of disruption to services provided by the critical ICT third-party service providers to customers that are entities falling outside the scope of this Regulation.
The Oversight Framework should not replace, or in any way or for any part substitute for, the requirement for financial entities to manage themselves the risks entailed by the use of ICT third-party service providers, including their obligation to maintain an ongoing monitoring of contractual arrangements concluded with critical ICT third-party service providers. Similarly, the Oversight Framework should not affect the full responsibility of financial entities for complying with, and discharging, all the legal obligations laid down in this Regulation and in the relevant financial services law.
To avoid duplications and overlaps, competent authorities should refrain from taking individually any measures aiming to monitor the critical ICT third-party service provider’s risks and should, in that respect, rely on the relevant Lead Overseer’s assessment. Any measures should in any case be coordinated and agreed in advance with the Lead Overseer in the context of the exercise of tasks in the Oversight Framework.
To promote convergence at international level as regards the use of best practices in the review and monitoring of ICT third-party service providers’ digital risk-management, the ESAs should be encouraged to conclude cooperation arrangements with relevant supervisory and regulatory third-country authorities.
To leverage the specific competences, technical skills and expertise of staff specialising in operational and ICT risk within the competent authorities, the three ESAs and, on a voluntary basis, the competent authorities under Directive (EU) 2022/2555, the Lead Overseer should draw on national supervisory capabilities and knowledge and set up dedicated examination teams for each critical ICT third-party service provider, pooling multidisciplinary teams in support of the preparation and execution of oversight activities, including general investigations and inspections of critical ICT third-party service providers, as well as for any necessary follow-up thereto.
Whereas costs resulting from oversight tasks would be fully funded from fees levied on critical ICT third-party service providers, the ESAs are. however, likely to incur, before the start of the Oversight Framework, costs for the implementation of dedicated ICT systems supporting the upcoming oversight, since dedicated ICT systems would need to be developed and deployed beforehand. This Regulation therefore provides for a hybrid funding model, whereby the Oversight Framework would, as such, be fully fee-funded, while the development of the ESAs’ ICT systems would be funded from Union and national competent authorities’ contributions.
Competent authorities should have all required supervisory, investigative and sanctioning powers to ensure the proper exercise of their duties under this Regulation. They should, in principle, publish notices of the administrative penalties they impose. Since financial entities and ICT third-party service providers can be established in different Member States and supervised by different competent authorities, the application of this Regulation should be facilitated by, on the one hand, close cooperation among relevant competent authorities, including the ECB with regard to specific tasks conferred on it by Council Regulation (EU) No 1024/2013, and, on the other hand, by consultation with the ESAs through the mutual exchange of information and the provision of assistance in the context of relevant supervisory activities.
In order to further quantify and qualify the criteria for the designation of ICT third-party service providers as critical and to harmonise oversight fees, the power to adopt acts in accordance with Article 290 TFEU should be delegated to the Commission to supplement this Regulation by further specifying the systemic impact that a failure or operational outage of an ICT third-party service provider could have on the financial entities it provides ICT services to, the number of global systemically important institutions (G-SIIs), or other systemically important institutions (O-SIIs), that rely on the ICT third-party service provider in question, the number of ICT third-party service providers active on a given market, the costs of migrating data and ICT workloads to other ICT third-party service providers, as well as the amount of the oversight fees and the way in which they are to be paid. It is of particular importance that the Commission carry out appropriate consultations during its preparatory work, including at expert level, and that those consultations be conducted in accordance with the principles laid down in the Interinstitutional Agreement of 13 April 2016 on Better Law-Making (22). In particular, to ensure equal participation in the preparation of delegated acts, the European Parliament and the Council should receive all documents at the same time as Member States’ experts, and their experts should systematically have access to meetings of Commission expert groups dealing with the preparation of delegated acts.
Regulatory technical standards should ensure the consistent harmonisation of the requirements laid down in this Regulation. In their roles as bodies endowed with highly specialised expertise, the ESAs should develop draft regulatory technical standards which do not involve policy choices, for submission to the Commission. Regulatory technical standards should be developed in the areas of ICT risk management, major ICT-related incident reporting, testing, as well as in relation to key requirements for a sound monitoring of ICT third-party risk. The Commission and the ESAs should ensure that those standards and requirements can be applied by all financial entities in a manner that is proportionate to their size and overall risk profile, and the nature, scale and complexity of their services, activities and operations. The Commission should be empowered to adopt those regulatory technical standards by means of delegated acts pursuant to Article 290 TFEU and in accordance with Articles 10 to 14 of Regulations (EU) No 1093/2010, (EU) No 1094/2010 and (EU) No 1095/2010.
To facilitate the comparability of reports on major ICT-related incidents and major operational or security payment-related incidents, as well as to ensure transparency regarding contractual arrangements for the use of ICT services provided by ICT third-party service providers, the ESAs should develop draft implementing technical standards establishing standardised templates, forms and procedures for financial entities to report a major ICT-related incident and a major operational or security payment-related incident, as well as standardised templates for the register of information. When developing those standards, the ESAs should take into account the size and the overall risk profile of the financial entity, and the nature, scale and complexity of its services, activities and operations. The Commission should be empowered to adopt those implementing technical standards by means of implementing acts pursuant to Article 291 TFEU and in accordance with Article 15 of Regulations (EU) No 1093/2010, (EU) No 1094/2010 and (EU) No 1095/2010.
Since further requirements have already been specified through delegated and implementing acts based on technical regulatory and implementing technical standards in Regulations (EC) No 1060/2009 (23), (EU) No 648/2012 (24), (EU) No 600/2014 (25) and (EU) No 909/2014 (26) of the European Parliament and of the Council, it is appropriate to mandate the ESAs, either individually or jointly through the Joint Committee, to submit regulatory and implementing technical standards to the Commission for adoption of delegated and implementing acts carrying over and updating existing ICT risk management rules.
Since this Regulation, together with Directive (EU) 2022/2556 of the European Parliament and of the Council (27), entails a consolidation of the ICT risk management provisions across multiple regulations and directives of the Union’s financial services acquis, including Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014 and (EU) No 909/2014, and Regulation (EU) 2016/1011 of the European Parliament and of the Council (28), in order to ensure full consistency, those Regulations should be amended to clarify that the applicable ICT risk-related provisions are laid down in this Regulation.
Consequently, the scope of the relevant articles related to operational risk, upon which empowerments laid down in Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014, and (EU) 2016/1011 had mandated the adoption of delegated and implementing acts, should be narrowed down with a view to carry over into this Regulation all provisions covering the digital operational resilience aspects which today are part of those Regulations.
The potential systemic cyber risk associated with the use of ICT infrastructures that enable the operation of payment systems and the provision of payment processing activities should be duly addressed at Union level through harmonised digital resilience rules. To that effect, the Commission should swiftly assess the need for reviewing the scope of this Regulation while aligning such review with the outcome of the comprehensive review envisaged under Directive (EU) 2015/2366. Numerous large-scale attacks over the past decade demonstrate how payment systems have become exposed to cyber threats. Placed at the core of the payment services chain and showing strong interconnections with the overall financial system, payment systems and payment processing activities acquired a critical significance for the functioning of the Union financial markets. Cyber-attacks on such systems can cause severe operational business disruptions with direct repercussions on key economic functions, such as the facilitation of payments, and indirect effects on related economic processes. Until a harmonised regime and the supervision of operators of payment systems and processing entities are put in place at Union level, Member States may, with a view to applying similar market practices, draw inspiration from the digital operational resilience requirements laid down by this Regulation, when applying rules to operators of payment systems and processing entities supervised under their own jurisdictions.
Since the objective of this Regulation, namely to achieve a high level of digital operational resilience for regulated financial entities, cannot be sufficiently achieved by the Member States because it requires harmonisation of various different rules in Union and national law, but can rather, by reason of its scale and effects, be better achieved at Union level, the Union may adopt measures in accordance with the principle of subsidiarity as set out in Article 5 of the Treaty on European Union. In accordance with the principle of proportionality as set out in that Article, this Regulation does not go beyond what is necessary in order to achieve that objective.
The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 of the European Parliament and of the Council (29) and delivered an opinion on 10 May 2021 (30),
HAVE ADOPTED THIS REGULATION:
(a) requirements applicable to financial entities in relation to:
(i) information and communication technology (ICT) risk management;
(ii) reporting of major ICT-related incidents and notifying, on a voluntary basis, significant cyber threats to the competent authorities;
(iii) reporting of major operational or security payment-related incidents to the competent authorities by financial entities referred to in Article 2(1), points (a) to (d);
(iv) digital operational resilience testing;
(v) information and intelligence sharing in relation to cyber threats and vulnerabilities;
(vi) measures for the sound management of ICT third-party risk;
(b) requirements in relation to the contractual arrangements concluded between ICT third-party service providers and financial entities;
(c) rules for the establishment and conduct of the Oversight Framework for critical ICT third-party service providers when providing services to financial entities;
(d) rules on cooperation among competent authorities, and rules on supervision and enforcement by competent authorities in relation to all matters covered by this Regulation.
In relation to financial entities identified as essential or important entities pursuant to national rules transposing Article 3 of Directive (EU) 2022/2555, this Regulation shall be considered a sector-specific Union legal act for the purposes of Article 4 of that Directive.
This Regulation is without prejudice to the responsibility of Member States’ regarding essential State functions concerning public security, defence and national security in accordance with Union law.
(a) credit institutions;
(b) payment institutions, including payment institutions exempted pursuant to Directive (EU) 2015/2366;
(c) account information service providers;
(d) electronic money institutions, including electronic money institutions exempted pursuant to Directive 2009/110/EC;
(e) investment firms;
(f) crypto-asset service providers as authorised under a Regulation of the European Parliament and of the Council on markets in crypto-assets, and amending Regulations (EU) No 1093/2010 and (EU) No 1095/2010 and Directives 2013/36/EU and (EU) 2019/1937 (‘the Regulation on markets in crypto-assets’) and issuers of asset-referenced tokens;
(g) central securities depositories;
(h) central counterparties;
(i) trading venues;
(j) trade repositories;
(k) managers of alternative investment funds;
(l) management companies;
(m) data reporting service providers;
(n) insurance and reinsurance undertakings;
(o) insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries;
(p) institutions for occupational retirement provision;
(q) credit rating agencies;
(r) administrators of critical benchmarks;
(s) crowdfunding service providers;
(t) securitisation repositories;
(u) ICT third-party service providers.
For the purposes of this Regulation, entities referred to in paragraph 1, points (a) to (t), shall collectively be referred to as ‘financial entities’.
This Regulation does not apply to:
(a) managers of alternative investment funds as referred to in Article 3(2) of Directive 2011/61/EU;
(b) insurance and reinsurance undertakings as referred to in Article 4 of Directive 2009/138/EC;
(c) institutions for occupational retirement provision which operate pension schemes which together do not have more than 15 members in total;
(d) natural or legal persons exempted pursuant to Articles 2 and 3 of Directive 2014/65/EU;
(e) insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries which are microenterprises or small or medium-sized enterprises;
(f) post office giro institutions as referred to in Article 2(5), point (3), of Directive 2013/36/EU.
For the purposes of this Regulation, the following definitions shall apply:
‘digital operational resilience’ means the ability of a financial entity to build, assure and review its operational integrity and reliability by ensuring, either directly or indirectly through the use of services provided by ICT third-party service providers, the full range of ICT-related capabilities needed to address the security of the network and information systems which a financial entity uses, and which support the continued provision of financial services and their quality, including throughout disruptions;
‘network and information system’ means a network and information system as defined in Article 6, point 1, of Directive (EU) 2022/2555;
‘legacy ICT system’ means an ICT system that has reached the end of its lifecycle (end-of-life), that is not suitable for upgrades or fixes, for technological or commercial reasons, or is no longer supported by its supplier or by an ICT third-party service provider, but that is still in use and supports the functions of the financial entity;
‘security of network and information systems’ means security of network and information systems as defined in Article 6, point 2, of Directive (EU) 2022/2555;
‘ICT risk’ means any reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment;
‘information asset’ means a collection of information, either tangible or intangible, that is worth protecting;
‘ICT asset’ means a software or hardware asset in the network and information systems used by the financial entity;
‘ICT-related incident’ means a single event or a series of linked events unplanned by the financial entity that compromises the security of the network and information systems, and have an adverse impact on the availability, authenticity, integrity or confidentiality of data, or on the services provided by the financial entity;
‘operational or security payment-related incident’ means a single event or a series of linked events unplanned by the financial entities referred to in Article 2(1), points (a) to (d), whether ICT-related or not, that has an adverse impact on the availability, authenticity, integrity or confidentiality of payment-related data, or on the payment-related services provided by the financial entity;
‘major ICT-related incident’ means an ICT-related incident that has a high adverse impact on the network and information systems that support critical or important functions of the financial entity;
‘major operational or security payment-related incident’ means an operational or security payment-related incident that has a high adverse impact on the payment-related services provided;
‘cyber threat’ means ‘cyber threat’ as defined in Article 2, point (8), of Regulation (EU) 2019/881;
‘significant cyber threat’ means a cyber threat the technical characteristics of which indicate that it could have the potential to result in a major ICT-related incident or a major operational or security payment-related incident;
‘cyber-attack’ means a malicious ICT-related incident caused by means of an attempt perpetrated by any threat actor to destroy, expose, alter, disable, steal or gain unauthorised access to, or make unauthorised use of, an asset;
‘threat intelligence’ means information that has been aggregated, transformed, analysed, interpreted or enriched to provide the necessary context for decision-making and to enable relevant and sufficient understanding in order to mitigate the impact of an ICT-related incident or of a cyber threat, including the technical details of a cyber-attack, those responsible for the attack and their modus operandi and motivations;
‘vulnerability’ means a weakness, susceptibility or flaw of an asset, system, process or control that can be exploited;
‘threat-led penetration testing (TLPT)’ means a framework that mimics the tactics, techniques and procedures of real-life threat actors perceived as posing a genuine cyber threat, that delivers a controlled, bespoke, intelligence-led (red team) test of the financial entity’s critical live production systems;
‘ICT third-party risk’ means an ICT risk that may arise for a financial entity in relation to its use of ICT services provided by ICT third-party service providers or by subcontractors of the latter, including through outsourcing arrangements;
‘ICT third-party service provider’ means an undertaking providing ICT services;
‘ICT intra-group service provider’ means an undertaking that is part of a financial group and that provides predominantly ICT services to financial entities within the same group or to financial entities belonging to the same institutional protection scheme, including to their parent undertakings, subsidiaries, branches or other entities that are under common ownership or control;
‘ICT services’ means digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services;
‘critical or important function’ means a function, the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law;
‘critical ICT third-party service provider’ means an ICT third-party service provider designated as critical in accordance with Article 31;
‘ICT third-party service provider established in a third country’ means an ICT third-party service provider that is a legal person established in a third-country and that has entered into a contractual arrangement with a financial entity for the provision of ICT services;
‘subsidiary’ means a subsidiary undertaking within the meaning of Article 2, point (10), and Article 22 of Directive 2013/34/EU;
‘group’ means a group as defined in Article 2, point (11), of Directive 2013/34/EU;
‘parent undertaking’ means a parent undertaking within the meaning of Article 2, point (9), and Article 22 of Directive 2013/34/EU;
‘ICT subcontractor established in a third country’ means an ICT subcontractor that is a legal person established in a third-country and that has entered into a contractual arrangement either with an ICT third-party service provider, or with an ICT third-party service provider established in a third country;
‘ICT concentration risk’ means an exposure to individual or multiple related critical ICT third-party service providers creating a degree of dependency on such providers so that the unavailability, failure or other type of shortfall of such provider may potentially endanger the ability of a financial entity to deliver critical or important functions, or cause it to suffer other types of adverse effects, including large losses, or endanger the financial stability of the Union as a whole;
‘management body’ means a management body as defined in Article 4(1), point (36), of Directive 2014/65/EU, Article 3(1), point (7), of Directive 2013/36/EU, Article 2(1), point (s), of Directive 2009/65/EC of the European Parliament and of the Council (31), Article 2(1), point (45), of Regulation (EU) No 909/2014, Article 3(1), point (20), of Regulation (EU) 2016/1011, and in the relevant provision of the Regulation on markets in crypto-assets, or the equivalent persons who effectively run the entity or have key functions in accordance with relevant Union or national law;
‘credit institution’ means a credit institution as defined in Article 4(1), point (1), of Regulation (EU) No 575/2013 of the European Parliament and of the Council (32);
‘institution exempted pursuant to Directive 2013/36/EU’ means an entity as referred to in Article 2(5), points (4) to (23), of Directive 2013/36/EU;
‘investment firm’ means an investment firm as defined in Article 4(1), point (1), of Directive 2014/65/EU;
‘small and non-interconnected investment firm’ means an investment firm that meets the conditions laid out in Article 12(1) of Regulation (EU) 2019/2033 of the European Parliament and of the Council (33);
‘payment institution’ means a payment institution as defined in Article 4, point (4), of Directive (EU) 2015/2366;
‘payment institution exempted pursuant to Directive (EU) 2015/2366’ means a payment institution exempted pursuant to Article 32(1) of Directive (EU) 2015/2366;
‘account information service provider’ means an account information service provider as referred to in Article 33(1) of Directive (EU) 2015/2366;
‘electronic money institution’ means an electronic money institution as defined in Article 2, point (1), of Directive 2009/110/EC of the European Parliament and of the Council;
‘electronic money institution exempted pursuant to Directive 2009/110/EC’ means an electronic money institution benefitting from a waiver as referred to in Article 9(1) of Directive 2009/110/EC;
‘central counterparty’ means a central counterparty as defined in Article 2, point (1), of Regulation (EU) No 648/2012;
‘trade repository’ means a trade repository as defined in Article 2, point (2), of Regulation (EU) No 648/2012;
‘central securities depository’ means a central securities depository as defined in Article 2(1), point (1), of Regulation (EU) No 909/2014;
‘trading venue’ means a trading venue as defined in Article 4(1), point (24), of Directive 2014/65/EU;
‘manager of alternative investment funds’ means a manager of alternative investment funds as defined in Article 4(1), point (b), of Directive 2011/61/EU;
‘management company’ means a management company as defined in Article 2(1), point (b), of Directive 2009/65/EC;
‘data reporting service provider’ means a data reporting service provider within the meaning of Regulation (EU) No 600/2014, as referred to in Article 2(1), points (34) to (36) thereof;
‘insurance undertaking’ means an insurance undertaking as defined in Article 13, point (1), of Directive 2009/138/EC;
‘reinsurance undertaking’ means a reinsurance undertaking as defined in Article 13, point (4), of Directive 2009/138/EC;
‘insurance intermediary’ means an insurance intermediary as defined in Article 2(1), point (3), of Directive (EU) 2016/97 of the European Parliament and of the Council (34);
‘ancillary insurance intermediary’ means an ancillary insurance intermediary as defined in Article 2(1), point (4), of Directive (EU) 2016/97;
‘reinsurance intermediary’ means a reinsurance intermediary as defined in Article 2(1), point (5), of Directive (EU) 2016/97;
‘institution for occupational retirement provision’ means an institution for occupational retirement provision as defined in Article 6, point (1), of Directive (EU) 2016/2341;
‘small institution for occupational retirement provision’ means an institution for occupational retirement provision which operates pension schemes which together have less than 100 members in total;
‘credit rating agency’ means a credit rating agency as defined in Article 3(1), point (b), of Regulation (EC) No 1060/2009;
‘crypto-asset service provider’ means a crypto-asset service provider as defined in the relevant provision of the Regulation on markets in crypto-assets;
‘issuer of asset-referenced tokens’ means an issuer of asset-referenced tokens as defined in the relevant provision of the Regulation on markets in crypto-assets;
‘administrator of critical benchmarks’ means an administrator of ‘critical benchmarks’ as defined in Article 3(1), point (25), of Regulation (EU) 2016/1011;
‘crowdfunding service provider’ means a crowdfunding service provider as defined in Article 2(1), point (e), of Regulation (EU) 2020/1503 of the European Parliament and of the Council (35);
‘securitisation repository’ means a securitisation repository as defined in Article 2, point (23), of Regulation (EU) 2017/2402 of the European Parliament and of the Council (36);
‘microenterprise’ means a financial entity, other than a trading venue, a central counterparty, a trade repository or a central securities depository, which employs fewer than 10 persons and has an annual turnover and/or annual balance sheet total that does not exceed EUR 2 million;
‘Lead Overseer’ means the European Supervisory Authority appointed in accordance with Article 31(1), point (b) of this Regulation;
‘Joint Committee’ means the committee referred to in Article 54 of Regulations (EU) No 1093/2010, (EU) No 1094/2010 and (EU) No 1095/2010;
‘small enterprise’ means a financial entity that employs 10 or more persons, but fewer than 50 persons, and has an annual turnover and/or annual balance sheet total that exceeds EUR 2 million, but does not exceed EUR 10 million;
‘medium-sized enterprise’ means a financial entity that is not a small enterprise and employs fewer than 250 persons and has an annual turnover that does not exceed EUR 50 million and/or an annual balance sheet that does not exceed EUR 43 million;
‘public authority’ means any government or other public administration entity, including national central banks.
Financial entities shall implement the rules laid down in Chapter II in accordance with the principle of proportionality, taking into account their size and overall risk profile, and the nature, scale and complexity of their services, activities and operations.
In addition, the application by financial entities of Chapters III, IV and V, Section I, shall be proportionate to their size and overall risk profile, and to the nature, scale and complexity of their services, activities and operations, as specifically provided for in the relevant rules of those Chapters.
The competent authorities shall consider the application of the proportionality principle by financial entities when reviewing the consistency of the ICT risk management framework on the basis of the reports submitted upon the request of competent authorities pursuant to Article 6(5) and Article 16(2).
Financial entities shall have in place an internal governance and control framework that ensures an effective and prudent management of ICT risk, in accordance with Article 6(4), in order to achieve a high level of digital operational resilience.
The management body of the financial entity shall define, approve, oversee and be responsible for the implementation of all arrangements related to the ICT risk management framework referred to in Article 6(1).
For the purposes of the first subparagraph, the management body shall:
(a) bear the ultimate responsibility for managing the financial entity’s ICT risk;
(b) put in place policies that aim to ensure the maintenance of high standards of availability, authenticity, integrity and confidentiality, of data;
(c) set clear roles and responsibilities for all ICT-related functions and establish appropriate governance arrangements to ensure effective and timely communication, cooperation and coordination among those functions;
(d) bear the overall responsibility for setting and approving the digital operational resilience strategy as referred to in Article 6(8), including the determination of the appropriate risk tolerance level of ICT risk of the financial entity, as referred to in Article 6(8), point (b);
(e) approve, oversee and periodically review the implementation of the financial entity’s ICT business continuity policy and ICT response and recovery plans, referred to, respectively, in Article 11(1) and (3), which may be adopted as a dedicated specific policy forming an integral part of the financial entity’s overall business continuity policy and response and recovery plan;
(f) approve and periodically review the financial entity’s ICT internal audit plans, ICT audits and material modifications to them;
(g) allocate and periodically review the appropriate budget to fulfil the financial entity’s digital operational resilience needs in respect of all types of resources, including relevant ICT security awareness programmes and digital operational resilience training referred to in Article 13(6), and ICT skills for all staff;
(h) approve and periodically review the financial entity’s policy on arrangements regarding the use of ICT services provided by ICT third-party service providers;
(i) put in place, at corporate level, reporting channels enabling it to be duly informed of the following:
(i) arrangements concluded with ICT third-party service providers on the use of ICT services,
(ii) any relevant planned material changes regarding the ICT third-party service providers,
(iii) the potential impact of such changes on the critical or important functions subject to those arrangements, including a risk analysis summary to assess the impact of those changes, and at least major ICT-related incidents and their impact, as well as response, recovery and corrective measures.
Financial entities, other than microenterprises, shall establish a role in order to monitor the arrangements concluded with ICT third-party service providers on the use of ICT services, or shall designate a member of senior management as responsible for overseeing the related risk exposure and relevant documentation.
Members of the management body of the financial entity shall actively keep up to date with sufficient knowledge and skills to understand and assess ICT risk and its impact on the operations of the financial entity, including by following specific training on a regular basis, commensurate to the ICT risk being managed.
Financial entities shall have a sound, comprehensive and well-documented ICT risk management framework as part of their overall risk management system, which enables them to address ICT risk quickly, efficiently and comprehensively and to ensure a high level of digital operational resilience.
The ICT risk management framework shall include at least strategies, policies, procedures, ICT protocols and tools that are necessary to duly and adequately protect all information assets and ICT assets, including computer software, hardware, servers, as well as to protect all relevant physical components and infrastructures, such as premises, data centres and sensitive designated areas, to ensure that all information assets and ICT assets are adequately protected from risks including damage and unauthorised access or usage.
In accordance with their ICT risk management framework, financial entities shall minimise the impact of ICT risk by deploying appropriate strategies, policies, procedures, ICT protocols and tools. They shall provide complete and updated information on ICT risk and on their ICT risk management framework to the competent authorities upon their request.
Financial entities, other than microenterprises, shall assign the responsibility for managing and overseeing ICT risk to a control function and ensure an appropriate level of independence of such control function in order to avoid conflicts of interest. Financial entities shall ensure appropriate segregation and independence of ICT risk management functions, control functions, and internal audit functions, according to the three lines of defence model, or an internal risk management and control model.
The ICT risk management framework shall be documented and reviewed at least once a year, or periodically in the case of microenterprises, as well as upon the occurrence of major ICT-related incidents, and following supervisory instructions or conclusions derived from relevant digital operational resilience testing or audit processes. It shall be continuously improved on the basis of lessons derived from implementation and monitoring. A report on the review of the ICT risk management framework shall be submitted to the competent authority upon its request.
The ICT risk management framework of financial entities, other than microenterprises, shall be subject to internal audit by auditors on a regular basis in line with the financial entities’ audit plan. Those auditors shall possess sufficient knowledge, skills and expertise in ICT risk, as well as appropriate independence. The frequency and focus of ICT audits shall be commensurate to the ICT risk of the financial entity.
Based on the conclusions from the internal audit review, financial entities shall establish a formal follow-up process, including rules for the timely verification and remediation of critical ICT audit findings.
The ICT risk management framework shall include a digital operational resilience strategy setting out how the framework shall be implemented. To that end, the digital operational resilience strategy shall include methods to address ICT risk and attain specific ICT objectives, by:
(a) explaining how the ICT risk management framework supports the financial entity’s business strategy and objectives;
(b) establishing the risk tolerance level for ICT risk, in accordance with the risk appetite of the financial entity, and analysing the impact tolerance for ICT disruptions;
(c) setting out clear information security objectives, including key performance indicators and key risk metrics;
(d) explaining the ICT reference architecture and any changes needed to reach specific business objectives;
(e) outlining the different mechanisms put in place to detect ICT-related incidents, prevent their impact and provide protection from it;
(f) evidencing the current digital operational resilience situation on the basis of the number of major ICT-related incidents reported and the effectiveness of preventive measures;
(g) implementing digital operational resilience testing, in accordance with Chapter IV of this Regulation;
(h) outlining a communication strategy in the event of ICT-related incidents the disclosure of which is required in accordance with Article 14.
Financial entities may, in the context of the digital operational resilience strategy referred to in paragraph 8, define a holistic ICT multi-vendor strategy, at group or entity level, showing key dependencies on ICT third-party service providers and explaining the rationale behind the procurement mix of ICT third-party service providers.
Financial entities may, in accordance with Union and national sectoral law, outsource the tasks of verifying compliance with ICT risk management requirements to intra-group or external undertakings. In case of such outsourcing, the financial entity remains fully responsible for the verification of compliance with the ICT risk management requirements.
In order to address and manage ICT risk, financial entities shall use and maintain updated ICT systems, protocols and tools that are:
(a) appropriate to the magnitude of operations supporting the conduct of their activities, in accordance with the proportionality principle as referred to in Article 4;
(b) reliable;
(c) equipped with sufficient capacity to accurately process the data necessary for the performance of activities and the timely provision of services, and to deal with peak orders, message or transaction volumes, as needed, including where new technology is introduced;
(d) technologically resilient in order to adequately deal with additional information processing needs as required under stressed market conditions or other adverse situations.
As part of the ICT risk management framework referred to in Article 6(1), financial entities shall identify, classify and adequately document all ICT supported business functions, roles and responsibilities, the information assets and ICT assets supporting those functions, and their roles and dependencies in relation to ICT risk. Financial entities shall review as needed, and at least yearly, the adequacy of this classification and of any relevant documentation.
Financial entities shall, on a continuous basis, identify all sources of ICT risk, in particular the risk exposure to and from other financial entities, and assess cyber threats and ICT vulnerabilities relevant to their ICT supported business functions, information assets and ICT assets. Financial entities shall review on a regular basis, and at least yearly, the risk scenarios impacting them.
Financial entities, other than microenterprises, shall perform a risk assessment upon each major change in the network and information system infrastructure, in the processes or procedures affecting their ICT supported business functions, information assets or ICT assets.
Financial entities shall identify all information assets and ICT assets, including those on remote sites, network resources and hardware equipment, and shall map those considered critical. They shall map the configuration of the information assets and ICT assets and the links and interdependencies between the different information assets and ICT assets.
Financial entities shall identify and document all processes that are dependent on ICT third-party service providers, and shall identify interconnections with ICT third-party service providers that provide services that support critical or important functions.
For the purposes of paragraphs 1, 4 and 5, financial entities shall maintain relevant inventories and update them periodically and every time any major change as referred to in paragraph 3 occurs.
Financial entities, other than microenterprises, shall on a regular basis, and at least yearly, conduct a specific ICT risk assessment on all legacy ICT systems and, in any case before and after connecting technologies, applications or systems.
For the purposes of adequately protecting ICT systems and with a view to organising response measures, financial entities shall continuously monitor and control the security and functioning of ICT systems and tools and shall minimise the impact of ICT risk on ICT systems through the deployment of appropriate ICT security tools, policies and procedures.
Financial entities shall design, procure and implement ICT security policies, procedures, protocols and tools that aim to ensure the resilience, continuity and availability of ICT systems, in particular for those supporting critical or important functions, and to maintain high standards of availability, authenticity, integrity and confidentiality of data, whether at rest, in use or in transit.
In order to achieve the objectives referred to in paragraph 2, financial entities shall use ICT solutions and processes that are appropriate in accordance with Article 4. Those ICT solutions and processes shall:
(a) ensure the security of the means of transfer of data;
(b) minimise the risk of corruption or loss of data, unauthorised access and technical flaws that may hinder business activity;
(c) prevent the lack of availability, the impairment of the authenticity and integrity, the breaches of confidentiality and the loss of data;
(d) ensure that data is protected from risks arising from data management, including poor administration, processing-related risks and human error.
(a) develop and document an information security policy defining rules to protect the availability, authenticity, integrity and confidentiality of data, information assets and ICT assets, including those of their customers, where applicable;
(b) following a risk-based approach, establish a sound network and infrastructure management structure using appropriate techniques, methods and protocols that may include implementing automated mechanisms to isolate affected information assets in the event of cyber-attacks;
(c) implement policies that limit the physical or logical access to information assets and ICT assets to what is required for legitimate and approved functions and activities only, and establish to that end a set of policies, procedures and controls that address access rights and ensure a sound administration thereof;
(d) implement policies and protocols for strong authentication mechanisms, based on relevant standards and dedicated control systems, and protection measures of cryptographic keys whereby data is encrypted based on results of approved data classification and ICT risk assessment processes;
(e) implement documented policies, procedures and controls for ICT change management, including changes to software, hardware, firmware components, systems or security parameters, that are based on a risk assessment approach and are an integral part of the financial entity’s overall change management process, in order to ensure that all changes to ICT systems are recorded, tested, assessed, approved, implemented and verified in a controlled manner;
(f) have appropriate and comprehensive documented policies for patches and updates.
For the purposes of the first subparagraph, point (b), financial entities shall design the network connection infrastructure in a way that allows it to be instantaneously severed or segmented in order to minimise and prevent contagion, especially for interconnected financial processes.
For the purposes of the first subparagraph, point (e), the ICT change management process shall be approved by appropriate lines of management and shall have specific protocols in place.
All detection mechanisms referred to in the first subparagraph shall be regularly tested in accordance with Article 25.
The detection mechanisms referred to in paragraph 1 shall enable multiple layers of control, define alert thresholds and criteria to trigger and initiate ICT-related incident response processes, including automatic alert mechanisms for relevant staff in charge of ICT-related incident response.
Financial entities shall devote sufficient resources and capabilities to monitor user activity, the occurrence of ICT anomalies and ICT-related incidents, in particular cyber-attacks.
Data reporting service providers shall, in addition, have in place systems that can effectively check trade reports for completeness, identify omissions and obvious errors, and request re-transmission of those reports.
As part of the ICT risk management framework referred to in Article 6(1) and based on the identification requirements set out in Article 8, financial entities shall put in place a comprehensive ICT business continuity policy, which may be adopted as a dedicated specific policy, forming an integral part of the overall business continuity policy of the financial entity.
Financial entities shall implement the ICT business continuity policy through dedicated, appropriate and documented arrangements, plans, procedures and mechanisms aiming to:
(a) ensure the continuity of the financial entity’s critical or important functions;
(b) quickly, appropriately and effectively respond to, and resolve, all ICT-related incidents in a way that limits damage and prioritises the resumption of activities and recovery actions;
(c) activate, without delay, dedicated plans that enable containment measures, processes and technologies suited to each type of ICT-related incident and prevent further damage, as well as tailored response and recovery procedures established in accordance with Article 12;
(d) estimate preliminary impacts, damages and losses;
(e) set out communication and crisis management actions that ensure that updated information is transmitted to all relevant internal staff and external stakeholders in accordance with Article 14, and report to the competent authorities in accordance with Article 19.
As part of the ICT risk management framework referred to in Article 6(1), financial entities shall implement associated ICT response and recovery plans which, in the case of financial entities other than microenterprises, shall be subject to independent internal audit reviews.
Financial entities shall put in place, maintain and periodically test appropriate ICT business continuity plans, notably with regard to critical or important functions outsourced or contracted through arrangements with ICT third-party service providers.
As part of the overall business continuity policy, financial entities shall conduct a business impact analysis (BIA) of their exposures to severe business disruptions. Under the BIA, financial entities shall assess the potential impact of severe business disruptions by means of quantitative and qualitative criteria, using internal and external data and scenario analysis, as appropriate. The BIA shall consider the criticality of identified and mapped business functions, support processes, third-party dependencies and information assets, and their interdependencies. Financial entities shall ensure that ICT assets and ICT services are designed and used in full alignment with the BIA, in particular with regard to adequately ensuring the redundancy of all critical components.
As part of their comprehensive ICT risk management, financial entities shall:
(a) test the ICT business continuity plans and the ICT response and recovery plans in relation to ICT systems supporting all functions at least yearly, as well as in the event of any substantive changes to ICT systems supporting critical or important functions;
(b) test the crisis communication plans established in accordance with Article 14.
For the purposes of the first subparagraph, point (a), financial entities, other than microenterprises, shall include in the testing plans scenarios of cyber-attacks and switchovers between the primary ICT infrastructure and the redundant capacity, backups and redundant facilities necessary to meet the obligations set out in Article 12.
Financial entities shall regularly review their ICT business continuity policy and ICT response and recovery plans, taking into account the results of tests carried out in accordance with the first subparagraph and recommendations stemming from audit checks or supervisory reviews.
Financial entities, other than microenterprises, shall have a crisis management function, which, in the event of activation of their ICT business continuity plans or ICT response and recovery plans, shall, inter alia, set out clear procedures to manage internal and external crisis communications in accordance with Article 14.
Financial entities shall keep readily accessible records of activities before and during disruption events when their ICT business continuity plans and ICT response and recovery plans are activated.
Central securities depositories shall provide the competent authorities with copies of the results of the ICT business continuity tests, or of similar exercises.
Financial entities, other than microenterprises, shall report to the competent authorities, upon their request, an estimation of aggregated annual costs and losses caused by major ICT-related incidents.
In accordance with Article 16 of Regulations (EU) No 1093/2010, (EU) No 1094/2010 and (EU) No 1095/2010, the ESAs, through the Joint Committee, shall by 17 July 2024 develop common guidelines on the estimation of aggregated annual costs and losses referred to in paragraph 10.
(a) backup policies and procedures specifying the scope of the data that is subject to the backup and the minimum frequency of the backup, based on the criticality of information or the confidentiality level of the data;
(b) restoration and recovery procedures and methods.
Financial entities shall set up backup systems that can be activated in accordance with the backup policies and procedures, as well as restoration and recovery procedures and methods. The activation of backup systems shall not jeopardise the security of the network and information systems or the availability, authenticity, integrity or confidentiality of data. Testing of the backup procedures and restoration and recovery procedures and methods shall be undertaken periodically.
When restoring backup data using own systems, financial entities shall use ICT systems that are physically and logically segregated from the source ICT system. The ICT systems shall be securely protected from any unauthorised access or ICT corruption and allow for the timely restoration of services making use of data and system backups as necessary.
For central counterparties, the recovery plans shall enable the recovery of all transactions at the time of disruption to allow the central counterparty to continue to operate with certainty and to complete settlement on the scheduled date.
Data reporting service providers shall additionally maintain adequate resources and have back-up and restoration facilities in place in order to offer and maintain their services at all times.
Financial entities, other than microenterprises, shall maintain redundant ICT capacities equipped with resources, capabilities and functions that are adequate to ensure business needs. Microenterprises shall assess the need to maintain such redundant ICT capacities based on their risk profile.
Central securities depositories shall maintain at least one secondary processing site endowed with adequate resources, capabilities, functions and staffing arrangements to ensure business needs.
The secondary processing site shall be:
(a) located at a geographical distance from the primary processing site to ensure that it bears a distinct risk profile and to prevent it from being affected by the event which has affected the primary site;
(b) capable of ensuring the continuity of critical or important functions identically to the primary site, or providing the level of services necessary to ensure that the financial entity performs its critical operations within the recovery objectives;
(c) immediately accessible to the financial entity’s staff to ensure continuity of critical or important functions in the event that the primary processing site has become unavailable.
In determining the recovery time and recovery point objectives for each function, financial entities shall take into account whether it is a critical or important function and the potential overall impact on market efficiency. Such time objectives shall ensure that, in extreme scenarios, the agreed service levels are met.
When recovering from an ICT-related incident, financial entities shall perform necessary checks, including any multiple checks and reconciliations, in order to ensure that the highest level of data integrity is maintained. These checks shall also be performed when reconstructing data from external stakeholders, in order to ensure that all data is consistent between systems.
Financial entities shall have in place capabilities and staff to gather information on vulnerabilities and cyber threats, ICT-related incidents, in particular cyber-attacks, and analyse the impact they are likely to have on their digital operational resilience.
Financial entities shall put in place post ICT-related incident reviews after a major ICT-related incident disrupts their core activities, analysing the causes of disruption and identifying required improvements to the ICT operations or within the ICT business continuity policy referred to in Article 11.
Financial entities, other than microenterprises, shall, upon request, communicate to the competent authorities, the changes that were implemented following post ICT-related incident reviews as referred to in the first subparagraph.
The post ICT-related incident reviews referred to in the first subparagraph shall determine whether the established procedures were followed and the actions taken were effective, including in relation to the following:
(a) the promptness in responding to security alerts and determining the impact of ICT-related incidents and their severity;
(b) the quality and speed of performing a forensic analysis, where deemed appropriate;
(c) the effectiveness of incident escalation within the financial entity;
(d) the effectiveness of internal and external communication.
Lessons derived from the digital operational resilience testing carried out in accordance with Articles 26 and 27 and from real life ICT-related incidents, in particular cyber-attacks, along with challenges faced upon the activation of ICT business continuity plans and ICT response and recovery plans, together with relevant information exchanged with counterparts and assessed during supervisory reviews, shall be duly incorporated on a continuous basis into the ICT risk assessment process. Those findings shall form the basis for appropriate reviews of relevant components of the ICT risk management framework referred to in Article 6(1).
Financial entities shall monitor the effectiveness of the implementation of their digital operational resilience strategy set out in Article 6(8). They shall map the evolution of ICT risk over time, analyse the frequency, types, magnitude and evolution of ICT-related incidents, in particular cyber-attacks and their patterns, with a view to understanding the level of ICT risk exposure, in particular in relation to critical or important functions, and enhance the cyber maturity and preparedness of the financial entity.
Senior ICT staff shall report at least yearly to the management body on the findings referred to in paragraph 3 and put forward recommendations.
Financial entities shall develop ICT security awareness programmes and digital operational resilience training as compulsory modules in their staff training schemes. Those programmes and training shall be applicable to all employees and to senior management staff, and shall have a level of complexity commensurate to the remit of their functions. Where appropriate, financial entities shall also include ICT third-party service providers in their relevant training schemes in accordance with Article 30(2), point (i).
Financial entities, other than microenterprises, shall monitor relevant technological developments on a continuous basis, also with a view to understanding the possible impact of the deployment of such new technologies on ICT security requirements and digital operational resilience. They shall keep up-to-date with the latest ICT risk management processes, in order to effectively combat current or new forms of cyber-attacks.
As part of the ICT risk management framework referred to in Article 6(1), financial entities shall have in place crisis communication plans enabling a responsible disclosure of, at least, major ICT-related incidents or vulnerabilities to clients and counterparts as well as to the public, as appropriate.
As part of the ICT risk management framework, financial entities shall implement communication policies for internal staff and for external stakeholders. Communication policies for staff shall take into account the need to differentiate between staff involved in ICT risk management, in particular the staff responsible for response and recovery, and staff that needs to be informed.
At least one person in the financial entity shall be tasked with implementing the communication strategy for ICT-related incidents and fulfil the public and media function for that purpose.
The ESAs shall, through the Joint Committee, in consultation with the European Union Agency on Cybersecurity (ENISA), develop common draft regulatory technical standards in order to:
(a) specify further elements to be included in the ICT security policies, procedures, protocols and tools referred to in Article 9(2), with a view to ensuring the security of networks, enable adequate safeguards against intrusions and data misuse, preserve the availability, authenticity, integrity and confidentiality of data, including cryptographic techniques, and guarantee an accurate and prompt data transmission without major disruptions and undue delays;
(b) develop further components of the controls of access management rights referred to in Article 9(4), point (c), and associated human resource policy specifying access rights, procedures for granting and revoking rights, monitoring anomalous behaviour in relation to ICT risk through appropriate indicators, including for network use patterns, hours, IT activity and unknown devices;
(c) develop further the mechanisms specified in Article 10(1) enabling a prompt detection of anomalous activities and the criteria set out in Article 10(2) triggering ICT-related incident detection and response processes;
(d) specify further the components of the ICT business continuity policy referred to in Article 11(1);
(e) specify further the testing of ICT business continuity plans referred to in Article 11(6) to ensure that such testing duly takes into account scenarios in which the quality of the provision of a critical or important function deteriorates to an unacceptable level or fails, and duly considers the potential impact of the insolvency, or other failures, of any relevant ICT third-party service provider and, where relevant, the political risks in the respective providers’ jurisdictions;
(f) specify further the components of the ICT response and recovery plans referred to in Article 11(3);
(g) specifying further the content and format of the report on the review of the ICT risk management framework referred to in Article 6(5);
When developing those draft regulatory technical standards, the ESAs shall take into account the size and the overall risk profile of the financial entity, and the nature, scale and complexity of its services, activities and operations, while duly taking into consideration any specific feature arising from the distinct nature of activities across different financial services sectors.
The ESAs shall submit those draft regulatory technical standards to the Commission by 17 January 2024.
Power is delegated to the Commission to supplement this Regulation by adopting the regulatory technical standards referred to in the first paragraph in accordance with Articles 10 to 14 of Regulations (EU) No 1093/2010, (EU) No 1094/2010 and (EU) No 1095/2010.
Without prejudice to the first subparagraph, the entities listed in the first subparagraph shall:
(a) put in place and maintain a sound and documented ICT risk management framework that details the mechanisms and measures aimed at a quick, efficient and comprehensive management of ICT risk, including for the protection of relevant physical components and infrastructures;
(b) continuously monitor the security and functioning of all ICT systems;
(c) minimise the impact of ICT risk through the use of sound, resilient and updated ICT systems, protocols and tools which are appropriate to support the performance of their activities and the provision of services and adequately protect availability, authenticity, integrity and confidentiality of data in the network and information systems;
(d) allow sources of ICT risk and anomalies in the network and information systems to be promptly identified and detected and ICT-related incidents to be swiftly handled;
(e) identify key dependencies on ICT third-party service providers;
(f) ensure the continuity of critical or important functions, through business continuity plans and response and recovery measures, which include, at least, back-up and restoration measures;
(g) test, on a regular basis, the plans and measures referred to in point (f), as well as the effectiveness of the controls implemented in accordance with points (a) and (c);
(h) implement, as appropriate, relevant operational conclusions resulting from the tests referred to in point (g) and from post-incident analysis into the ICT risk assessment process and develop, according to needs and ICT risk profile, ICT security awareness programmes and digital operational resilience training for staff and management.
The ICT risk management framework referred to in paragraph 1, second subparagraph, point (a), shall be documented and reviewed periodically and upon the occurrence of major ICT-related incidents in compliance with supervisory instructions. It shall be continuously improved on the basis of lessons derived from implementation and monitoring. A report on the review of the ICT risk management framework shall be submitted to the competent authority upon its request.
The ESAs shall, through the Joint Committee, in consultation with the ENISA, develop common draft regulatory technical standards in order to:
(a) specify further the elements to be included in the ICT risk management framework referred to in paragraph 1, second subparagraph, point (a);
(b) specify further the elements in relation to systems, protocols and tools to minimise the impact of ICT risk referred to in paragraph 1, second subparagraph, point (c), with a view to ensuring the security of networks, enabling adequate safeguards against intrusions and data misuse and preserving the availability, authenticity, integrity and confidentiality of data;
(c) specify further the components of the ICT business continuity plans referred to in paragraph 1, second subparagraph, point (f);
(d) specify further the rules on the testing of business continuity plans and ensure the effectiveness of the controls referred to in paragraph 1, second subparagraph, point (g) and ensure that such testing duly takes into account scenarios in which the quality of the provision of a critical or important function deteriorates to an unacceptable level or fails;
(e) specify further the content and format of the report on the review of the ICT risk management framework referred to in paragraph 2.
When developing those draft regulatory technical standards, the ESAs shall take into account the size and the overall risk profile of the financial entity, and the nature, scale and complexity of its services, activities and operations.
The ESAs shall submit those draft regulatory technical standards to the Commission by 17 January 2024.
Power is delegated to the Commission to supplement this Regulation by adopting the regulatory technical standards referred to in the first subparagraph in accordance with Articles 10 to 14 of Regulations (EU) No 1093/2010, (EU) No 1094/2010 and (EU) No 1095/2010.
Financial entities shall define, establish and implement an ICT-related incident management process to detect, manage and notify ICT-related incidents.
Financial entities shall record all ICT-related incidents and significant cyber threats. Financial entities shall establish appropriate procedures and processes to ensure a consistent and integrated monitoring, handling and follow-up of ICT-related incidents, to ensure that root causes are identified, documented and addressed in order to prevent the occurrence of such incidents.
The ICT-related incident management process referred to in paragraph 1 shall:
(a) put in place early warning indicators;
(b) establish procedures to identify, track, log, categorise and classify ICT-related incidents according to their priority and severity and according to the criticality of the services impacted, in accordance with the criteria set out in Article 18(1);
(c) assign roles and responsibilities that need to be activated for different ICT-related incident types and scenarios;
(d) set out plans for communication to staff, external stakeholders and media in accordance with Article 14 and for notification to clients, for internal escalation procedures, including ICT-related customer complaints, as well as for the provision of information to financial entities that act as counterparts, as appropriate;
(e) ensure that at least major ICT-related incidents are reported to relevant senior management and inform the management body of at least major ICT-related incidents, explaining the impact, response and additional controls to be established as a result of such ICT-related incidents;
(f) establish ICT-related incident response procedures to mitigate impacts and ensure that services become operational and secure in a timely manner.
(a) the number and/or relevance of clients or financial counterparts affected and, where applicable, the amount or number of transactions affected by the ICT-related incident, and whether the ICT-related incident has caused reputational impact;
(b) the duration of the ICT-related incident, including the service downtime;
(c) the geographical spread with regard to the areas affected by the ICT-related incident, particularly if it affects more than two Member States;
(d) the data losses that the ICT-related incident entails, in relation to availability, authenticity, integrity or confidentiality of data;
(e) the criticality of the services affected, including the financial entity’s transactions and operations;
(f) the economic impact, in particular direct and indirect costs and losses, of the ICT-related incident in both absolute and relative terms.
Financial entities shall classify cyber threats as significant based on the criticality of the services at risk, including the financial entity’s transactions and operations, number and/or relevance of clients or financial counterparts targeted and the geographical spread of the areas at risk.
The ESAs shall, through the Joint Committee and in consultation with the ECB and ENISA, develop common draft regulatory technical standards further specifying the following:
(a) the criteria set out in paragraph 1, including materiality thresholds for determining major ICT-related incidents or, as applicable, major operational or security payment-related incidents, that are subject to the reporting obligation laid down in Article 19(1);
(b) the criteria to be applied by competent authorities for the purpose of assessing the relevance of major ICT-related incidents or, as applicable, major operational or security payment-related incidents, to relevant competent authorities in other Member States’, and the details of reports of major ICT-related incidents or, as applicable, major operational or security payment-related incidents, to be shared with other competent authorities pursuant to Article 19(6) and (7);
(c) the criteria set out in paragraph 2 of this Article, including high materiality thresholds for determining significant cyber threats.
The ESAs shall submit those common draft regulatory technical standards to the Commission by 17 January 2024.
Power is delegated to the Commission to supplement this Regulation by adopting the regulatory technical standards referred to in paragraph 3 in accordance with Articles 10 to 14 of Regulations (EU) No 1093/2010, (EU) No 1094/2010 and (EU) No 1095/2010.
Where a financial entity is subject to supervision by more than one national competent authority referred to in Article 46, Member States shall designate a single competent authority as the relevant competent authority responsible for carrying out the functions and duties provided for in this Article.
Credit institutions classified as significant, in accordance with Article 6(4) of Regulation (EU) No 1024/2013, shall report major ICT-related incidents to the relevant national competent authority designated in accordance with Article 4 of Directive 2013/36/EU, which shall immediately transmit that report to the ECB.
For the purpose of the first subparagraph, financial entities shall produce, after collecting and analysing all relevant information, the initial notification and reports referred to in paragraph 4 of this Article using the templates referred to in Article 20 and submit them to the competent authority. In the event that a technical impossibility prevents the submission of the initial notification using the template, financial entities shall notify the competent authority about it via alternative means.
The initial notification and reports referred to in paragraph 4 shall include all information necessary for the competent authority to determine the significance of the major ICT-related incident and assess possible cross-border impacts.
Without prejudice to the reporting pursuant to the first subparagraph by the financial entity to the relevant competent authority, Member States may additionally determine that some or all financial entities shall also provide the initial notification and each report referred to in paragraph 4 of this Article using the templates referred to in Article 20 to the competent authorities or the computer security incident response teams (CSIRTs) designated or established in accordance with Directive (EU) 2022/2555.
Credit institutions classified as significant, in accordance with Article 6(4) of Regulation (EU) No 1024/2013, may, on a voluntary basis, notify significant cyber threats to relevant national competent authority, designated in accordance with Article 4 of Directive 2013/36/EU, which shall immediately transmit the notification to the ECB.
Member States may determine that those financial entities that on a voluntary basis notify in accordance with the first subparagraph may also transmit that notification to the CSIRTs designated or established in accordance with Directive (EU) 2022/2555.
In the case of a significant cyber threat, financial entities shall, where applicable, inform their clients that are potentially affected of any appropriate protection measures which the latter may consider taking.
(a) an initial notification;
(b) an intermediate report after the initial notification referred to in point (a), as soon as the status of the original incident has changed significantly or the handling of the major ICT-related incident has changed based on new information available, followed, as appropriate, by updated notifications every time a relevant status update is available, as well as upon a specific request of the competent authority;
(c) a final report, when the root cause analysis has been completed, regardless of whether mitigation measures have already been implemented, and when the actual impact figures are available to replace estimates.
Financial entities may outsource, in accordance with Union and national sectoral law, the reporting obligations under this Article to a third-party service provider. In case of such outsourcing, the financial entity remains fully responsible for the fulfilment of the incident reporting requirements.
Upon receipt of the initial notification and of each report referred to in paragraph 4, the competent authority shall, in a timely manner, provide details of the major ICT-related incident to the following recipients based, as applicable, on their respective competences:
(a) EBA, ESMA or EIOPA;
(b) the ECB, in the case of financial entities referred to in Article 2(1), points (a), (b) and (d);
(c) the competent authorities, single points of contact or CSIRTs designated or established in accordance with Directive (EU) 2022/2555;
(d) the resolution authorities, as referred to in Article 3 of Directive 2014/59/EU, and the Single Resolution Board (SRB) with respect to entities referred to in Article 7(2) of Regulation (EU) No 806/2014 of the European Parliament and of the Council (37), and with respect to entities and groups referred to in Article 7(4)(b) and (5) of Regulation (EU) No 806/2014 if such details concern incidents that pose a risk to ensuring critical functions within the meaning of Article 2(1), point (35), of Directive 2014/59/EU; and
(e) other relevant public authorities under national law.
Following receipt of information in accordance with paragraph 6, EBA, ESMA or EIOPA and the ECB, in consultation with ENISA and in cooperation with the relevant competent authority, shall assess whether the major ICT-related incident is relevant for competent authorities in other Member States. Following that assessment, EBA, ESMA or EIOPA shall, as soon as possible, notify relevant competent authorities in other Member States accordingly. The ECB shall notify the members of the European System of Central Banks on issues relevant to the payment system. Based on that notification, the competent authorities shall, where appropriate, take all of the necessary measures to protect the immediate stability of the financial system.
The notification to be done by ESMA pursuant to paragraph 7 of this Article shall be without prejudice to the responsibility of the competent authority to urgently transmit the details of the major ICT-related incident to the relevant authority in the host Member State, where a central securities depository has significant cross-border activity in the host Member State, the major ICT-related incident is likely to have severe consequences for the financial markets of the host Member State and where there are cooperation arrangements among competent authorities related to the supervision of financial entities.
The ESAs, through the Joint Committee, and in consultation with ENISA and the ECB, shall develop:
(a) common draft regulatory technical standards in order to:
(i) establish the content of the reports for major ICT-related incidents in order to reflect the criteria laid down in Article 18(1) and incorporate further elements, such as details for establishing the relevance of the reporting for other Member States and whether it constitutes a major operational or security payment-related incident or not;
(ii) determine the time limits for the initial notification and for each report referred to in Article 19(4);
(iii) establish the content of the notification for significant cyber threats.
When developing those draft regulatory technical standards, the ESAs shall take into account the size and the overall risk profile of the financial entity, and the nature, scale and complexity of its services, activities and operations, and in particular, with a view to ensuring that, for the purposes of this paragraph, point (a), point (ii), different time limits may reflect, as appropriate, specificities of financial sectors, without prejudice to maintaining a consistent approach to ICT-related incident reporting pursuant to this Regulation and to Directive (EU) 2022/2555. The ESAs shall, as applicable, provide justification when deviating from the approaches taken in the context of that Directive;
The ESAs shall submit the common draft regulatory technical standards referred to in the first paragraph, point (a), and the common draft implementing technical standards referred to in the first paragraph, point (b), to the Commission by 17 July 2024.
Power is delegated to the Commission to supplement this Regulation by adopting the common regulatory technical standards referred to in the first paragraph, point (a), in accordance with Articles 10 to 14 of Regulations (EU) No 1093/2010, (EU) No 1094/2010 and (EU) No 1095/2010.
Power is conferred on the Commission to adopt the common implementing technical standards referred to in the first paragraph, point (b), in accordance with Article 15 of Regulations (EU) No 1093/2010, (EU) No 1094/2010 and (EU) No 1095/2010.
The ESAs, through the Joint Committee, and in consultation with the ECB and ENISA, shall prepare a joint report assessing the feasibility of further centralisation of incident reporting through the establishment of a single EU Hub for major ICT-related incident reporting by financial entities. The joint report shall explore ways to facilitate the flow of ICT-related incident reporting, reduce associated costs and underpin thematic analyses with a view to enhancing supervisory convergence.
The joint report referred to in paragraph 1 shall comprise at least the following elements:
(a) prerequisites for the establishment of a single EU Hub;
(b) benefits, limitations and risks, including risks associated with the high concentration of sensitive information;
(c) the necessary capability to ensure interoperability with regard to other relevant reporting schemes;
(d) elements of operational management;
(e) conditions of membership;
(f) technical arrangements for financial entities and national competent authorities to access the single EU Hub;
(g) a preliminary assessment of financial costs incurred by setting-up the operational platform supporting the single EU Hub, including the requisite expertise.
Without prejudice to the technical input, advice or remedies and subsequent follow-up which may be provided, where applicable, in accordance with national law, by the CSIRTs under Directive (EU) 2022/2555, the competent authority shall, upon receipt of the initial notification and of each report as referred to in Article 19(4), acknowledge receipt and may, where feasible, provide in a timely manner relevant and proportionate feedback or high-level guidance to the financial entity, in particular by making available any relevant anonymised information and intelligence on similar threats, and may discuss remedies applied at the level of the financial entity and ways to minimise and mitigate adverse impact across the financial sector. Without prejudice to the supervisory feedback received, financial entities shall remain fully responsible for the handling and for consequences of the ICT-related incidents reported pursuant to Article 19(1).
The ESAs shall, through the Joint Committee, on an anonymised and aggregated basis, report yearly on major ICT-related incidents, the details of which shall be provided by competent authorities in accordance with Article 19(6), setting out at least the number of major ICT-related incidents, their nature and their impact on the operations of financial entities or clients, remedial actions taken and costs incurred.
The ESAs shall issue warnings and produce high-level statistics to support ICT threat and vulnerability assessments.
The requirements laid down in this Chapter shall also apply to operational or security payment-related incidents and to major operational or security payment-related incidents, where they concern credit institutions, payment institutions, account information service providers, and electronic money institutions.
For the purpose of assessing preparedness for handling ICT-related incidents, of identifying weaknesses, deficiencies and gaps in digital operational resilience, and of promptly implementing corrective measures, financial entities, other than microenterprises, shall, taking into account the criteria set out in Article 4(2), establish, maintain and review a sound and comprehensive digital operational resilience testing programme as an integral part of the ICT risk-management framework referred to in Article 6.
The digital operational resilience testing programme shall include a range of assessments, tests, methodologies, practices and tools to be applied in accordance with Articles 25 and 26.
When conducting the digital operational resilience testing programme referred to in paragraph 1 of this Article, financial entities, other than microenterprises, shall follow a risk-based approach taking into account the criteria set out in Article 4(2) duly considering the evolving landscape of ICT risk, any specific risks to which the financial entity concerned is or might be exposed, the criticality of information assets and of services provided, as well as any other factor the financial entity deems appropriate.
Financial entities, other than microenterprises, shall ensure that tests are undertaken by independent parties, whether internal or external. Where tests are undertaken by an internal tester, financial entities shall dedicate sufficient resources and ensure that conflicts of interest are avoided throughout the design and execution phases of the test.
Financial entities, other than microenterprises, shall establish procedures and policies to prioritise, classify and remedy all issues revealed throughout the performance of the tests and shall establish internal validation methodologies to ascertain that all identified weaknesses, deficiencies or gaps are fully addressed.
Financial entities, other than microenterprises, shall ensure, at least yearly, that appropriate tests are conducted on all ICT systems and applications supporting critical or important functions.
The digital operational resilience testing programme referred to in Article 24 shall provide, in accordance with the criteria set out in Article 4(2), for the execution of appropriate tests, such as vulnerability assessments and scans, open source analyses, network security assessments, gap analyses, physical security reviews, questionnaires and scanning software solutions, source code reviews where feasible, scenario-based tests, compatibility testing, performance testing, end-to-end testing and penetration testing.
Central securities depositories and central counterparties shall perform vulnerability assessments before any deployment or redeployment of new or existing applications and infrastructure components, and ICT services supporting critical or important functions of the financial entity.
Microenterprises shall perform the tests referred to in paragraph 1 by combining a risk-based approach with a strategic planning of ICT testing, by duly considering the need to maintain a balanced approach between the scale of resources and the time to be allocated to the ICT testing provided for in this Article, on the one hand, and the urgency, type of risk, criticality of information assets and of services provided, as well as any other relevant factor, including the financial entity’s ability to take calculated risks, on the other hand.
Financial entities, other than entities referred to in Article 16(1), first subparagraph, and other than microenterprises, which are identified in accordance with paragraph 8, third subparagraph, of this Article, shall carry out at least every 3 years advanced testing by means of TLPT. Based on the risk profile of the financial entity and taking into account operational circumstances, the competent authority may, where necessary, request the financial entity to reduce or increase this frequency.
Each threat-led penetration test shall cover several or all critical or important functions of a financial entity, and shall be performed on live production systems supporting such functions.
Financial entities shall identify all relevant underlying ICT systems, processes and technologies supporting critical or important functions and ICT services, including those supporting the critical or important functions which have been outsourced or contracted to ICT third-party service providers.
Financial entities shall assess which critical or important functions need to be covered by the TLPT. The result of this assessment shall determine the precise scope of TLPT and shall be validated by the competent authorities.
Where ICT third-party service providers are included in the scope of TLPT, the financial entity shall take the necessary measures and safeguards to ensure the participation of such ICT third-party service providers in the TLPT and shall retain at all times full responsibility for ensuring compliance with this Regulation.
Without prejudice to paragraph 2, first and second subparagraphs, where the participation of an ICT third-party service provider in the TLPT, referred to in paragraph 3, is reasonably expected to have an adverse impact on the quality or security of services delivered by the ICT third-party service provider to customers that are entities falling outside the scope of this Regulation, or on the confidentiality of the data related to such services, the financial entity and the ICT third-party service provider may agree in writing that the ICT third-party service provider directly enters into contractual arrangements with an external tester, for the purpose of conducting, under the direction of one designated financial entity, a pooled TLPT involving several financial entities (pooled testing) to which the ICT third-party service provider provides ICT services.
That pooled testing shall cover the relevant range of ICT services supporting critical or important functions contracted to the respective ICT third-party service provider by the financial entities. The pooled testing shall be considered TLPT carried out by the financial entities participating in the pooled testing.
The number of financial entities participating in the pooled testing shall be duly calibrated taking into account the complexity and types of services involved.
Financial entities shall, with the cooperation of ICT third-party service providers and other parties involved, including the testers but excluding the competent authorities, apply effective risk management controls to mitigate the risks of any potential impact on data, damage to assets, and disruption to critical or important functions, services or operations at the financial entity itself, its counterparts or to the financial sector.
At the end of the testing, after reports and remediation plans have been agreed, the financial entity and, where applicable, the external testers shall provide to the authority, designated in accordance with paragraph 9 or 10, a summary of the relevant findings, the remediation plans and the documentation demonstrating that the TLPT has been conducted in accordance with the requirements.
Authorities shall provide financial entities with an attestation confirming that the test was performed in accordance with the requirements as evidenced in the documentation in order to allow for mutual recognition of threat led penetration tests between competent authorities. The financial entity shall notify the relevant competent authority of the attestation, the summary of the relevant findings and the remediation plans.
Without prejudice to such attestation, financial entities shall remain at all times fully responsible for the impact of the tests referred to in paragraph 4.
Credit institutions that are classified as significant in accordance with Article 6(4) of Regulation (EU) No 1024/2013, shall only use external testers in accordance with Article 27(1), points (a) to (e).
Competent authorities shall identify financial entities that are required to perform TLPT taking into account the criteria set out in Article 4(2), based on an assessment of the following:
(a) impact-related factors, in particular the extent to which the services provided and activities undertaken by the financial entity impact the financial sector;
(b) possible financial stability concerns, including the systemic character of the financial entity at Union or national level, as applicable;
(c) specific ICT risk profile, level of ICT maturity of the financial entity or technology features involved.
Member States may designate a single public authority in the financial sector to be responsible for TLPT-related matters in the financial sector at national level and shall entrust it with all competences and tasks to that effect.
In the absence of a designation in accordance with paragraph 9 of this Article, and without prejudice to the power to identify the financial entities that are required to perform TLPT, a competent authority may delegate the exercise of some or all of the tasks referred to in this Article and Article 27 to another national authority in the financial sector.
The ESAs shall, in agreement with the ECB, develop joint draft regulatory technical standards in accordance with the TIBER-EU framework in order to specify further:
(a) the criteria used for the purpose of the application of paragraph 8, second subparagraph;
(b) the requirements and standards governing the use of internal testers;
(c) the requirements in relation to:
(i) the scope of TLPT referred to in paragraph 2;
(ii) the testing methodology and approach to be followed for each specific phase of the testing process;
(iii) the results, closure and remediation stages of the testing;
(d) the type of supervisory and other relevant cooperation which are needed for the implementation of TLPT, and for the facilitation of mutual recognition of that testing, in the context of financial entities that operate in more than one Member State, to allow an appropriate level of supervisory involvement and a flexible implementation to cater for specificities of financial sub-sectors or local financial markets.
When developing those draft regulatory technical standards, the ESAs shall give due consideration to any specific feature arising from the distinct nature of activities across different financial services sectors.
The ESAs shall submit those draft regulatory technical standards to the Commission by 17 July 2024.
Power is delegated to the Commission to supplement this Regulation by adopting the regulatory technical standards referred to in the first subparagraph in accordance with Articles 10 to 14 of Regulations (EU) No 1093/2010, (EU) No 1094/2010 and (EU) No 1095/2010.
(a) are of the highest suitability and reputability;
(b) possess technical and organisational capabilities and demonstrate specific expertise in threat intelligence, penetration testing and red team testing;
(c) are certified by an accreditation body in a Member State or adhere to formal codes of conduct or ethical frameworks;
(d) provide an independent assurance, or an audit report, in relation to the sound management of risks associated with the carrying out of TLPT, including the due protection of the financial entity’s confidential information and redress for the business risks of the financial entity;
(e) are duly and fully covered by relevant professional indemnity insurances, including against risks of misconduct and negligence.
(a) such use has been approved by the relevant competent authority or by the single public authority designated in accordance with Article 26(9) and (10);
(b) the relevant competent authority has verified that the financial entity has sufficient dedicated resources and ensured that conflicts of interest are avoided throughout the design and execution phases of the test; and
(c) the threat intelligence provider is external to the financial entity.
(a) financial entities that have in place contractual arrangements for the use of ICT services to run their business operations shall, at all times, remain fully responsible for compliance with, and the discharge of, all obligations under this Regulation and applicable financial services law;
(b) financial entities’ management of ICT third-party risk shall be implemented in light of the principle of proportionality, taking into account:
(i) the nature, scale, complexity and importance of ICT-related dependencies,
(ii) the risks arising from contractual arrangements on the use of ICT services concluded with ICT third-party service providers, taking into account the criticality or importance of the respective service, process or function, and the potential impact on the continuity and availability of financial services and activities, at individual and at group level.
As part of their ICT risk management framework, financial entities, other than entities referred to in Article 16(1), first subparagraph, and other than microenterprises, shall adopt, and regularly review, a strategy on ICT third-party risk, taking into account the multi-vendor strategy referred to in Article 6(9), where applicable. The strategy on ICT third-party risk shall include a policy on the use of ICT services supporting critical or important functions provided by ICT third-party service providers and shall apply on an individual basis and, where relevant, on a sub-consolidated and consolidated basis. The management body shall, on the basis of an assessment of the overall risk profile of the financial entity and the scale and complexity of the business services, regularly review the risks identified in respect to contractual arrangements on the use of ICT services supporting critical or important functions.
As part of their ICT risk management framework, financial entities shall maintain and update at entity level, and at sub-consolidated and consolidated levels, a register of information in relation to all contractual arrangements on the use of ICT services provided by ICT third-party service providers.
The contractual arrangements referred to in the first subparagraph shall be appropriately documented, distinguishing between those that cover ICT services supporting critical or important functions and those that do not.
Financial entities shall report at least yearly to the competent authorities on the number of new arrangements on the use of ICT services, the categories of ICT third-party service providers, the type of contractual arrangements and the ICT services and functions which are being provided.
Financial entities shall make available to the competent authority, upon its request, the full register of information or, as requested, specified sections thereof, along with any information deemed necessary to enable the effective supervision of the financial entity.
Financial entities shall inform the competent authority in a timely manner about any planned contractual arrangement on the use of ICT services supporting critical or important functions as well as when a function has become critical or important.
(a) assess whether the contractual arrangement covers the use of ICT services supporting a critical or important function;
(b) assess if supervisory conditions for contracting are met;
(c) identify and assess all relevant risks in relation to the contractual arrangement, including the possibility that such contractual arrangement may contribute to reinforcing ICT concentration risk as referred to in Article 29;
(d) undertake all due diligence on prospective ICT third-party service providers and ensure throughout the selection and assessment processes that the ICT third-party service provider is suitable;
(e) identify and assess conflicts of interest that the contractual arrangement may cause.
Financial entities may only enter into contractual arrangements with ICT third-party service providers that comply with appropriate information security standards. When those contractual arrangements concern critical or important functions, financial entities shall, prior to concluding the arrangements, take due consideration of the use, by ICT third-party service providers, of the most up-to-date and highest quality information security standards.
In exercising access, inspection and audit rights over the ICT third-party service provider, financial entities shall, on the basis of a risk-based approach, pre-determine the frequency of audits and inspections as well as the areas to be audited through adhering to commonly accepted audit standards in line with any supervisory instruction on the use and incorporation of such audit standards.
Where contractual arrangements concluded with ICT third-party service providers on the use of ICT services entail high technical complexity, the financial entity shall verify that auditors, whether internal or external, or a pool of auditors, possess appropriate skills and knowledge to effectively perform the relevant audits and assessments.
(a) significant breach by the ICT third-party service provider of applicable laws, regulations or contractual terms;
(b) circumstances identified throughout the monitoring of ICT third-party risk that are deemed capable of altering the performance of the functions provided through the contractual arrangement, including material changes that affect the arrangement or the situation of the ICT third-party service provider;
(c) ICT third-party service provider’s evidenced weaknesses pertaining to its overall ICT risk management and in particular in the way it ensures the availability, authenticity, integrity and, confidentiality, of data, whether personal or otherwise sensitive data, or non-personal data;
(d) where the competent authority can no longer effectively supervise the financial entity as a result of the conditions of, or circumstances related to, the respective contractual arrangement.
Financial entities shall ensure that they are able to exit contractual arrangements without:
(a) disruption to their business activities,
(b) limiting compliance with regulatory requirements,
(c) detriment to the continuity and quality of services provided to clients.
Exit plans shall be comprehensive, documented and, in accordance with the criteria set out in Article 4(2), shall be sufficiently tested and reviewed periodically.
Financial entities shall identify alternative solutions and develop transition plans enabling them to remove the contracted ICT services and the relevant data from the ICT third-party service provider and to securely and integrally transfer them to alternative providers or reincorporate them in-house.
Financial entities shall have appropriate contingency measures in place to maintain business continuity in the event of the circumstances referred to in the first subparagraph.
Power is conferred on the Commission to adopt the implementing technical standards referred to in the first subparagraph in accordance with Article 15 of Regulations (EU) No 1093/2010, (EU) No 1094/2010 and (EU) No 1095/2010.
When developing those draft regulatory technical standards, the ESAs shall take into account the size and the overall risk profile of the financial entity, and the nature, scale and complexity of its services, activities and operations. The ESAs shall submit those draft regulatory technical standards to the Commission by 17 January 2024.
Power is delegated to the Commission to supplement this Regulation by adopting the regulatory technical standards referred to in the first subparagraph in accordance with Articles 10 to 14 of Regulations (EU) No 1093/2010, (EU) No 1094/2010 and (EU) No 1095/2010.
(a) contracting an ICT third-party service provider that is not easily substitutable; or
(b) having in place multiple contractual arrangements in relation to the provision of ICT services supporting critical or important functions with the same ICT third-party service provider or with closely connected ICT third-party service providers.
Financial entities shall weigh the benefits and costs of alternative solutions, such as the use of different ICT third-party service providers, taking into account if and how envisaged solutions match the business needs and objectives set out in their digital resilience strategy.
Where contractual arrangements concern ICT services supporting critical or important functions, financial entities shall duly consider the insolvency law provisions that would apply in the event of the ICT third-party service provider’s bankruptcy as well as any constraint that may arise in respect to the urgent recovery of the financial entity’s data.
Where contractual arrangements on the use of ICT services supporting critical or important functions are concluded with an ICT third-party service provider established in a third country, financial entities shall, in addition to the considerations referred to in the second subparagraph, also consider the compliance with Union data protection rules and the effective enforcement of the law in that third country.
Where the contractual arrangements on the use of ICT services supporting critical or important functions provide for subcontracting, financial entities shall assess whether and how potentially long or complex chains of subcontracting may impact their ability to fully monitor the contracted functions and the ability of the competent authority to effectively supervise the financial entity in that respect.
The rights and obligations of the financial entity and of the ICT third-party service provider shall be clearly allocated and set out in writing. The full contract shall include the service level agreements and be documented in one written document which shall be available to the parties on paper, or in a document with another downloadable, durable and accessible format.
The contractual arrangements on the use of ICT services shall include at least the following elements:
(a) a clear and complete description of all functions and ICT services to be provided by the ICT third-party service provider, indicating whether subcontracting of an ICT service supporting a critical or important function, or material parts thereof, is permitted and, when that is the case, the conditions applying to such subcontracting;
(b) the locations, namely the regions or countries, where the contracted or subcontracted functions and ICT services are to be provided and where data is to be processed, including the storage location, and the requirement for the ICT third-party service provider to notify the financial entity in advance if it envisages changing such locations;
(c) provisions on availability, authenticity, integrity and confidentiality in relation to the protection of data, including personal data;
(d) provisions on ensuring access, recovery and return in an easily accessible format of personal and non-personal data processed by the financial entity in the event of the insolvency, resolution or discontinuation of the business operations of the ICT third-party service provider, or in the event of the termination of the contractual arrangements;
(e) service level descriptions, including updates and revisions thereof;
(f) the obligation of the ICT third-party service provider to provide assistance to the financial entity at no additional cost, or at a cost that is determined ex-ante, when an ICT incident that is related to the ICT service provided to the financial entity occurs;
(g) the obligation of the ICT third-party service provider to fully cooperate with the competent authorities and the resolution authorities of the financial entity, including persons appointed by them;
(h) termination rights and related minimum notice periods for the termination of the contractual arrangements, in accordance with the expectations of competent authorities and resolution authorities;
(i) the conditions for the participation of ICT third-party service providers in the financial entities’ ICT security awareness programmes and digital operational resilience training in accordance with Article 13(6).
(a) full service level descriptions, including updates and revisions thereof with precise quantitative and qualitative performance targets within the agreed service levels to allow effective monitoring by the financial entity of ICT services and enable appropriate corrective actions to be taken, without undue delay, when agreed service levels are not met;
(b) notice periods and reporting obligations of the ICT third-party service provider to the financial entity, including notification of any development that might have a material impact on the ICT third-party service provider’s ability to effectively provide the ICT services supporting critical or important functions in line with agreed service levels;
(c) requirements for the ICT third-party service provider to implement and test business contingency plans and to have in place ICT security measures, tools and policies that provide an appropriate level of security for the provision of services by the financial entity in line with its regulatory framework;
(d) the obligation of the ICT third-party service provider to participate and fully cooperate in the financial entity’s TLPT as referred to in Articles 26 and 27;
(e) the right to monitor, on an ongoing basis, the ICT third-party service provider’s performance, which entails the following:
(i) unrestricted rights of access, inspection and audit by the financial entity, or an appointed third party, and by the competent authority, and the right to take copies of relevant documentation on-site if they are critical to the operations of the ICT third-party service provider, the effective exercise of which is not impeded or limited by other contractual arrangements or implementation policies;
(ii) the right to agree on alternative assurance levels if other clients’ rights are affected;
(iii) the obligation of the ICT third-party service provider to fully cooperate during the onsite inspections and audits performed by the competent authorities, the Lead Overseer, financial entity or an appointed third party; and
(iv) the obligation to provide details on the scope, procedures to be followed and frequency of such inspections and audits;
(f) exit strategies, in particular the establishment of a mandatory adequate transition period:
(i) during which the ICT third-party service provider will continue providing the respective functions, or ICT services, with a view to reducing the risk of disruption at the financial entity or to ensure its effective resolution and restructuring;
(ii) allowing the financial entity to migrate to another ICT third-party service provider or change to in-house solutions consistent with the complexity of the service provided.
By way of derogation from point (e), the ICT third-party service provider and the financial entity that is a microenterprise may agree that the financial entity’s rights of access, inspection and audit can be delegated to an independent third party, appointed by the ICT third-party service provider, and that the financial entity is able to request information and assurance on the ICT third-party service provider’s performance from the third party at any time.
When negotiating contractual arrangements, financial entities and ICT third-party service providers shall consider the use of standard contractual clauses developed by public authorities for specific services.
The ESAs shall, through the Joint Committee, develop draft regulatory technical standards to specify further the elements referred to in paragraph 2, point (a), which a financial entity needs to determine and assess when subcontracting ICT services supporting critical or important functions.
When developing those draft regulatory technical standards, the ESAs shall take into consideration the size and overall risk profile of the financial entity, and the nature, scale and complexity of its services, activities and operations.
The ESAs shall submit those draft regulatory technical standards to the Commission by 17 July 2024.
Power is delegated to the Commission to supplement this Regulation by adopting the regulatory technical standards referred to in the first subparagraph in accordance with Articles 10 to 14 of Regulations (EU) No 1093/2010, (EU) No 1094/2010 and (EU) No 1095/2010.
(a) designate the ICT third-party service providers that are critical for financial entities, following an assessment that takes into account the criteria specified in paragraph 2;
(b) appoint as Lead Overseer for each critical ICT third-party service provider the ESA that is responsible, in accordance with Regulations (EU) No 1093/2010, (EU) No 1094/2010 or (EU) No 1095/2010, for the financial entities having together the largest share of total assets out of the value of total assets of all financial entities using the services of the relevant critical ICT third-party service provider, as evidenced by the sum of the individual balance sheets of those financial entities.
(a) the systemic impact on the stability, continuity or quality of the provision of financial services in the event that the relevant ICT third-party service provider would face a large scale operational failure to provide its services, taking into account the number of financial entities and the total value of assets of financial entities to which the relevant ICT third-party service provider provides services;
(b) the systemic character or importance of the financial entities that rely on the relevant ICT third-party service provider, assessed in accordance with the following parameters:
(i) the number of global systemically important institutions (G-SIIs) or other systemically important institutions (O-SIIs) that rely on the respective ICT third-party service provider;
(ii) the interdependence between the G-SIIs or O-SIIs referred to in point (i) and other financial entities, including situations where the G-SIIs or O-SIIs provide financial infrastructure services to other financial entities;
(c) the reliance of financial entities on the services provided by the relevant ICT third-party service provider in relation to critical or important functions of financial entities that ultimately involve the same ICT third-party service provider, irrespective of whether financial entities rely on those services directly or indirectly, through subcontracting arrangements;
(d) the degree of substitutability of the ICT third-party service provider, taking into account the following parameters:
(i) the lack of real alternatives, even partial, due to the limited number of ICT third-party service providers active on a specific market, or the market share of the relevant ICT third-party service provider, or the technical complexity or sophistication involved, including in relation to any proprietary technology, or the specific features of the ICT third-party service provider’s organisation or activity;
(ii) difficulties in relation to partially or fully migrating the relevant data and workloads from the relevant ICT third-party service provider to another ICT third-party service provider, due either to significant financial costs, time or other resources that the migration process may entail, or to increased ICT risk or other operational risks to which the financial entity may be exposed through such migration.
Where the ICT third-party service provider belongs to a group, the criteria referred to in paragraph 2 shall be considered in relation to the ICT services provided by the group as a whole.
Critical ICT third-party service providers which are part of a group shall designate one legal person as a coordination point to ensure adequate representation and communication with the Lead Overseer.
The Lead Overseer shall notify the ICT third-party service provider of the outcome of the assessment leading to the designation referred in paragraph 1, point (a). Within 6 weeks from the date of the notification, the ICT third-party service provider may submit to the Lead Overseer a reasoned statement with any relevant information for the purposes of the assessment. The Lead Overseer shall consider the reasoned statement and may request additional information to be submitted within 30 calendar days of the receipt of such statement.
After designating an ICT third-party service provider as critical, the ESAs, through the Joint Committee, shall notify the ICT third-party service provider of such designation and the starting date as from which they will effectively be subject to oversight activities. That starting date shall be no later than one month after the notification. The ICT third-party service provider shall notify the financial entities to which they provide services of their designation as critical.
The Commission is empowered to adopt a delegated act in accordance with Article 57 to supplement this Regulation by specifying further the criteria referred to in paragraph 2 of this Article, by 17 July 2024.
The designation referred to in paragraph 1, point (a), shall not be used until the Commission has adopted a delegated act in accordance with paragraph 6.
The designation referred to in paragraph 1, point (a), shall not apply to the following:
(i) financial entities providing ICT services to other financial entities;
(ii) ICT third-party service providers that are subject to oversight frameworks established for the purposes of supporting the tasks referred to in Article 127(2) of the Treaty on the Functioning of the European Union;
(iii) ICT intra-group service providers;
(iv) ICT third-party service providers providing ICT services solely in one Member State to financial entities that are only active in that Member State.
The ESAs, through the Joint Committee, shall establish, publish and update yearly the list of critical ICT third-party service providers at Union level.
For the purposes of paragraph 1, point (a), competent authorities shall, on a yearly and aggregated basis, transmit the reports referred to in Article 28(3), third subparagraph, to the Oversight Forum established pursuant to Article 32. The Oversight Forum shall assess the ICT third-party dependencies of financial entities based on the information received from the competent authorities.
The ICT third-party service providers that are not included in the list referred to in paragraph 9 may request to be designated as critical in accordance with paragraph 1, point (a).
For the purpose of the first subparagraph, the ICT third-party service provider shall submit a reasoned application to EBA, ESMA or EIOPA, which, through the Joint Committee, shall decide whether to designate that ICT third-party service provider as critical in accordance with paragraph 1, point (a).
The decision referred to in the second subparagraph shall be adopted and notified to the ICT third-party service provider within 6 months of receipt of the application.
Financial entities shall only make use of the services of an ICT third-party service provider established in a third country and which has been designated as critical in accordance with paragraph 1, point (a), if the latter has established a subsidiary in the Union within the 12 months following the designation.
The critical ICT third-party service provider referred to in paragraph 12 shall notify the Lead Overseer of any changes to the structure of the management of the subsidiary established in the Union.
The Oversight Forum shall regularly discuss relevant developments on ICT risk and vulnerabilities and promote a consistent approach in the monitoring of ICT third-party risk at Union level.
The Oversight Forum shall, on a yearly basis, undertake a collective assessment of the results and findings of the oversight activities conducted for all critical ICT third-party service providers and promote coordination measures to increase the digital operational resilience of financial entities, foster best practices on addressing ICT concentration risk and explore mitigants for cross-sector risk transfers.
The Oversight Forum shall submit comprehensive benchmarks for critical ICT third-party service providers to be adopted by the Joint Committee as joint positions of the ESAs in accordance with Article 56(1) of Regulations (EU) No 1093/2010, (EU) No 1094/2010 and (EU) No 1095/2010.
The Oversight Forum shall be composed of:
(a) the Chairpersons of the ESAs;
(b) one high-level representative from the current staff of the relevant competent authority referred to in Article 46 from each Member State;
(c) the Executive Directors of each ESA and one representative from the Commission, from the ESRB, from ECB and from ENISA as observers;
(d) where appropriate, one additional representative of a competent authority referred to in Article 46 from each Member State as observer;
(e) where applicable, one representative of the competent authorities designated or established in accordance with Directive (EU) 2022/2555 responsible for the supervision of an essential or important entity subject to that Directive, which has been designated as a critical ICT third-party service provider, as observer.
The Oversight Forum may, where appropriate, seek the advice of independent experts appointed in accordance with paragraph 6.
The ESAs shall publish on their website the list of high-level representatives from the current staff of the relevant competent authority designated by Member States.
The independent experts shall be appointed on the basis of their expertise in financial stability, digital operational resilience and ICT security matters. They shall act independently and objectively in the sole interest of the Union as a whole and shall neither seek nor take instructions from Union institutions or bodies, from any government of a Member State or from any other public or private body.
In accordance with Article 16 of Regulations (EU) No 1093/2010, (EU) No 1094/2010 and (EU) No 1095/2010, the ESAs shall by 17 July 2024 issue, for the purposes of this Section, guidelines on the cooperation between the ESAs and the competent authorities covering the detailed procedures and conditions for the allocation and execution of tasks between competent authorities and the ESAs and the details on the exchanges of information which are necessary for competent authorities to ensure the follow-up of recommendations pursuant to Article 35(1), point (d), addressed to critical ICT third-party service providers.
The requirements set out in this Section shall be without prejudice to the application of Directive (EU) 2022/2555 and of other Union rules on oversight applicable to providers of cloud computing services.
The ESAs, through the Joint Committee and based on preparatory work conducted by the Oversight Forum, shall, on yearly basis, submit a report on the application of this Section to the European Parliament, the Council and the Commission.
The Lead Overseer, appointed in accordance with Article 31(1), point (b), shall conduct the oversight of the assigned critical ICT third-party service providers and shall be, for the purposes of all matters related to the oversight, the primary point of contact for those critical ICT third-party service providers.
For the purposes of paragraph 1, the Lead Overseer shall assess whether each critical ICT third-party service provider has in place comprehensive, sound and effective rules, procedures, mechanisms and arrangements to manage the ICT risk which it may pose to financial entities.
The assessment referred to in the first subparagraph shall focus mainly on ICT services provided by the critical ICT third-party service provider supporting the critical or important functions of financial entities. Where necessary to address all relevant risks, that assessment shall extend to ICT services supporting functions other than those that are critical or important.
(a) ICT requirements to ensure, in particular, the security, availability, continuity, scalability and quality of services which the critical ICT third-party service provider provides to financial entities, as well as the ability to maintain at all times high standards of availability, authenticity, integrity or confidentiality of data;
(b) the physical security contributing to ensuring the ICT security, including the security of premises, facilities, data centres;
(c) the risk management processes, including ICT risk management policies, ICT business continuity policy and ICT response and recovery plans;
(d) the governance arrangements, including an organisational structure with clear, transparent and consistent lines of responsibility and accountability rules enabling effective ICT risk management;
(e) the identification, monitoring and prompt reporting of material ICT-related incidents to financial entities, the management and resolution of those incidents, in particular cyber-attacks;
(f) the mechanisms for data portability, application portability and interoperability, which ensure an effective exercise of termination rights by the financial entities;
(g) the testing of ICT systems, infrastructure and controls;
(h) the ICT audits;
(i) the use of relevant national and international standards applicable to the provision of its ICT services to the financial entities.
Prior to the adoption of the oversight plan, the Lead Overseer shall communicate the draft oversight plan to the critical ICT third-party service provider.
Upon receipt of the draft oversight plan, the critical ICT third-party service provider may submit a reasoned statement within 15 calendar days evidencing the expected impact on customers which are entities falling outside of the scope of this Regulation and where appropriate, formulating solutions to mitigate risks.
To ensure a consistent approach to oversight activities and with a view to enabling coordinated general oversight strategies and cohesive operational approaches and work methodologies, the three Lead Overseers appointed in accordance with Article 31(1), point (b), shall set up a JON to coordinate among themselves in the preparatory stages and to coordinate the conduct of oversight activities over their respective overseen critical ICT third-party service providers, as well as in the course of any action that may be needed pursuant to Article 42.
For the purposes of paragraph 1, the Lead Overseers shall draw up a common oversight protocol specifying the detailed procedures to be followed for carrying out the day-to-day coordination and for ensuring swift exchanges and reactions. The protocol shall be periodically revised to reflect operational needs, in particular the evolution of practical oversight arrangements.
The Lead Overseers may, on an ad-hoc basis, call on the ECB and ENISA to provide technical advice, share hands-on experience or join specific coordination meetings of the JON.
(a) to request all relevant information and documentation in accordance with Article 37;
(b) to conduct general investigations and inspections in accordance with Articles 38 and 39, respectively;
(c) to request, after the completion of the oversight activities, reports specifying the actions that have been taken or the remedies that have been implemented by the critical ICT third-party service providers in relation to the recommendations referred to in point (d) of this paragraph;
(d) to issue recommendations on the areas referred to in Article 33(3), in particular concerning the following:
(i) the use of specific ICT security and quality requirements or processes, in particular in relation to the roll-out of patches, updates, encryption and other security measures which the Lead Overseer deems relevant for ensuring the ICT security of services provided to financial entities;
(ii) the use of conditions and terms, including their technical implementation, under which the critical ICT third-party service providers provide ICT services to financial entities, which the Lead Overseer deems relevant for preventing the generation of single points of failure, the amplification thereof, or for minimising the possible systemic impact across the Union’s financial sector in the event of ICT concentration risk;
(iii) any planned subcontracting, where the Lead Overseer deems that further subcontracting, including subcontracting arrangements which the critical ICT third-party service providers plan to enter into with ICT third-party service providers or with ICT subcontractors established in a third country, may trigger risks for the provision of services by the financial entity, or risks to the financial stability, based on the examination of the information gathered in accordance with Articles 37 and 38;
(iv) refraining from entering into a further subcontracting arrangement, where the following cumulative conditions are met:
the envisaged subcontractor is an ICT third-party service provider or an ICT subcontractor established in a third country;
the subcontracting concerns critical or important functions of the financial entity; and
the Lead Overseer deems that the use of such subcontracting poses a clear and serious risk to the financial stability of the Union or to financial entities, including to the ability of financial entities to comply with supervisory requirements.
For the purpose of point (iv) of this point, ICT third-party service providers shall, using the template referred to in Article 41(1), point (b), transmit the information regarding subcontracting to the Lead Overseer.
(a) ensure regular coordination within the JON, and in particular shall seek consistent approaches, as appropriate, with regard to the oversight of critical ICT third-party service providers;
(b) take due account of the framework established by Directive (EU) 2022/2555 and, where necessary, consult the relevant competent authorities designated or established in accordance with that Directive, in order to avoid duplication of technical and organisational measures that might apply to critical ICT third-party service providers pursuant to that Directive;
(c) seek to minimise, to the extent possible, the risk of disruption to services provided by critical ICT third-party service providers to customers that are entities falling outside the scope of this Regulation.
Before issuing recommendations in accordance with paragraph 1, point (d), the Lead Overseer shall give the opportunity to the ICT third-party service provider to provide, within 30 calendar days, relevant information evidencing the expected impact on customers that are entities falling outside the scope of this Regulation and, where appropriate, formulating solutions to mitigate risks.
The Lead Overseer shall inform the JON of the outcome of the exercise of the powers referred to in paragraph 1, points (a) and (b). The Lead Overseer shall, without undue delay, transmit the reports referred to in paragraph 1, point (c), to the JON and to the competent authorities of the financial entities using the ICT services of that critical ICT third-party service provider.
Critical ICT third-party service providers shall cooperate in good faith with the Lead Overseer, and assist it in the fulfilment of its tasks.
In the event of whole or partial non-compliance with the measures required to be taken pursuant to the exercise of the powers under paragraph 1, points (a), (b) and (c), and after the expiry of a period of at least 30 calendar days from the date on which the critical ICT third-party service provider received notification of the respective measures, the Lead Overseer shall adopt a decision imposing a periodic penalty payment to compel the critical ICT third-party service provider to comply with those measures.
The periodic penalty payment referred to in paragraph 6 shall be imposed on a daily basis until compliance is achieved and for no more than a period of six months following the notification of the decision to impose a periodic penalty payment to the critical ICT third-party service provider.
The amount of the periodic penalty payment, calculated from the date stipulated in the decision imposing the periodic penalty payment, shall be up to 1 % of the average daily worldwide turnover of the critical ICT third-party service provider in the preceding business year. When determining the amount of the penalty payment, the Lead Overseer shall take into account the following criteria regarding non-compliance with the measures referred to in paragraph 6:
(a) the gravity and the duration of non-compliance;
(b) whether non-compliance has been committed intentionally or negligently;
(c) the level of cooperation of the ICT third-party service provider with the Lead Overseer.
For the purposes of the first subparagraph, in order to ensure a consistent approach, the Lead Overseer shall engage in consultation within the JON.
Penalty payments shall be of an administrative nature and shall be enforceable. Enforcement shall be governed by the rules of civil procedure in force in the Member State on the territory of which inspections and access shall be carried out. Courts of the Member State concerned shall have jurisdiction over complaints related to irregular conduct of enforcement. The amounts of the penalty payments shall be allocated to the general budget of the European Union.
The Lead Overseer shall disclose to the public every periodic penalty payment that has been imposed, unless such disclosure would seriously jeopardise the financial markets or cause disproportionate damage to the parties involved.
Before imposing a periodic penalty payment under paragraph 6, the Lead Overseer shall give the representatives of the critical ICT third-party service provider subject to the proceedings the opportunity to be heard on the findings and shall base its decisions only on findings on which the critical ICT third-party service provider subject to the proceedings has had an opportunity to comment.
The rights of the defence of the persons subject to the proceedings shall be fully respected in the proceedings. The critical ICT third-party service provider subject to the proceedings shall be entitled to have access to the file, subject to the legitimate interest of other persons in the protection of their business secrets. The right of access to the file shall not extend to confidential information or to the Lead Overseer’s internal preparatory documents.
(a) in Article 35(1), point (a); and
(b) in Article 35(1), point (b), in accordance with Article 38(2), points (a), (b) and (d), and in Article 39(1) and (2), point (a).
The powers referred to in the first subparagraph may be exercised subject to all of the following conditions:
(i) the conduct of an inspection in a third-country is deemed necessary by the Lead Overseer to allow it to fully and effectively perform its duties under this Regulation;
(ii) the inspection in a third-country is directly related to the provision of ICT services to financial entities in the Union;
(iii) the critical ICT third-party service provider concerned consents to the conduct of an inspection in a third-country; and
(iv) the relevant authority of the third-country concerned has been officially notified by the Lead Overseer and raised no objection thereto.
Those cooperation arrangements shall specify at least the following elements:
(a) the procedures for the coordination of oversight activities carried out under this Regulation and any analogous monitoring of ICT third-party risk in the financial sector exercised by the relevant authority of the third country concerned, including details for transmitting the agreement of the latter to allow the conduct, by the Lead Overseer and its designated team, of general investigations and on-site inspections as referred to in paragraph 1, first subparagraph, on the territory under its jurisdiction;
(b) the mechanism for the transmission of any relevant information between EBA, ESMA or EIOPA and the relevant authority of the third country concerned, in particular in connection with information that may be requested by the Lead Overseer pursuant to Article 37;
(c) the mechanisms for the prompt notification by the relevant authority of the third-country concerned to EBA, ESMA or EIOPA of cases where an ICT third-party service provider established in a third country and designated as critical in accordance with Article 31(1), point (a), is deemed to have infringed the requirements to which it is obliged to adhere pursuant to the applicable law of the third country concerned when providing services to financial institutions in that third country, as well as the remedies and penalties applied;
(d) the regular transmission of updates on regulatory or supervisory developments on the monitoring of ICT third-party risk of financial institutions in the third country concerned;
(e) the details for allowing, if needed, the participation of one representative of the relevant third-country authority in the inspections conducted by the Lead Overseer and the designated team.
(a) exercise its powers under Article 35 on the basis of all facts and documents available to it;
(b) document and explain any consequence of its inability to conduct the envisaged oversight activities as referred to in this Article.
The potential consequences referred to in point (b) of this paragraph shall be taken into consideration in the Lead Overseer’s recommendations issued pursuant to Article 35(1), point (d).
The Lead Overseer may, by simple request or by decision, require critical ICT third-party service providers to provide all information that is necessary for the Lead Overseer to carry out its duties under this Regulation, including all relevant business or operational documents, contracts, policies, documentation, ICT security audit reports, ICT-related incident reports, as well as any information relating to parties to whom the critical ICT third-party service provider has outsourced operational functions or activities.
When sending a simple request for information under paragraph 1, the Lead Overseer shall:
(a) refer to this Article as the legal basis of the request;
(b) state the purpose of the request;
(c) specify what information is required;
(d) set a time limit within which the information is to be provided;
(e) inform the representative of the critical ICT third-party service provider from whom the information is requested that he or she is not obliged to provide the information, but in the event of a voluntary reply to the request the information provided must not be incorrect or misleading.
(a) refer to this Article as the legal basis of the request;
(b) state the purpose of the request;
(c) specify what information is required;
(d) set a time limit within which the information is to be provided;
(e) indicate the periodic penalty payments provided for in Article 35(6) where the production of the required information is incomplete or when such information is not provided within the time limit referred to in point (d) of this paragraph;
(f) indicate the right to appeal the decision to ESA’s Board of Appeal and to have the decision reviewed by the Court of Justice of the European Union (Court of Justice) in accordance with Articles 60 and 61 of Regulations (EU) No 1093/2010, (EU) No 1094/2010 and (EU) No 1095/2010.
The representatives of the critical ICT third-party service providers shall supply the information requested. Lawyers duly authorised to act may supply the information on behalf of their clients. The critical ICT third-party service provider shall remain fully responsible if the information supplied is incomplete, incorrect or misleading.
The Lead Overseer shall, without delay, transmit a copy of the decision to supply information to the competent authorities of the financial entities using the services of the relevant critical ICT third-party service providers and to the JON.
In order to carry out its duties under this Regulation, the Lead Overseer, assisted by the joint examination team referred to in Article 40(1), may, where necessary, conduct investigations of critical ICT third-party service providers.
The Lead Overseer shall have the power to:
(a) examine records, data, procedures and any other material relevant to the execution of its tasks, irrespective of the medium on which they are stored;
(b) take or obtain certified copies of, or extracts from, such records, data, documented procedures and any other material;
(c) summon representatives of the critical ICT third-party service provider for oral or written explanations on facts or documents relating to the subject matter and purpose of the investigation and to record the answers;
(d) interview any other natural or legal person who consents to be interviewed for the purpose of collecting information relating to the subject matter of an investigation;
(e) request records of telephone and data traffic.
That authorisation shall also indicate the periodic penalty payments provided for in Article 35(6) where the production of the required records, data, documented procedures or any other material, or the answers to questions asked to representatives of the ICT third-party service provider are not provided or are incomplete.
The representatives of the critical ICT third-party service providers are required to submit to the investigations on the basis of a decision of the Lead Overseer. The decision shall specify the subject matter and purpose of the investigation, the periodic penalty payments provided for in Article 35(6), the legal remedies available under Regulations (EU) No 1093/2010, (EU) No 1094/2010 and (EU) No 1095/2010, and the right to have the decision reviewed by the Court of Justice.
In good time before the start of the investigation, the Lead Overseer shall inform competent authorities of the financial entities using the ICT services of that critical ICT third-party service provider of the envisaged investigation and of the identity of the authorised persons.
The Lead Overseer shall communicate to the JON all information transmitted pursuant to the first subparagraph.
For the purposes of exercising the powers referred to in the first subparagraph, the Lead Overseer shall consult the JON.
(a) enter any such business premises, land or property; and
(b) seal any such business premises, books or records, for the period of, and to the extent necessary for, the inspection.
The officials and other persons authorised by the Lead Overseer shall exercise their powers upon production of a written authorisation specifying the subject matter and the purpose of the inspection, and the periodic penalty payments provided for in Article 35(6) where the representatives of the critical ICT third-party service providers concerned do not submit to the inspection.
In good time before the start of the inspection, the Lead Overseer shall inform the competent authorities of the financial entities using that ICT third-party service provider.
Inspections shall cover the full range of relevant ICT systems, networks, devices, information and data either used for, or contributing to, the provision of ICT services to financial entities.
Before any planned on-site inspection, the Lead Overseer shall give reasonable notice to the critical ICT third-party service providers, unless such notice is not possible due to an emergency or crisis situation, or if it would lead to a situation where the inspection or audit would no longer be effective.
The critical ICT third-party service provider shall submit to on-site inspections ordered by decision of the Lead Overseer. The decision shall specify the subject matter and purpose of the inspection, fix the date on which the inspection shall begin and shall indicate the periodic penalty payments provided for in Article 35(6), the legal remedies available under Regulations (EU) No 1093/2010, (EU) No 1094/2010 and (EU) No 1095/2010, as well as the right to have the decision reviewed by the Court of Justice.
Where the officials and other persons authorised by the Lead Overseer find that a critical ICT third-party service provider opposes an inspection ordered pursuant to this Article, the Lead Overseer shall inform the critical ICT third-party service provider of the consequences of such opposition, including the possibility for competent authorities of the relevant financial entities to require financial entities to terminate the contractual arrangements concluded with that critical ICT third-party service provider.
When conducting oversight activities, in particular general investigations or inspections, the Lead Overseer shall be assisted by a joint examination team established for each critical ICT third-party service provider.
The joint examination team referred to in paragraph 1 shall be composed of staff members from:
(a) the ESAs;
(b) the relevant competent authorities supervising the financial entities to which the critical ICT third-party service provider provides ICT services;
(c) the national competent authority referred to in Article 32(4), point (e), on a voluntary basis;
(d) one national competent authority from the Member State where the critical ICT third-party service provider is established, on a voluntary basis.
Members of the joint examination team shall have expertise in ICT matters and in operational risk. The joint examination team shall work under the coordination of a designated Lead Overseer staff member (the ‘Lead Overseer coordinator’).
Within 3 months of the completion of an investigation or inspection, the Lead Overseer, after consulting the Oversight Forum, shall adopt recommendations to be addressed to the critical ICT third-party service provider pursuant to the powers referred to in Article 35.
The recommendations referred to in paragraph 3 shall be immediately communicated to the critical ICT third-party service provider and to the competent authorities of the financial entities to which it provides ICT services.
For the purposes of fulfilling the oversight activities, the Lead Overseer may take into consideration any relevant third-party certifications and ICT third-party internal or external audit reports made available by the critical ICT third-party service provider.
(a) the information to be provided by an ICT third-party service provider in the application for a voluntary request to be designated as critical under Article 31(11);
(b) the content, structure and format of the information to be submitted, disclosed or reported by the ICT third-party service providers pursuant to Article 35(1), including the template for providing information on subcontracting arrangements;
(c) the criteria for determining the composition of the joint examination team ensuring a balanced participation of staff members from the ESAs and from the relevant competent authorities, their designation, tasks, and working arrangements.
(d) the details of the competent authorities’ assessment of the measures taken by critical ICT third-party service providers based on the recommendations of the Lead Overseer pursuant to Article 42(3).
Power is delegated to the Commission to supplement this Regulation by adopting the regulatory technical standards referred to in paragraph 1 in accordance with the procedure laid down in Articles 10 to 14 of Regulations (EU) No 1093/2010, (EU) No 1094/2010 and (EU) No 1095/2010.
Within 60 calendar days of the receipt of the recommendations issued by the Lead Overseer pursuant to Article 35(1), point (d), critical ICT third-party service providers shall either notify the Lead Overseer of their intention to follow the recommendations or provide a reasoned explanation for not following such recommendations. The Lead Overseer shall immediately transmit this information to the competent authorities of the financial entities concerned.
The Lead Overseer shall publicly disclose where a critical ICT third-party service provider fails to notify the Lead Overseer in accordance with paragraph 1 or where the explanation provided by the critical ICT third-party service provider is not deemed sufficient. The information published shall disclose the identity of the critical ICT third-party service provider as well as information on the type and nature of the non-compliance. Such information shall be limited to what is relevant and proportionate for the purpose of ensuring public awareness, unless such publication would cause disproportionate damage to the parties involved or could seriously jeopardise the orderly functioning and integrity of financial markets or the stability of the whole or part of the financial system of the Union.
The Lead Overseer shall notify the ICT third-party service provider of that public disclosure.
When managing ICT third-party risk, financial entities shall take into account the risks referred to in the first subparagraph.
Where a competent authority deems that a financial entity fails to take into account or to sufficiently address within its management of ICT third-party risk the specific risks identified in the recommendations, it shall notify the financial entity of the possibility of a decision being taken, within 60 calendar days of the receipt of such notification, pursuant to paragraph 6, in the absence of appropriate contractual arrangements aiming to address such risks.
Upon receiving the reports referred to in Article 35(1), point (c), and prior to taking a decision as referred to in paragraph 6 of this Article, competent authorities may, on a voluntary basis, consult the competent authorities designated or established in accordance with Directive (EU) 2022/2555 responsible for the supervision of an essential or important entity subject to that Directive, which has been designated as a critical ICT third-party service provider.
Competent authorities may, as a measure of last resort, following the notification and, if appropriate, the consultation as set out in paragraph 4 and 5 of this Article, in accordance with Article 50, take a decision requiring financial entities to temporarily suspend, either in part or completely, the use or deployment of a service provided by the critical ICT third-party service provider until the risks identified in the recommendations addressed to critical ICT third-party service providers have been addressed. Where necessary, they may require financial entities to terminate, in part or completely, the relevant contractual arrangements concluded with the critical ICT third-party service providers.
Where a critical ICT third-party service provider refuses to endorse recommendations, based on a divergent approach from the one advised by the Lead Overseer, and such a divergent approach may adversely impact a large number of financial entities, or a significant part of the financial sector, and individual warnings issued by competent authorities have not resulted in consistent approaches mitigating the potential risk to financial stability, the Lead Overseer may, after consulting the Oversight Forum, issue non-binding and non-public opinions to competent authorities, in order to promote consistent and convergent supervisory follow-up measures, as appropriate.
Upon receiving the reports referred to in Article 35(1), point (c), competent authorities, when taking a decision as referred to in paragraph 6 of this Article, shall take into account the type and magnitude of risk that is not addressed by the critical ICT third-party service provider, as well as the seriousness of the non-compliance, having regard to the following criteria:
(a) the gravity and the duration of the non-compliance;
(b) whether the non-compliance has revealed serious weaknesses in the critical ICT third-party service provider’s procedures, management systems, risk management and internal controls;
(c) whether a financial crime was facilitated, occasioned or is otherwise attributable to the non-compliance;
(d) whether the non-compliance has been intentional or negligent;
(e) whether the suspension or termination of the contractual arrangements introduces a risk for continuity of the financial entity’s business operations notwithstanding the financial entity’s efforts to avoid disruption in the provision of its services;
(f) where applicable, the opinion of the competent authorities designated or established in accordance with Directive (EU) 2022/2555 responsible for the supervision of an essential or important entity subject to that Directive, which has been designated as a critical ICT third-party service provider, requested on a voluntary basis in accordance with paragraph 5 of this Article.
Competent authorities shall grant financial entities the necessary period of time to enable them to adjust the contractual arrangements with critical ICT third-party service providers in order to avoid detrimental effects on their digital operational resilience and to allow them to deploy exit strategies and transition plans as referred to in Article 28.
The critical ICT third-party service providers affected by the decisions provided for in paragraph 6 shall fully cooperate with the financial entities impacted, in particular in the context of the process of suspension or termination of their contractual arrangements.
Competent authorities shall regularly inform the Lead Overseer on the approaches and measures taken in their supervisory tasks in relation to financial entities as well as on the contractual arrangements concluded by financial entities where critical ICT third-party service providers have not endorsed in part or entirely recommendations addressed to them by the Lead Overseer.
The Lead Overseer may, upon request, provide further clarifications on the recommendations issued to guide the competent authorities on the follow-up measures.
The amount of a fee charged to a critical ICT third-party service provider shall cover all costs derived from the execution of the duties set out in this Section and shall be proportionate to its turnover.
Without prejudice to Article 36, EBA, ESMA and EIOPA may, in accordance with Article 33 of Regulations (EU) No 1093/2010, (EU) No 1095/2010 and (EU) No 1094/2010, respectively, conclude administrative arrangements with third-country regulatory and supervisory authorities to foster international cooperation on ICT third-party risk across different financial sectors, in particular by developing best practices for the review of ICT risk management practices and controls, mitigation measures and incident responses.
The ESAs shall, through the Joint Committee, submit every five years a joint confidential report to the European Parliament, to the Council and to the Commission, summarising the findings of relevant discussions held with the third countries’ authorities referred to in paragraph 1, focusing on the evolution of ICT third-party risk and the implications for financial stability, market integrity, investor protection and the functioning of the internal market.
(a) aims to enhance the digital operational resilience of financial entities, in particular through raising awareness in relation to cyber threats, limiting or impeding the cyber threats’ ability to spread, supporting defence capabilities, threat detection techniques, mitigation strategies or response and recovery stages;
(b) takes places within trusted communities of financial entities;
(c) is implemented through information-sharing arrangements that protect the potentially sensitive nature of the information shared, and that are governed by rules of conduct in full respect of business confidentiality, protection of personal data in accordance with Regulation (EU) 2016/679 and guidelines on competition policy.
For the purpose of paragraph 1, point (c), the information-sharing arrangements shall define the conditions for participation and, where appropriate, shall set out the details on the involvement of public authorities and the capacity in which they may be associated to the information-sharing arrangements, on the involvement of ICT third-party service providers, and on operational elements, including the use of dedicated IT platforms.
Financial entities shall notify competent authorities of their participation in the information-sharing arrangements referred to in paragraph 1, upon validation of their membership, or, as applicable, of the cessation of their membership, once it takes effect.
Without prejudice to the provisions on the Oversight Framework for critical ICT third-party service providers referred to in Chapter V, Section II, of this Regulation, compliance with this Regulation shall be ensured by the following competent authorities in accordance with the powers granted by the respective legal acts:
(a) for credit institutions and for institutions exempted pursuant to Directive 2013/36/EU, the competent authority designated in accordance with Article 4 of that Directive, and for credit institutions classified as significant in accordance with Article 6(4) of Regulation (EU) No 1024/2013, the ECB in accordance with the powers and tasks conferred by that Regulation;
(b) for payment institutions, including payment institutions exempted pursuant to Directive (EU) 2015/2366, electronic money institutions, including those exempted pursuant to Directive 2009/110/EC, and account information service providers as referred to in Article 33(1) of Directive (EU) 2015/2366, the competent authority designated in accordance with Article 22 of Directive (EU) 2015/2366;
(c) for investment firms, the competent authority designated in accordance with Article 4 of Directive (EU) 2019/2034 of the European Parliament and of the Council (38);
(d) for crypto-asset service providers as authorised under the Regulation on markets in crypto-assets and issuers of asset-referenced tokens, the competent authority designated in accordance with the relevant provision of that Regulation;
(e) for central securities depositories, the competent authority designated in accordance with Article 11 of Regulation (EU) No 909/2014;
(f) for central counterparties, the competent authority designated in accordance with Article 22 of Regulation (EU) No 648/2012;
(g) for trading venues and data reporting service providers, the competent authority designated in accordance with Article 67 of Directive 2014/65/EU, and the competent authority as defined in Article 2(1), point (18), of Regulation (EU) No 600/2014;
(h) for trade repositories, the competent authority designated in accordance with Article 22 of Regulation (EU) No 648/2012;
(i) for managers of alternative investment funds, the competent authority designated in accordance with Article 44 of Directive 2011/61/EU;
(j) for management companies, the competent authority designated in accordance with Article 97 of Directive 2009/65/EC;
(k) for insurance and reinsurance undertakings, the competent authority designated in accordance with Article 30 of Directive 2009/138/EC;
(l) for insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries, the competent authority designated in accordance with Article 12 of Directive (EU) 2016/97;
(m) for institutions for occupational retirement provision, the competent authority designated in accordance with Article 47 of Directive (EU) 2016/2341;
(n) for credit rating agencies, the competent authority designated in accordance with Article 21 of Regulation (EC) No 1060/2009;
(o) for administrators of critical benchmarks, the competent authority designated in accordance with Articles 40 and 41 of Regulation (EU) 2016/1011;
(p) for crowdfunding service providers, the competent authority designated in accordance with Article 29 of Regulation (EU) 2020/1503;
(q) for securitisation repositories, the competent authority designated in accordance with Articles 10 and 14(1) of Regulation (EU) 2017/2402.
To foster cooperation and enable supervisory exchanges between the competent authorities designated under this Regulation and the Cooperation Group established by Article 14 of Directive (EU) 2022/2555, the ESAs and the competent authorities may participate in the activities of the Cooperation Group for matters that concern their supervisory activities in relation to financial entities. The ESAs and the competent authorities may request to be invited to participate in the activities of the Cooperation Group for matters in relation to essential or important entities subject to Directive (EU) 2022/2555 that have also been designated as critical ICT third-party service providers pursuant to Article 31 of this Regulation.
Where appropriate, competent authorities may consult and share information with the single points of contact and the CSIRTs designated or established in accordance with Directive (EU) 2022/2555.
Where appropriate, competent authorities may request any relevant technical advice and assistance from the competent authorities designated or established in accordance with Directive (EU) 2022/2555 and establish cooperation arrangements to allow effective and fast-response coordination mechanisms to be set up.
The arrangements referred to in paragraph 3 of this Article may, inter alia, specify the procedures for the coordination of supervisory and oversight activities in relation to essential or important entities subject to Directive (EU) 2022/2555 that have been designated as critical ICT third-party service providers pursuant to Article 31 of this Regulation, including for the conduct, in accordance with national law, of investigations and on-site inspections, as well as for mechanisms for the exchange of information between the competent authorities under this Regulation and the competent authorities designated or established in accordance with that Directive which includes access to information requested by the latter authorities.
Competent authorities shall cooperate closely among themselves and, where applicable, with the Lead Overseer.
Competent authorities and the Lead Overseer shall, in a timely manner, mutually exchange all relevant information concerning critical ICT third-party service providers which is necessary for them to carry out their respective duties under this Regulation, in particular in relation to identified risks, approaches and measures taken as part of the Lead Overseer’s oversight tasks.
They may develop crisis management and contingency exercises involving cyber-attack scenarios with a view to developing communication channels and gradually enabling an effective coordinated response at Union level in the event of a major cross-border ICT-related incident or related threat having a systemic impact on the Union’s financial sector as a whole.
Those exercises may, as appropriate, also test the financial sector’s dependencies on other economic sectors.
Competent authorities shall have all supervisory, investigatory and sanctioning powers necessary to fulfil their duties under this Regulation.
The powers referred to in paragraph 1 shall include at least the following powers to:
(a) have access to any document or data held in any form that the competent authority considers relevant for the performance of its duties and receive or take a copy of it;
(b) carry out on-site inspections or investigations, which shall include but shall not be limited to;
(i) summoning representatives of the financial entities for oral or written explanations on facts or documents relating to the subject matter and purpose of the investigation and to record the answers;
(ii) interviewing any other natural or legal person who consents to be interviewed for the purpose of collecting information relating to the subject matter of an investigation;
(c) require corrective and remedial measures for breaches of the requirements of this Regulation.
Those penalties and measures shall be effective, proportionate and dissuasive.
(a) issue an order requiring the natural or legal person to cease conduct that is in breach of this Regulation and to desist from a repetition of that conduct;
(b) require the temporary or permanent cessation of any practice or conduct that the competent authority considers to be contrary to the provisions of this Regulation and prevent repetition of that practice or conduct;
(c) adopt any type of measure, including of pecuniary nature, to ensure that financial entities continue to comply with legal requirements;
(d) require, insofar as permitted by national law, existing data traffic records held by a telecommunication operator, where there is a reasonable suspicion of a breach of this Regulation and where such records may be relevant to an investigation into breaches of this Regulation; and
(e) issue public notices, including public statements indicating the identity of the natural or legal person and the nature of the breach.
Where paragraph 2, point (c), and paragraph 4 apply to legal persons, Member States shall confer on competent authorities the power to apply the administrative penalties and remedial measures, subject to the conditions provided for in national law, to members of the management body, and to other individuals who under national law are responsible for the breach.
Member States shall ensure that any decision imposing administrative penalties or remedial measures set out in paragraph 2, point (c), is properly reasoned and is subject to a right of appeal.
(a) directly;
(b) in collaboration with other authorities;
(c) under their responsibility by delegation to other authorities; or
(d) by application to the competent judicial authorities.
(a) the materiality, gravity and the duration of the breach;
(b) the degree of responsibility of the natural or legal person responsible for the breach;
(c) the financial strength of the responsible natural or legal person;
(d) the importance of profits gained or losses avoided by the responsible natural or legal person, insofar as they can be determined;
(e) the losses for third parties caused by the breach, insofar as they can be determined;
(f) the level of cooperation of the responsible natural or legal person with the competent authority, without prejudice to the need to ensure disgorgement of profits gained or losses avoided by that natural or legal person;
(g) previous breaches by the responsible natural or legal person.
Member States may decide not to lay down rules for administrative penalties or remedial measures for breaches that are subject to criminal penalties under their national law.
Where Member States have chosen to lay down criminal penalties for breaches of this Regulation, they shall ensure that appropriate measures are in place so that competent authorities have all the necessary powers to liaise with judicial, prosecuting, or criminal justice authorities within their jurisdiction to receive specific information related to criminal investigations or proceedings commenced for breaches of this Regulation, and to provide the same information to other competent authorities, as well as EBA, ESMA or EIOPA to fulfil their obligations to cooperate for the purposes of this Regulation.
Member States shall notify the laws, regulations and administrative provisions implementing this Chapter, including any relevant criminal law provisions, to the Commission, ESMA, the EBA and EIOPA by 17 January 2025. Member States shall notify the Commission, ESMA, the EBA and EIOPA without undue delay of any subsequent amendments thereto.
Competent authorities shall publish on their official websites, without undue delay, any decision imposing an administrative penalty against which there is no appeal after the addressee of the penalty has been notified of that decision.
The publication referred to in paragraph 1 shall include information on the type and nature of the breach, the identity of the persons responsible and the penalties imposed.
Where the competent authority, following a case-by-case assessment, considers that the publication of the identity, in the case of legal persons, or of the identity and personal data, in the case of natural persons, would be disproportionate, including risks in relation to the protection of personal data, jeopardise the stability of financial markets or the pursuit of an ongoing criminal investigation, or cause, insofar as these can be determined, disproportionate damages to the person involved, it shall adopt one of the following solutions in respect of the decision imposing an administrative penalty:
(a) defer its publication until all reasons for non-publication cease to exist;
(b) publish it on an anonymous basis, in accordance with national law; or
(c) refrain from publishing it, where the options set out in points (a) and (b) are deemed either insufficient to guarantee a lack of any danger for the stability of financial markets, or where such a publication would not be proportionate to the leniency of the imposed penalty.
In the case of a decision to publish an administrative penalty on an anonymous basis in accordance with paragraph 3, point (b), the publication of the relevant data may be postponed.
Where a competent authority publishes a decision imposing an administrative penalty against which there is an appeal before the relevant judicial authorities, competent authorities shall immediately add on their official website that information and, at later stages, any subsequent related information on the outcome of such appeal. Any judicial decision annulling a decision imposing an administrative penalty shall also be published.
Competent authorities shall ensure that any publication referred to in paragraphs 1 to 4 shall remain on their official website only for the period which is necessary to bring forth this Article. This period shall not exceed five years after its publication.
Any confidential information received, exchanged or transmitted pursuant to this Regulation shall be subject to the conditions of professional secrecy laid down in paragraph 2.
The obligation of professional secrecy applies to all persons who work, or who have worked, for the competent authorities pursuant to this Regulation, or for any authority or market undertaking or natural or legal person to whom those competent authorities have delegated their powers, including auditors and experts contracted by them.
Information covered by professional secrecy, including the exchange of information among competent authorities under this Regulation and competent authorities designated or established in accordance with Directive (EU) 2022/2555, shall not be disclosed to any other person or authority except by virtue of provisions laid down by Union or national law;
All information exchanged between the competent authorities pursuant to this Regulation that concerns business or operational conditions and other economic or personal affairs shall be considered confidential and shall be subject to the requirements of professional secrecy, except where the competent authority states, at the time of communication, that such information may be disclosed or where such disclosure is necessary for legal proceedings.
The ESAs and the competent authorities shall be allowed to process personal data only where necessary for the purpose of carrying out their respective obligations and duties pursuant to this Regulation, in particular for investigation, inspection, request for information, communication, publication, evaluation, verification, assessment and drafting of oversight plans. The personal data shall be processed in accordance with Regulation (EU) 2016/679 or Regulation (EU) 2018/1725, whichever is applicable.
Except where otherwise provided in other sectoral acts, the personal data referred to in paragraph 1 shall be retained until the discharge of the applicable supervisory duties and in any case for a maximum period of 15 years, except in the event of pending court proceedings requiring further retention of such data.
The power to adopt delegated acts is conferred on the Commission subject to the conditions laid down in this Article.
The power to adopt delegated acts referred to in Articles 31(6) and 43(2) shall be conferred on the Commission for a period of five years from 17 January 2024. The Commission shall draw up a report in respect of the delegation of power not later than nine months before the end of the five-year period. The delegation of power shall be tacitly extended for periods of an identical duration, unless the European Parliament or the Council opposes such extension not later than three months before the end of each period.
The delegation of power referred to in Articles 31(6) and 43(2) may be revoked at any time by the European Parliament or by the Council. A decision to revoke shall put an end to the delegation of the power specified in that decision. It shall take effect the day following the publication of the decision in the Official Journal of the European Union or at a later date specified therein. It shall not affect the validity of any delegated acts already in force.
Before adopting a delegated act, the Commission shall consult experts designated by each Member State in accordance with the principles laid down in the Interinstitutional Agreement of 13 April 2016 on Better Law-Making.
As soon as it adopts a delegated act, the Commission shall notify it simultaneously to the European Parliament and to the Council.
A delegated act adopted pursuant to Articles 31(6) and 43(2) shall enter into force only if no objection has been expressed either by the European Parliament or by the Council within a period of three months of notification of that act to the European Parliament and the Council or if, before the expiry of that period, the European Parliament and the Council have both informed the Commission that they will not object. That period shall be extended by three months at the initiative of the European Parliament or of the Council.
(a) the criteria for the designation of critical ICT third-party service providers in accordance with Article 31(2);
(b) the voluntary nature of the notification of significant cyber threats referred to in Article 19;
(c) the regime referred to in Article 31(12) and the powers of the Lead Overseer provided for in Article 35(1), point (d), point (iv), first indent, with a view to evaluating the effectiveness of those provisions with regard to ensuring effective oversight of critical ICT third-party service providers established in a third country, and the necessity to establish a subsidiary in the Union.
For the purposes of the first subparagraph of this point, the review shall include an analysis of the regime referred to in Article 31(12), including in terms of access for Union financial entities to services from third countries and availability of such services on the Union market and it shall take into account further developments in the markets for the services covered by this Regulation, the practical experience of financial entities and financial supervisors with regard to the application and, respectively, supervision of that regime, and any relevant regulatory and supervisory developments taking place at international level.
(d) the appropriateness of including in the scope of this Regulation financial entities referred to in Article 2(3), point (e), making use of automated sales systems, in light of future market developments on the use of such systems;
(e) the functioning and effectiveness of the JON in supporting the consistency of the oversight and the efficiency of the exchange of information within the Oversight Framework.
Based on that review report, and after consulting ESAs, ECB and the ESRB, the Commission may submit, where appropriate and as part of the legislative proposal that it may adopt pursuant to Article 108, second paragraph, of Directive (EU) 2015/2366, a proposal to ensure that all operators of payment systems and entities involved in payment-processing activities are subject to an appropriate oversight, while taking into account existing oversight by the central bank.
Regulation (EC) No 1060/2009 is amended as follows:
‘A credit rating agency shall have sound administrative and accounting procedures, internal control mechanisms, effective procedures for risk assessment, and effective control and safeguard arrangements for managing ICT systems in accordance with Regulation (EU) 2022/2554 of the European Parliament and of the Council(*1).
‘12.
The credit rating agency infringes Article 6(2), in conjunction with point 4 of Section A of Annex I, by not having sound administrative or accounting procedures, internal control mechanisms, effective procedures for risk assessment, or effective control or safeguard arrangements for managing ICT systems in accordance with Regulation (EU) 2022/2554; or by not implementing or maintaining decision-making procedures or organisational structures as required by that point.’.
Regulation (EU) No 648/2012 is amended as follows:
‘3. A CCP shall maintain and operate an organisational structure that ensures continuity and orderly functioning in the performance of its services and activities. It shall employ appropriate and proportionate systems, resources and procedures, including ICT systems managed in accordance with Regulation (EU) 2022/2554 of the European Parliament and of the Council(*2).
‘1. A CCP shall establish, implement and maintain an adequate business continuity policy and disaster recovery plan, which shall include ICT business continuity policy and ICT response and recovery plans put in place and implemented in accordance with Regulation (EU) 2022/2554, aiming to ensure the preservation of its functions, the timely recovery of operations and the fulfilment of the CCP’s obligations.’;
‘3. In order to ensure consistent application of this Article, ESMA shall, after consulting the members of the ESCB, develop draft regulatory technical standards specifying the minimum content and requirements of the business continuity policy and of the disaster recovery plan, excluding ICT business continuity policy and disaster recovery plans.’;
‘3. In order to ensure consistent application of this Article, ESMA shall develop draft regulatory technical standards specifying the details, other than for requirements related to ICT risk management, of the application for registration referred to in paragraph 1.’;
‘1. A trade repository shall identify sources of operational risk and minimise them also through the development of appropriate systems, controls and procedures, including ICT systems managed in accordance with Regulation (EU) 2022/2554.
A trade repository shall establish, implement and maintain an adequate business continuity policy and disaster recovery plan including ICT business continuity policy and ICT response and recovery plans established in accordance with Regulation (EU) 2022/2554, aiming to ensure the maintenance of its functions, the timely recovery of operations and the fulfilment of the trade repository’s obligations.’;
in Article 80, paragraph 1 is deleted.
in Annex I, Section II is amended as follows:
’- (a) a trade repository infringes Article 79(1) by not identifying sources of operational risk or by not minimising those risks through the development of appropriate systems, controls and procedures including ICT systems managed in accordance with Regulation (EU) 2022/2554;
(b) a trade repository infringes Article 79(2) by not establishing, implementing or maintaining an adequate business continuity policy and disaster recovery plan established in accordance with Regulation (EU) 2022/2554, aiming to ensure the maintenance of its functions, the timely recovery of operations and the fulfilment of the trade repository’s obligations;’;
(b) point (c) is deleted.
(a) Section II is amended as follows:
(i) point (c) is replaced by the following:
’- (c) a Tier 2 CCP infringes Article 26(3) by not maintaining or operating an organisational structure that ensures continuity and orderly functioning in the performance of its services and activities or by not employing appropriate and proportionate systems, resources or procedures including ICT systems managed in accordance with Regulation (EU) 2022/2554;’;
(ii) point (f) is deleted.
(b) in Section III, point (a) is replaced by the following:
’- (a) a Tier 2 CCP infringes Article 34(1) by not establishing, implementing or maintaining an adequate business continuity policy and response and recovery plan set up in accordance with Regulation (EU) 2022/2554, aiming to ensure the preservation of its functions, the timely recovery of operations and the fulfilment of the CCP’s obligations, which at least allows for the recovery of all transactions at the time of disruption to allow the CCP to continue to operate with certainty and to complete settlement on the scheduled date;‘.
Article 45 of Regulation (EU) No 909/2014 is amended as follows:
‘1. A CSD shall identify sources of operational risk, both internal and external, and minimise their impact also through the deployment of appropriate ICT tools, processes and policies set up and managed in accordance with Regulation (EU) 2022/2554 of the European Parliament and of the Council(*3), as well as through any other relevant appropriate tools, controls and procedures for other types of operational risk, including for all the securities settlement systems it operates.
paragraph 2 is deleted;
paragraphs 3 and 4 are replaced by the following:
‘3. For services that it provides as well as for each securities settlement system that it operates, a CSD shall establish, implement and maintain an adequate business continuity policy and disaster recovery plan, including ICT business continuity policy and ICT response and recovery plans established in accordance with Regulation (EU) 2022/2554, to ensure the preservation of its services, the timely recovery of operations and the fulfilment of the CSD’s obligations in the case of events that pose a significant risk to disrupting operations.
The plan referred to in paragraph 3 shall provide for the recovery of all transactions and participants’ positions at the time of disruption to allow the participants of a CSD to continue to operate with certainty and to complete settlement on the scheduled date, including by ensuring that critical IT systems can resume operations from the time of disruption as provided for in Article 12(5) and (7) of Regulation (EU) 2022/2554.’;
paragraph 6 is replaced by the following:
‘6. A CSD shall identify, monitor and manage the risks that key participants in the securities settlement systems it operates, as well as service and utility providers, and other CSDs or other market infrastructures might pose to its operations. It shall, upon request, provide competent and relevant authorities with information on any such risk identified. It shall also inform the competent authority and relevant authorities without delay of any operational incidents, other than in relation to ICT risk, resulting from such risks.’;
‘7. ESMA shall, in close cooperation with the members of the ESCB, develop draft regulatory technical standards to specify the operational risks referred to in paragraphs 1 and 6, other than ICT risk, and the methods to test, to address or to minimise those risks, including the business continuity policies and disaster recovery plans referred to in paragraphs 3 and 4 and the methods of assessment thereof.’.
Regulation (EU) No 600/2014 is amended as follows:
‘4.
An APA shall comply with the requirements concerning the security of network and information systems set out in Regulation (EU) 2022/2554 of the European Parliament and of the Council(*4).
’- (c) the concrete organisational requirements laid down in paragraphs 3 and 5.’;
‘5. A CTP shall comply with the requirements concerning the security of network and information systems set out in Regulation (EU) 2022/2554.’.
’- (e) the concrete organisational requirements laid down in paragraph 4.’;
‘3. An ARM shall comply with the requirements concerning the security of network and information systems set out in Regulation (EU) 2022/2554.’;
’- (b) the concrete organisational requirements laid down in paragraphs 2 and 4.’.
In Article 6 of Regulation (EU) 2016/1011, the following paragraph is added:
‘6.
For critical benchmarks, an administrator shall have sound administrative and accounting procedures, internal control mechanisms, effective procedures for risk assessment, and effective control and safeguard arrangements for managing ICT systems in accordance with Regulation (EU) 2022/2554 of the European Parliament and of the Council(*5).
This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.
It shall apply from 17 January 2025.
This Regulation shall be binding in its entirety and directly applicable in all Member States.
Done at Strasbourg, 14 December 2022.
For the European Parliament
The President
R. METSOLA
For the Council
The President
M. BEK
27.10.2022 EN Official Journal of the European Union L 277/1
REGULATION (EU) 2022/2065 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 19 October 2022 on a Single Market For Digital Services and amending Directive 2000/31/EC (Digital Services Act) (Text with EEA relevance)
THE EUROPEAN PARLIAMENT AND THE COUNCIL OF THE EUROPEAN UNION,
Having regard to the Treaty on the Functioning of the European Union, and in particular Article 114 thereof, Having regard to the proposal from the European Commission, After transmission of the draft legislative act to the national parliaments, Having regard to the opinion of the European Economic and Social Committee [^1], Having regard to the opinion of the Committee of the Regions [^2], Acting in accordance with the ordinary legislative procedure [^3],
Whereas:
(1) Information society services and especially intermediary services have become an important part of the Union’s economy and the daily life of Union citizens. Twenty years after the adoption of the existing legal framework applicable to such services laid down in Directive 2000/31/EC of the European Parliament and of the Council (4), new and innovative business models and services, such as online social networks and online platforms allowing consumers to conclude distance contracts with traders, have allowed business users and consumers to impart and access information and engage in transactions in novel ways. A majority of Union citizens now uses those services on a daily basis. However, the digital transformation and increased use of those services has also resulted in new risks and challenges for individual recipients of the relevant service, companies and society as a whole.
(2) Member States are increasingly introducing, or are considering introducing, national laws on the matters covered by this Regulation, imposing, in particular, diligence requirements for providers of intermediary services as regards the way they should tackle illegal content, online disinformation or other societal risks. Those diverging national laws negatively affect the internal market, which, pursuant to Article 26 of the Treaty on the Functioning of the European Union (TFEU), comprises an area without internal frontiers in which the free movement of goods and services and freedom of establishment are ensured, taking into account the inherently cross-border nature of the internet, which is generally used to provide those services. The conditions for the provision of intermediary services across the internal market should be harmonised, so as to provide businesses with access to new markets and opportunities to exploit the benefits of the internal market, while allowing consumers and other recipients of the services to have increased choice. Business users, consumers and other users are considered to be ‘recipients of the service’ for the purpose of this Regulation.
(3) Responsible and diligent behaviour by providers of intermediary services is essential for a safe, predictable and trustworthy online environment and for allowing Union citizens and other persons to exercise their fundamental rights guaranteed in the Charter of Fundamental Rights of the European Union (the ‘Charter’), in particular the freedom of expression and of information, the freedom to conduct a business, the right to non-discrimination and the attainment of a high level of consumer protection.
(4) Therefore, in order to safeguard and improve the functioning of the internal market, a targeted set of uniform, effective and proportionate mandatory rules should be established at Union level. This Regulation provides the conditions for innovative digital services to emerge and to scale up in the internal market. The approximation of national regulatory measures at Union level concerning the requirements for providers of intermediary services is necessary to avoid and put an end to fragmentation of the internal market and to ensure legal certainty, thus reducing uncertainty for developers and fostering interoperability. By using requirements that are technology neutral, innovation should not be hampered but instead be stimulated.
(5) This Regulation should apply to providers of certain information society services as defined in Directive (EU) 2015/1535 of the European Parliament and of the Council [^5], that is, any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient. Specifically, this Regulation should apply to providers of intermediary services, and in particular intermediary services consisting of services known as ‘mere conduit’, ‘caching’ and ‘hosting’ services, given that the exponential growth of the use made of those services, mainly for legitimate and socially beneficial purposes of all kinds, has also increased their role in the intermediation and spread of unlawful or otherwise harmful information and activities.
(6) In practice, certain providers of intermediary services intermediate in relation to services that may or may not be provided by electronic means, such as remote information technology services, transport, accommodation or delivery services. This Regulation should apply only to intermediary services and not affect requirements set out in Union or national law relating to products or services intermediated through intermediary services, including in situations where the intermediary service constitutes an integral part of another service which is not an intermediary service as recognised in the case-law of the Court of Justice of the European Union.
(7) In order to ensure the effectiveness of the rules laid down in this Regulation and a level playing field within the internal market, those rules should apply to providers of intermediary services irrespective of their place of establishment or their location, in so far as they offer services in the Union, as evidenced by a substantial connection to the Union.
(8) Such a substantial connection to the Union should be considered to exist where the service provider has an establishment in the Union or, in the absence of such an establishment, where the number of recipients of the service in one or more Member States is significant in relation to the population thereof, or on the basis of the targeting of activities towards one or more Member States. The targeting of activities towards one or more Member States can be determined on the basis of all relevant circumstances, including factors such as the use of a language or a currency generally used in that Member State, or the possibility of ordering products or services, or the use of a relevant top-level domain. The targeting of activities towards a Member State could also be derived from the availability of an application in the relevant national application store, from the provision of local advertising or advertising in a language used in that Member State, or from the handling of customer relations such as by providing customer service in a language generally used in that Member State. A substantial connection should also be assumed where a service provider directs its activities to one or more Member States within the meaning of Article 17(1), point (c), of Regulation (EU) No 1215/2012 of the European Parliament and of the Council [^6]. In contrast, mere technical accessibility of a website from the Union cannot, on that ground alone, be considered as establishing a substantial connection to the Union.
(9) This Regulation fully harmonises the rules applicable to intermediary services in the internal market with the objective of ensuring a safe, predictable and trusted online environment, addressing the dissemination of illegal content online and the societal risks that the dissemination of disinformation or other content may generate, and within which fundamental rights enshrined in the Charter are effectively protected and innovation is facilitated. Accordingly, Member States should not adopt or maintain additional national requirements relating to the matters falling within the scope of this Regulation, unless explicitly provided for in this Regulation, since this would affect the direct and uniform application of the fully harmonised rules applicable to providers of intermediary services in accordance with the objectives of this Regulation. This should not preclude the possibility of applying other national legislation applicable to providers of intermediary services, in compliance with Union law, including Directive 2000/31/EC, in particular its Article 3, where the provisions of national law pursue other legitimate public interest objectives than those pursued by this Regulation.
(10) This Regulation should be without prejudice to other acts of Union law regulating the provision of information society services in general, regulating other aspects of the provision of intermediary services in the internal market or specifying and complementing the harmonised rules set out in this Regulation, such as Directive 2010/13/EU of the European Parliament and of the Council [^7] including the provisions thereof regarding video-sharing platforms, Regulations (EU) 2019/1148 [^8], (EU) 2019/1150 [^9], (EU) 2021/784 [^10] and (EU) 2021/1232 [^11] of the European Parliament and of the Council and Directive 2002/58/EC of the European Parliament and of the Council [^12], and provisions of Union law set out in a Regulation on European Production and Preservation Orders for electronic evidence in criminal matters and in a Directive laying down harmonised rules on the appointment of legal representatives for the purpose of gathering evidence in criminal proceedings. Similarly, for reasons of clarity, this Regulation should be without prejudice to Union law on consumer protection, in particular Regulations (EU) 2017/2394 [^13] and (EU) 2019/1020 [^14] of the European Parliament and of the Council, Directives 2001/95/EC [^15], 2005/29/EC [^16], 2011/83/EU [^17] and 2013/11/EU [^18] of the European Parliament and of the Council, and Council Directive 93/13/EEC [^19], and on the protection of personal data, in particular Regulation (EU) 2016/679 of the European Parliament and of the Council [^20]. This Regulation should also be without prejudice to Union rules on private international law, in particular rules regarding jurisdiction and the recognition and enforcement of judgments in civil and commercial matters, as Regulation (EU) No 1215/2012, and rules on the law applicable to contractual and non-contractual obligations. The protection of individuals with regard to the processing of personal data is governed solely by the rules of Union law on that subject, in particular Regulation (EU) 2016/679 and Directive 2002/58/EC. This Regulation should also be without prejudice to Union law on working conditions and Union law in the field of judicial cooperation in civil and criminal matters. However, to the extent that those Union legal acts pursue the same objectives as those laid down in this Regulation, the rules of this Regulation should apply in respect of issues that are not addressed or not fully addressed by those other legal acts as well as issues on which those other legal acts leave Member States the possibility of adopting certain measures at national level.
(11) It should be clarified that this Regulation is without prejudice to Union law on copyright and related rights, including Directives 2001/29/EC [^21], 2004/48/EC [^22] and (EU) 2019/790 [^23] of the European Parliament and of the Council, which establish specific rules and procedures that should remain unaffected.
(12) In order to achieve the objective of ensuring a safe, predictable and trustworthy online environment, for the purpose of this Regulation the concept of ‘illegal content’ should broadly reflect the existing rules in the offline environment. In particular, the concept of ‘illegal content’ should be defined broadly to cover information relating to illegal content, products, services and activities. In particular, that concept should be understood to refer to information, irrespective of its form, that under the applicable law is either itself illegal, such as illegal hate speech or terrorist content and unlawful discriminatory content, or that the applicable rules render illegal in view of the fact that it relates to illegal activities. Illustrative examples include the sharing of images depicting child sexual abuse, the unlawful non-consensual sharing of private images, online stalking, the sale of non-compliant or counterfeit products, the sale of products or the provision of services in infringement of consumer protection law, the non-authorised use of copyright protected material, the illegal offer of accommodation services or the illegal sale of live animals. In contrast, an eyewitness video of a potential crime should not be considered to constitute illegal content, merely because it depicts an illegal act, where recording or disseminating such a video to the public is not illegal under national or Union law. In this regard, it is immaterial whether the illegality of the information or activity results from Union law or from national law that is in compliance with Union law and what the precise nature or subject matter is of the law in question.
(13) Considering the particular characteristics of the services concerned and the corresponding need to make the providers thereof subject to certain specific obligations, it is necessary to distinguish, within the broader category of providers of hosting services as defined in this Regulation, the subcategory of online platforms. Online platforms, such as social networks or online platforms allowing consumers to conclude distance contracts with traders, should be defined as providers of hosting services that not only store information provided by the recipients of the service at their request, but that also disseminate that information to the public at the request of the recipients of the service. However, in order to avoid imposing overly broad obligations, providers of hosting services should not be considered as online platforms where the dissemination to the public is merely a minor and purely ancillary feature that is intrinsically linked to another service, or a minor functionality of the principal service, and that feature or functionality cannot, for objective technical reasons, be used without that other or principal service, and the integration of that feature or functionality is not a means to circumvent the applicability of the rules of this Regulation applicable to online platforms. For example, the comments section in an online newspaper could constitute such a feature, where it is clear that it is ancillary to the main service represented by the publication of news under the editorial responsibility of the publisher. In contrast, the storage of comments in a social network should be considered an online platform service where it is clear that it is not a minor feature of the service offered, even if it is ancillary to publishing the posts of recipients of the service. For the purposes of this Regulation, cloud computing or web-hosting services should not be considered to be an online platform where dissemination of specific information to the public constitutes a minor and ancillary feature or a minor functionality of such services. Moreover, cloud computing services and web-hosting services, when serving as infrastructure, such as the underlying infrastructural storage and computing services of an internet-based application, website or online platform, should not in themselves be considered as disseminating to the public information stored or processed at the request of a recipient of the application, website or online platform which they host.
(14) The concept of ‘dissemination to the public’, as used in this Regulation, should entail the making available of information to a potentially unlimited number of persons, meaning making the information easily accessible to recipients of the service in general without further action by the recipient of the service providing the information being required, irrespective of whether those persons actually access the information in question. Accordingly, where access to information requires registration or admittance to a group of recipients of the service, that information should be considered to be disseminated to the public only where recipients of the service seeking to access the information are automatically registered or admitted without a human decision or selection of whom to grant access. Interpersonal communication services, as defined in Directive (EU) 2018/1972 of the European Parliament and of the Council [^24], such as emails or private messaging services, fall outside the scope of the definition of online platforms as they are used for interpersonal communication between a finite number of persons determined by the sender of the communication. However, the obligations set out in this Regulation for providers of online platforms may apply to services that allow the making available of information to a potentially unlimited number of recipients, not determined by the sender of the communication, such as through public groups or open channels. Information should be considered disseminated to the public within the meaning of this Regulation only where that dissemination occurs upon the direct request by the recipient of the service that provided the information.
(15) Where some of the services provided by a provider are covered by this Regulation whilst others are not, or where the services provided by a provider are covered by different sections of this Regulation, the relevant provisions of this Regulation should apply only in respect of those services that fall within their scope.
(16) The legal certainty provided by the horizontal framework of conditional exemptions from liability for providers of intermediary services, laid down in Directive 2000/31/EC, has allowed many novel services to emerge and scale up across the internal market. That framework should therefore be preserved. However, in view of the divergences when transposing and applying the relevant rules at national level, and for reasons of clarity and coherence, that framework should be incorporated in this Regulation. It is also necessary to clarify certain elements of that framework, having regard to the case-law of the Court of Justice of the European Union.
(17) The rules on liability of providers of intermediary services set out in this Regulation should only establish when the provider of intermediary services concerned cannot be held liable in relation to illegal content provided by the recipients of the service. Those rules should not be understood to provide a positive basis for establishing when a provider can be held liable, which is for the applicable rules of Union or national law to determine. Furthermore, the exemptions from liability established in this Regulation should apply in respect of any type of liability as regards any type of illegal content, irrespective of the precise subject matter or nature of those laws.
(18) The exemptions from liability established in this Regulation should not apply where, instead of confining itself to providing the services neutrally by a merely technical and automatic processing of the information provided by the recipient of the service, the provider of intermediary services plays an active role of such a kind as to give it knowledge of, or control over, that information. Those exemptions should accordingly not be available in respect of liability relating to information provided not by the recipient of the service but by the provider of the intermediary service itself, including where the information has been developed under the editorial responsibility of that provider.
(19) In view of the different nature of the activities of ‘mere conduit’, ‘caching’ and ‘hosting’ and the different position and abilities of the providers of the services in question, it is necessary to distinguish the rules applicable to those activities, in so far as under this Regulation they are subject to different requirements and conditions and their scope differs, as interpreted by the Court of Justice of the European Union.
(20) Where a provider of intermediary services deliberately collaborates with a recipient of the services in order to undertake illegal activities, the services should not be deemed to have been provided neutrally and the provider should therefore not be able to benefit from the exemptions from liability provided for in this Regulation. This should be the case, for instance, where the provider offers its service with the main purpose of facilitating illegal activities, for example by making explicit that its purpose is to facilitate illegal activities or that its services are suited for that purpose. The fact alone that a service offers encrypted transmissions or any other system that makes the identification of the user impossible should not in itself qualify as facilitating illegal activities.
(21) A provider should be able to benefit from the exemptions from liability for ‘mere conduit’ and for ‘caching’ services when it is in no way involved with the information transmitted or accessed. This requires, among other things, that the provider does not modify the information that it transmits or to which it provides access. However, this requirement should not be understood to cover manipulations of a technical nature which take place in the course of the transmission or access, as long as those manipulations do not alter the integrity of the information transmitted or to which access is provided.
(22) In order to benefit from the exemption from liability for hosting services, the provider should, upon obtaining actual knowledge or awareness of illegal activities or illegal content, act expeditiously to remove or to disable access to that content. The removal or disabling of access should be undertaken in the observance of the fundamental rights of the recipients of the service, including the right to freedom of expression and of information. The provider can obtain such actual knowledge or awareness of the illegal nature of the content, inter alia through its own-initiative investigations or through notices submitted to it by individuals or entities in accordance with this Regulation in so far as such notices are sufficiently precise and adequately substantiated to allow a diligent economic operator to reasonably identify, assess and, where appropriate, act against the allegedly illegal content. However, such actual knowledge or awareness cannot be considered to be obtained solely on the ground that that provider is aware, in a general sense, of the fact that its service is also used to store illegal content. Furthermore, the fact that the provider automatically indexes information uploaded to its service, that it has a search function or that it recommends information on the basis of the profiles or preferences of the recipients of the service is not a sufficient ground for considering that provider to have ‘specific’ knowledge of illegal activities carried out on that platform or of illegal content stored on it.
(23) The exemption of liability should not apply where the recipient of the service is acting under the authority or the control of the provider of a hosting service. For example, where the provider of an online platform that allows consumers to conclude distance contracts with traders determines the price of the goods or services offered by the trader, it could be considered that the trader acts under the authority or control of that online platform.
(24) In order to ensure the effective protection of consumers when engaging in intermediated commercial transactions online, certain providers of hosting services, namely online platforms that allow consumers to conclude distance contracts with traders, should not be able to benefit from the exemption from liability for hosting service providers established in this Regulation, in so far as those online platforms present the relevant information relating to the transactions at issue in such a way as to lead consumers to believe that that information was provided by those online platforms themselves or by traders acting under their authority or control, and that those online platforms thus have knowledge of or control over the information, even if that may in reality not be the case. Examples of such behaviour could be where an online platform fails to display clearly the identity of the trader, as required by this Regulation, where an online platform withholds the identity or contact details of the trader until after the conclusion of the contract concluded between the trader and the consumer, or where an online platform markets the product or service in its own name rather than in the name of the trader who will supply that product or service. In that regard, it should be determined objectively, on the basis of all relevant circumstances, whether the presentation could lead an average consumer to believe that the information in question was provided by the online platform itself or by traders acting under its authority or control.
(25) The exemptions from liability established in this Regulation should not affect the possibility of injunctions of different kinds against providers of intermediary services, even where they meet the conditions set out as part of those exemptions. Such injunctions could, in particular, consist of orders by courts or administrative authorities, issued in compliance with Union law, requiring the termination or prevention of any infringement, including the removal of illegal content specified in such orders, or the disabling of access to it.
(26) In order to create legal certainty, and not to discourage activities that aim to detect, identify and act against illegal content that providers of all categories of intermediary services undertake on a voluntary basis, it should be clarified that the mere fact that providers undertake such activities does not render unavailable the exemptions from liability set out in this Regulation, provided those activities are carried out in good faith and in a diligent manner. The condition of acting in good faith and in a diligent manner should include acting in an objective, non-discriminatory and proportionate manner, with due regard to the rights and legitimate interests of all parties involved, and providing the necessary safeguards against unjustified removal of legal content, in accordance with the objective and requirements of this Regulation. To that aim, the providers concerned should, for example, take reasonable measures to ensure that, where automated tools are used to conduct such activities, the relevant technology is sufficiently reliable to limit to the maximum extent possible the rate of errors. In addition, it is appropriate to clarify that the mere fact that the providers take measures, in good faith, to comply with the requirements of Union law, including those set out in this Regulation as regards the implementation of their terms and conditions, should not render unavailable the exemptions from liability set out in this Regulation. Therefore, any such activities and measures that a provider may have taken should not be taken into account when determining whether the provider can rely on an exemption from liability, in particular as regards whether the provider provides its service neutrally and can therefore fall within the scope of the relevant provision, without this rule however implying that the provider can necessarily rely thereon. Voluntary actions should not be used to circumvent the obligations of providers of intermediary services under this Regulation.
(27) Whilst the rules on liability of providers of intermediary services set out in this Regulation concentrate on the exemption from liability of providers of intermediary services, it is important to recall that, despite the generally important role played by such providers, the problem of illegal content and activities online should not be dealt with by solely focusing on their liability and responsibilities. Where possible, third parties affected by illegal content transmitted or stored online should attempt to resolve conflicts relating to such content without involving the providers of intermediary services in question. Recipients of the service should be held liable, where the applicable rules of Union and national law determining such liability so provide, for the illegal content that they provide and may disseminate to the public through intermediary services. Where appropriate, other actors, such as group moderators in closed online environments, in particular in the case of large groups, should also help to avoid the spread of illegal content online, in accordance with the applicable law. Furthermore, where it is necessary to involve information society services providers, including providers of intermediary services, any requests or orders for such involvement should, as a general rule, be directed to the specific provider that has the technical and operational ability to act against specific items of illegal content, so as to prevent and minimise any possible negative effects on the availability and accessibility of information that is not illegal content.
(28) Since 2000, new technologies have emerged that improve the availability, efficiency, speed, reliability, capacity and security of systems for the transmission, ‘findability’ and storage of data online, leading to an increasingly complex online ecosystem. In this regard, it should be recalled that providers of services establishing and facilitating the underlying logical architecture and proper functioning of the internet, including technical auxiliary functions, can also benefit from the exemptions from liability set out in this Regulation, to the extent that their services qualify as ‘mere conduit’, ‘caching’ or ‘hosting’ services. Such services include, as the case may be, wireless local area networks, domain name system (DNS) services, top-level domain name registries, registrars, certificate authorities that issue digital certificates, virtual private networks, online search engines, cloud infrastructure services, or content delivery networks, that enable, locate or improve the functions of other providers of intermediary services. Likewise, services used for communications purposes, and the technical means of their delivery, have also evolved considerably, giving rise to online services such as Voice over IP, messaging services and web-based email services, where the communication is delivered via an internet access service. Those services, too, can benefit from the exemptions from liability, to the extent that they qualify as ‘mere conduit’, ‘caching’ or ‘hosting’ services.
(29) Intermediary services span a wide range of economic activities which take place online and that develop continually to provide for transmission of information that is swift, safe and secure, and to ensure convenience of all participants of the online ecosystem. For example, ‘mere conduit’ intermediary services include generic categories of services, such as internet exchange points, wireless access points, virtual private networks, DNS services and resolvers, top-level domain name registries, registrars, certificate authorities that issue digital certificates, voice over IP and other interpersonal communication services, while generic examples of ‘caching’ intermediary services include the sole provision of content delivery networks, reverse proxies or content adaptation proxies. Such services are crucial to ensure the smooth and efficient transmission of information delivered on the internet. Examples of ‘hosting services’ include categories of services such as cloud computing, web hosting, paid referencing services or services enabling sharing information and content online, including file storage and sharing. Intermediary services may be provided in isolation, as a part of another type of intermediary service, or simultaneously with other intermediary services. Whether a specific service constitutes a ‘mere conduit’, ‘caching’ or ‘hosting’ service depends solely on its technical functionalities, which might evolve in time, and should be assessed on a case-by-case basis.
(30) Providers of intermediary services should not be, neither de jure, nor de facto, subject to a monitoring obligation with respect to obligations of a general nature. This does not concern monitoring obligations in a specific case and, in particular, does not affect orders by national authorities in accordance with national legislation, in compliance with Union law, as interpreted by the Court of Justice of the European Union, and in accordance with the conditions established in this Regulation. Nothing in this Regulation should be construed as an imposition of a general monitoring obligation or a general active fact-finding obligation, or as a general obligation for providers to take proactive measures in relation to illegal content.
(31) Depending on the legal system of each Member State and the field of law at issue, national judicial or administrative authorities, including law enforcement authorities, may order providers of intermediary services to act against one or more specific items of illegal content or to provide certain specific information. The national laws on the basis of which such orders are issued differ considerably and the orders are increasingly addressed in cross-border situations. In order to ensure that those orders can be complied with in an effective and efficient manner, in particular in a cross-border context, so that the public authorities concerned can carry out their tasks and the providers are not subject to any disproportionate burdens, without unduly affecting the rights and legitimate interests of any third parties, it is necessary to set certain conditions that those orders should meet and certain complementary requirements relating to the processing of those orders. Consequently, this Regulation should harmonise only certain specific minimum conditions that such orders should fulfil in order to give rise to the obligation of providers of intermediary services to inform the relevant authorities about the effect given to those orders. Therefore, this Regulation does not provide the legal basis for the issuing of such orders, nor does it regulate their territorial scope or cross-border enforcement.
(32) The applicable Union or national law on the basis of which those orders are issued might require additional conditions and should be the basis for the enforcement of the respective orders. In the event of non-compliance with such orders, the issuing Member State should be able to enforce them in accordance with its national law. The applicable national law should be in compliance with Union law, including the Charter and the TFEU provisions on the freedom of establishment and the freedom to provide services within the Union, in particular with regard to online gambling and betting services. Similarly, the application of such national laws for the enforcement of the respective orders is without prejudice to applicable Union legal acts or international agreements concluded by the Union or by Member States relating to the cross-border recognition, execution and enforcement of those orders, in particular in civil and criminal matters. On the other hand, the enforcement of the obligation to inform the relevant authorities about the effect given to those orders, as opposed to the enforcement of the orders themselves, should be subject to the rules set out in this Regulation.
(33) The provider of intermediary services should inform the issuing authority about any follow-up given to such orders without undue delay, in compliance with the time limits set out in relevant Union or national law.
(34) Relevant national authorities should be able to issue such orders against content considered illegal or orders to provide information on the basis of Union law or national law in compliance with Union law, in particular the Charter, and to address them to providers of intermediary services, including those established in another Member State. However, this Regulation should be without prejudice to Union law in the field of judicial cooperation in civil or criminal matters, including Regulation (EU) No 1215/2012 and a Regulation on European production and preservation orders for electronic evidence in criminal matters, and to national criminal or civil procedural law. Therefore, where those laws in the context of criminal or civil proceedings provide for conditions that are additional to or incompatible with the conditions provided for in this Regulation in relation to orders to act against illegal content or to provide information, the conditions provided for in this Regulation might not apply or might be adapted. In particular, the obligation on the Digital Services Coordinator from the Member State of the issuing authority to transmit a copy of the orders to all other Digital Services Coordinators might not apply in the context of criminal proceedings or might be adapted, where the applicable national criminal procedural law so provides. Furthermore, the obligation for the orders to contain a statement of reasons explaining why the information is illegal content should be adapted, where necessary, under the applicable national criminal procedural law for the prevention, investigation, detection and prosecution of criminal offences. Finally, the obligation on the providers of intermediary services to inform the recipient of the service might be delayed in accordance with applicable Union or national law, in particular in the context of criminal, civil or administrative proceedings. In addition, the orders should be issued in compliance with Regulation (EU) 2016/679 and the prohibition of general obligations to monitor information or to actively seek facts or circumstances indicating illegal activity laid down in this Regulation. The conditions and requirements laid down in this Regulation which apply to orders to act against illegal content are without prejudice to other Union acts providing for similar systems for acting against specific types of illegal content, such as Regulation (EU) 2021/784, Regulation (EU) 2019/1020, or Regulation (EU) 2017/2394 that confers specific powers to order the provision of information to Member State consumer law enforcement authorities, whilst the conditions and requirements that apply to orders to provide information are without prejudice to other Union acts providing for similar relevant rules for specific sectors. Those conditions and requirements should be without prejudice to retention and preservation rules under applicable national law, in compliance with Union law and confidentiality requests by law enforcement authorities related to the non-disclosure of information. Those conditions and requirements should not affect the possibility for Member States to require a provider of intermediary services to prevent an infringement, in compliance with Union law including this Regulation, and in particular with the prohibition of general monitoring obligations.
(35) The conditions and requirements laid down in this Regulation should be fulfilled at the latest when the order is transmitted to the provider concerned. Therefore, the order may be issued in one of the official languages of the issuing authority of the Member State concerned. However, where that language is different from the language declared by the provider of intermediary services, or from another official language of the Member States agreed between the authority issuing the order and the provider of intermediary services, the transmission of the order should be accompanied by a translation of at least the elements of the order which are set out in this Regulation. Where a provider of intermediary services has agreed with the authorities of a Member State to use a certain language, it should be encouraged to accept orders in the same language issued by authorities in other Member States. The orders should include elements that enable the addressee to identify the issuing authority, including the contact details of a contact point within that authority where appropriate, and to verify the authenticity of the order.
(36) The territorial scope of such orders to act against illegal content should be clearly set out on the basis of the applicable Union or national law enabling the issuance of the order and should not exceed what is strictly necessary to achieve its objectives. In that regard, the national judicial or administrative authority, which might be a law enforcement authority, issuing the order should balance the objective that the order seeks to achieve, in accordance with the legal basis enabling its issuance, with the rights and legitimate interests of all third parties that may be affected by the order, in particular their fundamental rights under the Charter. In particular in a cross-border context, the effect of the order should in principle be limited to the territory of the issuing Member State, unless the illegality of the content derives directly from Union law or the issuing authority considers that the rights at stake require a wider territorial scope, in accordance with Union and international law, while taking into account the interests of international comity.
(37) The orders to provide information regulated by this Regulation concern the production of specific information about individual recipients of the intermediary service concerned who are identified in those orders for the purposes of determining compliance by the recipients of the service with applicable Union or national rules. Such orders should request information with the aim of enabling the identification of the recipients of the service concerned. Therefore, orders regarding information on a group of recipients of the service who are not specifically identified, including orders to provide aggregate information required for statistical purposes or evidence-based policy-making, are not covered by the requirements of this Regulation on the provision of information.
(38) Orders to act against illegal content and to provide information are subject to the rules safeguarding the competence of the Member State in which the service provider addressed is established and the rules laying down possible derogations from that competence in certain cases, set out in Article 3 of Directive 2000/31/EC, only if the conditions of that Article are met. Given that the orders in question relate to specific items of illegal content and information, respectively, where they are addressed to providers of intermediary services established in another Member State they do not in principle restrict those providers’ freedom to provide their services across borders. Therefore, the rules set out in Article 3 of Directive 2000/31/EC, including those regarding the need to justify measures derogating from the competence of the Member State in which the service provider is established on certain specified grounds and regarding the notification of such measures, do not apply in respect of those orders.
(39) The requirements to provide information on redress mechanisms available to the provider of the intermediary service and to the recipient of the service who provided the content include a requirement to provide information about administrative complaint-handling mechanisms and judicial redress including appeals against orders issued by judicial authorities. Moreover, Digital Services Coordinators could develop national tools and guidance as regards complaint and redress mechanisms applicable in their respective territory, in order to facilitate access to such mechanisms by recipients of the service. Finally, when applying this Regulation Member States should respect the fundamental right to an effective judicial remedy and to a fair trial as provided for in Article 47 of the Charter. This Regulation should therefore not prevent the relevant national judicial or administrative authorities from issuing, on the basis of the applicable Union or national law, an order to restore content, where such content was in compliance with the terms and conditions of the provider of the intermediary service but has been erroneously considered as illegal by that provider and has been removed.
(40) In order to achieve the objectives of this Regulation, and in particular to improve the functioning of the internal market and ensure a safe and transparent online environment, it is necessary to establish a clear, effective, predictable and balanced set of harmonised due diligence obligations for providers of intermediary services. Those obligations should aim in particular to guarantee different public policy objectives such as the safety and trust of the recipients of the service, including consumers, minors and users at particular risk of being subject to hate speech, sexual harassment or other discriminatory actions, the protection of relevant fundamental rights enshrined in the Charter, the meaningful accountability of those providers and the empowerment of recipients and other affected parties, whilst facilitating the necessary oversight by competent authorities.
(41) In that regard, it is important that the due diligence obligations are adapted to the type, size and nature of the intermediary service concerned. This Regulation therefore sets out basic obligations applicable to all providers of intermediary services, as well as additional obligations for providers of hosting services and, more specifically, providers of online platforms and of very large online platforms and of very large online search engines. To the extent that providers of intermediary services fall within a number of different categories in view of the nature of their services and their size, they should comply with all the corresponding obligations of this Regulation in relation to those services. Those harmonised due diligence obligations, which should be reasonable and non-arbitrary, are needed to address the identified public policy concerns, such as safeguarding the legitimate interests of the recipients of the service, addressing illegal practices and protecting the fundamental rights enshrined in the Charter. The due diligence obligations are independent from the question of liability of providers of intermediary services which need therefore to be assessed separately.
(42) In order to facilitate smooth and efficient two-way communications, including, where relevant, by acknowledging the receipt of such communications, relating to matters covered by this Regulation, providers of intermediary services should be required to designate a single electronic point of contact and to publish and update relevant information relating to that point of contact, including the languages to be used in such communications. The electronic point of contact can also be used by trusted flaggers and by professional entities which are under a specific relationship with the provider of intermediary services. In contrast to the legal representative, the electronic point of contact should serve operational purposes and should not be required to have a physical location. Providers of intermediary services can designate the same single point of contact for the requirements of this Regulation as well as for the purposes of other acts of Union law. When specifying the languages of communication, providers of intermediary services are encouraged to ensure that the languages chosen do not in themselves constitute an obstacle to communication. Where necessary, it should be possible for providers of intermediary services and Member States’ authorities to reach a separate agreement on the language of communication, or to seek alternative means to overcome the language barrier, including by using all available technological means or internal and external human resources.
(43) Providers of intermediary services should also be required to designate a single point of contact for recipients of services, enabling rapid, direct and efficient communication in particular by easily accessible means such as telephone numbers, email addresses, electronic contact forms, chatbots or instant messaging. It should be explicitly indicated when a recipient of the service communicates with chatbots. Providers of intermediary services should allow recipients of services to choose means of direct and efficient communication which do not solely rely on automated tools. Providers of intermediary services should make all reasonable efforts to guarantee that sufficient human and financial resources are allocated to ensure that this communication is performed in a timely and efficient manner.
(44) Providers of intermediary services that are established in a third country and that offer services in the Union should designate a sufficiently mandated legal representative in the Union and provide information relating to their legal representatives to the relevant authorities and make it publicly available. In order to comply with that obligation, such providers of intermediary services should ensure that the designated legal representative has the necessary powers and resources to cooperate with the relevant authorities. This could be the case, for example, where a provider of intermediary services appoints a subsidiary undertaking of the same group as the provider, or its parent undertaking, if that subsidiary or parent undertaking is established in the Union. However, it might not be the case, for instance, when the legal representative is subject to reconstruction proceedings, bankruptcy, or personal or corporate insolvency. That obligation should allow for the effective oversight and, where necessary, enforcement of this Regulation in relation to those providers. It should be possible for a legal representative to be mandated, in accordance with national law, by more than one provider of intermediary services. It should be possible for the legal representative to also function as a point of contact, provided the relevant requirements of this Regulation are complied with.
(45) Whilst the freedom of contract of providers of intermediary services should in principle be respected, it is appropriate to set certain rules on the content, application and enforcement of the terms and conditions of those providers in the interests of transparency, the protection of recipients of the service and the avoidance of unfair or arbitrary outcomes. Providers of the intermediary services should clearly indicate and maintain up-to-date in their terms and conditions the information as to the grounds on the basis of which they may restrict the provision of their services. In particular, they should include information on any policies, procedures, measures and tools used for the purpose of content moderation, including algorithmic decision-making and human review, as well as the rules of procedure of their internal complaint-handling system. They should also provide easily accessible information on the right to terminate the use of the service. Providers of intermediary services may use graphical elements in their terms of service, such as icons or images, to illustrate the main elements of the information requirements set out in this Regulation. Providers should inform recipients of their service through appropriate means of significant changes made to terms and conditions, for instance when they modify the rules on information that is permitted on their service, or other such changes which could directly impact the ability of the recipients to make use of the service.
(46) Providers of intermediary services that are primarily directed at minors, for example through the design or marketing of the service, or which are used predominantly by minors, should make particular efforts to render the explanation of their terms and conditions easily understandable to minors.
(47) When designing, applying and enforcing those restrictions, providers of intermediary services should act in a non-arbitrary and non-discriminatory manner and take into account the rights and legitimate interests of the recipients of the service, including fundamental rights as enshrined in the Charter. For example, providers of very large online platforms should in particular pay due regard to freedom of expression and of information, including media freedom and pluralism. All providers of intermediary services should also pay due regard to relevant international standards for the protection of human rights, such as the United Nations Guiding Principles on Business and Human Rights.
(48) Given their special role and reach, it is appropriate to impose on very large online platforms and very large online search engines additional requirements regarding information and transparency of their terms and conditions. Consequently, providers of very large online platforms and very large online search engines should provide their terms and conditions in the official languages of all Member States in which they offer their services and should also provide recipients of the services with a concise and easily readable summary of the main elements of the terms and conditions. Such summaries should identify the main elements of the information requirements, including the possibility of easily opting out from optional clauses.
(49) To ensure an adequate level of transparency and accountability, providers of intermediary services should make publicly available an annual report in a machine-readable format, in accordance with the harmonised requirements contained in this Regulation, on the content moderation in which they engage, including the measures taken as a result of the application and enforcement of their terms and conditions. However, in order to avoid disproportionate burdens, those transparency reporting obligations should not apply to providers that are micro or small enterprises as defined in Commission Recommendation 2003/361/EC [^25] and which are not very large online platforms within the meaning of this Regulation.
(50) Providers of hosting services play a particularly important role in tackling illegal content online, as they store information provided by and at the request of the recipients of the service and typically give other recipients access thereto, sometimes on a large scale. It is important that all providers of hosting services, regardless of their size, put in place easily accessible and user-friendly notice and action mechanisms that facilitate the notification of specific items of information that the notifying party considers to be illegal content to the provider of hosting services concerned (‘notice’), pursuant to which that provider can decide whether or not it agrees with that assessment and wishes to remove or disable access to that content (‘action’). Such mechanisms should be clearly identifiable, located close to the information in question and at least as easy to find and use as notification mechanisms for content that violates the terms and conditions of the hosting service provider. Provided the requirements on notices are met, it should be possible for individuals or entities to notify multiple specific items of allegedly illegal content through a single notice in order to ensure the effective operation of notice and action mechanisms. The notification mechanism should allow, but not require, the identification of the individual or the entity submitting a notice. For some types of items of information notified, the identity of the individual or the entity submitting a notice might be necessary to determine whether the information in question constitutes illegal content, as alleged. The obligation to put in place notice and action mechanisms should apply, for instance, to file storage and sharing services, web hosting services, advertising servers and paste bins, in so far as they qualify as hosting services covered by this Regulation.
(51) Having regard to the need to take due account of the fundamental rights guaranteed under the Charter of all parties concerned, any action taken by a provider of hosting services pursuant to receiving a notice should be strictly targeted, in the sense that it should serve to remove or disable access to the specific items of information considered to constitute illegal content, without unduly affecting the freedom of expression and of information of recipients of the service. Notices should therefore, as a general rule, be directed to the providers of hosting services that can reasonably be expected to have the technical and operational ability to act against such specific items. The providers of hosting services who receive a notice for which they cannot, for technical or operational reasons, remove the specific item of information should inform the person or entity who submitted the notice.
(52) The rules on such notice and action mechanisms should be harmonised at Union level, so as to provide for the timely, diligent and non-arbitrary processing of notices on the basis of rules that are uniform, transparent and clear and that provide for robust safeguards to protect the right and legitimate interests of all affected parties, in particular their fundamental rights guaranteed by the Charter, irrespective of the Member State in which those parties are established or reside and of the field of law at issue. Those fundamental rights include but are not limited to: for the recipients of the service, the right to freedom of expression and of information, the right to respect for private and family life, the right to protection of personal data, the right to non-discrimination and the right to an effective remedy; for the service providers, the freedom to conduct a business, including the freedom of contract; for parties affected by illegal content, the right to human dignity, the rights of the child, the right to protection of property, including intellectual property, and the right to non-discrimination. Providers of hosting services should act upon notices in a timely manner, in particular by taking into account the type of illegal content being notified and the urgency of taking action. For instance, such providers can be expected to act without delay when allegedly illegal content involving a threat to life or safety of persons is being notified. The provider of hosting services should inform the individual or entity notifying the specific content without undue delay after taking a decision whether or not to act upon the notice.
(53) The notice and action mechanisms should allow for the submission of notices which are sufficiently precise and adequately substantiated to enable the provider of hosting services concerned to take an informed and diligent decision, compatible with the freedom of expression and of information, in respect of the content to which the notice relates, in particular whether or not that content is to be considered illegal content and is to be removed or access thereto is to be disabled. Those mechanisms should be such as to facilitate the provision of notices that contain an explanation of the reasons why the individual or the entity submitting a notice considers that content to be illegal content, and a clear indication of the location of that content. Where a notice contains sufficient information to enable a diligent provider of hosting services to identify, without a detailed legal examination, that it is clear that the content is illegal, the notice should be considered to give rise to actual knowledge or awareness of illegality. Except for the submission of notices relating to offences referred to in Articles 3 to 7 of Directive 2011/93/EU of the European Parliament and of the Council [^26], those mechanisms should ask the individual or the entity submitting a notice to disclose its identity in order to avoid misuse.
(54) Where a provider of hosting services decides, on the ground that the information provided by the recipients is illegal content or is incompatible with its terms and conditions, to remove or disable access to information provided by a recipient of the service or to otherwise restrict its visibility or monetisation, for instance following receipt of a notice or acting on its own initiative, including exclusively by automated means, that provider should inform in a clear and easily comprehensible way the recipient of its decision, the reasons for its decision and the available possibilities for redress to contest the decision, in view of the negative consequences that such decisions may have for the recipient, including as regards the exercise of its fundamental right to freedom of expression. That obligation should apply irrespective of the reasons for the decision, in particular whether the action has been taken because the information notified is considered to be illegal content or incompatible with the applicable terms and conditions. Where the decision was taken following receipt of a notice, the provider of hosting services should only reveal the identity of the person or entity who submitted the notice to the recipient of the service where this information is necessary to identify the illegality of the content, such as in cases of infringements of intellectual property rights.
(55) Restriction of visibility may consist in demotion in ranking or in recommender systems, as well as in limiting accessibility by one or more recipients of the service or blocking the user from an online community without the user being aware (‘shadow banning’). The monetisation via advertising revenue of information provided by the recipient of the service can be restricted by suspending or terminating the monetary payment or revenue associated to that information. The obligation to provide a statement of reasons should however not apply with respect to deceptive high-volume commercial content disseminated through intentional manipulation of the service, in particular inauthentic use of the service such as the use of bots or fake accounts or other deceptive uses of the service. Irrespective of other possibilities to challenge the decision of the provider of hosting services, the recipient of the service should always have a right to effective remedy before a court in accordance with the national law.
(56) A provider of hosting services may in some instances become aware, such as through a notice by a notifying party or through its own voluntary measures, of information relating to certain activity of a recipient of the service, such as the provision of certain types of illegal content, that reasonably justify, having regard to all relevant circumstances of which the provider of hosting services is aware, the suspicion that that recipient may have committed, may be committing or is likely to commit a criminal offence involving a threat to the life or safety of person or persons, such as offences specified in Directive 2011/36/EU of the European Parliament and of the Council [^27], Directive 2011/93/EU or Directive (EU) 2017/541 of the European Parliament and of the Council [^28]. For example, specific items of content could give rise to a suspicion of a threat to the public, such as incitement to terrorism within the meaning of Article 21 of Directive (EU) 2017/541. In such instances, the provider of hosting services should inform without delay the competent law enforcement authorities of such suspicion. The provider of hosting services should provide all relevant information available to it, including, where relevant, the content in question and, if available, the time when the content was published, including the designated time zone, an explanation of its suspicion and the information necessary to locate and identify the relevant recipient of the service. This Regulation does not provide the legal basis for profiling of recipients of the services with a view to the possible identification of criminal offences by providers of hosting services. Providers of hosting services should also respect other applicable rules of Union or national law for the protection of the rights and freedoms of individuals when informing law enforcement authorities.
(57) To avoid disproportionate burdens, the additional obligations imposed under this Regulation on providers of online platforms, including platforms allowing consumers to conclude distance contracts with traders, should not apply to providers that qualify as micro or small enterprises as defined in Recommendation 2003/361/EC. For the same reason, those additional obligations should also not apply to providers of online platforms that previously qualified as micro or small enterprises during a period of 12 months after they lose that status. Such providers should not be excluded from the obligation to provide information on the average monthly active recipients of the service at the request of the Digital Services Coordinator of establishment or the Commission. However, considering that very large online platforms or very large online search engines have a larger reach and a greater impact in influencing how recipients of the service obtain information and communicate online, such providers should not benefit from that exclusion, irrespective of whether they qualify or recently qualified as micro or small enterprises. The consolidation rules laid down in Recommendation 2003/361/EC help ensure that any circumvention of those additional obligations is prevented. Nothing in this Regulation precludes providers of online platforms that are covered by that exclusion from setting up, on a voluntary basis, a system that complies with one or more of those obligations.
(58) Recipients of the service should be able to easily and effectively contest certain decisions of providers of online platforms concerning the illegality of content or its incompatibility with the terms and conditions that negatively affect them. Therefore, providers of online platforms should be required to provide for internal complaint-handling systems, which meet certain conditions that aim to ensure that the systems are easily accessible and lead to swift, non-discriminatory, non-arbitrary and fair outcomes, and are subject to human review where automated means are used. Such systems should enable all recipients of the service to lodge a complaint and should not set formal requirements, such as referral to specific, relevant legal provisions or elaborate legal explanations. Recipients of the service who submitted a notice through the notice and action mechanism provided for in this Regulation or through the notification mechanism for content that violate the terms and conditions of the provider of online platforms should be entitled to use the complaint mechanism to contest the decision of the provider of online platforms on their notices, including when they consider that the action taken by that provider was not adequate. The possibility to lodge a complaint for the reversal of the contested decisions should be available for at least six months, to be calculated from the moment at which the provider of online platforms informed the recipient of the service of the decision.
(59) In addition, provision should be made for the possibility of engaging, in good faith, in the out-of-court dispute settlement of such disputes, including those that could not be resolved in a satisfactory manner through the internal complaint-handling systems, by certified bodies that have the requisite independence, means and expertise to carry out their activities in a fair, swift and cost-effective manner. The independence of the out-of-court dispute settlement bodies should be ensured also at the level of the natural persons in charge of resolving disputes, including through rules on conflict of interest. The fees charged by the out-of-court dispute settlement bodies should be reasonable, accessible, attractive, inexpensive for consumers and proportionate, and assessed on a case-by-case basis. Where an out-of-court dispute settlement body is certified by the competent Digital Services Coordinator, that certification should be valid in all Member States. Providers of online platforms should be able to refuse to engage in out-of-court dispute settlement procedures under this Regulation when the same dispute, in particular as regards the information concerned and the grounds for taking the contested decision, the effects of the decision and the grounds raised for contesting the decision, has already been resolved by or is already subject to an ongoing procedure before the competent court or before another competent out-of-court dispute settlement body. Recipients of the service should be able to choose between the internal complaint mechanism, an out-of-court dispute settlement and the possibility to initiate, at any stage, judicial proceedings. Since the outcome of the out-of-court dispute settlement procedure is not binding, the parties should not be prevented from initiating judicial proceedings in relation to the same dispute. The possibilities to contest decisions of providers of online platforms thus created should leave unaffected in all respects the possibility to seek judicial redress in accordance with the laws of the Member State concerned, and therefore should not affect the exercise of the right to an effective judicial remedy under Article 47 of the Charter. The provisions in this Regulation on out-of-court dispute settlement should not require Member States to establish such out-of-court settlement bodies.
(60) For contractual consumer-to-business disputes regarding the purchase of goods or services, Directive 2013/11/EU ensures that Union consumers and businesses in the Union have access to quality-certified alternative dispute resolution entities. In this regard, it should be clarified that the rules of this Regulation on out-of-court dispute settlement are without prejudice to that Directive, including the right of consumers under that Directive to withdraw from the procedure at any stage if they are dissatisfied with the performance or the operation of the procedure.
(61) Action against illegal content can be taken more quickly and reliably where providers of online platforms take the necessary measures to ensure that notices submitted by trusted flaggers, acting within their designated area of expertise, through the notice and action mechanisms required by this Regulation are treated with priority, without prejudice to the requirement to process and decide upon all notices submitted under those mechanisms in a timely, diligent and non-arbitrary manner. Such trusted flagger status should be awarded by the Digital Services Coordinator of the Member State in which the applicant is established and should be recognised by all providers of online platforms within the scope of this Regulation. Such trusted flagger status should only be awarded to entities, and not individuals, that have demonstrated, among other things, that they have particular expertise and competence in tackling illegal content and that they work in a diligent, accurate and objective manner. Such entities can be public in nature, such as, for terrorist content, internet referral units of national law enforcement authorities or of the European Union Agency for Law Enforcement Cooperation (‘Europol’) or they can be non-governmental organisations and private or semi-public bodies such as the organisations part of the INHOPE network of hotlines for reporting child sexual abuse material and organisations committed to notifying illegal racist and xenophobic expressions online. To avoid diminishing the added value of such mechanism, the overall number of trusted flaggers awarded in accordance with this Regulation should be limited. In particular, industry associations representing their members’ interests are encouraged to apply for the status of trusted flaggers, without prejudice to the right of private entities or individuals to enter into bilateral agreements with the providers of online platforms.
(62) Trusted flaggers should publish easily comprehensible and detailed reports on notices submitted in accordance with this Regulation. Those reports should indicate information such as the number of notices categorised by the provider of hosting services, the type of content, and the action taken by the provider. Given that trusted flaggers have demonstrated expertise and competence, the processing of notices submitted by trusted flaggers can be expected to be less burdensome and therefore faster compared to notices submitted by other recipients of the service. However, the average time taken to process may still vary depending on factors including the type of illegal content, the quality of notices, and the actual technical procedures put in place for the submission of such notices. For example, while the Code of conduct on countering illegal hate speech online of 2016 sets a benchmark for the participating companies with respect to the time needed to process valid notifications for removal of illegal hate speech, other types of illegal content may take considerably different timelines for processing, depending on the specific facts and circumstances and types of illegal content at stake. In order to avoid abuses of the trusted flagger status, it should be possible to suspend such status when a Digital Services Coordinator of establishment opened an investigation based on legitimate reasons. The rules of this Regulation on trusted flaggers should not be understood to prevent providers of online platforms from giving similar treatment to notices submitted by entities or individuals that have not been awarded trusted flagger status under this Regulation, from otherwise cooperating with other entities, in accordance with the applicable law, including this Regulation and Regulation (EU) 2016/794 of the European Parliament and of the Council [^29]. The rules of this Regulation should not prevent the providers of online platforms from making use of such trusted flagger or similar mechanisms to take quick and reliable action against content that is incompatible with their terms and conditions, in particular against content that is harmful for vulnerable recipients of the service, such as minors.
(63) The misuse of online platforms by frequently providing manifestly illegal content or by frequently submitting manifestly unfounded notices or complaints under the mechanisms and systems, respectively, established under this Regulation undermines trust and harms the rights and legitimate interests of the parties concerned. Therefore, there is a need to put in place appropriate, proportionate and effective safeguards against such misuse, that need to respect the rights and legitimate interests of all parties involved, including the applicable fundamental rights and freedoms as enshrined in the Charter, in particular the freedom of expression. Information should be considered to be manifestly illegal content and notices or complaints should be considered manifestly unfounded where it is evident to a layperson, without any substantive analysis, that the content is illegal or, respectively, that the notices or complaints are unfounded.
(64) Under certain conditions, providers of online platforms should temporarily suspend their relevant activities in respect of the person engaged in abusive behaviour. This is without prejudice to the freedom by providers of online platforms to determine their terms and conditions and establish stricter measures in the case of manifestly illegal content related to serious crimes, such as child sexual abuse material. For reasons of transparency, this possibility should be set out, clearly and in sufficient detail, in the terms and conditions of the online platforms. Redress should always be open to the decisions taken in this regard by providers of online platforms and they should be subject to oversight by the competent Digital Services Coordinator. Providers of online platforms should send a prior warning before deciding on the suspension, which should include the reasons for the possible suspension and the means of redress against the decision of the providers of the online platform. When deciding on the suspension, providers of online platforms should send the statement of reasons in accordance with the rules set out in this Regulation. The rules of this Regulation on misuse should not prevent providers of online platforms from taking other measures to address the provision of illegal content by recipients of their service or other misuse of their services, including through the violation of their terms and conditions, in accordance with the applicable Union and national law. Those rules are without prejudice to any possibility to hold the persons engaged in misuse liable, including for damages, provided for in Union or national law.
(65) In view of the particular responsibilities and obligations of providers of online platforms, they should be made subject to transparency reporting obligations, which apply in addition to the transparency reporting obligations applicable to all providers of intermediary services under this Regulation. For the purposes of determining whether online platforms and online search engines may be very large online platforms or very large online search engines, respectively, that are subject to certain additional obligations under this Regulation, the transparency reporting obligations for online platforms and online search engines should include certain obligations relating to the publication and communication of information on the average monthly active recipients of the service in the Union.
(66) In order to ensure transparency and to enable scrutiny over the content moderation decisions of the providers of online platforms and monitoring the spread of illegal content online, the Commission should maintain and publish a database which contains the decisions and statements of reasons of the providers of online platforms when they remove or otherwise restrict availability of and access to information. In order to keep the database continuously updated, the providers of online platforms should submit, in a standard format, the decisions and statement of reasons without undue delay after taking a decision, to allow for real-time updates where technically possible and proportionate to the means of the online platform in question. The structured database should allow access to, and queries for, the relevant information, in particular as regards the type of alleged illegal content at stake.
(67) Dark patterns on online interfaces of online platforms are practices that materially distort or impair, either on purpose or in effect, the ability of recipients of the service to make autonomous and informed choices or decisions. Those practices can be used to persuade the recipients of the service to engage in unwanted behaviours or into undesired decisions which have negative consequences for them. Providers of online platforms should therefore be prohibited from deceiving or nudging recipients of the service and from distorting or impairing the autonomy, decision-making, or choice of the recipients of the service via the structure, design or functionalities of an online interface or a part thereof. This should include, but not be limited to, exploitative design choices to direct the recipient to actions that benefit the provider of online platforms, but which may not be in the recipients’ interests, presenting choices in a non-neutral manner, such as giving more prominence to certain choices through visual, auditory, or other components, when asking the recipient of the service for a decision. It should also include repeatedly requesting a recipient of the service to make a choice where such a choice has already been made, making the procedure of cancelling a service significantly more cumbersome than signing up to it, or making certain choices more difficult or time-consuming than others, making it unreasonably difficult to discontinue purchases or to sign out from a given online platform allowing consumers to conclude distance contracts with traders, and deceiving the recipients of the service by nudging them into decisions on transactions, or by default settings that are very difficult to change, and so unreasonably bias the decision making of the recipient of the service, in a way that distorts and impairs their autonomy, decision-making and choice. However, rules preventing dark patterns should not be understood as preventing providers to interact directly with recipients of the service and to offer new or additional services to them. Legitimate practices, for example in advertising, that are in compliance with Union law should not in themselves be regarded as constituting dark patterns. Those rules on dark patterns should be interpreted as covering prohibited practices falling within the scope of this Regulation to the extent that those practices are not already covered under Directive 2005/29/EC or Regulation (EU) 2016/679.
(68) Online advertising plays an important role in the online environment, including in relation to the provision of online platforms, where the provision of the service is sometimes in whole or in part remunerated directly or indirectly, through advertising revenues. Online advertising can contribute to significant risks, ranging from advertisements that are themselves illegal content, to contributing to financial incentives for the publication or amplification of illegal or otherwise harmful content and activities online, or the discriminatory presentation of advertisements with an impact on the equal treatment and opportunities of citizens. In addition to the requirements resulting from Article 6 of Directive 2000/31/EC, providers of online platforms should therefore be required to ensure that the recipients of the service have certain individualised information necessary for them to understand when and on whose behalf the advertisement is presented. They should ensure that the information is salient, including through standardised visual or audio marks, clearly identifiable and unambiguous for the average recipient of the service, and should be adapted to the nature of the individual service’s online interface. In addition, recipients of the service should have information directly accessible from the online interface where the advertisement is presented, on the main parameters used for determining that a specific advertisement is presented to them, providing meaningful explanations of the logic used to that end, including when this is based on profiling. Such explanations should include information on the method used for presenting the advertisement, for example whether it is contextual or other type of advertising, and, where applicable, the main profiling criteria used; it should also inform the recipient about any means available for them to change such criteria. The requirements of this Regulation on the provision of information relating to advertising is without prejudice to the application of the relevant provisions of Regulation (EU) 2016/679, in particular those regarding the right to object, automated individual decision-making, including profiling, and specifically the need to obtain consent of the data subject prior to the processing of personal data for targeted advertising. Similarly, it is without prejudice to the provisions laid down in Directive 2002/58/EC in particular those regarding the storage of information in terminal equipment and the access to information stored therein. Finally, this Regulation complements the application of the Directive 2010/13/EU which imposes measures to enable users to declare audiovisual commercial communications in user-generated videos. It also complements the obligations for traders regarding the disclosure of commercial communications deriving from Directive 2005/29/EC.
(69) When recipients of the service are presented with advertisements based on targeting techniques optimised to match their interests and potentially appeal to their vulnerabilities, this can have particularly serious negative effects. In certain cases, manipulative techniques can negatively impact entire groups and amplify societal harms, for example by contributing to disinformation campaigns or by discriminating against certain groups. Online platforms are particularly sensitive environments for such practices and they present a higher societal risk. Consequently, providers of online platforms should not present advertisements based on profiling as defined in Article 4, point (4), of Regulation (EU) 2016/679, using special categories of personal data referred to in Article 9(1) of that Regulation, including by using profiling categories based on those special categories. This prohibition is without prejudice to the obligations applicable to providers of online platforms or any other service provider or advertiser involved in the dissemination of the advertisements under Union law on protection of personal data.
(70) A core part of the online platform’s business is the manner in which information is prioritised and presented on its online interface to facilitate and optimise access to information for the recipients of the service. This is done, for example, by algorithmically suggesting, ranking and prioritising information, distinguishing through text or other visual representations, or otherwise curating information provided by recipients. Such recommender systems can have a significant impact on the ability of recipients to retrieve and interact with information online, including to facilitate the search of relevant information for recipients of the service and contribute to an improved user experience. They also play an important role in the amplification of certain messages, the viral dissemination of information and the stimulation of online behaviour. Consequently, online platforms should consistently ensure that recipients of their service are appropriately informed about how recommender systems impact the way information is displayed, and can influence how information is presented to them. They should clearly present the parameters for such recommender systems in an easily comprehensible manner to ensure that the recipients of the service understand how information is prioritised for them. Those parameters should include at least the most important criteria in determining the information suggested to the recipient of the service and the reasons for their respective importance, including where information is prioritised based on profiling and their online behaviour.
(71) The protection of minors is an important policy objective of the Union. An online platform can be considered to be accessible to minors when its terms and conditions permit minors to use the service, when its service is directed at or predominantly used by minors, or where the provider is otherwise aware that some of the recipients of its service are minors, for example because it already processes personal data of the recipients of its service revealing their age for other purposes. Providers of online platforms used by minors should take appropriate and proportionate measures to protect minors, for example by designing their online interfaces or parts thereof with the highest level of privacy, safety and security for minors by default where appropriate or adopting standards for protection of minors, or participating in codes of conduct for protecting minors. They should consider best practices and available guidance, such as that provided by the communication of the Commission on A Digital Decade for children and youth: the new European strategy for a better internet for kids (BIK+). Providers of online platforms should not present advertisements based on profiling using personal data of the recipient of the service when they are aware with reasonable certainty that the recipient of the service is a minor. In accordance with Regulation (EU) 2016/679, notably the principle of data minimisation as provided for in Article 5(1), point (c), thereof, this prohibition should not lead the provider of the online platform to maintain, acquire or process more personal data than it already has in order to assess if the recipient of the service is a minor. Thus, this obligation should not incentivize providers of online platforms to collect the age of the recipient of the service prior to their use. It should be without prejudice to Union law on protection of personal data.
(72) In order to contribute to a safe, trustworthy and transparent online environment for consumers, as well as for other interested parties such as competing traders and holders of intellectual property rights, and to deter traders from selling products or services in violation of the applicable rules, online platforms allowing consumers to conclude distance contracts with traders should ensure that such traders are traceable. The trader should therefore be required to provide certain essential information to the providers of online platforms allowing consumers to conclude distance contracts with traders, including for purposes of promoting messages on or offering products. That requirement should also be applicable to traders that promote messages on products or services on behalf of brands, based on underlying agreements. Those providers of online platforms should store all information in a secure manner for the duration of their contractual relationship with the trader and 6 months thereafter, to allow any claims to be filed against the trader or orders related to the trader to be complied with. This obligation is necessary and proportionate, so that the information can be accessed, in accordance with the applicable law, including on the protection of personal data, by public authorities and private parties with a legitimate interest, including through the orders to provide information referred to in this Regulation. This obligation leaves unaffected potential obligations to preserve certain content for longer periods of time, on the basis of other Union law or national laws, in compliance with Union law. Without prejudice to the definition provided for in this Regulation, any trader, irrespective of whether it is a natural or legal person, identified on the basis of Article 6a### Recital 1 (1) , point (b), of Directive 2011/83/EU and Article 7(4), point (f), of Directive 2005/29/EC should be traceable when offering a product or service through an online platform. Directive 2000/31/EC obliges all information society services providers to render easily, directly and permanently accessible to the recipients of the service and competent authorities certain information allowing the identification of all providers. The traceability requirements for providers of online platforms allowing consumers to conclude distance contracts with traders set out in this Regulation do not affect the application of Council Directive (EU) 2021/514 [^30], which pursues other legitimate public interest objectives.
(73) To ensure an efficient and adequate application of that obligation, without imposing any disproportionate burdens, providers of online platforms allowing consumers to conclude distance contracts with traders should make best efforts to assess the reliability of the information provided by the traders concerned, in particular by using freely available official online databases and online interfaces, such as national trade registers and the VAT Information Exchange System, or request the traders concerned to provide trustworthy supporting documents, such as copies of identity documents, certified payment accounts’ statements, company certificates and trade register certificates. They may also use other sources, available for use at a distance, which offer a similar degree of reliability for the purpose of complying with this obligation. However, the providers of online platforms concerned should not be required to engage in excessive or costly online fact-finding exercises or to carry out disproportionate verifications on the spot. Nor should such providers, which have made the best efforts required by this Regulation, be understood as guaranteeing the reliability of the information towards consumer or other interested parties.
(74) Providers of online platforms allowing consumers to conclude distance contracts with traders should design and organise their online interface in a way that enables traders to comply with their obligations under relevant Union law, in particular the requirements set out in Articles 6 and 8 of Directive 2011/83/EU, Article 7 of Directive 2005/29/EC, Articles 5 and 6 of Directive 2000/31/EC and Article 3 of Directive 98/6/EC of the European Parliament and of the Council [^31]. For that purpose, the providers of online platforms concerned should make best efforts to assess whether the traders using their services have uploaded complete information on their online interfaces, in line with relevant applicable Union law. The providers of online platforms should ensure that products or services are not offered as long as such information is not complete. This should not amount to an obligation for the providers of online platforms concerned to generally monitor the products or services offered by traders through their services nor a general fact-finding obligation, in particular to assess the accuracy of the information provided by traders. The online interfaces should be user-friendly and easily accessible for traders and consumers. Additionally and after allowing the offering of the product or service by the trader, the providers of online platforms concerned should make reasonable efforts to randomly check whether the products or services offered have been identified as being illegal in any official, freely accessible and machine-readable online databases or online interfaces available in a Member State or in the Union. The Commission should also encourage traceability of products through technology solutions such as digitally signed Quick Response codes (or ‘QR codes’) or non-fungible tokens. The Commission should promote the development of standards and, in the absence of them, of market led solutions which can be acceptable to the parties concerned.
(75) Given the importance of very large online platforms, due to their reach, in particular as expressed in the number of recipients of the service, in facilitating public debate, economic transactions and the dissemination to the public of information, opinions and ideas and in influencing how recipients obtain and communicate information online, it is necessary to impose specific obligations on the providers of those platforms, in addition to the obligations applicable to all online platforms. Due to their critical role in locating and making information retrievable online, it is also necessary to impose those obligations, to the extent they are applicable, on the providers of very large online search engines. Those additional obligations on providers of very large online platforms and of very large online search engines are necessary to address those public policy concerns, there being no alternative and less restrictive measures that would effectively achieve the same result.
(76) Very large online platforms and very large online search engines may cause societal risks, different in scope and impact from those caused by smaller platforms. Providers of such very large online platforms and of very large online search engines should therefore bear the highest standard of due diligence obligations, proportionate to their societal impact. Once the number of active recipients of an online platform or of active recipients of an online search engine, calculated as an average over a period of six months, reaches a significant share of the Union population, the systemic risks the online platform or online search engine poses may have a disproportionate impact in the Union. Such significant reach should be considered to exist where such number exceeds an operational threshold set at 45 million, that is, a number equivalent to 10 % of the Union population. This operational threshold should be kept up to date and therefore the Commission should be empowered to supplement the provisions of this Regulation by adopting delegated acts, where necessary.
(77) In order to determine the reach of a given online platform or online search engine, it is necessary to establish the average number of active recipients of each service individually. Accordingly, the number of average monthly active recipients of an online platform should reflect all the recipients actually engaging with the service at least once in a given period of time, by being exposed to information disseminated on the online interface of the online platform, such as viewing it or listening to it, or by providing information, such as traders on an online platforms allowing consumers to conclude distance contracts with traders. For the purposes of this Regulation, engagement is not limited to interacting with information by clicking on, commenting, linking, sharing, purchasing or carrying out transactions on an online platform. Consequently, the concept of active recipient of the service does not necessarily coincide with that of a registered user of a service. As regards online search engines, the concept of active recipients of the service should cover those who view information on their online interface, but not, for example, the owners of the websites indexed by an online search engine, as they do not actively engage with the service. The number of active recipients of a service should include all unique recipients of the service that engage with the specific service. To this effect, a recipient of the service that uses different online interfaces, such as websites or applications, including where the services are accessed through different uniform resource locators (URLs) or domain names, should, where possible, be counted only once. However, the concept of active recipient of the service should not include incidental use of the service by recipients of other providers of intermediary services that indirectly make available information hosted by the provider of online platforms through linking or indexing by a provider of online search engine. Further, this Regulation does not require providers of online platforms or of online search engines to perform specific tracking of individuals online. Where such providers are able to discount automated users such as bots or scrapers without further processing of personal data and tracking, they may do so. The determination of the number of active recipients of the service can be impacted by market and technical developments and therefore the Commission should be empowered to supplement the provisions of this Regulation by adopting delegated acts laying down the methodology to determine the active recipients of an online platform or of an online search engine, where necessary, reflecting the nature of the service and the way recipients of the service interact with it.
(78) In view of the network effects characterising the platform economy, the user base of an online platform or an online search engine may quickly expand and reach the dimension of a very large online platform or a very large online search engine, with the related impact on the internal market. This may be the case in the event of exponential growth experienced in short periods of time, or by a large global presence and turnover allowing the online platform or the online search engine to fully exploit network effects and economies of scale and of scope. A high annual turnover or market capitalisation can in particular be an indication of fast scalability in terms of user reach. In those cases, the Digital Services Coordinator of establishment or the Commission should be able to request more frequent reporting from the provider of the online platform or of the online search engine on the number of active recipients of the service to be able to timely identify the moment at which that platform or that search engine should be designated as a very large online platform or very large online search engine, respectively, for the purposes of this Regulation.
(79) Very large online platforms and very large online search engines can be used in a way that strongly influences safety online, the shaping of public opinion and discourse, as well as online trade. The way they design their services is generally optimised to benefit their often advertising-driven business models and can cause societal concerns. Effective regulation and enforcement is necessary in order to effectively identify and mitigate the risks and the societal and economic harm that may arise. Under this Regulation, providers of very large online platforms and of very large online search engines should therefore assess the systemic risks stemming from the design, functioning and use of their services, as well as from potential misuses by the recipients of the service, and should take appropriate mitigating measures in observance of fundamental rights. In determining the significance of potential negative effects and impacts, providers should consider the severity of the potential impact and the probability of all such systemic risks. For example, they could assess whether the potential negative impact can affect a large number of persons, its potential irreversibility, or how difficult it is to remedy and restore the situation prevailing prior to the potential impact.
(80) Four categories of systemic risks should be assessed in-depth by the providers of very large online platforms and of very large online search engines. A first category concerns the risks associated with the dissemination of illegal content, such as the dissemination of child sexual abuse material or illegal hate speech or other types of misuse of their services for criminal offences, and the conduct of illegal activities, such as the sale of products or services prohibited by Union or national law, including dangerous or counterfeit products, or illegally-traded animals. For example, such dissemination or activities may constitute a significant systemic risk where access to illegal content may spread rapidly and widely through accounts with a particularly wide reach or other means of amplification. Providers of very large online platforms and of very large online search engines should assess the risk of dissemination of illegal content irrespective of whether or not the information is also incompatible with their terms and conditions. This assessment is without prejudice to the personal responsibility of the recipient of the service of very large online platforms or of the owners of websites indexed by very large online search engines for possible illegality of their activity under the applicable law.
(81) A second category concerns the actual or foreseeable impact of the service on the exercise of fundamental rights, as protected by the Charter, including but not limited to human dignity, freedom of expression and of information, including media freedom and pluralism, the right to private life, data protection, the right to non-discrimination, the rights of the child and consumer protection. Such risks may arise, for example, in relation to the design of the algorithmic systems used by the very large online platform or by the very large online search engine or the misuse of their service through the submission of abusive notices or other methods for silencing speech or hampering competition. When assessing risks to the rights of the child, providers of very large online platforms and of very large online search engines should consider for example how easy it is for minors to understand the design and functioning of the service, as well as how minors can be exposed through their service to content that may impair minors’ health, physical, mental and moral development. Such risks may arise, for example, in relation to the design of online interfaces which intentionally or unintentionally exploit the weaknesses and inexperience of minors or which may cause addictive behaviour.
(82) A third category of risks concerns the actual or foreseeable negative effects on democratic processes, civic discourse and electoral processes, as well as public security.
(83) A fourth category of risks stems from similar concerns relating to the design, functioning or use, including through manipulation, of very large online platforms and of very large online search engines with an actual or foreseeable negative effect on the protection of public health, minors and serious negative consequences to a person’s physical and mental well-being, or on gender-based violence. Such risks may also stem from coordinated disinformation campaigns related to public health, or from online interface design that may stimulate behavioural addictions of recipients of the service.
(84) When assessing such systemic risks, providers of very large online platforms and of very large online search engines should focus on the systems or other elements that may contribute to the risks, including all the algorithmic systems that may be relevant, in particular their recommender systems and advertising systems, paying attention to the related data collection and use practices. They should also assess whether their terms and conditions and the enforcement thereof are appropriate, as well as their content moderation processes, technical tools and allocated resources. When assessing the systemic risks identified in this Regulation, those providers should also focus on the information which is not illegal, but contributes to the systemic risks identified in this Regulation. Such providers should therefore pay particular attention on how their services are used to disseminate or amplify misleading or deceptive content, including disinformation. Where the algorithmic amplification of information contributes to the systemic risks, those providers should duly reflect this in their risk assessments. Where risks are localised or there are linguistic differences, those providers should also account for this in their risk assessments. Providers of very large online platforms and of very large online search engines should, in particular, assess how the design and functioning of their service, as well as the intentional and, oftentimes, coordinated manipulation and use of their services, or the systemic infringement of their terms of service, contribute to such risks. Such risks may arise, for example, through the inauthentic use of the service, such as the creation of fake accounts, the use of bots or deceptive use of a service, and other automated or partially automated behaviours, which may lead to the rapid and widespread dissemination to the public of information that is illegal content or incompatible with an online platform’s or online search engine’s terms and conditions and that contributes to disinformation campaigns.
(85) In order to make it possible that subsequent risk assessments build on each other and show the evolution of the risks identified, as well as to facilitate investigations and enforcement actions, providers of very large online platforms and of very large online search engines should preserve all supporting documents relating to the risk assessments that they carried out, such as information regarding the preparation thereof, underlying data and data on the testing of their algorithmic systems.
(86) Providers of very large online platforms and of very large online search engines should deploy the necessary means to diligently mitigate the systemic risks identified in the risk assessments, in observance of fundamental rights. Any measures adopted should respect the due diligence requirements of this Regulation and be reasonable and effective in mitigating the specific systemic risks identified. They should be proportionate in light of the economic capacity of the provider of the very large online platform or of the very large online search engine and the need to avoid unnecessary restrictions on the use of their service, taking due account of potential negative effects on those fundamental rights. Those providers should give particular consideration to the impact on freedom of expression.
(87) Providers of very large online platforms and of very large online search engines should consider under such mitigating measures, for example, adapting any necessary design, feature or functioning of their service, such as the online interface design. They should adapt and apply their terms and conditions, as necessary, and in accordance with the rules of this Regulation on terms and conditions. Other appropriate measures could include adapting their content moderation systems and internal processes or adapting their decision-making processes and resources, including the content moderation personnel, their training and local expertise. This concerns in particular the speed and quality of processing of notices. In this regard, for example, the Code of conduct on countering illegal hate speech online of 2016 sets a benchmark to process valid notifications for removal of illegal hate speech in less than 24 hours. Providers of very large online platforms, in particular those primarily used for the dissemination to the public of pornographic content, should diligently meet all their obligations under this Regulation in respect of illegal content constituting cyber violence, including illegal pornographic content, especially with regard to ensuring that victims can effectively exercise their rights in relation to content representing non-consensual sharing of intimate or manipulated material through the rapid processing of notices and removal of such content without undue delay. Other types of illegal content may require longer or shorter timelines for processing of notices, which will depend on the facts, circumstances and types of illegal content at hand. Those providers may also initiate or increase cooperation with trusted flaggers and organise training sessions and exchanges with trusted flagger organisations.
(88) Providers of very large online platforms and of very large online search engines should also be diligent in the measures they take to test and, where necessary, adapt their algorithmic systems, not least their recommender systems. They may need to mitigate the negative effects of personalised recommendations and correct the criteria used in their recommendations. The advertising systems used by providers of very large online platforms and of very large online search engines can also be a catalyser for the systemic risks. Those providers should consider corrective measures, such as discontinuing advertising revenue for specific information, or other actions, such as improving the visibility of authoritative information sources, or more structurally adapting their advertising systems. Providers of very large online platforms and of very large online search engines may need to reinforce their internal processes or supervision of any of their activities, in particular as regards the detection of systemic risks, and conduct more frequent or targeted risk assessments related to new functionalities. In particular, where risks are shared across different online platforms or online search engines, they should cooperate with other service providers, including by initiating or joining existing codes of conduct or other self-regulatory measures. They should also consider awareness-raising actions, in particular where risks relate to disinformation campaigns.
(89) Providers of very large online platforms and of very large online search engines should take into account the best interests of minors in taking measures such as adapting the design of their service and their online interface, especially when their services are aimed at minors or predominantly used by them. They should ensure that their services are organised in a way that allows minors to access easily mechanisms provided for in this Regulation, where applicable, including notice and action and complaint mechanisms. They should also take measures to protect minors from content that may impair their physical, mental or moral development and provide tools that enable conditional access to such information. In selecting the appropriate mitigation measures, providers can consider, where appropriate, industry best practices, including as established through self-regulatory cooperation, such as codes of conduct, and should take into account the guidelines from the Commission.
(90) Providers of very large online platforms and of very large online search engines should ensure that their approach to risk assessment and mitigation is based on the best available information and scientific insights and that they test their assumptions with the groups most impacted by the risks and the measures they take. To this end, they should, where appropriate, conduct their risk assessments and design their risk mitigation measures with the involvement of representatives of the recipients of the service, representatives of groups potentially impacted by their services, independent experts and civil society organisations. They should seek to embed such consultations into their methodologies for assessing the risks and designing mitigation measures, including, as appropriate, surveys, focus groups, round tables, and other consultation and design methods. In the assessment on whether a measure is reasonable, proportionate and effective, special consideration should be given to the right to freedom of expression.
(91) In times of crisis, there might be a need for certain specific measures to be taken urgently by providers of very large online platforms, in addition to measures they would be taking in view of their other obligations under this Regulation. In that regard, a crisis should be considered to occur when extraordinary circumstances occur that can lead to a serious threat to public security or public health in the Union or significant parts thereof. Such crises could result from armed conflicts or acts of terrorism, including emerging conflicts or acts of terrorism, natural disasters such as earthquakes and hurricanes, as well as from pandemics and other serious cross-border threats to public health. The Commission should be able to require, upon recommendation by the European Board for Digital Services (‘the Board’), providers of very large online platforms and providers of very large search engines to initiate a crisis response as a matter of urgency. Measures that those providers may identify and consider applying may include, for example, adapting content moderation processes and increasing the resources dedicated to content moderation, adapting terms and conditions, relevant algorithmic systems and advertising systems, further intensifying cooperation with trusted flaggers, taking awareness-raising measures and promoting trusted information and adapting the design of their online interfaces. The necessary requirements should be provided for to ensure that such measures are taken within a very short time frame and that the crisis response mechanism is only used where, and to the extent that, this is strictly necessary and any measures taken under this mechanism are effective and proportionate, taking due account of the rights and legitimate interests of all parties concerned. The use of the mechanism should be without prejudice to the other provisions of this Regulation, such as those on risk assessments and mitigation measures and the enforcement thereof and those on crisis protocols.
(92) Given the need to ensure verification by independent experts, providers of very large online platforms and of very large online search engines should be accountable, through independent auditing, for their compliance with the obligations laid down by this Regulation and, where relevant, any complementary commitments undertaken pursuant to codes of conduct and crises protocols. In order to ensure that audits are carried out in an effective, efficient and timely manner, providers of very large online platforms and of very large online search engines should provide the necessary cooperation and assistance to the organisations carrying out the audits, including by giving the auditor access to all relevant data and premises necessary to perform the audit properly, including, where appropriate, to data related to algorithmic systems, and by answering oral or written questions. Auditors should also be able to make use of other sources of objective information, including studies by vetted researchers. Providers of very large online platforms and of very large online search engines should not undermine the performance of the audit. Audits should be performed according to best industry practices and high professional ethics and objectivity, with due regard, as appropriate, to auditing standards and codes of practice. Auditors should guarantee the confidentiality, security and integrity of the information, such as trade secrets, that they obtain when performing their tasks. This guarantee should not be a means to circumvent the applicability of audit obligations in this Regulation. Auditors should have the necessary expertise in the area of risk management and technical competence to audit algorithms. They should be independent, in order to be able to perform their tasks in an adequate and trustworthy manner. They should comply with core independence requirements for prohibited non-auditing services, firm rotation and non-contingent fees. If their independence and technical competence is not beyond doubt, they should resign or abstain from the audit engagement.
(93) The audit report should be substantiated, in order to give a meaningful account of the activities undertaken and the conclusions reached. It should help inform, and where appropriate suggest improvements to the measures taken by the providers of the very large online platform and of the very large online search engine to comply with their obligations under this Regulation. The audit report should be transmitted to the Digital Services Coordinator of establishment, the Commission and the Board following the receipt of the audit report. Providers should also transmit upon completion without undue delay each of the reports on the risk assessment and the mitigation measures, as well as the audit implementation report of the provider of the very large online platform or of the very large online search engine showing how they have addressed the audit’s recommendations. The audit report should include an audit opinion based on the conclusions drawn from the audit evidence obtained. A ‘positive opinion’ should be given where all evidence shows that the provider of the very large online platform or of the very large online search engine complies with the obligations laid down by this Regulation or, where applicable, any commitments it has undertaken pursuant to a code of conduct or crisis protocol, in particular by identifying, evaluating and mitigating the systemic risks posed by its system and services. A ‘positive opinion’ should be accompanied by comments where the auditor wishes to include remarks that do not have a substantial effect on the outcome of the audit. A ‘negative opinion’ should be given where the auditor considers that the provider of the very large online platform or of the very large online search engine does not comply with this Regulation or the commitments undertaken. Where the audit opinion could not reach a conclusion for specific elements that fall within the scope of the audit, an explanation of reasons for the failure to reach such a conclusion should be included in the audit opinion. Where applicable, the report should include a description of specific elements that could not be audited, and an explanation of why these could not be audited.
(94) The obligations on assessment and mitigation of risks should trigger, on a case-by-case basis, the need for providers of very large online platforms and of very large online search engines to assess and, where necessary, adjust the design of their recommender systems, for example by taking measures to prevent or minimise biases that lead to the discrimination of persons in vulnerable situations, in particular where such adjustment is in accordance with data protection law and when the information is personalised on the basis of special categories of personal data referred to in Article 9 of the Regulation (EU) 2016/679. In addition, and complementing the transparency obligations applicable to online platforms as regards their recommender systems, providers of very large online platforms and of very large online search engines should consistently ensure that recipients of their service enjoy alternative options which are not based on profiling, within the meaning of Regulation (EU) 2016/679, for the main parameters of their recommender systems. Such choices should be directly accessible from the online interface where the recommendations are presented.
(95) Advertising systems used by very large online platforms and very large online search engines pose particular risks and require further public and regulatory supervision on account of their scale and ability to target and reach recipients of the service based on their behaviour within and outside that platform’s or search engine’s online interface. Very large online platforms or very large online search engines should ensure public access to repositories of advertisements presented on their online interfaces to facilitate supervision and research into emerging risks brought about by the distribution of advertising online, for example in relation to illegal advertisements or manipulative techniques and disinformation with a real and foreseeable negative impact on public health, public security, civil discourse, political participation and equality. Repositories should include the content of advertisements, including the name of the product, service or brand and the subject matter of the advertisement, and related data on the advertiser, and, if different, the natural or legal person who paid for the advertisement, and the delivery of the advertisement, in particular where targeted advertising is concerned. This information should include both information about targeting criteria and delivery criteria, in particular when advertisements are delivered to persons in vulnerable situations, such as minors.
(96) In order to appropriately monitor and assess the compliance of very large online platforms and of very large online search engines with the obligations laid down by this Regulation, the Digital Services Coordinator of establishment or the Commission may require access to or reporting of specific data, including data related to algorithms. Such a requirement may include, for example, the data necessary to assess the risks and possible harms brought about by the very large online platform’s or the very large online search engine’s systems, data on the accuracy, functioning and testing of algorithmic systems for content moderation, recommender systems or advertising systems, including, where appropriate, training data and algorithms, or data on processes and outputs of content moderation or of internal complaint-handling systems within the meaning of this Regulation. Such data access requests should not include requests to produce specific information about individual recipients of the service for the purpose of determining compliance of such recipients with other applicable Union or national law. Investigations by researchers on the evolution and severity of online systemic risks are particularly important for bridging information asymmetries and establishing a resilient system of risk mitigation, informing providers of online platforms, providers of online search engines, Digital Services Coordinators, other competent authorities, the Commission and the public.
(97) This Regulation therefore provides a framework for compelling access to data from very large online platforms and very large online search engines to vetted researchers affiliated to a research organisation within the meaning of Article 2 of Directive (EU) 2019/790, which may include, for the purpose of this Regulation, civil society organisations that are conducting scientific research with the primary goal of supporting their public interest mission. All requests for access to data under that framework should be proportionate and appropriately protect the rights and legitimate interests, including the protection of personal data, trade secrets and other confidential information, of the very large online platform or of the very large online search engine and any other parties concerned, including the recipients of the service. However, to ensure that the objective of this Regulation is achieved, consideration of the commercial interests of providers should not lead to a refusal to provide access to data necessary for the specific research objective pursuant to a request under this Regulation. In this regard, whilst without prejudice to Directive (EU) 2016/943 of the European Parliament and of the Council [^32], providers should ensure appropriate access for researchers, including, where necessary, by taking technical protections such as through data vaults. Data access requests could cover, for example, the number of views or, where relevant, other types of access to content by recipients of the service prior to its removal by the providers of very large online platforms or of very large online search engines.
(98) In addition, where data is publicly accessible, such providers should not prevent researchers meeting an appropriate subset of criteria from using this data for research purposes that contribute to the detection, identification and understanding of systemic risks. They should provide access to such researchers including, where technically possible, in real-time, to the publicly accessible data, for example on aggregated interactions with content from public pages, public groups, or public figures, including impression and engagement data such as the number of reactions, shares, comments from recipients of the service. Providers of very large online platforms or of very large online search engines should be encouraged to cooperate with researchers and provide broader access to data for monitoring societal concerns through voluntary efforts, including through commitments and procedures agreed under codes of conduct or crisis protocols. Those providers and researchers should pay particular attention to the protection of personal data, and ensure that any processing of personal data complies with Regulation (EU) 2016/679. Providers should anonymise or pseudonymise personal data except in those cases that would render impossible the research purpose pursued.
(99) Given the complexity of the functioning of the systems deployed and the systemic risks they present to society, providers of very large online platforms and of very large online search engines should establish a compliance function, which should be independent from the operational functions of those providers. The head of the compliance function should report directly to the management of those providers, including for concerns of non-compliance with this Regulation. The compliance officers that are part of the compliance function should have the necessary qualifications, knowledge, experience and ability to operationalise measures and monitor the compliance with this Regulation within the organisation of the providers of very large online platform or of very large online search engine. Providers of very large online platforms and of very large online search engines should ensure that the compliance function is involved, properly and in a timely manner, in all issues which relate to this Regulation including in the risk assessment and mitigation strategy and specific measures, as well as assessing compliance, where applicable, with commitments made by those providers under the codes of conduct and crisis protocols they subscribe to.
(100) In view of the additional risks relating to their activities and their additional obligations under this Regulation, additional transparency requirements should apply specifically to very large online platforms and very large online search engines, notably to report comprehensively on the risk assessments performed and subsequent measures adopted as provided by this Regulation.
(101) The Commission should be in possession of all the necessary resources, in terms of staffing, expertise, and financial means, for the performance of its tasks under this Regulation. In order to ensure the availability of the resources necessary for the adequate supervision at Union level under this Regulation, and considering that Member States should be entitled to charge providers established in their territory a supervisory fee to in respect of the supervisory and enforcement tasks exercised by their authorities, the Commission should charge a supervisory fee, the level of which should be established on an annual basis, on very large online platforms and very large online search engines. The overall amount of the annual supervisory fee charged should be established on the basis of the overall amount of the costs incurred by the Commission to exercise its supervisory tasks under this Regulation, as reasonably estimated beforehand. Such amount should include costs relating to the exercise of the specific powers and tasks of supervision, investigation, enforcement and monitoring in respect of providers of very large online platforms and of very large online search engines, including costs related to the designation of very large online platforms and of very large online search engines or to the set up, maintenance and operation of the databases envisaged under this Regulation. It should also include costs relating to the set-up, maintenance and operation of the basic information and institutional infrastructure for the cooperation among Digital Services Coordinators, the Board and the Commission, taking into account the fact that in view of their size and reach very large online platforms and very large online search engines have a significant impact on the resources needed to support such infrastructure. The estimation of the overall costs should take into account the supervisory costs incurred in the previous year including, where applicable, those costs exceeding the individual annual supervisory fee charged in the previous year. The external assigned revenues resulting from the annual supervisory fee could be used to finance additional human resources, such as contractual agents and seconded national experts, and other expenditure related to the fulfilment of the tasks entrusted to the Commission by this Regulation. The annual supervisory fee to be charged on providers of very large online platforms and of very large online search engines should be proportionate to the size of the service as reflected by the number of its active recipients of the service in the Union. Moreover, the individual annual supervisory fee should not exceed an overall ceiling for each provider of very large online platforms or of very large online search engines taking into account the economic capacity of the provider of the designated service or services.
(102) To facilitate the effective and consistent application of the obligations in this Regulation that may require implementation through technological means, it is important to promote voluntary standards covering certain technical procedures, where the industry can help develop standardised means to support providers of intermediary services in complying with this Regulation, such as allowing the submission of notices, including through application programming interfaces, or standards related to terms and conditions or standards relating to audits, or standards related to the interoperability of advertisement repositories. In addition, such standards could include standards related to online advertising, recommender systems, accessibility and the protection of minors online. Providers of intermediary services are free to adopt the standards, but their adoption does not presume compliance with this Regulation. At the same time, by providing best practices, such standards could in particular be useful for relatively small providers of intermediary services. The standards could distinguish between different types of illegal content or different types of intermediary services, as appropriate.
(103) The Commission and the Board should encourage the drawing-up of voluntary codes of conduct, as well as the implementation of the provisions of those codes in order to contribute to the application of this Regulation. The Commission and the Board should aim that the codes of conduct clearly define the nature of the public interest objectives being addressed, that they contain mechanisms for independent evaluation of the achievement of those objectives and that the role of relevant authorities is clearly defined. Particular attention should be given to avoiding negative effects on security, the protection of privacy and personal data, as well as to the prohibition on imposing general monitoring obligations. While the implementation of codes of conduct should be measurable and subject to public oversight, this should not impair the voluntary nature of such codes and the freedom of interested parties to decide whether to participate. In certain circumstances, it is important that very large online platforms cooperate in the drawing-up and adhere to specific codes of conduct. Nothing in this Regulation prevents other service providers from adhering to the same standards of due diligence, adopting best practices and benefitting from the guidelines provided by the Commission and the Board, by participating in the same codes of conduct.
(104) It is appropriate that this Regulation identify certain areas of consideration for such codes of conduct. In particular, risk mitigation measures concerning specific types of illegal content should be explored via self- and co-regulatory agreements. Another area for consideration is the possible negative impacts of systemic risks on society and democracy, such as disinformation or manipulative and abusive activities or any adverse effects on minors. This includes coordinated operations aimed at amplifying information, including disinformation, such as the use of bots or fake accounts for the creation of intentionally inaccurate or misleading information, sometimes with a purpose of obtaining economic gain, which are particularly harmful for vulnerable recipients of the service, such as minors. In relation to such areas, adherence to and compliance with a given code of conduct by a very large online platform or a very large online search engine may be considered as an appropriate risk mitigating measure. The refusal without proper explanations by a provider of an online platform or of an online search engine of the Commission’s invitation to participate in the application of such a code of conduct could be taken into account, where relevant, when determining whether the online platform or the online search engine has infringed the obligations laid down by this Regulation. The mere fact of participating in and implementing a given code of conduct should not in itself presume compliance with this Regulation.
(105) The codes of conduct should facilitate the accessibility of very large online platforms and very large online search engines, in compliance with Union and national law, in order to facilitate their foreseeable use by persons with disabilities. In particular, the codes of conduct could ensure that the information is presented in a perceivable, operable, understandable and robust way and that forms and measures provided pursuant to this Regulation are made available in a manner that is easy to find and accessible to persons with disabilities.
(106) The rules on codes of conduct under this Regulation could serve as a basis for already established self-regulatory efforts at Union level, including the Product Safety Pledge, the Memorandum of understanding on the sale of counterfeit goods on the internet, the Code of conduct on countering illegal hate speech online, as well as the Code of Practice on Disinformation. In particular for the latter, following the Commission’s guidance, the Code of Practice on Disinformation has been strengthened as announced in the European Democracy Action Plan.
(107) The provision of online advertising generally involves several actors, including intermediary services that connect publishers of advertisements with advertisers. Codes of conduct should support and complement the transparency obligations relating to advertising for providers of online platforms, of very large online platforms and of very large online search engines set out in this Regulation in order to provide for flexible and effective mechanisms to facilitate and enhance the compliance with those obligations, notably as concerns the modalities of the transmission of the relevant information. This should include facilitating the transmission of the information on the advertiser who pays for the advertisement when they differ from the natural or legal person on whose behalf the advertisement is presented on the online interface of an online platform. The codes of conduct should also include measures to ensure that meaningful information about the monetisation of data is appropriately shared throughout the value chain. The involvement of a wide range of stakeholders should ensure that those codes of conduct are widely supported, technically sound, effective and offer the highest levels of user-friendliness to ensure that the transparency obligations achieve their objectives. In order to ensure the effectiveness of codes of conduct, the Commission should include evaluation mechanisms in drawing up the codes of conduct. Where appropriate, the Commission may invite the Fundamental Rights Agency or the European Data Protection Supervisor to express their opinions on the respective code of conduct.
(108) In addition to the crisis response mechanism for very large online platforms and very large online search engines, the Commission may initiate the drawing up of voluntary crisis protocols to coordinate a rapid, collective and cross-border response in the online environment. Such can be the case, for example, where online platforms are misused for the rapid spread of illegal content or disinformation or where the need arises for rapid dissemination of reliable information. In light of the important role of very large online platforms in disseminating information in our societies and across borders, providers of such platforms should be encouraged in drawing up and applying specific crisis protocols. Such crisis protocols should be activated only for a limited period of time and the measures adopted should also be limited to what is strictly necessary to address the extraordinary circumstance. Those measures should be consistent with this Regulation, and should not amount to a general obligation for the participating providers of very large online platforms and of very large online search engines to monitor the information which they transmit or store, nor actively to seek facts or circumstances indicating illegal content.
(109) In order to ensure adequate oversight and enforcement of the obligations laid down in this Regulation, Member States should designate at least one authority with the task to supervise the application and enforce this Regulation, without prejudice to the possibility to designate an existing authority and to its legal form in accordance with national law. Member States should, however, be able to entrust more than one competent authority, with specific supervisory or enforcement tasks and competences concerning the application of this Regulation, for example for specific sectors where existing authorities may also be empowered, such as electronic communications’ regulators, media regulators or consumer protection authorities, reflecting their domestic constitutional, organisational and administrative structure. In the exercise of their tasks, all competent authorities should contribute to the achievement of the objectives of this Regulation, namely to the proper functioning of the internal market for intermediary services where the harmonised rules for a safe, predictable and trusted online environment that facilitates innovation, and in particular the due diligence obligations applicable to different categories of providers of intermediary services, are effectively supervised and enforced, with a view to ensure that fundamental rights, as enshrined in the Charter, including the principle of consumer protection, are effectively protected. This Regulation does not require Member States to confer on competent authorities the task to adjudicate on the lawfulness of specific items of content.
(110) Given the cross-border nature of the services at stake and the horizontal range of obligations introduced by this Regulation, one authority appointed with the task of supervising the application and, where necessary, enforcing this Regulation should be identified as a Digital Services Coordinator in each Member State. Where more than one competent authority is appointed to supervise the application of, and enforce, this Regulation, only one authority in that Member State should be designated as a Digital Services Coordinator. The Digital Services Coordinator should act as the single contact point with regard to all matters related to the application of this Regulation for the Commission, the Board, the Digital Services Coordinators of other Member States, as well as for other competent authorities of the Member State in question. In particular, where several competent authorities are entrusted with tasks under this Regulation in a given Member State, the Digital Services Coordinator should coordinate and cooperate with those authorities in accordance with the national law setting their respective tasks and without prejudice to the independent assessment of the other competent authorities. While not entailing any hierarchical supraordination over other competent authorities in the exercise of their tasks, the Digital Services Coordinator should ensure effective involvement of all relevant competent authorities and should timely report their assessment in the context of cooperation on supervision and enforcement at Union level. Moreover, in addition to the specific mechanisms provided for in this Regulation as regards cooperation at Union level, Member State should also ensure cooperation among the Digital Services Coordinator and other competent authorities designated at national level, where applicable, through appropriate tools, such as by pooling of resources, joint task forces, joint investigations and mutual assistance mechanisms.
(111) The Digital Services Coordinator, as well as other competent authorities designated under this Regulation, play a crucial role in ensuring the effectiveness of the rights and obligations laid down in this Regulation and the achievement of its objectives. Accordingly, it is necessary to ensure that those authorities have the necessary means, including financial and human resources, to supervise all the providers of intermediary services falling within their competence, in the interest of all Union citizens. Given the variety of providers of intermediary services and their use of advanced technology in providing their services, it is also essential that the Digital Services Coordinator and the relevant competent authorities are equipped with the necessary number of staff and experts with specialised skills and advanced technical means, and that they autonomously manage financial resources to carry out their tasks. Furthermore, the level of resources should take into account the size, complexity and potential societal impact of the providers of intermediary services falling within their competence, as well as the reach of their services across the Union. This Regulation is without prejudice to the possibility for Member States to establish funding mechanisms based on a supervisory fee charged to providers of intermediary services under national law in compliance with Union law, to the extent that it is levied on providers of intermediary services having their main establishment in the Member State in question, that it is strictly limited to what is necessary and proportionate to cover the costs for the fulfilment of the tasks conferred upon the competent authorities pursuant to this Regulation, with the exclusion of the tasks conferred upon the Commission, and that adequate transparency is ensured regarding the levying and the use of such a supervisory fee.
(112) The competent authorities designated under this Regulation should also act in complete independence from private and public bodies, without the obligation or possibility to seek or receive instructions, including from the government, and without prejudice to the specific duties to cooperate with other competent authorities, the Digital Services Coordinators, the Board and the Commission. On the other hand, the independence of those authorities should not mean that they cannot be subject, in accordance with national constitutions and without endangering the achievement of the objectives of this Regulation, to proportionate accountability mechanisms regarding the general activities of the Digital Services Coordinators, such as their financial expenditure or reporting to the national parliaments. The requirement of independence should also not prevent the exercise of judicial review, or the possibility to consult or regularly exchange views with other national authorities, including law enforcement authorities, crisis management authorities or consumer protection authorities, where appropriate, in order to inform each other about ongoing investigations, without affecting the exercise of their respective powers.
(113) Member States can designate an existing national authority with the function of the Digital Services Coordinator, or with specific tasks to supervise the application and enforce this Regulation, provided that any such appointed authority complies with the requirements laid down in this Regulation, such as in relation to its independence. Moreover, Member States are in principle not precluded from merging functions within an existing authority, in accordance with Union law. The measures to that effect may include, inter alia, the preclusion to dismiss the president or a board member of a collegiate body of an existing authority before the expiry of their terms of office, on the sole ground that an institutional reform has taken place involving the merger of different functions within one authority, in the absence of any rules guaranteeing that such dismissals do not jeopardise the independence and impartiality of such members.
(114) Member States should provide the Digital Services Coordinator, and any other competent authority designated under this Regulation, with sufficient powers and means to ensure effective investigation and enforcement, in accordance with the tasks conferred on them. This includes the power of competent authorities to adopt interim measures in accordance with national law in case of risk of serious harm. Such interim measures, which may include orders to terminate or remedy a given alleged infringement, should not go beyond what is necessary to ensure that serious harm is prevented pending the final decision. The Digital Services Coordinators should in particular be able to search for and obtain information which is located in its territory, including in the context of joint investigations, with due regard to the fact that oversight and enforcement measures concerning a provider under the jurisdiction of another Member State or the Commission should be adopted by the Digital Services Coordinator of that other Member State, where relevant in accordance with the procedures relating to cross-border cooperation, or, where applicable, by the Commission.
(115) Member States should set out in their national law, in accordance with Union law and in particular this Regulation and the Charter, the detailed conditions and limits for the exercise of the investigatory and enforcement powers of their Digital Services Coordinators, and other competent authorities where relevant, under this Regulation.
(116) In the course of the exercise of those powers, the competent authorities should comply with the applicable national rules regarding procedures and matters such as the need for a prior judicial authorisation to enter certain premises and legal professional privilege. Those provisions should in particular ensure respect for the fundamental rights to an effective remedy and to a fair trial, including the rights of defence, and, the right to respect for private life. In this regard, the guarantees provided for in relation to the proceedings of the Commission pursuant to this Regulation could serve as an appropriate point of reference. A prior, fair and impartial procedure should be guaranteed before taking any final decision, including the right to be heard of the persons concerned, and the right to have access to the file, while respecting confidentiality and professional and business secrecy, as well as the obligation to give meaningful reasons for the decisions. This should not preclude the taking of measures, however, in duly substantiated cases of urgency and subject to appropriate conditions and procedural arrangements. The exercise of powers should also be proportionate to, inter alia the nature and the overall actual or potential harm caused by the infringement or suspected infringement. The competent authorities should take all relevant facts and circumstances of the case into account, including information gathered by competent authorities in other Member States.
(117) Member States should ensure that violations of the obligations laid down in this Regulation can be sanctioned in a manner that is effective, proportionate and dissuasive, taking into account the nature, gravity, recurrence and duration of the violation, in view of the public interest pursued, the scope and kind of activities carried out, as well as the economic capacity of the infringer. In particular, penalties should take into account whether the provider of intermediary services concerned systematically or recurrently fails to comply with its obligations stemming from this Regulation, as well as, where relevant, the number of recipients of the service affected, the intentional or negligent character of the infringement and whether the provider is active in several Member States. Where this Regulation provides for a maximum amount of fines or of a periodic penalty payment, this maximum amount should apply per infringement of this Regulation and without prejudice to the modulation of the fines or periodic penalty payments for specific infringements. Member States should ensure that the imposition of fines or periodic penalty payments in respect of infringements should in each individual case be effective, proportionate and dissuasive by setting up national rules and procedures in accordance with this Regulation, taking into account all the criteria concerning the general conditions for imposing the fines or periodic penalty payments.
(118) In order to ensure effective enforcement of the obligations laid down in this Regulation, individuals or representative organisations should be able to lodge any complaint related to compliance with those obligations with the Digital Services Coordinator in the territory where they received the service, without prejudice to this Regulation’s rules on allocation of competences and to the applicable rules on handling of complaints in accordance with national principles of good administration. Complaints could provide a faithful overview of concerns related to a particular intermediary service provider’s compliance and could also inform the Digital Services Coordinator of any more cross-cutting issues. The Digital Services Coordinator should involve other national competent authorities as well as the Digital Services Coordinator of another Member State, and in particular the one of the Member State where the provider of intermediary services concerned is established, if the issue requires cross-border cooperation.
(119) Member States should ensure that Digital Services Coordinators can take measures that are effective in addressing and proportionate to certain particularly serious and persistent infringements of this Regulation. Especially where those measures can affect the rights and interests of third parties, as may be the case in particular where the access to online interfaces is restricted, it is appropriate to require that the measures are subject to additional safeguards. In particular, third parties potentially affected should be afforded the opportunity to be heard and such orders should only be issued when powers to take such measures as provided by other acts of Union law or by national law, for instance to protect collective interests of consumers, to ensure the prompt removal of web pages containing or disseminating child pornography, or to disable access to services that are being used by a third party to infringe an intellectual property right, are not reasonably available.
(120) Such an order to restrict access should not go beyond what is necessary to achieve its objective. For that purpose, it should be temporary and be addressed in principle to a provider of intermediary services, such as the relevant hosting service provider, internet service provider or domain registry or registrar, which is in a reasonable position to achieve that objective without unduly restricting access to lawful information.
(121) Without prejudice to the provisions on the exemption from liability provided for in this Regulation as regards the information transmitted or stored at the request of a recipient of the service, a provider of intermediary services should be liable for the damages suffered by recipients of the service that are caused by an infringement of the obligations set out in this Regulation by that provider. Such compensation should be in accordance with the rules and procedures set out in the applicable national law and without prejudice to other possibilities for redress available under consumer protection rules.
(122) The Digital Services Coordinator should regularly publish, for example on its website, a report on the activities carried out under this Regulation. In particular, the report should be published in a machine-readable format and include an overview of complaints received and of their follow-up, such as the overall number of complaints received and the number of complaints that led to the opening of a formal investigation or to the transmission to other Digital Services Coordinators, without referring to any personal data. Given that the Digital Services Coordinator is also made aware of orders to take action against illegal content or to provide information regulated by this Regulation through the information sharing system, the Digital Services Coordinator should include in its annual report the number and categories of such orders addressed to providers of intermediary services issued by judicial and administrative authorities in its Member State.
(123) In the interest of clarity, simplicity and effectiveness, the powers to supervise and enforce the obligations under this Regulation should be conferred to the competent authorities in the Member State where the main establishment of the provider of intermediary services is located, that is, where the provider has its head office or registered office within which the principal financial functions and operational control are exercised. In respect of providers that are not established in the Union, but that offer services in the Union and therefore fall within the scope of this Regulation, the Member State where those providers appointed their legal representative should have competence, considering the function of legal representatives under this Regulation. In the interest of the effective application of this Regulation, all Member States or the Commission, where applicable, should, however, have competence in respect of providers that failed to designate a legal representative. That competence may be exercised by any of the competent authorities or the Commission, provided that the provider is not subject to enforcement proceedings for the same facts by another competent authority or the Commission. In order to ensure that the principle of ne bis in idem is respected, and in particular to avoid that the same infringement of the obligations laid down in this Regulation is sanctioned more than once, each Member State that intends to exercise its competence in respect of such providers should, without undue delay, inform all other authorities, including the Commission, through the information sharing system established for the purpose of this Regulation.
(124) In view of their potential impact and the challenges involved in effectively supervising them, special rules are needed regarding the supervision and enforcement in respect of providers of very large online platforms and of very large online search engines. The Commission should be responsible, with the support of national competent authorities where relevant, for oversight and public enforcement of systemic issues, such as issues with a wide impact on collective interests of recipients of the service. Therefore, the Commission should have exclusive powers of supervision and enforcement of the additional obligations to manage systemic risks imposed on providers of very large online platforms and of very large online search engines by this Regulation. The exclusive powers of the Commission should be without prejudice to certain administrative tasks assigned by this Regulation to the competent authorities of the Member State of establishment, such as the vetting of researchers.
(125) The powers of supervision and enforcement of due diligence obligations, other than the additional obligations to manage systemic risks imposed on providers of very large online platforms and of very large online search engines by this Regulation, should be shared by the Commission and by the national competent authorities. On the one hand, the Commission could in many instances be better placed to address systemic infringements committed by those providers, such as those affecting multiple Member States or serious repeated infringements or concerning a failure to establish effective mechanisms required by this Regulation. On the other hand, the competent authorities in the Member State where the main establishment of a provider of very large online platform or of very large online search engine is located could be better placed to address individual infringements committed by those providers, that do not raise any systemic or cross-border issues. In the interest of efficiency, to avoid duplication and to ensure compliance with the principle of ne bis in idem, it should be for the Commission to assess whether it deems it appropriate to exercise those shared competences in a given case and, once it has initiated proceedings, Member States should no longer have the ability to do so. Member States should cooperate closely both with each other and with the Commission, and the Commission should cooperate closely with the Member States, in order to ensure that the system of supervision and enforcement set up by this Regulation functions smoothly and effectively.
(126) The rules of this Regulation on the allocation of competence should be without prejudice to the provisions of Union law and national rules on private international law concerning jurisdiction and applicable law in civil and commercial matters, such as proceedings brought by consumers in the courts of the Member State where they are domiciled in accordance with relevant provisions of Union law. Regarding the obligations imposed by this Regulation on providers of intermediary services to inform the issuing authority of the effect given to the orders to act against illegal content and orders to provide information, the rules on allocation of competence should only apply to the supervision of enforcement of those obligations, but not to other matters related to the order, such as the competence to issue the order.
(127) Given the cross-border and cross-sectoral relevance of intermediary services, a high level of cooperation is necessary to ensure the consistent application of this Regulation and the availability of relevant information for the exercise of enforcement tasks through the information sharing system. Cooperation may take different forms depending on the issues at stake, without prejudice to specific joint investigation exercises. It is in any case necessary that the Digital Services Coordinator of establishment of a provider of intermediary services informs other Digital Services Coordinators about issues, investigations and actions which are going to be taken vis à vis such a provider. Moreover, when a competent authority in a Member State holds relevant information for an investigation carried out by the competent authorities in the Member State of establishment, or is able to gather such information located in its territory to which the competent authorities in the Member State of establishment do not have access, the Digital Services Coordinator of destination should assist the Digital Services Coordinator of establishment in a timely manner, including through the exercise of its powers of investigation in accordance with the applicable national procedures and the Charter. The addressee of such investigatory measures should comply with them and be liable in case of failure to comply, and the competent authorities in the Member State of establishment should be able to rely on the information gathered through mutual assistance, in order to ensure compliance with this Regulation.
(128) The Digital Services Coordinator of destination, in particular on the basis of complaints received or of the input of other national competent authorities where appropriate, or the Board in case of issues involving at least three Member States, should be able to ask the Digital Services Coordinator of establishment to take investigatory or enforcement actions with regard to a provider under its competence. Such requests for action should be based on well-substantiated evidence showing the existence of an alleged infringement with negative impact on collective interests of the recipients of the service in its Member State or having a negative societal impact. The Digital Services Coordinator of establishment should be able to rely on mutual assistance or invite the requesting Digital Services Coordinator to a joint investigation in case further information is needed to take a decision, without prejudice to the possibility to request the Commission to assess the matter if it has reason to suspect that a systemic infringement by a very large online platform or a very large online search engine may be at stake.
(129) The Board should be able to refer the matter to the Commission in case of any disagreement as to the assessments or the measures taken or proposed or of a failure to adopt any measures in accordance with this Regulation following a cross-border cooperation request or a joint investigation. Where the Commission, on the basis of the information made available by the concerned authorities, considers that the proposed measures, including the proposed level of fines, cannot ensure the effective enforcement of the obligations laid down in this Regulation, it should accordingly be able to express its serious doubts and request the competent Digital Services Coordinator to re-assess the matter and take the necessary measures to ensure compliance with this Regulation within a defined period. This possibility is without prejudice to the Commission’s general duty to oversee the application of, and where necessary enforce, Union law under the control of the Court of Justice of the European Union in accordance with the Treaties.
(130) In order to facilitate cross-border supervision and investigations of obligations laid down in this Regulation involving several Member States, the Digital Services Coordinators of establishment should be able, through the information sharing system, to invite other Digital Services Coordinators to a joint investigation concerning an alleged infringement of this Regulation. Other Digital Services Coordinators, and other competent authorities, where appropriate, should be able to join the investigation proposed by the Digital Services Coordinator of establishment, unless the latter considers that an excessive number of participating authorities may affect the effectiveness of the investigation taking into account the features of the alleged infringement and the lack of direct effects on the recipients of the service in those Member States. Joint investigation activities may include a variety of actions to be coordinated by the Digital Services Coordinator of establishment in accordance with the availabilities of the participating authorities, such as coordinated data gathering exercises, pooling of resources, task forces, coordinated requests for information or common inspections of premises. All competent authorities participating in a joint investigation should cooperate with the Digital Services Coordinator of establishment, including by exercising their powers of investigation within their territory, in accordance with the applicable national procedures. The joint investigation should be concluded within a given timeframe with a final report taking into account the contribution of all participating competent authorities. Also the Board, where this is requested by at least three Digital Services Coordinators of destination, may recommend to a Digital Services Coordinator of establishment to launch such joint investigation and give indications on its organisation. In order to avoid deadlocks, the Board should be able to refer the matter to the Commission in specific cases, including where the Digital Services Coordinator of establishment refuses to launch the investigation and the Board does not agree with the justification given.
(131) In order to ensure a consistent application of this Regulation, it is necessary to set up an independent advisory group at Union level, a European Board for Digital Services, which should support the Commission and help coordinate the actions of Digital Services Coordinators. The Board should consist of the Digital Services Coordinators, where these have been appointed, without prejudice to the possibility for Digital Services Coordinators to invite in its meetings or appoint ad hoc delegates from other competent authorities entrusted with specific tasks under this Regulation, where that is required pursuant to their national allocation of tasks and competences. In case of multiple participants from one Member State, the voting right should remain limited to one representative per Member State.
(132) The Board should contribute to achieving a common Union perspective on the consistent application of this Regulation and to the cooperation among competent authorities, including by advising the Commission and the Digital Services Coordinators about appropriate investigation and enforcement measures, in particular vis à vis the providers of very large online platforms or of very large online search engines and having regard, in particular, to the freedom of the providers of intermediary services to provide services across the Union. The Board should also contribute to the drafting of relevant templates and codes of conduct and to the analysis of emerging general trends in the development of digital services in the Union, including by issuing opinions or recommendations on matters related to standards.
(133) For that purpose, the Board should be able to adopt opinions, requests and recommendations addressed to Digital Services Coordinators or other competent national authorities. While not legally binding, the decision to deviate therefrom should be properly explained and could be taken into account by the Commission in assessing the compliance of the Member State concerned with this Regulation.
(134) The Board should bring together the representatives of the Digital Services Coordinators and possible other competent authorities under the chairmanship of the Commission, with a view to ensuring an assessment of matters submitted to it in a fully European dimension. In view of possible cross-cutting elements that may be of relevance for other regulatory frameworks at Union level, the Board should be allowed to cooperate with other Union bodies, offices, agencies and advisory groups with responsibilities in fields such as equality, including gender equality, and non-discrimination, data protection, electronic communications, audiovisual services, detection and investigation of frauds against the Union budget as regards custom duties, consumer protection, or competition law, as necessary for the performance of its tasks.
(135) The Commission, through the Chair, should participate in the Board without voting rights. Through the Chair, the Commission should ensure that the agenda of the meetings is set in accordance with the requests of the members of the Board as laid down in the rules of procedure and in compliance with the duties of the Board laid down in this Regulation.
(136) In view of the need to ensure support for the Board’s activities, the Board should be able to rely on the expertise and human resources of the Commission and of the competent national authorities. The specific operational arrangements for the internal functioning of the Board should be further specified in the rules of procedure of the Board.
(137) Given the importance of very large online platforms or very large online search engines, in view of their reach and impact, their failure to comply with the specific obligations applicable to them may affect a substantial number of recipients of the services across different Member States and may cause large societal harms, while such failures may also be particularly complex to identify and address. For this reason the Commission, in cooperation with the Digital Services Coordinators and the Board, should develop the Union expertise and capabilities as regards the supervision of very large online platforms or very large online search engines. The Commission should therefore be able to coordinate and rely on the expertise and resources of such authorities, for example by analysing, on a permanent or temporary basis, specific trends or issues emerging with regard to one or more very large online platforms or very large online search engines. Member States should cooperate with the Commission in developing such capabilities, including through secondment of personnel where appropriate, and contributing to the creation of a common Union supervisory capacity. In order to develop the Union expertise and capabilities, the Commission may also draw on the expertise and capabilities of the Observatory on the Online Platform Economy as set up in Commission Decision of 26 April 2018 on setting up the group of experts for the Observatory on the Online Platform Economy, relevant expert bodies, as well as centres of excellence. The Commission may invite experts with specific expertise, including in particular vetted researchers, representatives of Union agencies and bodies, industry representatives, associations representing users or civil society, international organisations, experts from the private sector, as well as other stakeholders.
(138) The Commission should be able to investigate infringements on its own initiative in accordance with the powers provided for in this Regulation, including by asking access to data, by requesting information or by performing inspections, as well as by relying on the support of the Digital Services Coordinators. Where supervision by the competent national authorities of individual alleged infringements by providers of very large online platforms or very large online search engines points to systemic issues, such as issues with a wide impact on collective interests of recipients of the service, the Digital Services Coordinators should be able to, on the basis of a duly reasoned request, refer such issues to the Commission. Such a request should contain, at least, all the necessary facts and circumstances supporting the alleged infringement and its systemic nature. Depending on the outcome of its own assessment, the Commission should be able to take the necessary investigative and enforcement measures pursuant to this Regulation, including, where relevant, launching an investigation or adopting interim measures.
(139) In order to effectively perform its tasks, the Commission should maintain a margin of discretion as to the decision to initiate proceedings against providers of very large online platforms or of very large online search engine. Once the Commission initiated the proceedings, the Digital Services Coordinators of establishment concerned should be precluded from exercising their investigative and enforcement powers in respect of the concerned conduct of the provider of the very large online platform or of very large online search engine, so as to avoid duplication, inconsistencies and risks from the viewpoint of the principle of ne bis in idem. The Commission, however, should be able to ask for the individual or joint contribution of the Digital Services Coordinators to the investigation. In accordance with the duty of sincere cooperation, the Digital Services Coordinator should make its best efforts in fulfilling justified and proportionate requests by the Commission in the context of an investigation. Moreover, the Digital Services Coordinator of establishment, as well as the Board and any other Digital Services Coordinators where relevant, should provide the Commission with all necessary information and assistance to allow it to perform its tasks effectively, including information gathered in the context of data gathering or data access exercises, to the extent that this is not precluded by the legal basis according to which the information has been gathered. Conversely, the Commission should keep the Digital Services Coordinator of establishment and the Board informed on the exercise of its powers and in particular when it intends to initiate the proceeding and exercise its investigatory powers. Moreover, when the Commission communicates its preliminary findings, including any matter to which it objects, to providers of very large online platforms or of very large online search engines concerned, it should also communicate them to the Board. The Board should provide its views on the objections and assessment made by the Commission, which should take this opinion into account in the reasoning underpinning Commission’s final decision.
(140) In view of both the particular challenges that may arise in seeking to ensure compliance by providers of very large online platforms or of very large online search engines and the importance of doing so effectively, considering their size and impact and the harms that they may cause, the Commission should have strong investigative and enforcement powers to allow it to investigate, enforce and monitor compliance with the rules laid down in this Regulation, in full respect of the fundamental right to be heard and to have access to the file in the context of enforcement proceedings, the principle of proportionality and the rights and interests of the affected parties.
(141) The Commission should be able to request information necessary for the purpose of ensuring the effective implementation of and compliance with the obligations laid down in this Regulation, throughout the Union. In particular, the Commission should have access to any relevant documents, data and information necessary to open and conduct investigations and to monitor the compliance with the relevant obligations laid down in this Regulation, irrespective of who possesses the documents, data or information in question, and regardless of their form or format, their storage medium, or the precise place where they are stored. The Commission should be able to directly require by means of a duly substantiated request for information that the provider of the very large online platform or of the very large online search engine concerned as well as any other natural or legal persons acting for purposes related to their trade, business, craft or profession that may be reasonably aware of information relating to the suspected infringement or the infringement, as applicable, provide any relevant evidence, data and information. In addition, the Commission should be able to request any relevant information from any public authority, body or agency within the Member State for the purpose of this Regulation. The Commission should be able to require access to, and explanations by means of exercise of investigatory powers, such as requests for information or interviews, relating to documents, data, information, data-bases and algorithms of relevant persons, and to interview, with their consent, any natural or legal persons who may be in possession of useful information and to record the statements made by any technical means. The Commission should also be empowered to undertake such inspections as are necessary to enforce the relevant provisions of this Regulation. Those investigatory powers aim to complement the Commission’s possibility to ask Digital Services Coordinators and other Member States’ authorities for assistance, for instance by providing information or in the exercise of those powers.
(142) Interim measures can be an important tool to ensure that, while an investigation is ongoing, the infringement being investigated does not lead to the risk of serious damage for the recipients of the service. This tool is important to avoid developments that could be very difficult to reverse by a decision taken by the Commission at the end of the proceedings. The Commission should therefore have the power to impose interim measures by decision in the context of proceedings opened in view of the possible adoption of a decision of non-compliance. This power should apply in cases where the Commission has made a prima facie finding of infringement of obligations under this Regulation by the provider of very large online platform or of very large online search engine. A decision imposing interim measures should only apply for a specified period, either one ending with the conclusion of the proceedings by the Commission, or for a fixed period which can be renewed insofar as it is necessary and appropriate.
(143) The Commission should be able to take the necessary actions to monitor the effective implementation of and compliance with the obligations laid down in this Regulation. Such actions should include the ability to appoint independent external experts and auditors to assist the Commission in this process, including where applicable from competent authorities of the Member States, such as data or consumer protection authorities. When appointing auditors, the Commission should ensure sufficient rotation.
(144) Compliance with the relevant obligations imposed under this Regulation should be enforceable by means of fines and periodic penalty payments. To that end, appropriate levels of fines and periodic penalty payments should also be laid down for non-compliance with the obligations and breach of the procedural rules, subject to appropriate limitation periods in accordance with the principles of proportionality and ne bis in idem. The Commission and the relevant national authorities should coordinate their enforcement efforts in order to ensure that those principles are respected. In particular, the Commission should take into account any fines and penalties imposed on the same legal person for the same facts through a final decision in proceedings relating to an infringement of other Union or national rules, so as to ensure that the overall fines and penalties imposed are proportionate and correspond to the seriousness of the infringements committed. All decisions taken by the Commission under this Regulation are subject to review by the Court of Justice of the European Union in accordance with the TFEU. The Court of Justice of the European Union should have unlimited jurisdiction in respect of fines and penalty payments in accordance with Article 261 TFEU.
(145) Given the potential significant societal effects of an infringement of the additional obligations to manage systemic risks that solely apply to very large online platforms and very large online search engines and in order to address those public policy concerns, it is necessary to provide for a system of enhanced supervision of any action undertaken to effectively terminate and remedy infringements of this Regulation. Therefore, once an infringement of one of the provisions of this Regulation that solely apply to very large online platforms or very large online search engines has been ascertained and, where necessary, sanctioned, the Commission should request the provider of such platform or of such search engine to draw a detailed action plan to remedy any effect of the infringement for the future and communicate such action plan within a timeline set by the Commission, to the Digital Services Coordinators, the Commission and the Board. The Commission, taking into account the opinion of the Board, should establish whether the measures included in the action plan are sufficient to address the infringement, taking also into account whether adherence to relevant code of conduct is included among the measures proposed. The Commission should also monitor any subsequent measure taken by the provider of a very large online platform or of a very large online search engine concerned as set out in its action plan, taking into account also an independent audit of the provider. If following the implementation of the action plan the Commission still considers that the infringement has not been fully remedied, or if the action plan has not been provided or is not considered suitable, it should be able to use any investigative or enforcement powers pursuant to this Regulation, including the power to impose periodic penalty payments and initiating the procedure to disable access to the infringing service.
(146) The provider of the very large online platform or of the very large online search engine concerned and other persons subject to the exercise of the Commission’s powers whose interests may be affected by a decision should be given the opportunity of submitting their observations beforehand, and the decisions taken should be widely publicised. While ensuring the rights of defence of the parties concerned, in particular, the right of access to the file, it is essential that confidential information be protected. Furthermore, while respecting the confidentiality of the information, the Commission should ensure that any information relied on for the purpose of its decision is disclosed to an extent that allows the addressee of the decision to understand the facts and considerations that led up to the decision.
(147) In order to safeguard the harmonised application and enforcement of this Regulation, it is important to ensure that national authorities, including national courts, have all necessary information to ensure that their decisions do not run counter to a decision adopted by the Commission under this Regulation. This is without prejudice to Article 267 TFEU.
(148) The effective enforcement and monitoring of this Regulation requires a seamless and real-time exchange of information among the Digital Services Coordinators, the Board and the Commission, based on the information flows and procedures set out in this Regulation. This may also warrant access to this system by other competent authorities, where appropriate. At the same time, given that the information exchanged may be confidential or involving personal data, it should remain protected from unauthorised access, in accordance with the purposes for which the information has been gathered. For this reason, all communications between those authorities should take place on the basis of a reliable and secure information sharing system, whose details should be laid down in an implementing act. The information sharing system may be based on existing internal market tools, to the extent that they can meet the objectives of this Regulation in a cost-effective manner.
(149) Without prejudice to the rights of recipients of services to turn to a representative in accordance with the Directive (EU) 2020/1828 of the European Parliament and of the Council [^33] or to any other type of representation under national law, recipients of the services should also have the right to mandate a legal person or a public body to exercise their rights provided for in this Regulation. Such rights may include the rights related to the submission of notices, the challenging of the decisions taken by providers of intermediary services, and the lodging of complaints against the providers for infringing this Regulation. Certain bodies, organisations and associations have particular expertise and competence in detecting and flagging erroneous or unjustified content moderation decisions, and their complaints on behalf of recipients of the service may have a positive impact on freedom of expression and of information in general, therefore, providers of online platforms should treat those complaints without undue delay.
(150) In the interest of effectiveness and efficiency, the Commission should carry out a general evaluation of this Regulation. In particular, that general evaluation should address, inter alia, the scope of the services covered by this Regulation, the interplay with other legal acts, the impact of this Regulation on the functioning of the internal market, in particular regarding digital services, the implementation of codes of conduct, the obligation to designate a legal representative established in the Union, the effect of the obligations on small and micro enterprises, the effectiveness of the supervision and enforcement mechanism and the impact on the right to freedom of expression and of information. In addition, to avoid disproportionate burdens and ensure the continued effectiveness of this Regulation, the Commission should perform an evaluation of the impact of the obligations set out in this Regulation on small and medium-sized enterprises within three years from the start of its application and an evaluation on the scope of the services covered by this Regulation, particularly for very large online platforms and for very large online search engines, and the interplay with other legal acts within three years from its entry into force.
(151) In order to ensure uniform conditions for the implementation of this Regulation, implementing powers should be conferred on the Commission to lay down templates concerning the form, content and other details of reports on content moderation, to establish the amount of the annual supervisory fee charged on providers of very large online platforms and of very large online search engines, to lay down the practical arrangements for the proceedings, the hearings and the negotiated disclosure of information carried out in the context of supervision, investigation, enforcement and monitoring in respect of providers of very large online platforms and of very large online search engines, as well as to lay down the practical and operational arrangements for the functioning of the information sharing system and its interoperability with other relevant systems. Those powers should be exercised in accordance with Regulation (EU) No 182/2011 of the European Parliament and of the Council [^34].
(152) In order to fulfil the objectives of this Regulation, the power to adopt acts in accordance with Article 290 TFEU should be delegated to the Commission to supplement this Regulation, in respect of criteria for the identification of very large online platforms and of very large online search engines, the procedural steps, methodologies and reporting templates for the audits, the technical specifications for access requests and the detailed methodology and procedures for setting the supervisory fee. It is of particular importance that the Commission carry out appropriate consultations during its preparatory work, including at expert level, and that those consultations be conducted in accordance with the principles laid down in the Interinstitutional Agreement of 13 April 2016 on Better Law-Making [^35]. In particular, to ensure equal participation in the preparation of delegated acts, the European Parliament and the Council receive all documents at the same time as Member States’ experts, and their experts systematically have access to meetings of Commission expert groups dealing with the preparation of delegated acts.
(153) This Regulation respects the fundamental rights recognised by the Charter and the fundamental rights constituting general principles of Union law. Accordingly, this Regulation should be interpreted and applied in accordance with those fundamental rights, including the freedom of expression and of information, as well as the freedom and pluralism of the media. When exercising the powers set out in this Regulation, all public authorities involved should achieve, in situations where the relevant fundamental rights conflict, a fair balance between the rights concerned, in accordance with the principle of proportionality.
(154) Given the scope and impact of societal risks that may be caused by very large online platforms and very large online search engines, the need to address those risks as a matter of priority and the capacity to take the necessary measures, it is justified to limit the period after which this Regulation starts to apply to the providers of those services.
(155) Since the objectives of this Regulation, namely to contribute to the proper functioning of the internal market and to ensure a safe, predictable and trusted online environment in which the fundamental rights enshrined in the Charter are duly protected, cannot be sufficiently achieved by the Member States because they cannot achieve the necessary harmonisation and cooperation by acting alone, but can rather, by reason of territorial and personal scope, be better achieved at the Union level, the Union may adopt measures, in accordance with the principle of subsidiarity as set out in Article 5 of the Treaty on European Union. In accordance with the principle of proportionality as set out in that Article, this Regulation does not go beyond what is necessary in order to achieve those objectives.
(156) The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 of the European Parliament and of the Council [^36] and delivered an opinion on 10 February 2021 [^37],
HAVE ADOPTED THIS REGULATION:
For the purpose of this Regulation, the following definitions shall apply:
Providers of intermediary services shall not be deemed ineligible for the exemptions from liability referred to in Articles 4, 5 and 6 solely because they, in good faith and in a diligent manner, carry out voluntary own-initiative investigations into, or take other measures aimed at detecting, identifying and removing, or disabling access to, illegal content, or take the necessary measures to comply with the requirements of Union law and national law in compliance with Union law, including the requirements set out in this Regulation.
No general obligation to monitor the information which providers of intermediary services transmit or store, nor actively to seek facts or circumstances indicating illegal activity shall be imposed on those providers.
Providers of online platforms shall provide recipients of the service, including individuals or entities that have submitted a notice, for a period of at least six months following the decision referred to in this paragraph, with access to an effective internal complaint-handling system that enables them to lodge complaints, electronically and free of charge, against the decision taken by the provider of the online platform upon the receipt of a notice or against the following decisions taken by the provider of the online platform on the grounds that the information provided by the recipients constitutes illegal content or is incompatible with its terms and conditions: (a) decisions whether or not to remove or disable access to or restrict visibility of the information; (b) decisions whether or not to suspend or terminate the provision of the service, in whole or in part, to the recipients; (c) decisions whether or not to suspend or terminate the recipients’ account; (d) decisions whether or not to suspend, terminate or otherwise restrict the ability to monetise information provided by the recipients.
The period of at least six months referred to in paragraph 1 of this Article shall start on the day on which the recipient of the service is informed about the decision in accordance with Article 16(5) or Article 17.
Providers of online platforms shall ensure that their internal complaint-handling systems are easy to access, user-friendly and enable and facilitate the submission of sufficiently precise and adequately substantiated complaints.
Providers of online platforms shall handle complaints submitted through their internal complaint-handling system in a timely, non-discriminatory, diligent and non-arbitrary manner. Where a complaint contains sufficient grounds for the provider of the online platform to consider that its decision not to act upon the notice is unfounded or that the information to which the complaint relates is not illegal and is not incompatible with its terms and conditions, or contains information indicating that the complainant’s conduct does not warrant the measure taken, it shall reverse its decision referred to in paragraph 1 without undue delay.
Providers of online platforms shall inform complainants without undue delay of their reasoned decision in respect of the information to which the complaint relates and of the possibility of out-of-court dispute settlement provided for in Article 21 and other available possibilities for redress.
Providers of online platforms shall ensure that the decisions, referred to in paragraph 5, are taken under the supervision of appropriately qualified staff, and not solely on the basis of automated means.
In addition to the requirements set out in Article 27, providers of very large online platforms and of very large online search engines that use recommender systems shall provide at least one option for each of their recommender systems which is not based on profiling as defined in Article 4, point (4), of Regulation (EU) 2016/679.
Recipients of the service and any body, organisation or association mandated to exercise the rights conferred by this Regulation on their behalf shall have the right to lodge a complaint against providers of intermediary services alleging an infringement of this Regulation with the Digital Services Coordinator of the Member State where the recipient of the service is located or established. The Digital Services Coordinator shall assess the complaint and, where appropriate, transmit it to the Digital Services Coordinator of establishment, accompanied, where considered appropriate, by an opinion. Where the complaint falls under the responsibility of another competent authority in its Member State, the Digital Services Coordinator receiving the complaint shall transmit it to that authority. During these proceedings, both parties shall have the right to be heard and receive appropriate information about the status of the complaint, in accordance with national law.
Recipients of the service shall have the right to seek, in accordance with Union and national law, compensation from providers of intermediary services, in respect of any damage or loss suffered due to an infringement by those providers of their obligations under this Regulation.
In accordance with Article 261 TFEU, the Court of Justice of the European Union has unlimited jurisdiction to review decisions by which the Commission has imposed fines or periodic penalty payments. It may cancel, reduce or increase the fine or periodic penalty payment imposed.
In relation to the Commission intervention covered by this Section, the Commission may adopt implementing acts concerning the practical arrangements for: (a) the proceedings pursuant to Articles 69 and 72; (b) the hearings provided for in Article 79; (c) the negotiated disclosure of information provided for in Article 79. Before the adoption of any measures pursuant to the first paragraph of this Article, the Commission shall publish a draft thereof and invite all interested parties to submit their comments within the period set out therein, which shall not be less than one month. Those implementing acts shall be adopted in accordance with the advisory procedure referred to in Article 88.
Without prejudice to the exchange and to the use of information referred to in this Chapter, the Commission, the Board, Member States’ competent authorities and their respective officials, servants and other persons working under their supervision, and any other natural or legal person involved, including auditors and experts appointed pursuant to Article 72(2), shall not disclose information acquired or exchanged by them pursuant to this Regulation and of the kind covered by the obligation of professional secrecy.
In Annex I to Directive (EU) 2020/1828, the following point is added: ‘(68) Regulation (EU) 2022/2065 of the European Parliament and of the Council of 19 October 2022 on a Single Market for Digital Services and amending Directive 2000/31/EC (Digital Services Act) (OJ L 277, 27.10.2022, p. 1).’.
This Regulation shall apply to providers of very large online platforms and of very large online search engines designated pursuant to Article 33(4) from four months after the notification to the provider concerned referred to in Article 33(6) where that date is earlier than 17 February 2024.
This Regulation shall be binding in its entirety and directly applicable in all Member States.
Done at Strasbourg, 19 October 2022. For the European Parliament The President R. METSOLA For the Council The President M. BEK
[^1] OJ C 286, 16.7.2021, p. 70. [^2] OJ C 440, 29.10.2021, p. 67. [^3] Position of the European Parliament of 5 July 2022 (not yet published in the Official Journal) and decision of the Council of 4 October 2022. [^4] Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market (‘Directive on electronic commerce’) (OJ L 178, 17.7.2000, p. 1). [^5] Directive (EU) 2015/1535 of the European Parliament and of the Council of 9 September 2015 laying down a procedure for the provision of information in the field of technical regulations and of rules on Information Society services (OJ L 241, 17.9.2015, p. 1). [^6] Regulation (EU) No 1215/2012 of the European Parliament and of the Council of 12 December 2012 on jurisdiction and the recognition and enforcement of judgments in civil and commercial matters (OJ L 351, 20.12.2012, p. 1). [^7] Directive 2010/13/EU of the European Parliament and of the Council of 10 March 2010 on the coordination of certain provisions laid down by law, regulation or administrative action in Member States concerning the provision of audiovisual media services (Audiovisual Media Services Directive) (OJ L 95, 15.4.2010, p. 1). [^8] Regulation (EU) 2019/1148 of the European Parliament and of the Council of 20 June 2019 on the marketing and use of explosives precursors, amending Regulation (EC) No 1907/2006 and repealing Regulation (EU) No 98/2013 (OJ L 186, 11.7.2019, p. 1). [^9] Regulation (EU) 2019/1150 of the European Parliament and of the Council of 20 June 2019 on promoting fairness and transparency for business users of online intermediation services (OJ L 186, 11.7.2019, p. 57). [^10] Regulation (EU) 2021/784 of the European Parliament and of the Council of 29 April 2021 on addressing the dissemination of the terrorist content online (OJ L 172, 17.5.2021, p. 79). [^11] Regulation (EU) 2021/1232 of the European Parliament and of the Council of 14 July 2021 on temporary derogation from certain provisions of Directive 2002/58/EC as regards the use of technologies by providers of number-independent interpersonal communications services for the processing of personal and other data for the purpose of combating online child sexual abuse (OJ L 274, 30.7.2021, p. 41). [^12] Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) (OJ L 201, 31.7.2002, p. 37). [^13] Regulation (EU) 2017/2394 of the European Parliament and of the Council of 12 December 2017 on cooperation between national authorities responsible for the enforcement of consumer protection laws and repealing Regulation (EC) No 2006/2004 (OJ L 345, 27.12.2017, p. 1). [^14] Regulation (EU) 2019/1020 of the European Parliament and of the Council of 20 June 2019 on market surveillance and compliance of products and amending Directive 2004/42/EC and Regulations (EC) No 765/2008 and (EU) No 305/2011 (OJ L 169, 25.6.2019, p. 1). [^15] Directive 2001/95/EC of the European Parliament and of the Council of 3 December 2001 on general product safety (OJ L 11, 15.1.2002, p. 4). [^16] Directive 2005/29/EC of the European Parliament and of the Council of 11 May 2005 concerning unfair business-to-consumer commercial practices in the internal market and amending Council Directive 84/450/EEC, Directives 97/7/EC, 98/27/EC and 2002/65/EC of the European Parliament and of the Council and Regulation (EC) No 2006/2004 of the European Parliament and of the Council (‘Unfair Commercial Practices Directive’) (OJ L 149, 11.6.2005, p. 22). [^17] Directive 2011/83/EU of the European Parliament and of the Council of 25 October 2011 on consumer rights, amending Council Directive 93/13/EEC and Directive 1999/44/EC of the European Parliament and of the Council and repealing Council Directive 85/577/EEC and Directive 97/7/EC of the European Parliament and of the Council (OJ L 304, 22.11.2011, p. 64). [^18] Directive 2013/11/EU of the European Parliament and of the Council of 21 May 2013 on alternative dispute resolution for consumer disputes and amending Regulation (EC) No 2006/2004 and Directive 2009/22/EC (OJ L 165, 18.6.2013, p. 63). [^19] Council Directive 93/13/EEC of 5 April 1993 on unfair terms in consumer contracts (OJ L 95, 21.4.1993, p. 29). [^20] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1). [^21] Directive 2001/29/EC of the European Parliament and of the Council of 22 May 2001 on the harmonisation of certain aspects of copyright and related rights in the information society (OJ L 167, 22.6.2001, p. 10). [^22] Directive 2004/48/EC of the European Parliament and of the Council of 29 April 2004 on the enforcement of intellectual property rights (OJ L 157, 30.4.2004, p. 45). [^23] Directive (EU) 2019/790 of the European Parliament and of the Council of 17 April 2019 on copyright and related rights in the Digital Single Market and amending Directives 96/9/EC and 2001/29/EC (OJ L 130, 17.5.2019, p. 92). [^24] Directive (EU) 2018/1972 of the European Parliament and of the Council of 11 December 2018 establishing the European Electronic Communications Code (OJ L 321, 17.12.2018, p. 36). [^25] Commission Recommendation 2003/361/EC of 6 May 2003 concerning the definition of micro, small and medium-sized enterprises (OJ L 124, 20.5.2003, p. 36). [^26] Directive 2011/93/EU of the European Parliament and of the Council of 13 December 2011 on combating the sexual abuse and sexual exploitation of children and child pornography, and replacing Council Framework Decision 2004/68/JHA (OJ L 335, 17.12.2011, p. 1). [^27] Directive 2011/36/EU of the European Parliament and of the Council of 5 April 2011 on preventing and combating trafficking in human beings and protecting its victims, and replacing Council Framework Decision 2002/629/JHA (OJ L 101, 15.4.2011, p. 1). [^28] Directive (EU) 2017/541 of the European Parliament and of the Council of 15 March 2017 on combating terrorism and replacing Council Framework Decision 2002/475/JHA and amending Council Decision 2005/671/JHA (OJ L 88, 31.3.2017, p. 6). [^29] Regulation (EU) 2016/794 of the European Parliament and of the Council of 11 May 2016 on the European Union Agency for Law Enforcement Cooperation (Europol) and replacing and repealing Council Decisions 2009/371/JHA, 2009/934/JHA, 2009/935/JHA, 2009/936/JHA and 2009/968/JHA (OJ L 135, 24.5.2016, p. 53). [^30] Council Directive (EU) 2021/514 of 22 March 2021 amending Directive 2011/16/EU on administrative cooperation in the field of taxation (OJ L 104, 25.3.2021, p. 1). [^31] Directive 98/6/EC of the European Parliament and of the Council of 16 February 1998 on consumer protection in the indication of the prices of products offered to consumers (OJ L 80, 18.3.1998, p. 27). [^32] Directive (EU) 2016/943 of the European Parliament and of the Council of 8 June 2016 on the protection of undisclosed know-how and business information (trade secrets) against their unlawful acquisition, use and disclosure (OJ L 157, 15.6.2016, p. 1). [^33] Directive (EU) 2020/1828 of the European Parliament and of the Council of 25 November 2020 on representative actions for the protection of the collective interests of consumers and repealing Directive 2009/22/EC (OJ L 409, 4.12.2020, p. 1). [^34] Regulation (EU) No 182/2011 of the European Parliament and of the Council of 16 February 2011 laying down the rules and general principles concerning mechanisms for control by Member States of the Commission’s exercise of implementing powers (OJ L 55, 28.2.2011, p. 13). [^35] OJ L 123, 12.5.2016, p. 1. [^36] Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39). [^37] OJ C 149, 27.4.2021, p. 3. [^38] Directive (EU) 2019/882 of the European Parliament and of the Council of 17 April 2019 on the accessibility requirements for products and services (OJ L 151, 7.6.2019, p. 70). [^39] Council Regulation (EC) No 139/2004 of 20 January 2004 on the control of concentrations between undertakings (OJ L 24, 29.1.2004, p. 1). [^40] Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (OJ L 257, 28.8.2014, p. 73). [^41] Regulation (EU, Euratom) 2018/1046 of the European Parliament and of the Council of 18 July 2018 on the financial rules applicable to the general budget of the Union, amending Regulations (EU) No 1296/2013, (EU) No 1301/2013, (EU) No 1303/2013, (EU) No 1304/2013, (EU) No 1309/2013, (EU) No 1316/2013, (EU) No 223/2014, (EU) No 283/2014, and Decision No 541/2014/EU and repealing Regulation (EU, Euratom) No 966/2012 (OJ L 193, 30.7.2018, p. 1).
4.5.2016
EN
Official Journal of the European Union
L 119/1
REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL
of 27 April 2016
on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
(Text with EEA relevance)
THE EUROPEAN PARLIAMENT AND THE COUNCIL OF THE EUROPEAN UNION,
Having regard to the Treaty on the Functioning of the European Union, and in particular Article 16 thereof,
Having regard to the proposal from the European Commission,
After transmission of the draft legislative act to the national parliaments,
Having regard to the opinion of the European Economic and Social Committee [^1],
Having regard to the opinion of the Committee of the Regions [^2],
Acting in accordance with the ordinary legislative procedure [^3],
Whereas:
The protection of natural persons in relation to the processing of personal data is a fundamental right. Article 8(1) of the Charter of Fundamental Rights of the European Union (the ‘Charter’) and Article 16(1) of the Treaty on the Functioning of the European Union (TFEU) provide that everyone has the right to the protection of personal data concerning him or her.
The principles of, and rules on the protection of natural persons with regard to the processing of their personal data should, whatever their nationality or residence, respect their fundamental rights and freedoms, in particular their right to the protection of personal data. This Regulation is intended to contribute to the accomplishment of an area of freedom, security and justice and of an economic union, to economic and social progress, to the strengthening and the convergence of the economies within the internal market, and to the well-being of natural persons.
Directive 95/46/EC of the European Parliament and of the Council [^4] seeks to harmonise the protection of fundamental rights and freedoms of natural persons in respect of processing activities and to ensure the free flow of personal data between Member States.
The processing of personal data should be designed to serve mankind. The right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality. This Regulation respects all fundamental rights and observes the freedoms and principles recognised in the Charter as enshrined in the Treaties, in particular the respect for private and family life, home and communications, the protection of personal data, freedom of thought, conscience and religion, freedom of expression and information, freedom to conduct a business, the right to an effective remedy and to a fair trial, and cultural, religious and linguistic diversity.
The economic and social integration resulting from the functioning of the internal market has led to a substantial increase in cross-border flows of personal data. The exchange of personal data between public and private actors, including natural persons, associations and undertakings across the Union has increased. National authorities in the Member States are being called upon by Union law to cooperate and exchange personal data so as to be able to perform their duties or carry out tasks on behalf of an authority in another Member State.
Rapid technological developments and globalisation have brought new challenges for the protection of personal data. The scale of the collection and sharing of personal data has increased significantly. Technology allows both private companies and public authorities to make use of personal data on an unprecedented scale in order to pursue their activities. Natural persons increasingly make personal information available publicly and globally. Technology has transformed both the economy and social life, and should further facilitate the free flow of personal data within the Union and the transfer to third countries and international organisations, while ensuring a high level of the protection of personal data.
Those developments require a strong and more coherent data protection framework in the Union, backed by strong enforcement, given the importance of creating the trust that will allow the digital economy to develop across the internal market. Natural persons should have control of their own personal data. Legal and practical certainty for natural persons, economic operators and public authorities should be enhanced.
Where this Regulation provides for specifications or restrictions of its rules by Member State law, Member States may, as far as necessary for coherence and for making the national provisions comprehensible to the persons to whom they apply, incorporate elements of this Regulation into their national law.
The objectives and principles of Directive 95/46/EC remain sound, but it has not prevented fragmentation in the implementation of data protection across the Union, legal uncertainty or a widespread public perception that there are significant risks to the protection of natural persons, in particular with regard to online activity. Differences in the level of protection of the rights and freedoms of natural persons, in particular the right to the protection of personal data, with regard to the processing of personal data in the Member States may prevent the free flow of personal data throughout the Union. Those differences may therefore constitute an obstacle to the pursuit of economic activities at the level of the Union, distort competition and impede authorities in the discharge of their responsibilities under Union law. Such a difference in levels of protection is due to the existence of differences in the implementation and application of Directive 95/46/EC.
In order to ensure a consistent and high level of protection of natural persons and to remove the obstacles to flows of personal data within the Union, the level of protection of the rights and freedoms of natural persons with regard to the processing of such data should be equivalent in all Member States. Consistent and homogenous application of the rules for the protection of the fundamental rights and freedoms of natural persons with regard to the processing of personal data should be ensured throughout the Union. Regarding the processing of personal data for compliance with a legal obligation, for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, Member States should be allowed to maintain or introduce national provisions to further specify the application of the rules of this Regulation. In conjunction with the general and horizontal law on data protection implementing Directive 95/46/EC, Member States have several sector-specific laws in areas that need more specific provisions. This Regulation also provides a margin of manoeuvre for Member States to specify its rules, including for the processing of special categories of personal data (‘sensitive data’). To that extent, this Regulation does not exclude Member State law that sets out the circumstances for specific processing situations, including determining more precisely the conditions under which the processing of personal data is lawful.
Effective protection of personal data throughout the Union requires the strengthening and setting out in detail of the rights of data subjects and the obligations of those who process and determine the processing of personal data, as well as equivalent powers for monitoring and ensuring compliance with the rules for the protection of personal data and equivalent sanctions for infringements in the Member States.
Article 16(2) TFEU mandates the European Parliament and the Council to lay down the rules relating to the protection of natural persons with regard to the processing of personal data and the rules relating to the free movement of personal data.
In order to ensure a consistent level of protection for natural persons throughout the Union and to prevent divergences hampering the free movement of personal data within the internal market, a Regulation is necessary to provide legal certainty and transparency for economic operators, including micro, small and medium-sized enterprises, and to provide natural persons in all Member States with the same level of legally enforceable rights and obligations and responsibilities for controllers and processors, to ensure consistent monitoring of the processing of personal data, and equivalent sanctions in all Member States as well as effective cooperation between the supervisory authorities of different Member States. The proper functioning of the internal market requires that the free movement of personal data within the Union is not restricted or prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data. To take account of the specific situation of micro, small and medium-sized enterprises, this Regulation includes a derogation for organisations with fewer than 250 employees with regard to record-keeping. In addition, the Union institutions and bodies, and Member States and their supervisory authorities, are encouraged to take account of the specific needs of micro, small and medium-sized enterprises in the application of this Regulation. The notion of micro, small and medium-sized enterprises should draw from Article 2 of the Annex to Commission Recommendation 2003/361/EC [^5].
The protection afforded by this Regulation should apply to natural persons, whatever their nationality or place of residence, in relation to the processing of their personal data. This Regulation does not cover the processing of personal data which concerns legal persons and in particular undertakings established as legal persons, including the name and the form of the legal person and the contact details of the legal person.
In order to prevent creating a serious risk of circumvention, the protection of natural persons should be technologically neutral and should not depend on the techniques used. The protection of natural persons should apply to the processing of personal data by automated means, as well as to manual processing, if the personal data are contained or are intended to be contained in a filing system. Files or sets of files, as well as their cover pages, which are not structured according to specific criteria should not fall within the scope of this Regulation.
This Regulation does not apply to issues of protection of fundamental rights and freedoms or the free flow of personal data related to activities which fall outside the scope of Union law, such as activities concerning national security. This Regulation does not apply to the processing of personal data by the Member States when carrying out activities in relation to the common foreign and security policy of the Union.
Regulation (EC) No 45/2001 of the European Parliament and of the Council [^6] applies to the processing of personal data by the Union institutions, bodies, offices and agencies. Regulation (EC) No 45/2001 and other Union legal acts applicable to such processing of personal data should be adapted to the principles and rules established in this Regulation and applied in the light of this Regulation. In order to provide a strong and coherent data protection framework in the Union, the necessary adaptations of Regulation (EC) No 45/2001 should follow after the adoption of this Regulation, in order to allow application at the same time as this Regulation.
This Regulation does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity and thus with no connection to a professional or commercial activity. Personal or household activities could include correspondence and the holding of addresses, or social networking and online activity undertaken within the context of such activities. However, this Regulation applies to controllers or processors which provide the means for processing personal data for such personal or household activities.
The protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security and the free movement of such data, is the subject of a specific Union legal act. This Regulation should not, therefore, apply to processing activities for those purposes. However, personal data processed by public authorities under this Regulation should, when used for those purposes, be governed by a more specific Union legal act, namely Directive (EU) 2016/680 of the European Parliament and of the Council [^7]. Member States may entrust competent authorities within the meaning of Directive (EU) 2016/680 with tasks which are not necessarily carried out for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and prevention of threats to public security, so that the processing of personal data for those other purposes, in so far as it is within the scope of Union law, falls within the scope of this Regulation.
With regard to the processing of personal data by those competent authorities for purposes falling within scope of this Regulation, Member States should be able to maintain or introduce more specific provisions to adapt the application of the rules of this Regulation. Such provisions may determine more precisely specific requirements for the processing of personal data by those competent authorities for those other purposes, taking into account the constitutional, organisational and administrative structure of the respective Member State. When the processing of personal data by private bodies falls within the scope of this Regulation, this Regulation should provide for the possibility for Member States under specific conditions to restrict by law certain obligations and rights when such a restriction constitutes a necessary and proportionate measure in a democratic society to safeguard specific important interests including public security and the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security. This is relevant for instance in the framework of anti-money laundering or the activities of forensic laboratories.
While this Regulation applies, inter alia, to the activities of courts and other judicial authorities, Union or Member State law could specify the processing operations and processing procedures in relation to the processing of personal data by courts and other judicial authorities. The competence of the supervisory authorities should not cover the processing of personal data when courts are acting in their judicial capacity, in order to safeguard the independence of the judiciary in the performance of its judicial tasks, including decision-making. It should be possible to entrust supervision of such data processing operations to specific bodies within the judicial system of the Member State, which should, in particular ensure compliance with the rules of this Regulation, enhance awareness among members of the judiciary of their obligations under this Regulation and handle complaints in relation to such data processing operations.
This Regulation is without prejudice to the application of Directive 2000/31/EC of the European Parliament and of the Council [^8], in particular of the liability rules of intermediary service providers in Articles 12 to 15 of that Directive. That Directive seeks to contribute to the proper functioning of the internal market by ensuring the free movement of information society services between Member States.
Any processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union should be carried out in accordance with this Regulation, regardless of whether the processing itself takes place within the Union. Establishment implies the effective and real exercise of activity through stable arrangements. The legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in that respect.
In order to ensure that natural persons are not deprived of the protection to which they are entitled under this Regulation, the processing of personal data of data subjects who are in the Union by a controller or a processor not established in the Union should be subject to this Regulation where the processing activities are related to offering goods or services to such data subjects irrespective of whether connected to a payment. In order to determine whether such a controller or processor is offering goods or services to data subjects who are in the Union, it should be ascertained whether it is apparent that the controller or processor envisages offering services to data subjects in one or more Member States in the Union. Whereas the mere accessibility of the controller’s, processor’s or an intermediary’s website in the Union, of an email address or of other contact details, or the use of a language generally used in the third country where the controller is established, is insufficient to ascertain such intention, factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the controller envisages offering goods or services to data subjects in the Union.
The processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union should also be subject to this Regulation when it is related to the monitoring of the behaviour of such data subjects in so far as their behaviour takes place within the Union. In order to determine whether a processing activity can be considered to monitor the behaviour of data subjects, it should be ascertained whether natural persons are tracked on the internet including potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes.
Where Member State law applies by virtue of public international law, this Regulation should also apply to a controller not established in the Union, such as in a Member State’s diplomatic mission or consular post.
The principles of data protection should apply to any information concerning an identified or identifiable natural person. Personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of additional information should be considered to be information on an identifiable natural person. To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly. To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments. The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes.
This Regulation does not apply to the personal data of deceased persons. Member States may provide for rules regarding the processing of personal data of deceased persons.
The application of pseudonymisation to personal data can reduce the risks to the data subjects concerned and help controllers and processors to meet their data-protection obligations. The explicit introduction of ‘pseudonymisation’ in this Regulation is not intended to preclude any other measures of data protection.
In order to create incentives to apply pseudonymisation when processing personal data, measures of pseudonymisation should, whilst allowing general analysis, be possible within the same controller when that controller has taken technical and organisational measures necessary to ensure, for the processing concerned, that this Regulation is implemented, and that additional information for attributing the personal data to a specific data subject is kept separately. The controller processing the personal data should indicate the authorised persons within the same controller.
Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.
Public authorities to which personal data are disclosed in accordance with a legal obligation for the exercise of their official mission, such as tax and customs authorities, financial investigation units, independent administrative authorities, or financial market authorities responsible for the regulation and supervision of securities markets should not be regarded as recipients if they receive personal data which are necessary to carry out a particular inquiry in the general interest, in accordance with Union or Member State law. The requests for disclosure sent by the public authorities should always be in writing, reasoned and occasional and should not concern the entirety of a filing system or lead to the interconnection of filing systems. The processing of personal data by those public authorities should comply with the applicable data-protection rules according to the purposes of the processing.
Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject’s consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.
It is often not possible to fully identify the purpose of personal data processing for scientific research purposes at the time of data collection. Therefore, data subjects should be allowed to give their consent to certain areas of scientific research when in keeping with recognised ethical standards for scientific research. Data subjects should have the opportunity to give their consent only to certain areas of research or parts of research projects to the extent allowed by the intended purpose.
Genetic data should be defined as personal data relating to the inherited or acquired genetic characteristics of a natural person which result from the analysis of a biological sample from the natural person in question, in particular chromosomal, deoxyribonucleic acid (DNA) or ribonucleic acid (RNA) analysis, or from the analysis of another element enabling equivalent information to be obtained.
Personal data concerning health should include all data pertaining to the health status of a data subject which reveal information relating to the past, current or future physical or mental health status of the data subject. This includes information about the natural person collected in the course of the registration for, or the provision of, health care services as referred to in Directive 2011/24/EU of the European Parliament and of the Council [^9] to that natural person; a number, symbol or particular assigned to a natural person to uniquely identify the natural person for health purposes; information derived from the testing or examination of a body part or bodily substance, including from genetic data and biological samples; and any information on, for example, a disease, disability, disease risk, medical history, clinical treatment or the physiological or biomedical state of the data subject independent of its source, for example from a physician or other health professional, a hospital, a medical device or an in vitro diagnostic test.
The main establishment of a controller in the Union should be the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union, in which case that other establishment should be considered to be the main establishment. The main establishment of a controller in the Union should be determined according to objective criteria and should imply the effective and real exercise of management activities determining the main decisions as to the purposes and means of processing through stable arrangements. That criterion should not depend on whether the processing of personal data is carried out at that location. The presence and use of technical means and technologies for processing personal data or processing activities do not, in themselves, constitute a main establishment and are therefore not determining criteria for a main establishment. The main establishment of the processor should be the place of its central administration in the Union or, if it has no central administration in the Union, the place where the main processing activities take place in the Union. In cases involving both the controller and the processor, the competent lead supervisory authority should remain the supervisory authority of the Member State where the controller has its main establishment, but the supervisory authority of the processor should be considered to be a supervisory authority concerned and that supervisory authority should participate in the cooperation procedure provided for by this Regulation. In any case, the supervisory authorities of the Member State or Member States where the processor has one or more establishments should not be considered to be supervisory authorities concerned where the draft decision concerns only the controller. Where the processing is carried out by a group of undertakings, the main establishment of the controlling undertaking should be considered to be the main establishment of the group of undertakings, except where the purposes and means of processing are determined by another undertaking.
A group of undertakings should cover a controlling undertaking and its controlled undertakings, whereby the controlling undertaking should be the undertaking which can exert a dominant influence over the other undertakings by virtue, for example, of ownership, financial participation or the rules which govern it or the power to have personal data protection rules implemented. An undertaking which controls the processing of personal data in undertakings affiliated to it should be regarded, together with those undertakings, as a group of undertakings.
Children merit specific protection with regard to their personal data, as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data. Such specific protection should, in particular, apply to the use of personal data of children for the purposes of marketing or creating personality or user profiles and the collection of personal data with regard to children when using services offered directly to a child. The consent of the holder of parental responsibility should not be necessary in the context of preventive or counselling services offered directly to a child.
Any processing of personal data should be lawful and fair. It should be transparent to natural persons that personal data concerning them are collected, used, consulted or otherwise processed and to what extent the personal data are or will be processed. The principle of transparency requires that any information and communication relating to the processing of those personal data be easily accessible and easy to understand, and that clear and plain language be used. That principle concerns, in particular, information to the data subjects on the identity of the controller and the purposes of the processing and further information to ensure fair and transparent processing in respect of the natural persons concerned and their right to obtain confirmation and communication of personal data concerning them which are being processed. Natural persons should be made aware of risks, rules, safeguards and rights in relation to the processing of personal data and how to exercise their rights in relation to such processing. In particular, the specific purposes for which personal data are processed should be explicit and legitimate and determined at the time of the collection of the personal data. The personal data should be adequate, relevant and limited to what is necessary for the purposes for which they are processed. This requires, in particular, ensuring that the period for which the personal data are stored is limited to a strict minimum. Personal data should be processed only if the purpose of the processing could not reasonably be fulfilled by other means. In order to ensure that the personal data are not kept longer than necessary, time limits should be established by the controller for erasure or for a periodic review. Every reasonable step should be taken to ensure that personal data which are inaccurate are rectified or deleted. Personal data should be processed in a manner that ensures appropriate security and confidentiality of the personal data, including for preventing unauthorised access to or use of personal data and the equipment used for the processing.
In order for processing to be lawful, personal data should be processed on the basis of the consent of the data subject concerned or some other legitimate basis, laid down by law, either in this Regulation or in other Union or Member State law as referred to in this Regulation, including the necessity for compliance with the legal obligation to which the controller is subject or the necessity for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
Where this Regulation refers to a legal basis or a legislative measure, this does not necessarily require a legislative act adopted by a parliament, without prejudice to requirements pursuant to the constitutional order of the Member State concerned. However, such a legal basis or legislative measure should be clear and precise and its application should be foreseeable to persons subject to it, in accordance with the case-law of the Court of Justice of the European Union (the ‘Court of Justice’) and the European Court of Human Rights.
Where processing is based on the data subject’s consent, the controller should be able to demonstrate that the data subject has given consent to the processing operation. In particular in the context of a written declaration on another matter, safeguards should ensure that the data subject is aware of the fact that and the extent to which consent is given. In accordance with Council Directive 93/13/EEC [^10] a declaration of consent pre-formulated by the controller should be provided in an intelligible and easily accessible form, using clear and plain language and it should not contain unfair terms. For consent to be informed, the data subject should be aware at least of the identity of the controller and the purposes of the processing for which the personal data are intended. Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.
In order to ensure that consent is freely given, consent should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller, in particular where the controller is a public authority and it is therefore unlikely that consent was freely given in all the circumstances of that specific situation. Consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case, or if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance.
Processing should be lawful where it is necessary in the context of a contract or the intention to enter into a contract.
Where processing is carried out in accordance with a legal obligation to which the controller is subject or where processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority, the processing should have a basis in Union or Member State law. This Regulation does not require a specific law for each individual processing. A law as a basis for several processing operations based on a legal obligation to which the controller is subject or where processing is necessary for the performance of a task carried out in the public interest or in the exercise of an official authority may be sufficient. It should also be for Union or Member State law to determine the purpose of processing. Furthermore, that law could specify the general conditions of this Regulation governing the lawfulness of personal data processing, establish specifications for determining the controller, the type of personal data which are subject to the processing, the data subjects concerned, the entities to which the personal data may be disclosed, the purpose limitations, the storage period and other measures to ensure lawful and fair processing. It should also be for Union or Member State law to determine whether the controller performing a task carried out in the public interest or in the exercise of official authority should be a public authority or another natural or legal person governed by public law, or, where it is in the public interest to do so, including for health purposes such as public health and social protection and the management of health care services, by private law, such as a professional association.
The processing of personal data should also be regarded to be lawful where it is necessary to protect an interest which is essential for the life of the data subject or that of another natural person. Processing of personal data based on the vital interest of another natural person should in principle take place only where the processing cannot be manifestly based on another legal basis. Some types of processing may serve both important grounds of public interest and the vital interests of the data subject as for instance when processing is necessary for humanitarian purposes, including for monitoring epidemics and their spread or in situations of humanitarian emergencies, in particular in situations of natural and man-made disasters.
The legitimate interests of a controller, including those of a controller to which the personal data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller. Such legitimate interest could exist for example where there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller. At any rate the existence of a legitimate interest would need careful assessment including whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place. The interests and fundamental rights of the data subject could in particular override the interest of the data controller where personal data are processed in circumstances where data subjects do not reasonably expect further processing. Given that it is for the legislator to provide by law for the legal basis for public authorities to process personal data, that legal basis should not apply to the processing by public authorities in the performance of their tasks. The processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned. The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.
Controllers that are part of a group of undertakings or institutions affiliated to a central body may have a legitimate interest in transmitting personal data within the group of undertakings for internal administrative purposes, including the processing of clients’ or employees’ personal data. The general principles for the transfer of personal data, within a group of undertakings, to an undertaking located in a third country remain unaffected.
The processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security, i.e. the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted personal data, and the security of the related services offered by, or accessible via, those networks and systems, by public authorities, by computer emergency response teams (CERTs), computer security incident response teams (CSIRTs), by providers of electronic communications networks and services and by providers of security technologies and services, constitutes a legitimate interest of the data controller concerned. This could, for example, include preventing unauthorised access to electronic communications networks and malicious code distribution and stopping ‘denial of service’ attacks and damage to computer and electronic communication systems.
The processing of personal data for purposes other than those for which the personal data were initially collected should be allowed only where the processing is compatible with the purposes for which the personal data were initially collected. In such a case, no legal basis separate from that which allowed the collection of the personal data is required. If the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, Union or Member State law may determine and specify the tasks and purposes for which the further processing should be regarded as compatible and lawful. Further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes should be considered to be compatible lawful processing operations. The legal basis provided by Union or Member State law for the processing of personal data may also provide a legal basis for further processing. In order to ascertain whether a purpose of further processing is compatible with the purpose for which the personal data are initially collected, the controller, after having met all the requirements for the lawfulness of the original processing, should take into account, inter alia: any link between those purposes and the purposes of the intended further processing; the context in which the personal data have been collected, in particular the reasonable expectations of data subjects based on their relationship with the controller as to their further use; the nature of the personal data; the consequences of the intended further processing for data subjects; and the existence of appropriate safeguards in both the original and intended further processing operations.
Where the data subject has given consent or the processing is based on Union or Member State law which constitutes a necessary and proportionate measure in a democratic society to safeguard, in particular, important objectives of general public interest, the controller should be allowed to further process the personal data irrespective of the compatibility of the purposes. In any case, the application of the principles set out in this Regulation and in particular the information of the data subject on those other purposes and on his or her rights including the right to object, should be ensured. Indicating possible criminal acts or threats to public security by the controller and transmitting the relevant personal data in individual cases or in several cases relating to the same criminal act or threats to public security to a competent authority should be regarded as being in the legitimate interest pursued by the controller. However, such transmission in the legitimate interest of the controller or further processing of personal data should be prohibited if the processing is not compatible with a legal, professional or other binding obligation of secrecy.
Personal data which are, by their nature, particularly sensitive in relation to fundamental rights and freedoms merit specific protection as the context of their processing could create significant risks to the fundamental rights and freedoms. Those personal data should include personal data revealing racial or ethnic origin, whereby the use of the term ‘racial origin’ in this Regulation does not imply an acceptance by the Union of theories which attempt to determine the existence of separate human races. The processing of photographs should not systematically be considered to be processing of special categories of personal data as they are covered by the definition of biometric data only when processed through a specific technical means allowing the unique identification or authentication of a natural person. Such personal data should not be processed, unless processing is allowed in specific cases set out in this Regulation, taking into account that Member States law may lay down specific provisions on data protection in order to adapt the application of the rules of this Regulation for compliance with a legal obligation or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. In addition to the specific requirements for such processing, the general principles and other rules of this Regulation should apply, in particular as regards the conditions for lawful processing. Derogations from the general prohibition for processing such special categories of personal data should be explicitly provided, inter alia, where the data subject gives his or her explicit consent or in respect of specific needs in particular where the processing is carried out in the course of legitimate activities by certain associations or foundations the purpose of which is to permit the exercise of fundamental freedoms.
Derogating from the prohibition on processing special categories of personal data should also be allowed when provided for in Union or Member State law and subject to suitable safeguards, so as to protect personal data and other fundamental rights, where it is in the public interest to do so, in particular processing personal data in the field of employment law, social protection law including pensions and for health security, monitoring and alert purposes, the prevention or control of communicable diseases and other serious threats to health. Such a derogation may be made for health purposes, including public health and the management of health-care services, especially in order to ensure the quality and cost-effectiveness of the procedures used for settling claims for benefits and services in the health insurance system, or for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes. A derogation should also allow the processing of such personal data where necessary for the establishment, exercise or defence of legal claims, whether in court proceedings or in an administrative or out-of-court procedure.
Special categories of personal data which merit higher protection should be processed for health-related purposes only where necessary to achieve those purposes for the benefit of natural persons and society as a whole, in particular in the context of the management of health or social care services and systems, including processing by the management and central national health authorities of such data for the purpose of quality control, management information and the general national and local supervision of the health or social care system, and ensuring continuity of health or social care and cross-border healthcare or health security, monitoring and alert purposes, or for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, based on Union or Member State law which has to meet an objective of public interest, as well as for studies conducted in the public interest in the area of public health. Therefore, this Regulation should provide for harmonised conditions for the processing of special categories of personal data concerning health, in respect of specific needs, in particular where the processing of such data is carried out for certain health-related purposes by persons subject to a legal obligation of professional secrecy. Union or Member State law should provide for specific and suitable measures so as to protect the fundamental rights and the personal data of natural persons. Member States should be allowed to maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health. However, this should not hamper the free flow of personal data within the Union when those conditions apply to cross-border processing of such data.
The processing of special categories of personal data may be necessary for reasons of public interest in the areas of public health without consent of the data subject. Such processing should be subject to suitable and specific measures so as to protect the rights and freedoms of natural persons. In that context, ‘public health’ should be interpreted as defined in Regulation (EC) No 1338/2008 of the European Parliament and of the Council [^11], namely all elements related to health, namely health status, including morbidity and disability, the determinants having an effect on that health status, health care needs, resources allocated to health care, the provision of, and universal access to, health care as well as health care expenditure and financing, and the causes of mortality. Such processing of data concerning health for reasons of public interest should not result in personal data being processed for other purposes by third parties such as employers or insurance and banking companies.
Moreover, the processing of personal data by official authorities for the purpose of achieving the aims, laid down by constitutional law or by international public law, of officially recognised religious associations, is carried out on grounds of public interest.
Where in the course of electoral activities, the operation of the democratic system in a Member State requires that political parties compile personal data on people’s political opinions, the processing of such data may be permitted for reasons of public interest, provided that appropriate safeguards are established.
If the personal data processed by a controller do not permit the controller to identify a natural person, the data controller should not be obliged to acquire additional information in order to identify the data subject for the sole purpose of complying with any provision of this Regulation. However, the controller should not refuse to take additional information provided by the data subject in order to support the exercise of his or her rights. Identification should include the digital identification of a data subject, for example through authentication mechanism such as the same credentials, used by the data subject to log-in to the on-line service offered by the data controller.
The principle of transparency requires that any information addressed to the public or to the data subject be concise, easily accessible and easy to understand, and that clear and plain language and, additionally, where appropriate, visualisation be used. Such information could be provided in electronic form, for example, when addressed to the public, through a website. This is of particular relevance in situations where the proliferation of actors and the technological complexity of practice make it difficult for the data subject to know and understand whether, by whom and for what purpose personal data relating to him or her are being collected, such as in the case of online advertising. Given that children merit specific protection, any information and communication, where processing is addressed to a child, should be in such a clear and plain language that the child can easily understand.
Modalities should be provided for facilitating the exercise of the data subject’s rights under this Regulation, including mechanisms to request and, if applicable, obtain, free of charge, in particular, access to and rectification or erasure of personal data and the exercise of the right to object. The controller should also provide means for requests to be made electronically, especially where personal data are processed by electronic means. The controller should be obliged to respond to requests from the data subject without undue delay and at the latest within one month and to give reasons where the controller does not intend to comply with any such requests.
The principles of fair and transparent processing require that the data subject be informed of the existence of the processing operation and its purposes. The controller should provide the data subject with any further information necessary to ensure fair and transparent processing taking into account the specific circumstances and context in which the personal data are processed. Furthermore, the data subject should be informed of the existence of profiling and the consequences of such profiling. Where the personal data are collected from the data subject, the data subject should also be informed whether he or she is obliged to provide the personal data and of the consequences, where he or she does not provide such data. That information may be provided in combination with standardised icons in order to give in an easily visible, intelligible and clearly legible manner, a meaningful overview of the intended processing. Where the icons are presented electronically, they should be machine-readable.
The information in relation to the processing of personal data relating to the data subject should be given to him or her at the time of collection from the data subject, or, where the personal data are obtained from another source, within a reasonable period, depending on the circumstances of the case. Where personal data can be legitimately disclosed to another recipient, the data subject should be informed when the personal data are first disclosed to the recipient. Where the controller intends to process the personal data for a purpose other than that for which they were collected, the controller should provide the data subject prior to that further processing with information on that other purpose and other necessary information. Where the origin of the personal data cannot be provided to the data subject because various sources have been used, general information should be provided.
However, it is not necessary to impose the obligation to provide information where the data subject already possesses the information, where the recording or disclosure of the personal data is expressly laid down by law or where the provision of information to the data subject proves to be impossible or would involve a disproportionate effort. The latter could in particular be the case where processing is carried out for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes. In that regard, the number of data subjects, the age of the data and any appropriate safeguards adopted should be taken into consideration.
A data subject should have the right of access to personal data which have been collected concerning him or her, and to exercise that right easily and at reasonable intervals, in order to be aware of, and verify, the lawfulness of the processing. This includes the right for data subjects to have access to data concerning their health, for example the data in their medical records containing information such as diagnoses, examination results, assessments by treating physicians and any treatment or interventions provided. Every data subject should therefore have the right to know and obtain communication in particular with regard to the purposes for which the personal data are processed, where possible the period for which the personal data are processed, the recipients of the personal data, the logic involved in any automatic personal data processing and, at least when based on profiling, the consequences of such processing. Where possible, the controller should be able to provide remote access to a secure system which would provide the data subject with direct access to his or her personal data. That right should not adversely affect the rights or freedoms of others, including trade secrets or intellectual property and in particular the copyright protecting the software. However, the result of those considerations should not be a refusal to provide all information to the data subject. Where the controller processes a large quantity of information concerning the data subject, the controller should be able to request that, before the information is delivered, the data subject specify the information or processing activities to which the request relates.
The controller should use all reasonable measures to verify the identity of a data subject who requests access, in particular in the context of online services and online identifiers. A controller should not retain personal data for the sole purpose of being able to react to potential requests.
A data subject should have the right to have personal data concerning him or her rectified and a ‘right to be forgotten’ where the retention of such data infringes this Regulation or Union or Member State law to which the controller is subject. In particular, a data subject should have the right to have his or her personal data erased and no longer processed where the personal data are no longer necessary in relation to the purposes for which they are collected or otherwise processed, where a data subject has withdrawn his or her consent or objects to the processing of personal data concerning him or her, or where the processing of his or her personal data does not otherwise comply with this Regulation. That right is relevant in particular where the data subject has given his or her consent as a child and is not fully aware of the risks involved by the processing, and later wants to remove such personal data, especially on the internet. The data subject should be able to exercise that right notwithstanding the fact that he or she is no longer a child. However, the further retention of the personal data should be lawful where it is necessary, for exercising the right of freedom of expression and information, for compliance with a legal obligation, for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, on the grounds of public interest in the area of public health, for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, or for the establishment, exercise or defence of legal claims.
To strengthen the right to be forgotten in the online environment, the right to erasure should also be extended in such a way that a controller who has made the personal data public should be obliged to inform the controllers which are processing such personal data to erase any links to, or copies or replications of those personal data. In doing so, that controller should take reasonable steps, taking into account available technology and the means available to the controller, including technical measures, to inform the controllers which are processing the personal data of the data subject’s request.
Methods by which to restrict the processing of personal data could include, inter alia, temporarily moving the selected data to another processing system, making the selected personal data unavailable to users, or temporarily removing published data from a website. In automated filing systems, the restriction of processing should in principle be ensured by technical means in such a manner that the personal data are not subject to further processing operations and cannot be changed. The fact that the processing of personal data is restricted should be clearly indicated in the system.
To further strengthen the control over his or her own data, where the processing of personal data is carried out by automated means, the data subject should also be allowed to receive personal data concerning him or her which he or she has provided to a controller in a structured, commonly used, machine-readable and interoperable format, and to transmit it to another controller. Data controllers should be encouraged to develop interoperable formats that enable data portability. That right should apply where the data subject provided the personal data on the basis of his or her consent or the processing is necessary for the performance of a contract. It should not apply where processing is based on a legal ground other than consent or contract. By its very nature, that right should not be exercised against controllers processing personal data in the exercise of their public duties. It should therefore not apply where the processing of the personal data is necessary for compliance with a legal obligation to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of an official authority vested in the controller. The data subject’s right to transmit or receive personal data concerning him or her should not create an obligation for the controllers to adopt or maintain processing systems which are technically compatible. Where, in a certain set of personal data, more than one data subject is concerned, the right to receive the personal data should be without prejudice to the rights and freedoms of other data subjects in accordance with this Regulation. Furthermore, that right should not prejudice the right of the data subject to obtain the erasure of personal data and the limitations of that right as set out in this Regulation and should, in particular, not imply the erasure of personal data concerning the data subject which have been provided by him or her for the performance of a contract to the extent that and for as long as the personal data are necessary for the performance of that contract. Where technically feasible, the data subject should have the right to have the personal data transmitted directly from one controller to another.
Where personal data might lawfully be processed because processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, or on grounds of the legitimate interests of a controller or a third party, a data subject should, nevertheless, be entitled to object to the processing of any personal data relating to his or her particular situation. It should be for the controller to demonstrate that its compelling legitimate interest overrides the interests or the fundamental rights and freedoms of the data subject.
Where personal data are processed for the purposes of direct marketing, the data subject should have the right to object to such processing, including profiling to the extent that it is related to such direct marketing, whether with regard to initial or further processing, at any time and free of charge. That right should be explicitly brought to the attention of the data subject and presented clearly and separately from any other information.
The data subject should have the right not to be subject to a decision, which may include a measure, evaluating personal aspects relating to him or her which is based solely on automated processing and which produces legal effects concerning him or her or similarly significantly affects him or her, such as automatic refusal of an online credit application or e-recruiting practices without any human intervention. Such processing includes ‘profiling’ that consists of any form of automated processing of personal data evaluating the personal aspects relating to a natural person, in particular to analyse or predict aspects concerning the data subject’s performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements, where it produces legal effects concerning him or her or similarly significantly affects him or her. However, decision-making based on such processing, including profiling, should be allowed where expressly authorised by Union or Member State law to which the controller is subject, including for fraud and tax-evasion monitoring and prevention purposes conducted in accordance with the regulations, standards and recommendations of Union institutions or national oversight bodies and to ensure the security and reliability of a service provided by the controller, or necessary for the entering or performance of a contract between the data subject and a controller, or when the data subject has given his or her explicit consent. In any case, such processing should be subject to suitable safeguards, which should include specific information to the data subject and the right to obtain human intervention, to express his or her point of view, to obtain an explanation of the decision reached after such assessment and to challenge the decision. Such measure should not concern a child.
In order to ensure fair and transparent processing in respect of the data subject, taking into account the specific circumstances and context in which the personal data are processed, the controller should use appropriate mathematical or statistical procedures for the profiling, implement technical and organisational measures appropriate to ensure, in particular, that factors which result in inaccuracies in personal data are corrected and the risk of errors is minimised, secure personal data in a manner that takes account of the potential risks involved for the interests and rights of the data subject and that prevents, inter alia, discriminatory effects on natural persons on the basis of racial or ethnic origin, political opinion, religion or beliefs, trade union membership, genetic or health status or sexual orientation, or that result in measures having such an effect. Automated decision-making and profiling based on special categories of personal data should be allowed only under specific conditions.
Profiling is subject to the rules of this Regulation governing the processing of personal data, such as the legal grounds for processing or data protection principles. The European Data Protection Board established by this Regulation (the ‘Board’) should be able to issue guidance in that context.
Restrictions concerning specific principles and the rights of information, access to and rectification or erasure of personal data, the right to data portability, the right to object, decisions based on profiling, as well as the communication of a personal data breach to a data subject and certain related obligations of the controllers may be imposed by Union or Member State law, as far as necessary and proportionate in a democratic society to safeguard public security, including the protection of human life especially in response to natural or manmade disasters, the prevention, investigation and prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security, or of breaches of ethics for regulated professions, other important objectives of general public interest of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, the keeping of public registers kept for reasons of general public interest, further processing of archived personal data to provide specific information related to the political behaviour under former totalitarian state regimes or the protection of the data subject or the rights and freedoms of others, including social protection, public health and humanitarian purposes. Those restrictions should be in accordance with the requirements set out in the Charter and in the European Convention for the Protection of Human Rights and Fundamental Freedoms.
The responsibility and liability of the controller for any processing of personal data carried out by the controller or on the controller’s behalf should be established. In particular, the controller should be obliged to implement appropriate and effective measures and be able to demonstrate the compliance of processing activities with this Regulation, including the effectiveness of the measures. Those measures should take into account the nature, scope, context and purposes of the processing and the risk to the rights and freedoms of natural persons.
The risk to the rights and freedoms of natural persons, of varying likelihood and severity, may result from personal data processing which could lead to physical, material or non-material damage, in particular: where the processing may give rise to discrimination, identity theft or fraud, financial loss, damage to the reputation, loss of confidentiality of personal data protected by professional secrecy, unauthorised reversal of pseudonymisation, or any other significant economic or social disadvantage; where data subjects might be deprived of their rights and freedoms or prevented from exercising control over their personal data; where personal data are processed which reveal racial or ethnic origin, political opinions, religion or philosophical beliefs, trade union membership, and the processing of genetic data, data concerning health or data concerning sex life or criminal convictions and offences or related security measures; where personal aspects are evaluated, in particular analysing or predicting aspects concerning performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements, in order to create or use personal profiles; where personal data of vulnerable natural persons, in particular of children, are processed; or where processing involves a large amount of personal data and affects a large number of data subjects.
The likelihood and severity of the risk to the rights and freedoms of the data subject should be determined by reference to the nature, scope, context and purposes of the processing. Risk should be evaluated on the basis of an objective assessment, by which it is established whether data processing operations involve a risk or a high risk.
Guidance on the implementation of appropriate measures and on the demonstration of compliance by the controller or the processor, especially as regards the identification of the risk related to the processing, their assessment in terms of origin, nature, likelihood and severity, and the identification of best practices to mitigate the risk, could be provided in particular by means of approved codes of conduct, approved certifications, guidelines provided by the Board or indications provided by a data protection officer. The Board may also issue guidelines on processing operations that are considered to be unlikely to result in a high risk to the rights and freedoms of natural persons and indicate what measures may be sufficient in such cases to address such risk.
The protection of the rights and freedoms of natural persons with regard to the processing of personal data require that appropriate technical and organisational measures be taken to ensure that the requirements of this Regulation are met. In order to be able to demonstrate compliance with this Regulation, the controller should adopt internal policies and implement measures which meet in particular the principles of data protection by design and data protection by default. Such measures could consist, inter alia, of minimising the processing of personal data, pseudonymising personal data as soon as possible, transparency with regard to the functions and processing of personal data, enabling the data subject to monitor the data processing, enabling the controller to create and improve security features. When developing, designing, selecting and using applications, services and products that are based on the processing of personal data or process personal data to fulfil their task, producers of the products, services and applications should be encouraged to take into account the right to data protection when developing and designing such products, services and applications and, with due regard to the state of the art, to make sure that controllers and processors are able to fulfil their data protection obligations. The principles of data protection by design and by default should also be taken into consideration in the context of public tenders.
The protection of the rights and freedoms of data subjects as well as the responsibility and liability of controllers and processors, also in relation to the monitoring by and measures of supervisory authorities, requires a clear allocation of the responsibilities under this Regulation, including where a controller determines the purposes and means of the processing jointly with other controllers or where a processing operation is carried out on behalf of a controller.
Where a controller or a processor not established in the Union is processing personal data of data subjects who are in the Union whose processing activities are related to the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union, or to the monitoring of their behaviour as far as their behaviour takes place within the Union, the controller or the processor should designate a representative, unless the processing is occasional, does not include processing, on a large scale, of special categories of personal data or the processing of personal data relating to criminal convictions and offences, and is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing or if the controller is a public authority or body. The representative should act on behalf of the controller or the processor and may be addressed by any supervisory authority. The representative should be explicitly designated by a written mandate of the controller or of the processor to act on its behalf with regard to its obligations under this Regulation. The designation of such a representative does not affect the responsibility or liability of the controller or of the processor under this Regulation. Such a representative should perform its tasks according to the mandate received from the controller or processor, including cooperating with the competent supervisory authorities with regard to any action taken to ensure compliance with this Regulation. The designated representative should be subject to enforcement proceedings in the event of non-compliance by the controller or processor.
To ensure compliance with the requirements of this Regulation in respect of the processing to be carried out by the processor on behalf of the controller, when entrusting a processor with processing activities, the controller should use only processors providing sufficient guarantees, in particular in terms of expert knowledge, reliability and resources, to implement technical and organisational measures which will meet the requirements of this Regulation, including for the security of processing. The adherence of the processor to an approved code of conduct or an approved certification mechanism may be used as an element to demonstrate compliance with the obligations of the controller. The carrying-out of processing by a processor should be governed by a contract or other legal act under Union or Member State law, binding the processor to the controller, setting out the subject-matter and duration of the processing, the nature and purposes of the processing, the type of personal data and categories of data subjects, taking into account the specific tasks and responsibilities of the processor in the context of the processing to be carried out and the risk to the rights and freedoms of the data subject. The controller and processor may choose to use an individual contract or standard contractual clauses which are adopted either directly by the Commission or by a supervisory authority in accordance with the consistency mechanism and then adopted by the Commission. After the completion of the processing on behalf of the controller, the processor should, at the choice of the controller, return or delete the personal data, unless there is a requirement to store the personal data under Union or Member State law to which the processor is subject.
In order to demonstrate compliance with this Regulation, the controller or processor should maintain records of processing activities under its responsibility. Each controller and processor should be obliged to cooperate with the supervisory authority and make those records, on request, available to it, so that it might serve for monitoring those processing operations.
In order to maintain security and to prevent processing in infringement of this Regulation, the controller or processor should evaluate the risks inherent in the processing and implement measures to mitigate those risks, such as encryption. Those measures should ensure an appropriate level of security, including confidentiality, taking into account the state of the art and the costs of implementation in relation to the risks and the nature of the personal data to be protected. In assessing data security risk, consideration should be given to the risks that are presented by personal data processing, such as accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed which may in particular lead to physical, material or non-material damage.
In order to enhance compliance with this Regulation where processing operations are likely to result in a high risk to the rights and freedoms of natural persons, the controller should be responsible for the carrying-out of a data protection impact assessment to evaluate, in particular, the origin, nature, particularity and severity of that risk. The outcome of the assessment should be taken into account when determining the appropriate measures to be taken in order to demonstrate that the processing of personal data complies with this Regulation. Where a data-protection impact assessment indicates that processing operations involve a high risk which the controller cannot mitigate by appropriate measures in terms of available technology and costs of implementation, a consultation of the supervisory authority should take place prior to the processing.
A personal data breach may, if not addressed in an appropriate and timely manner, result in physical, material or non-material damage to natural persons such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage to the natural person concerned. Therefore, as soon as the controller becomes aware that a personal data breach has occurred, the controller should notify the personal data breach to the supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of it, unless the controller is able to demonstrate, in accordance with the accountability principle, that the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where such notification cannot be achieved within 72 hours, the reasons for the delay should accompany the notification and information may be provided in phases without undue further delay.
The controller should communicate to the data subject a personal data breach, without undue delay, where that personal data breach is likely to result in a high risk to the rights and freedoms of the natural person in order to allow him or her to take the necessary precautions. The communication should describe the nature of the personal data breach as well as recommendations for the natural person concerned to mitigate potential adverse effects. Such communications to data subjects should be made as soon as reasonably feasible and in close cooperation with the supervisory authority, respecting guidance provided by it or by other relevant authorities such as law-enforcement authorities. For example, the need to mitigate an immediate risk of damage would call for prompt communication with data subjects whereas the need to implement appropriate measures against continuing or similar personal data breaches may justify more time for communication.
It should be ascertained whether all appropriate technological protection and organisational measures have been implemented to establish immediately whether a personal data breach has taken place and to inform promptly the supervisory authority and the data subject. The fact that the notification was made without undue delay should be established taking into account in particular the nature and gravity of the personal data breach and its consequences and adverse effects for the data subject. Such notification may result in an intervention of the supervisory authority in accordance with its tasks and powers laid down in this Regulation.
In setting detailed rules concerning the format and procedures applicable to the notification of personal data breaches, due consideration should be given to the circumstances of that breach, including whether or not personal data had been protected by appropriate technical protection measures, effectively limiting the likelihood of identity fraud or other forms of misuse. Moreover, such rules and procedures should take into account the legitimate interests of law-enforcement authorities where early disclosure could unnecessarily hamper the investigation of the circumstances of a personal data breach.
Directive 95/46/EC provided for a general obligation to notify the processing of personal data to the supervisory authorities. While that obligation produces administrative and financial burdens, it did not in all cases contribute to improving the protection of personal data. Such indiscriminate general notification obligations should therefore be abolished, and replaced by effective procedures and mechanisms which focus instead on those types of processing operations which are likely to result in a high risk to the rights and freedoms of natural persons by virtue of their nature, scope, context and purposes. Such types of processing operations may be those which in, particular, involve using new technologies, or are of a new kind and where no data protection impact assessment has been carried out before by the controller, or where they become necessary in the light of the time that has elapsed since the initial processing.
In such cases, a data protection impact assessment should be carried out by the controller prior to the processing in order to assess the particular likelihood and severity of the high risk, taking into account the nature, scope, context and purposes of the processing and the sources of the risk. That impact assessment should include, in particular, the measures, safeguards and mechanisms envisaged for mitigating that risk, ensuring the protection of personal data and demonstrating compliance with this Regulation.
This should in particular apply to large-scale processing operations which aim to process a considerable amount of personal data at regional, national or supranational level and which could affect a large number of data subjects and which are likely to result in a high risk, for example, on account of their sensitivity, where in accordance with the achieved state of technological knowledge a new technology is used on a large scale as well as to other processing operations which result in a high risk to the rights and freedoms of data subjects, in particular where those operations render it more difficult for data subjects to exercise their rights. A data protection impact assessment should also be made where personal data are processed for taking decisions regarding specific natural persons following any systematic and extensive evaluation of personal aspects relating to natural persons based on profiling those data or following the processing of special categories of personal data, biometric data, or data on criminal convictions and offences or related security measures. A data protection impact assessment is equally required for monitoring publicly accessible areas on a large scale, especially when using optic-electronic devices or for any other operations where the competent supervisory authority considers that the processing is likely to result in a high risk to the rights and freedoms of data subjects, in particular because they prevent data subjects from exercising a right or using a service or a contract, or because they are carried out systematically on a large scale. The processing of personal data should not be considered to be on a large scale if the processing concerns personal data from patients or clients by an individual physician, other health care professional or lawyer. In such cases, a data protection impact assessment should not be mandatory.
There are circumstances under which it may be reasonable and economical for the subject of a data protection impact assessment to be broader than a single project, for example where public authorities or bodies intend to establish a common application or processing platform or where several controllers plan to introduce a common application or processing environment across an industry sector or segment or for a widely used horizontal activity.
In the context of the adoption of the Member State law on which the performance of the tasks of the public authority or public body is based and which regulates the specific processing operation or set of operations in question, Member States may deem it necessary to carry out such assessment prior to the processing activities.
Where a data protection impact assessment indicates that the processing would, in the absence of safeguards, security measures and mechanisms to mitigate the risk, result in a high risk to the rights and freedoms of natural persons and the controller is of the opinion that the risk cannot be mitigated by reasonable means in terms of available technologies and costs of implementation, the supervisory authority should be consulted prior to the start of processing activities. Such high risk is likely to result from certain types of processing and the extent and frequency of processing, which may result also in a realisation of damage or interference with the rights and freedoms of the natural person. The supervisory authority should respond to the request for consultation within a specified period. However, the absence of a reaction of the supervisory authority within that period should be without prejudice to any intervention of the supervisory authority in accordance with its tasks and powers laid down in this Regulation, including the power to prohibit processing operations. As part of that consultation process, the outcome of a data protection impact assessment carried out with regard to the processing at issue may be submitted to the supervisory authority, in particular the measures envisaged to mitigate the risk to the rights and freedoms of natural persons.
The processor should assist the controller, where necessary and upon request, in ensuring compliance with the obligations deriving from the carrying out of data protection impact assessments and from prior consultation of the supervisory authority.
A consultation of the supervisory authority should also take place in the course of the preparation of a legislative or regulatory measure which provides for the processing of personal data, in order to ensure compliance of the intended processing with this Regulation and in particular to mitigate the risk involved for the data subject.
Where the processing is carried out by a public authority, except for courts or independent judicial authorities when acting in their judicial capacity, where, in the private sector, processing is carried out by a controller whose core activities consist of processing operations that require regular and systematic monitoring of the data subjects on a large scale, or where the core activities of the controller or the processor consist of processing on a large scale of special categories of personal data and data relating to criminal convictions and offences, a person with expert knowledge of data protection law and practices should assist the controller or processor to monitor internal compliance with this Regulation. In the private sector, the core activities of a controller relate to its primary activities and do not relate to the processing of personal data as ancillary activities. The necessary level of expert knowledge should be determined in particular according to the data processing operations carried out and the protection required for the personal data processed by the controller or the processor. Such data protection officers, whether or not they are an employee of the controller, should be in a position to perform their duties and tasks in an independent manner.
Associations or other bodies representing categories of controllers or processors should be encouraged to draw up codes of conduct, within the limits of this Regulation, so as to facilitate the effective application of this Regulation, taking account of the specific characteristics of the processing carried out in certain sectors and the specific needs of micro, small and medium enterprises. In particular, such codes of conduct could calibrate the obligations of controllers and processors, taking into account the risk likely to result from the processing for the rights and freedoms of natural persons.
When drawing up a code of conduct, or when amending or extending such a code, associations and other bodies representing categories of controllers or processors should consult relevant stakeholders, including data subjects where feasible, and have regard to submissions received and views expressed in response to such consultations.
In order to enhance transparency and compliance with this Regulation, the establishment of certification mechanisms and data protection seals and marks should be encouraged, allowing data subjects to quickly assess the level of data protection of relevant products and services.
Flows of personal data to and from countries outside the Union and international organisations are necessary for the expansion of international trade and international cooperation. The increase in such flows has raised new challenges and concerns with regard to the protection of personal data. However, when personal data are transferred from the Union to controllers, processors or other recipients in third countries or to international organisations, the level of protection of natural persons ensured in the Union by this Regulation should not be undermined, including in cases of onward transfers of personal data from the third country or international organisation to controllers, processors in the same or another third country or international organisation. In any event, transfers to third countries and international organisations may only be carried out in full compliance with this Regulation. A transfer could take place only if, subject to the other provisions of this Regulation, the conditions laid down in the provisions of this Regulation relating to the transfer of personal data to third countries or international organisations are complied with by the controller or processor.
This Regulation is without prejudice to international agreements concluded between the Union and third countries regulating the transfer of personal data including appropriate safeguards for the data subjects. Member States may conclude international agreements which involve the transfer of personal data to third countries or international organisations, as far as such agreements do not affect this Regulation or any other provisions of Union law and include an appropriate level of protection for the fundamental rights of the data subjects.
The Commission may decide with effect for the entire Union that a third country, a territory or specified sector within a third country, or an international organisation, offers an adequate level of data protection, thus providing legal certainty and uniformity throughout the Union as regards the third country or international organisation which is considered to provide such level of protection. In such cases, transfers of personal data to that third country or international organisation may take place without the need to obtain any further authorisation. The Commission may also decide, having given notice and a full statement setting out the reasons to the third country or international organisation, to revoke such a decision.
In line with the fundamental values on which the Union is founded, in particular the protection of human rights, the Commission should, in its assessment of the third country, or of a territory or specified sector within a third country, take into account how a particular third country respects the rule of law, access to justice as well as international human rights norms and standards and its general and sectoral law, including legislation concerning public security, defence and national security as well as public order and criminal law. The adoption of an adequacy decision with regard to a territory or a specified sector in a third country should take into account clear and objective criteria, such as specific processing activities and the scope of applicable legal standards and legislation in force in the third country. The third country should offer guarantees ensuring an adequate level of protection essentially equivalent to that ensured within the Union, in particular where personal data are processed in one or several specific sectors. In particular, the third country should ensure effective independent data protection supervision and should provide for cooperation mechanisms with the Member States’ data protection authorities, and the data subjects should be provided with effective and enforceable rights and effective administrative and judicial redress.
Apart from the international commitments the third country or international organisation has entered into, the Commission should take account of obligations arising from the third country’s or international organisation’s participation in multilateral or regional systems in particular in relation to the protection of personal data, as well as the implementation of such obligations. In particular, the third country’s accession to the Council of Europe Convention of 28 January 1981 for the Protection of Individuals with regard to the Automatic Processing of Personal Data and its Additional Protocol should be taken into account. The Commission should consult the Board when assessing the level of protection in third countries or international organisations.
The Commission should monitor the functioning of decisions on the level of protection in a third country, a territory or specified sector within a third country, or an international organisation, and monitor the functioning of decisions adopted on the basis of Article 25(6) or Article 26(4) of Directive 95/46/EC. In its adequacy decisions, the Commission should provide for a periodic review mechanism of their functioning. That periodic review should be conducted in consultation with the third country or international organisation in question and take into account all relevant developments in the third country or international organisation. For the purposes of monitoring and of carrying out the periodic reviews, the Commission should take into consideration the views and findings of the European Parliament and of the Council as well as of other relevant bodies and sources. The Commission should evaluate, within a reasonable time, the functioning of the latter decisions and report any relevant findings to the Committee within the meaning of Regulation (EU) No 182/2011 of the European Parliament and of the Council [^12] as established under this Regulation, to the European Parliament and to the Council.
The Commission may recognise that a third country, a territory or a specified sector within a third country, or an international organisation no longer ensures an adequate level of data protection. Consequently the transfer of personal data to that third country or international organisation should be prohibited, unless the requirements in this Regulation relating to transfers subject to appropriate safeguards, including binding corporate rules, and derogations for specific situations are fulfilled. In that case, provision should be made for consultations between the Commission and such third countries or international organisations. The Commission should, in a timely manner, inform the third country or international organisation of the reasons and enter into consultations with it in order to remedy the situation.
In the absence of an adequacy decision, the controller or processor should take measures to compensate for the lack of data protection in a third country by way of appropriate safeguards for the data subject. Such appropriate safeguards may consist of making use of binding corporate rules, standard data protection clauses adopted by the Commission, standard data protection clauses adopted by a supervisory authority or contractual clauses authorised by a supervisory authority. Those safeguards should ensure compliance with data protection requirements and the rights of the data subjects appropriate to processing within the Union, including the availability of enforceable data subject rights and of effective legal remedies, including to obtain effective administrative or judicial redress and to claim compensation, in the Union or in a third country. They should relate in particular to compliance with the general principles relating to personal data processing, the principles of data protection by design and by default. Transfers may also be carried out by public authorities or bodies with public authorities or bodies in third countries or with international organisations with corresponding duties or functions, including on the basis of provisions to be inserted into administrative arrangements, such as a memorandum of understanding, providing for enforceable and effective rights for data subjects. Authorisation by the competent supervisory authority should be obtained when the safeguards are provided for in administrative arrangements that are not legally binding.
The possibility for the controller or processor to use standard data-protection clauses adopted by the Commission or by a supervisory authority should prevent controllers or processors neither from including the standard data-protection clauses in a wider contract, such as a contract between the processor and another processor, nor from adding other clauses or additional safeguards provided that they do not contradict, directly or indirectly, the standard contractual clauses adopted by the Commission or by a supervisory authority or prejudice the fundamental rights or freedoms of the data subjects. Controllers and processors should be encouraged to provide additional safeguards via contractual commitments that supplement standard protection clauses.
A group of undertakings, or a group of enterprises engaged in a joint economic activity, should be able to make use of approved binding corporate rules for its international transfers from the Union to organisations within the same group of undertakings, or group of enterprises engaged in a joint economic activity, provided that such corporate rules include all essential principles and enforceable rights to ensure appropriate safeguards for transfers or categories of transfers of personal data.
Provisions should be made for the possibility for transfers in certain circumstances where the data subject has given his or her explicit consent, where the transfer is occasional and necessary in relation to a contract or a legal claim, regardless of whether in a judicial procedure or whether in an administrative or any out-of-court procedure, including procedures before regulatory bodies. Provision should also be made for the possibility for transfers where important grounds of public interest laid down by Union or Member State law so require or where the transfer is made from a register established by law and intended for consultation by the public or persons having a legitimate interest. In the latter case, such a transfer should not involve the entirety of the personal data or entire categories of the data contained in the register and, when the register is intended for consultation by persons having a legitimate interest, the transfer should be made only at the request of those persons or, if they are to be the recipients, taking into full account the interests and fundamental rights of the data subject.
Those derogations should in particular apply to data transfers required and necessary for important reasons of public interest, for example in cases of international data exchange between competition authorities, tax or customs administrations, between financial supervisory authorities, between services competent for social security matters, or for public health, for example in the case of contact tracing for contagious diseases or in order to reduce and/or eliminate doping in sport. A transfer of personal data should also be regarded as lawful where it is necessary to protect an interest which is essential for the data subject’s or another person’s vital interests, including physical integrity or life, if the data subject is incapable of giving consent. In the absence of an adequacy decision, Union or Member State law may, for important reasons of public interest, expressly set limits to the transfer of specific categories of data to a third country or an international organisation. Member States should notify such provisions to the Commission. Any transfer to an international humanitarian organisation of personal data of a data subject who is physically or legally incapable of giving consent, with a view to accomplishing a task incumbent under the Geneva Conventions or to complying with international humanitarian law applicable in armed conflicts, could be considered to be necessary for an important reason of public interest or because it is in the vital interest of the data subject.
Transfers which can be qualified as not repetitive and that only concern a limited number of data subjects, could also be possible for the purposes of the compelling legitimate interests pursued by the controller, when those interests are not overridden by the interests or rights and freedoms of the data subject and when the controller has assessed all the circumstances surrounding the data transfer. The controller should give particular consideration to the nature of the personal data, the purpose and duration of the proposed processing operation or operations, as well as the situation in the country of origin, the third country and the country of final destination, and should provide suitable safeguards to protect fundamental rights and freedoms of natural persons with regard to the processing of their personal data. Such transfers should be possible only in residual cases where none of the other grounds for transfer are applicable. For scientific or historical research purposes or statistical purposes, the legitimate expectations of society for an increase of knowledge should be taken into consideration. The controller should inform the supervisory authority and the data subject about the transfer.
In any case, where the Commission has taken no decision on the adequate level of data protection in a third country, the controller or processor should make use of solutions that provide data subjects with enforceable and effective rights as regards the processing of their data in the Union once those data have been transferred so that that they will continue to benefit from fundamental rights and safeguards.
Some third countries adopt laws, regulations and other legal acts which purport to directly regulate the processing activities of natural and legal persons under the jurisdiction of the Member States. This may include judgments of courts or tribunals or decisions of administrative authorities in third countries requiring a controller or processor to transfer or disclose personal data, and which are not based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State. The extraterritorial application of those laws, regulations and other legal acts may be in breach of international law and may impede the attainment of the protection of natural persons ensured in the Union by this Regulation. Transfers should only be allowed where the conditions of this Regulation for a transfer to third countries are met. This may be the case, inter alia, where disclosure is necessary for an important ground of public interest recognised in Union or Member State law to which the controller is subject.
When personal data moves across borders outside the Union it may put at increased risk the ability of natural persons to exercise data protection rights in particular to protect themselves from the unlawful use or disclosure of that information. At the same time, supervisory authorities may find that they are unable to pursue complaints or conduct investigations relating to the activities outside their borders. Their efforts to work together in the cross-border context may also be hampered by insufficient preventative or remedial powers, inconsistent legal regimes, and practical obstacles like resource constraints. Therefore, there is a need to promote closer cooperation among data protection supervisory authorities to help them exchange information and carry out investigations with their international counterparts. For the purposes of developing international cooperation mechanisms to facilitate and provide international mutual assistance for the enforcement of legislation for the protection of personal data, the Commission and the supervisory authorities should exchange information and cooperate in activities related to the exercise of their powers with competent authorities in third countries, based on reciprocity and in accordance with this Regulation.
The establishment of supervisory authorities in Member States, empowered to perform their tasks and exercise their powers with complete independence, is an essential component of the protection of natural persons with regard to the processing of their personal data. Member States should be able to establish more than one supervisory authority, to reflect their constitutional, organisational and administrative structure.
The independence of supervisory authorities should not mean that the supervisory authorities cannot be subject to control or monitoring mechanisms regarding their financial expenditure or to judicial review.
Where a Member State establishes several supervisory authorities, it should establish by law mechanisms for ensuring the effective participation of those supervisory authorities in the consistency mechanism. That Member State should in particular designate the supervisory authority which functions as a single contact point for the effective participation of those authorities in the mechanism, to ensure swift and smooth cooperation with other supervisory authorities, the Board and the Commission.
Each supervisory authority should be provided with the financial and human resources, premises and infrastructure necessary for the effective performance of their tasks, including those related to mutual assistance and cooperation with other supervisory authorities throughout the Union. Each supervisory authority should have a separate, public annual budget, which may be part of the overall state or national budget.
The general conditions for the member or members of the supervisory authority should be laid down by law in each Member State and should in particular provide that those members are to be appointed, by means of a transparent procedure, either by the parliament, government or the head of State of the Member State on the basis of a proposal from the government, a member of the government, the parliament or a chamber of the parliament, or by an independent body entrusted under Member State law. In order to ensure the independence of the supervisory authority, the member or members should act with integrity, refrain from any action that is incompatible with their duties and should not, during their term of office, engage in any incompatible occupation, whether gainful or not. The supervisory authority should have its own staff, chosen by the supervisory authority or an independent body established by Member State law, which should be subject to the exclusive direction of the member or members of the supervisory authority.
Each supervisory authority should be competent on the territory of its own Member State to exercise the powers and to perform the tasks conferred on it in accordance with this Regulation. This should cover in particular the processing in the context of the activities of an establishment of the controller or processor on the territory of its own Member State, the processing of personal data carried out by public authorities or private bodies acting in the public interest, processing affecting data subjects on its territory or processing carried out by a controller or processor not established in the Union when targeting data subjects residing on its territory. This should include handling complaints lodged by a data subject, conducting investigations on the application of this Regulation and promoting public awareness of the risks, rules, safeguards and rights in relation to the processing of personal data.
The supervisory authorities should monitor the application of the provisions pursuant to this Regulation and contribute to its consistent application throughout the Union, in order to protect natural persons in relation to the processing of their personal data and to facilitate the free flow of personal data within the internal market. For that purpose, the supervisory authorities should cooperate with each other and with the Commission, without the need for any agreement between Member States on the provision of mutual assistance or on such cooperation.
Where the processing of personal data takes place in the context of the activities of an establishment of a controller or a processor in the Union and the controller or processor is established in more than one Member State, or where processing taking place in the context of the activities of a single establishment of a controller or processor in the Union substantially affects or is likely to substantially affect data subjects in more than one Member State, the supervisory authority for the main establishment of the controller or processor or for the single establishment of the controller or processor should act as lead authority. It should cooperate with the other authorities concerned, because the controller or processor has an establishment on the territory of their Member State, because data subjects residing on their territory are substantially affected, or because a complaint has been lodged with them. Also where a data subject not residing in that Member State has lodged a complaint, the supervisory authority with which such complaint has been lodged should also be a supervisory authority concerned. Within its tasks to issue guidelines on any question covering the application of this Regulation, the Board should be able to issue guidelines in particular on the criteria to be taken into account in order to ascertain whether the processing in question substantially affects data subjects in more than one Member State and on what constitutes a relevant and reasoned objection.
The lead authority should be competent to adopt binding decisions regarding measures applying the powers conferred on it in accordance with this Regulation. In its capacity as lead authority, the supervisory authority should closely involve and coordinate the supervisory authorities concerned in the decision-making process. Where the decision is to reject the complaint by the data subject in whole or in part, that decision should be adopted by the supervisory authority with which the complaint has been lodged.
The decision should be agreed jointly by the lead supervisory authority and the supervisory authorities concerned and should be directed towards the main or single establishment of the controller or processor and be binding on the controller and processor. The controller or processor should take the necessary measures to ensure compliance with this Regulation and the implementation of the decision notified by the lead supervisory authority to the main establishment of the controller or processor as regards the processing activities in the Union.
Each supervisory authority not acting as the lead supervisory authority should be competent to handle local cases where the controller or processor is established in more than one Member State, but the subject matter of the specific processing concerns only processing carried out in a single Member State and involves only data subjects in that single Member State, for example, where the subject matter concerns the processing of employees’ personal data in the specific employment context of a Member State. In such cases, the supervisory authority should inform the lead supervisory authority without delay about the matter. After being informed, the lead supervisory authority should decide, whether it will handle the case pursuant to the provision on cooperation between the lead supervisory authority and other supervisory authorities concerned (‘one-stop-shop mechanism’), or whether the supervisory authority which informed it should handle the case at local level. When deciding whether it will handle the case, the lead supervisory authority should take into account whether there is an establishment of the controller or processor in the Member State of the supervisory authority which informed it in order to ensure effective enforcement of a decision vis-à-vis the controller or processor. Where the lead supervisory authority decides to handle the case, the supervisory authority which informed it should have the possibility to submit a draft for a decision, of which the lead supervisory authority should take utmost account when preparing its draft decision in that one-stop-shop mechanism.
The rules on the lead supervisory authority and the one-stop-shop mechanism should not apply where the processing is carried out by public authorities or private bodies in the public interest. In such cases the only supervisory authority competent to exercise the powers conferred to it in accordance with this Regulation should be the supervisory authority of the Member State where the public authority or private body is established.
In order to ensure consistent monitoring and enforcement of this Regulation throughout the Union, the supervisory authorities should have in each Member State the same tasks and effective powers, including powers of investigation, corrective powers and sanctions, and authorisation and advisory powers, in particular in cases of complaints from natural persons, and without prejudice to the powers of prosecutorial authorities under Member State law, to bring infringements of this Regulation to the attention of the judicial authorities and engage in legal proceedings. Such powers should also include the power to impose a temporary or definitive limitation, including a ban, on processing. Member States may specify other tasks related to the protection of personal data under this Regulation. The powers of supervisory authorities should be exercised in accordance with appropriate procedural safeguards set out in Union and Member State law, impartially, fairly and within a reasonable time. In particular each measure should be appropriate, necessary and proportionate in view of ensuring compliance with this Regulation, taking into account the circumstances of each individual case, respect the right of every person to be heard before any individual measure which would affect him or her adversely is taken and avoid superfluous costs and excessive inconveniences for the persons concerned. Investigatory powers as regards access to premises should be exercised in accordance with specific requirements in Member State procedural law, such as the requirement to obtain a prior judicial authorisation. Each legally binding measure of the supervisory authority should be in writing, be clear and unambiguous, indicate the supervisory authority which has issued the measure, the date of issue of the measure, bear the signature of the head, or a member of the supervisory authority authorised by him or her, give the reasons for the measure, and refer to the right of an effective remedy. This should not preclude additional requirements pursuant to Member State procedural law. The adoption of a legally binding decision implies that it may give rise to judicial review in the Member State of the supervisory authority that adopted the decision.
Where the supervisory authority with which the complaint has been lodged is not the lead supervisory authority, the lead supervisory authority should closely cooperate with the supervisory authority with which the complaint has been lodged in accordance with the provisions on cooperation and consistency laid down in this Regulation. In such cases, the lead supervisory authority should, when taking measures intended to produce legal effects, including the imposition of administrative fines, take utmost account of the view of the supervisory authority with which the complaint has been lodged and which should remain competent to carry out any investigation on the territory of its own Member State in liaison with the competent supervisory authority.
Where another supervisory authority should act as a lead supervisory authority for the processing activities of the controller or processor but the concrete subject matter of a complaint or the possible infringement concerns only processing activities of the controller or processor in the Member State where the complaint has been lodged or the possible infringement detected and the matter does not substantially affect or is not likely to substantially affect data subjects in other Member States, the supervisory authority receiving a complaint or detecting or being informed otherwise of situations that entail possible infringements of this Regulation should seek an amicable settlement with the controller and, if this proves unsuccessful, exercise its full range of powers. This should include: specific processing carried out in the territory of the Member State of the supervisory authority or with regard to data subjects on the territory of that Member State; processing that is carried out in the context of an offer of goods or services specifically aimed at data subjects in the territory of the Member State of the supervisory authority; or processing that has to be assessed taking into account relevant legal obligations under Member State law.
Awareness-raising activities by supervisory authorities addressed to the public should include specific measures directed at controllers and processors, including micro, small and medium-sized enterprises, as well as natural persons in particular in the educational context.
The supervisory authorities should assist each other in performing their tasks and provide mutual assistance, so as to ensure the consistent application and enforcement of this Regulation in the internal market. A supervisory authority requesting mutual assistance may adopt a provisional measure if it receives no response to a request for mutual assistance within one month of the receipt of that request by the other supervisory authority.
Each supervisory authority should, where appropriate, participate in joint operations with other supervisory authorities. The requested supervisory authority should be obliged to respond to the request within a specified time period.
In order to ensure the consistent application of this Regulation throughout the Union, a consistency mechanism for cooperation between the supervisory authorities should be established. That mechanism should in particular apply where a supervisory authority intends to adopt a measure intended to produce legal effects as regards processing operations which substantially affect a significant number of data subjects in several Member States. It should also apply where any supervisory authority concerned or the Commission requests that such matter should be handled in the consistency mechanism. That mechanism should be without prejudice to any measures that the Commission may take in the exercise of its powers under the Treaties.
In applying the consistency mechanism, the Board should, within a determined period of time, issue an opinion, if a majority of its members so decides or if so requested by any supervisory authority concerned or the Commission. The Board should also be empowered to adopt legally binding decisions where there are disputes between supervisory authorities. For that purpose, it should issue, in principle by a two-thirds majority of its members, legally binding decisions in clearly specified cases where there are conflicting views among supervisory authorities, in particular in the cooperation mechanism between the lead supervisory authority and supervisory authorities concerned on the merits of the case, in particular whether there is an infringement of this Regulation.
There may be an urgent need to act in order to protect the rights and freedoms of data subjects, in particular when the danger exists that the enforcement of a right of a data subject could be considerably impeded. A supervisory authority should therefore be able to adopt duly justified provisional measures on its territory with a specified period of validity which should not exceed three months.
The application of such mechanism should be a condition for the lawfulness of a measure intended to produce legal effects by a supervisory authority in those cases where its application is mandatory. In other cases of cross-border relevance, the cooperation mechanism between the lead supervisory authority and supervisory authorities concerned should be applied and mutual assistance and joint operations might be carried out between the supervisory authorities concerned on a bilateral or multilateral basis without triggering the consistency mechanism.
In order to promote the consistent application of this Regulation, the Board should be set up as an independent body of the Union. To fulfil its objectives, the Board should have legal personality. The Board should be represented by its Chair. It should replace the Working Party on the Protection of Individuals with Regard to the Processing of Personal Data established by Directive 95/46/EC. It should consist of the head of a supervisory authority of each Member State and the European Data Protection Supervisor or their respective representatives. The Commission should participate in the Board’s activities without voting rights and the European Data Protection Supervisor should have specific voting rights. The Board should contribute to the consistent application of this Regulation throughout the Union, including by advising the Commission, in particular on the level of protection in third countries or international organisations, and promoting cooperation of the supervisory authorities throughout the Union. The Board should act independently when performing its tasks.
The Board should be assisted by a secretariat provided by the European Data Protection Supervisor. The staff of the European Data Protection Supervisor involved in carrying out the tasks conferred on the Board by this Regulation should perform its tasks exclusively under the instructions of, and report to, the Chair of the Board.
Every data subject should have the right to lodge a complaint with a single supervisory authority, in particular in the Member State of his or her habitual residence, and the right to an effective judicial remedy in accordance with Article 47 of the Charter if the data subject considers that his or her rights under this Regulation are infringed or where the supervisory authority does not act on a complaint, partially or wholly rejects or dismisses a complaint or does not act where such action is necessary to protect the rights of the data subject. The investigation following a complaint should be carried out, subject to judicial review, to the extent that is appropriate in the specific case. The supervisory authority should inform the data subject of the progress and the outcome of the complaint within a reasonable period. If the case requires further investigation or coordination with another supervisory authority, intermediate information should be given to the data subject. In order to facilitate the submission of complaints, each supervisory authority should take measures such as providing a complaint submission form which can also be completed electronically, without excluding other means of communication.
Where a data subject considers that his or her rights under this Regulation are infringed, he or she should have the right to mandate a not-for-profit body, organisation or association which is constituted in accordance with the law of a Member State, has statutory objectives which are in the public interest and is active in the field of the protection of personal data to lodge a complaint on his or her behalf with a supervisory authority, exercise the right to a judicial remedy on behalf of data subjects or, if provided for in Member State law, exercise the right to receive compensation on behalf of data subjects. A Member State may provide for such a body, organisation or association to have the right to lodge a complaint in that Member State, independently of a data subject’s mandate, and the right to an effective judicial remedy where it has reasons to consider that the rights of a data subject have been infringed as a result of the processing of personal data which infringes this Regulation. That body, organisation or association may not be allowed to claim compensation on a data subject’s behalf independently of the data subject’s mandate.
Any natural or legal person has the right to bring an action for annulment of decisions of the Board before the Court of Justice under the conditions provided for in Article 263 TFEU. As addressees of such decisions, the supervisory authorities concerned which wish to challenge them have to bring action within two months of being notified of them, in accordance with Article 263 TFEU. Where decisions of the Board are of direct and individual concern to a controller, processor or complainant, the latter may bring an action for annulment against those decisions within two months of their publication on the website of the Board, in accordance with Article 263 TFEU. Without prejudice to this right under Article 263 TFEU, each natural or legal person should have an effective judicial remedy before the competent national court against a decision of a supervisory authority which produces legal effects concerning that person. Such a decision concerns in particular the exercise of investigative, corrective and authorisation powers by the supervisory authority or the dismissal or rejection of complaints. However, the right to an effective judicial remedy does not encompass measures taken by supervisory authorities which are not legally binding, such as opinions issued by or advice provided by the supervisory authority. Proceedings against a supervisory authority should be brought before the courts of the Member State where the supervisory authority is established and should be conducted in accordance with that Member State’s procedural law. Those courts should exercise full jurisdiction, which should include jurisdiction to examine all questions of fact and law relevant to the dispute before them.
Where a complaint has been rejected or dismissed by a supervisory authority, the complainant may bring proceedings before the courts in the same Member State. In the context of judicial remedies relating to the application of this Regulation, national courts which consider a decision on the question necessary to enable them to give judgment, may, or in the case provided for in Article 267 TFEU, must, request the Court of Justice to give a preliminary ruling on the interpretation of Union law, including this Regulation. Furthermore, where a decision of a supervisory authority implementing a decision of the Board is challenged before a national court and the validity of the decision of the Board is at issue, that national court does not have the power to declare the Board’s decision invalid but must refer the question of validity to the Court of Justice in accordance with Article 267 TFEU as interpreted by the Court of Justice, where it considers the decision invalid. However, a national court may not refer a question on the validity of the decision of the Board at the request of a natural or legal person which had the opportunity to bring an action for annulment of that decision, in particular if it was directly and individually concerned by that decision, but had not done so within the period laid down in Article 263 TFEU.
Where a court seized of proceedings against a decision by a supervisory authority has reason to believe that proceedings concerning the same processing, such as the same subject matter as regards processing by the same controller or processor, or the same cause of action, are brought before a competent court in another Member State, it should contact that court in order to confirm the existence of such related proceedings. If related proceedings are pending before a court in another Member State, any court other than the court first seized may stay its proceedings or may, on request of one of the parties, decline jurisdiction in favour of the court first seized if that court has jurisdiction over the proceedings in question and its law permits the consolidation of such related proceedings. Proceedings are deemed to be related where they are so closely connected that it is expedient to hear and determine them together in order to avoid the risk of irreconcilable judgments resulting from separate proceedings.
For proceedings against a controller or processor, the plaintiff should have the choice to bring the action before the courts of the Member States where the controller or processor has an establishment or where the data subject resides, unless the controller is a public authority of a Member State acting in the exercise of its public powers.
The controller or processor should compensate any damage which a person may suffer as a result of processing that infringes this Regulation. The controller or processor should be exempt from liability if it proves that it is not in any way responsible for the damage. The concept of damage should be broadly interpreted in the light of the case-law of the Court of Justice in a manner which fully reflects the objectives of this Regulation. This is without prejudice to any claims for damage deriving from the violation of other rules in Union or Member State law. Processing that infringes this Regulation also includes processing that infringes delegated and implementing acts adopted in accordance with this Regulation and Member State law specifying rules of this Regulation. Data subjects should receive full and effective compensation for the damage they have suffered. Where controllers or processors are involved in the same processing, each controller or processor should be held liable for the entire damage. However, where they are joined to the same judicial proceedings, in accordance with Member State law, compensation may be apportioned according to the responsibility of each controller or processor for the damage caused by the processing, provided that full and effective compensation of the data subject who suffered the damage is ensured. Any controller or processor which has paid full compensation may subsequently institute recourse proceedings against other controllers or processors involved in the same processing.
Where specific rules on jurisdiction are contained in this Regulation, in particular as regards proceedings seeking a judicial remedy including compensation, against a controller or processor, general jurisdiction rules such as those of Regulation (EU) No 1215/2012 of the European Parliament and of the Council [^13] should not prejudice the application of such specific rules.
In order to strengthen the enforcement of the rules of this Regulation, penalties including administrative fines should be imposed for any infringement of this Regulation, in addition to, or instead of appropriate measures imposed by the supervisory authority pursuant to this Regulation. In a case of a minor infringement or if the fine likely to be imposed would constitute a disproportionate burden to a natural person, a reprimand may be issued instead of a fine. Due regard should however be given to the nature, gravity and duration of the infringement, the intentional character of the infringement, actions taken to mitigate the damage suffered, degree of responsibility or any relevant previous infringements, the manner in which the infringement became known to the supervisory authority, compliance with measures ordered against the controller or processor, adherence to a code of conduct and any other aggravating or mitigating factor. The imposition of penalties including administrative fines should be subject to appropriate procedural safeguards in accordance with the general principles of Union law and the Charter, including effective judicial protection and due process.
Member States should be able to lay down the rules on criminal penalties for infringements of this Regulation, including for infringements of national rules adopted pursuant to and within the limits of this Regulation. Those criminal penalties may also allow for the deprivation of the profits obtained through infringements of this Regulation. However, the imposition of criminal penalties for infringements of such national rules and of administrative penalties should not lead to a breach of the principle of ne bis in idem, as interpreted by the Court of Justice.
In order to strengthen and harmonise administrative penalties for infringements of this Regulation, each supervisory authority should have the power to impose administrative fines. This Regulation should indicate infringements and the upper limit and criteria for setting the related administrative fines, which should be determined by the competent supervisory authority in each individual case, taking into account all relevant circumstances of the specific situation, with due regard in particular to the nature, gravity and duration of the infringement and of its consequences and the measures taken to ensure compliance with the obligations under this Regulation and to prevent or mitigate the consequences of the infringement. Where administrative fines are imposed on an undertaking, an undertaking should be understood to be an undertaking in accordance with Articles 101 and 102 TFEU for those purposes. Where administrative fines are imposed on persons that are not an undertaking, the supervisory authority should take account of the general level of income in the Member State as well as the economic situation of the person in considering the appropriate amount of the fine. The consistency mechanism may also be used to promote a consistent application of administrative fines. It should be for the Member States to determine whether and to which extent public authorities should be subject to administrative fines. Imposing an administrative fine or giving a warning does not affect the application of other powers of the supervisory authorities or of other penalties under this Regulation.
The legal systems of Denmark and Estonia do not allow for administrative fines as set out in this Regulation. The rules on administrative fines may be applied in such a manner that in Denmark the fine is imposed by competent national courts as a criminal penalty and in Estonia the fine is imposed by the supervisory authority in the framework of a misdemeanour procedure, provided that such an application of the rules in those Member States has an equivalent effect to administrative fines imposed by supervisory authorities. Therefore the competent national courts should take into account the recommendation by the supervisory authority initiating the fine. In any event, the fines imposed should be effective, proportionate and dissuasive.
Where this Regulation does not harmonise administrative penalties or where necessary in other cases, for example in cases of serious infringements of this Regulation, Member States should implement a system which provides for effective, proportionate and dissuasive penalties. The nature of such penalties, criminal or administrative, should be determined by Member State law.
Member States law should reconcile the rules governing freedom of expression and information, including journalistic, academic, artistic and or literary expression with the right to the protection of personal data pursuant to this Regulation. The processing of personal data solely for journalistic purposes, or for the purposes of academic, artistic or literary expression should be subject to derogations or exemptions from certain provisions of this Regulation if necessary to reconcile the right to the protection of personal data with the right to freedom of expression and information, as enshrined in Article 11 of the Charter. This should apply in particular to the processing of personal data in the audiovisual field and in news archives and press libraries. Therefore, Member States should adopt legislative measures which lay down the exemptions and derogations necessary for the purpose of balancing those fundamental rights. Member States should adopt such exemptions and derogations on general principles, the rights of the data subject, the controller and the processor, the transfer of personal data to third countries or international organisations, the independent supervisory authorities, cooperation and consistency, and specific data-processing situations. Where such exemptions or derogations differ from one Member State to another, the law of the Member State to which the controller is subject should apply. In order to take account of the importance of the right to freedom of expression in every democratic society, it is necessary to interpret notions relating to that freedom, such as journalism, broadly.
This Regulation allows the principle of public access to official documents to be taken into account when applying this Regulation. Public access to official documents may be considered to be in the public interest. Personal data in documents held by a public authority or a public body should be able to be publicly disclosed by that authority or body if the disclosure is provided for by Union or Member State law to which the public authority or public body is subject. Such laws should reconcile public access to official documents and the reuse of public sector information with the right to the protection of personal data and may therefore provide for the necessary reconciliation with the right to the protection of personal data pursuant to this Regulation. The reference to public authorities and bodies should in that context include all authorities or other bodies covered by Member State law on public access to documents. Directive 2003/98/EC of the European Parliament and of the Council [^14] leaves intact and in no way affects the level of protection of natural persons with regard to the processing of personal data under the provisions of Union and Member State law, and in particular does not alter the obligations and rights set out in this Regulation. In particular, that Directive should not apply to documents to which access is excluded or restricted by virtue of the access regimes on the grounds of protection of personal data, and parts of documents accessible by virtue of those regimes which contain personal data the re-use of which has been provided for by law as being incompatible with the law concerning the protection of natural persons with regard to the processing of personal data.
Member State law or collective agreements, including ‘works agreements’, may provide for specific rules on the processing of employees’ personal data in the employment context, in particular for the conditions under which personal data in the employment context may be processed on the basis of the consent of the employee, the purposes of the recruitment, the performance of the contract of employment, including discharge of obligations laid down by law or by collective agreements, management, planning and organisation of work, equality and diversity in the workplace, health and safety at work, and for the purposes of the exercise and enjoyment, on an individual or collective basis, of rights and benefits related to employment, and for the purpose of the termination of the employment relationship.
The processing of personal data for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes should be subject to appropriate safeguards for the rights and freedoms of the data subject pursuant to this Regulation. Those safeguards should ensure that technical and organisational measures are in place in order to ensure, in particular, the principle of data minimisation. The further processing of personal data for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes is to be carried out when the controller has assessed the feasibility to fulfil those purposes by processing data which do not permit or no longer permit the identification of data subjects, provided that appropriate safeguards exist (such as, for instance, pseudonymisation of the data). Member States should provide for appropriate safeguards for the processing of personal data for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes. Member States should be authorised to provide, under specific conditions and subject to appropriate safeguards for data subjects, specifications and derogations with regard to the information requirements and rights to rectification, to erasure, to be forgotten, to restriction of processing, to data portability, and to object when processing personal data for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes. The conditions and safeguards in question may entail specific procedures for data subjects to exercise those rights if this is appropriate in the light of the purposes sought by the specific processing along with technical and organisational measures aimed at minimising the processing of personal data in pursuance of the proportionality and necessity principles. The processing of personal data for scientific purposes should also comply with other relevant legislation such as on clinical trials.
By coupling information from registries, researchers can obtain new knowledge of great value with regard to widespread medical conditions such as cardiovascular disease, cancer and depression. On the basis of registries, research results can be enhanced, as they draw on a larger population. Within social science, research on the basis of registries enables researchers to obtain essential knowledge about the long-term correlation of a number of social conditions such as unemployment and education with other life conditions. Research results obtained through registries provide solid, high-quality knowledge which can provide the basis for the formulation and implementation of knowledge-based policy, improve the quality of life for a number of people and improve the efficiency of social services. In order to facilitate scientific research, personal data can be processed for scientific research purposes, subject to appropriate conditions and safeguards set out in Union or Member State law.
Where personal data are processed for archiving purposes, this Regulation should also apply to that processing, bearing in mind that this Regulation should not apply to deceased persons. Public authorities or public or private bodies that hold records of public interest should be services which, pursuant to Union or Member State law, have a legal obligation to acquire, preserve, appraise, arrange, describe, communicate, promote, disseminate and provide access to records of enduring value for general public interest. Member States should also be authorised to provide for the further processing of personal data for archiving purposes, for example with a view to providing specific information related to the political behaviour under former totalitarian state regimes, genocide, crimes against humanity, in particular the Holocaust, or war crimes.
Where personal data are processed for scientific research purposes, this Regulation should also apply to that processing. For the purposes of this Regulation, the processing of personal data for scientific research purposes should be interpreted in a broad manner including for example technological development and demonstration, fundamental research, applied research and privately funded research. In addition, it should take into account the Union’s objective under Article 179(1) TFEU of achieving a European Research Area. Scientific research purposes should also include studies conducted in the public interest in the area of public health. To meet the specificities of processing personal data for scientific research purposes, specific conditions should apply in particular as regards the publication or otherwise disclosure of personal data in the context of scientific research purposes. If the result of scientific research in particular in the health context gives reason for further measures in the interest of the data subject, the general rules of this Regulation should apply in view of those measures.
Where personal data are processed for historical research purposes, this Regulation should also apply to that processing. This should also include historical research and research for genealogical purposes, bearing in mind that this Regulation should not apply to deceased persons.
For the purpose of consenting to the participation in scientific research activities in clinical trials, the relevant provisions of Regulation (EU) No 536/2014 of the European Parliament and of the Council [^15] should apply.
Where personal data are processed for statistical purposes, this Regulation should apply to that processing. Union or Member State law should, within the limits of this Regulation, determine statistical content, control of access, specifications for the processing of personal data for statistical purposes and appropriate measures to safeguard the rights and freedoms of the data subject and for ensuring statistical confidentiality. Statistical purposes mean any operation of collection and the processing of personal data necessary for statistical surveys or for the production of statistical results. Those statistical results may further be used for different purposes, including a scientific research purpose. The statistical purpose implies that the result of processing for statistical purposes is not personal data, but aggregate data, and that this result or the personal data are not used in support of measures or decisions regarding any particular natural person.
The confidential information which the Union and national statistical authorities collect for the production of official European and official national statistics should be protected. European statistics should be developed, produced and disseminated in accordance with the statistical principles as set out in Article 338(2) TFEU, while national statistics should also comply with Member State law. Regulation (EC) No 223/2009 of the European Parliament and of the Council [^16] provides further specifications on statistical confidentiality for European statistics.
As regards the powers of the supervisory authorities to obtain from the controller or processor access to personal data and access to their premises, Member States may adopt by law, within the limits of this Regulation, specific rules in order to safeguard the professional or other equivalent secrecy obligations, in so far as necessary to reconcile the right to the protection of personal data with an obligation of professional secrecy. This is without prejudice to existing Member State obligations to adopt rules on professional secrecy where required by Union law.
This Regulation respects and does not prejudice the status under existing constitutional law of churches and religious associations or communities in the Member States, as recognised in Article 17 TFEU.
In order to fulfil the objectives of this Regulation, namely to protect the fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data and to ensure the free movement of personal data within the Union, the power to adopt acts in accordance with Article 290 TFEU should be delegated to the Commission. In particular, delegated acts should be adopted in respect of criteria and requirements for certification mechanisms, information to be presented by standardised icons and procedures for providing such icons. It is of particular importance that the Commission carry out appropriate consultations during its preparatory work, including at expert level. The Commission, when preparing and drawing-up delegated acts, should ensure a simultaneous, timely and appropriate transmission of relevant documents to the European Parliament and to the Council.
In order to ensure uniform conditions for the implementation of this Regulation, implementing powers should be conferred on the Commission when provided for by this Regulation. Those powers should be exercised in accordance with Regulation (EU) No 182/2011. In that context, the Commission should consider specific measures for micro, small and medium-sized enterprises.
The examination procedure should be used for the adoption of implementing acts on standard contractual clauses between controllers and processors and between processors; codes of conduct; technical standards and mechanisms for certification; the adequate level of protection afforded by a third country, a territory or a specified sector within that third country, or an international organisation; standard protection clauses; formats and procedures for the exchange of information by electronic means between controllers, processors and supervisory authorities for binding corporate rules; mutual assistance; and arrangements for the exchange of information by electronic means between supervisory authorities, and between supervisory authorities and the Board.
The Commission should adopt immediately applicable implementing acts where available evidence reveals that a third country, a territory or a specified sector within that third country, or an international organisation does not ensure an adequate level of protection, and imperative grounds of urgency so require.
Since the objective of this Regulation, namely to ensure an equivalent level of protection of natural persons and the free flow of personal data throughout the Union, cannot be sufficiently achieved by the Member States and can rather, by reason of the scale or effects of the action, be better achieved at Union level, the Union may adopt measures, in accordance with the principle of subsidiarity as set out in Article 5 of the Treaty on European Union (TEU). In accordance with the principle of proportionality as set out in that Article, this Regulation does not go beyond what is necessary in order to achieve that objective.
Directive 95/46/EC should be repealed by this Regulation. Processing already under way on the date of application of this Regulation should be brought into conformity with this Regulation within the period of two years after which this Regulation enters into force. Where processing is based on consent pursuant to Directive 95/46/EC, it is not necessary for the data subject to give his or her consent again if the manner in which the consent has been given is in line with the conditions of this Regulation, so as to allow the controller to continue such processing after the date of application of this Regulation. Commission decisions adopted and authorisations by supervisory authorities based on Directive 95/46/EC remain in force until amended, replaced or repealed.
The European Data Protection Supervisor was consulted in accordance with Article 28(2) of Regulation (EC) No 45/2001 and delivered an opinion on 7 March 2012 [^17].
This Regulation should apply to all matters concerning the protection of fundamental rights and freedoms vis-à-vis the processing of personal data which are not subject to specific obligations with the same objective set out in Directive 2002/58/EC of the European Parliament and of the Council [^18], including the obligations on the controller and the rights of natural persons. In order to clarify the relationship between this Regulation and Directive 2002/58/EC, that Directive should be amended accordingly. Once this Regulation is adopted, Directive 2002/58/EC should be reviewed in particular in order to ensure consistency with this Regulation,
HAVE ADOPTED THIS REGULATION:
This Regulation lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data.
This Regulation protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.
The free movement of personal data within the Union shall be neither restricted nor prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data.
This Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.
This Regulation does not apply to the processing of personal data:
For the processing of personal data by the Union institutions, bodies, offices and agencies, Regulation (EC) No 45/2001 applies. Regulation (EC) No 45/2001 and other Union legal acts applicable to such processing of personal data shall be adapted to the principles and rules of this Regulation in accordance with Article 98.
This Regulation shall be without prejudice to the application of Directive 2000/31/EC, in particular of the liability rules of intermediary service providers in Articles 12 to 15 of that Directive.
This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.
For the purposes of this Regulation:
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
‘restriction of processing’ means the marking of stored personal data with the aim of limiting their processing in the future;
‘profiling’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;
‘pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;
‘filing system’ means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;
‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
‘recipient’ means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;
‘third party’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;
‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
‘genetic data’ means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question;
‘biometric data’ means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;
‘data concerning health’ means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;
‘main establishment’ means:
‘representative’ means a natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to Article 27, represents the controller or processor with regard to their respective obligations under this Regulation;
‘enterprise’ means a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity;
‘group of undertakings’ means a controlling undertaking and its controlled undertakings;
‘binding corporate rules’ means personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity;
‘supervisory authority’ means an independent public authority which is established by a Member State pursuant to Article 51;
‘supervisory authority concerned’ means a supervisory authority which is concerned by the processing of personal data because:
‘cross-border processing’ means either:
‘relevant and reasoned objection’ means an objection to a draft decision as to whether there is an infringement of this Regulation, or whether envisaged action in relation to the controller or processor complies with this Regulation, which clearly demonstrates the significance of the risks posed by the draft decision as regards the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the Union;
‘information society service’ means a service as defined in point (b) of Article 1(1) of Directive (EU) 2015/1535 of the European Parliament and of the Council [^19];
‘international organisation’ means an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries.
Personal data shall be:
The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).
Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks.
Member States may maintain or introduce more specific provisions to adapt the application of the rules of this Regulation with regard to processing for compliance with points (c) and (e) of paragraph 1 by determining more precisely specific requirements for the processing and other measures to ensure lawful and fair processing including for other specific processing situations as provided for in Chapter IX.
The basis for the processing referred to in point (c) and (e) of paragraph 1 shall be laid down by:
The purpose of the processing shall be determined in that legal basis or, as regards the processing referred to in point (e) of paragraph 1, shall be necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. That legal basis may contain specific provisions to adapt the application of rules of this Regulation, inter alia: the general conditions governing the lawfulness of processing by the controller; the types of data which are subject to the processing; the data subjects concerned; the entities to, and the purposes for which, the personal data may be disclosed; the purpose limitation; storage periods; and processing operations and processing procedures, including measures to ensure lawful and fair processing such as those for other specific processing situations as provided for in Chapter IX. The Union or the Member State law shall meet an objective of public interest and be proportionate to the legitimate aim pursued.
Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.
If the data subject’s consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding.
The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.
When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.
Member States may provide by law for a lower age for those purposes provided that such lower age is not below 13 years.
The controller shall make reasonable efforts to verify in such cases that consent is given or authorised by the holder of parental responsibility over the child, taking into consideration available technology.
Paragraph 1 shall not affect the general contract law of Member States such as the rules on the validity, formation or effect of a contract in relation to a child.
Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited.
Paragraph 1 shall not apply if one of the following applies:
Personal data referred to in paragraph 1 may be processed for the purposes referred to in point (h) of paragraph 2 when those data are processed by or under the responsibility of a professional subject to the obligation of professional secrecy under Union or Member State law or rules established by national competent bodies or by another person also subject to an obligation of secrecy under Union or Member State law or rules established by national competent bodies.
Member States may maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health.
Processing of personal data relating to criminal convictions and offences or related security measures based on Article 6(1) shall be carried out only under the control of official authority or when the processing is authorised by Union or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects. Any comprehensive register of criminal convictions shall be kept only under the control of official authority.
If the purposes for which a controller processes personal data do not or do no longer require the identification of a data subject by the controller, the controller shall not be obliged to maintain, acquire or process additional information in order to identify the data subject for the sole purpose of complying with this Regulation.
Where, in cases referred to in paragraph 1 of this Article, the controller is able to demonstrate that it is not in a position to identify the data subject, the controller shall inform the data subject accordingly, if possible. In such cases, Articles 15 to 20 shall not apply except where the data subject, for the purpose of exercising his or her rights under those articles, provides additional information enabling his or her identification.
The controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34 relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child. The information shall be provided in writing, or by other means, including, where appropriate, by electronic means. When requested by the data subject, the information may be provided orally, provided that the identity of the data subject is proven by other means.
The controller shall facilitate the exercise of data subject rights under Articles 15 to 22. In the cases referred to in Article 11(2), the controller shall not refuse to act on the request of the data subject for exercising his or her rights under Articles 15 to 22, unless the controller demonstrates that it is not in a position to identify the data subject.
The controller shall provide information on action taken on a request under Articles 15 to 22 to the data subject without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. Where the data subject makes the request by electronic form means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject.
If the controller does not take action on the request of the data subject, the controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.
Information provided under Articles 13 and 14 and any communication and any actions taken under Articles 15 to 22 and 34 shall be provided free of charge. Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either:
The controller shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.
Without prejudice to Article 11, where the controller has reasonable doubts concerning the identity of the natural person making the request referred to in Articles 15 to 21, the controller may request the provision of additional information necessary to confirm the identity of the data subject.
The information to be provided to data subjects pursuant to Articles 13 and 14 may be provided in combination with standardised icons in order to give in an easily visible, intelligible and clearly legible manner a meaningful overview of the intended processing. Where the icons are presented electronically they shall be machine-readable.
The Commission shall be empowered to adopt delegated acts in accordance with Article 92 for the purpose of determining the information to be presented by the icons and the procedures for providing standardised icons.
Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with all of the following information:
In addition to the information referred to in paragraph 1, the controller shall, at the time when personal data are obtained, provide the data subject with the following further information necessary to ensure fair and transparent processing:
Where the controller intends to further process the personal data for a purpose other than that for which the personal data were collected, the controller shall provide the data subject prior to that further processing with information on that other purpose and with any relevant further information as referred to in paragraph 2.
Paragraphs 1, 2 and 3 shall not apply where and insofar as the data subject already has the information.
Where personal data have not been obtained from the data subject, the controller shall provide the data subject with the following information:
In addition to the information referred to in paragraph 1, the controller shall provide the data subject with the following information necessary to ensure fair and transparent processing in respect of the data subject:
The controller shall provide the information referred to in paragraphs 1 and 2:
Where the controller intends to further process the personal data for a purpose other than that for which the personal data were obtained, the controller shall provide the data subject prior to that further processing with information on that other purpose and with any relevant further information as referred to in paragraph 2.
Paragraphs 1 to 4 shall not apply where and insofar as:
The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:
Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 relating to the transfer.
The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.
The right to obtain a copy referred to in paragraph 3 shall not adversely affect the rights and freedoms of others.
The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
Where the controller has made the personal data public and is obliged pursuant to paragraph 1 to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
Paragraphs 1 and 2 shall not apply to the extent that processing is necessary:
The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:
Where processing has been restricted under paragraph 1, such personal data shall, with the exception of storage, only be processed with the data subject’s consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
A data subject who has obtained restriction of processing pursuant to paragraph 1 shall be informed by the controller before the restriction of processing is lifted.
The controller shall communicate any rectification or erasure of personal data or restriction of processing carried out in accordance with Article 16, Article 17(1) and Article 18 to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The controller shall inform the data subject about those recipients if the data subject requests it.
The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:
In exercising his or her right to data portability pursuant to paragraph 1, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.
The exercise of the right referred to in paragraph 1 of this Article shall be without prejudice to Article 17. That right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
The right referred to in paragraph 1 shall not adversely affect the rights and freedoms of others.
The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1), including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.
Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
At the latest at the time of the first communication with the data subject, the right referred to in paragraphs 1 and 2 shall be explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information.
In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, the data subject may exercise his or her right to object by automated means using technical specifications.
Where personal data are processed for scientific or historical research purposes or statistical purposes pursuant to Article 89(1), the data subject, on grounds relating to his or her particular situation, shall have the right to object to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.
The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
Paragraph 1 shall not apply if the decision:
In the cases referred to in points (a) and (c) of paragraph 2, the data controller shall implement suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.
Decisions referred to in paragraph 2 shall not be based on special categories of personal data referred to in Article 9(1), unless point (a) or (g) of Article 9(2) applies and suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests are in place.
Union or Member State law to which the data controller or processor is subject may restrict by way of a legislative measure the scope of the obligations and rights provided for in Articles 12 to 22 and Article 34, as well as Article 5 in so far as its provisions correspond to the rights and obligations provided for in Articles 12 to 22, when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard:
In particular, any legislative measure referred to in paragraph 1 shall contain specific provisions at least, where relevant, as to:
Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary.
Where proportionate in relation to processing activities, the measures referred to in paragraph 1 shall include the implementation of appropriate data protection policies by the controller.
Adherence to approved codes of conduct as referred to in Article 40 or approved certification mechanisms as referred to in Article 42 may be used as an element by which to demonstrate compliance with the obligations of the controller.
Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.
The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual’s intervention to an indefinite number of natural persons.
An approved certification mechanism pursuant to Article 42 may be used as an element to demonstrate compliance with the requirements set out in paragraphs 1 and 2 of this Article.
Where two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers. They shall in a transparent manner determine their respective responsibilities for compliance with the obligations under this Regulation, in particular as regards the exercising of the rights of the data subject and their respective duties to provide the information referred to in Articles 13 and 14, by means of an arrangement between them unless, and in so far as, the respective responsibilities of the controllers are determined by Union or Member State law to which the controllers are subject. The arrangement may designate a contact point for data subjects.
The arrangement referred to in paragraph 1 shall duly reflect the respective roles and relationships of the joint controllers vis-à-vis the data subjects. The essence of the arrangement shall be made available to the data subject.
Irrespective of the terms of the arrangement referred to in paragraph 1, the data subject may exercise his or her rights under this Regulation in respect of and against each of the controllers.
Where Article 3(2) applies, the controller or the processor shall designate in writing a representative in the Union.
The obligation laid down in paragraph 1 of this Article shall not apply to:
The representative shall be established in one of the Member States where the data subjects, whose personal data are processed in relation to the offering of goods or services to them, or whose behaviour is monitored, are.
The representative shall be mandated by the controller or processor to be addressed in addition to or instead of the controller or the processor by, in particular, supervisory authorities and data subjects, on all issues related to processing, for the purposes of ensuring compliance with this Regulation.
The designation of a representative by the controller or processor shall be without prejudice to legal actions which could be initiated against the controller or the processor themselves.
Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.
The processor shall not engage another processor without prior specific or general written authorisation of the controller. In the case of general written authorisation, the processor shall inform the controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes.
Processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller. That contract or other legal act shall stipulate, in particular, that the processor:
With regard to point (h) of the first subparagraph, the processor shall immediately inform the controller if, in its opinion, an instruction infringes this Regulation or other Union or Member State data protection provisions.
Where a processor engages another processor for carrying out specific processing activities on behalf of the controller, the same data protection obligations as set out in the contract or other legal act between the controller and the processor as referred to in paragraph 3 shall be imposed on that other processor by way of a contract or other legal act under Union or Member State law, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of this Regulation. Where that other processor fails to fulfil its data protection obligations, the initial processor shall remain fully liable to the controller for the performance of that other processor’s obligations.
Adherence of a processor to an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42 may be used as an element by which to demonstrate sufficient guarantees as referred to in paragraphs 1 and 4 of this Article.
Without prejudice to an individual contract between the controller and the processor, the contract or the other legal act referred to in paragraphs 3 and 4 of this Article may be based, in whole or in part, on standard contractual clauses referred to in paragraphs 7 and 8 of this Article, including when they are part of a certification granted to the controller or processor pursuant to Articles 42 and 43.
The Commission may lay down standard contractual clauses for the matters referred to in paragraph 3 and 4 of this Article and in accordance with the examination procedure referred to in Article 93(2).
A supervisory authority may adopt standard contractual clauses for the matters referred to in paragraph 3 and 4 of this Article and in accordance with the consistency mechanism referred to in Article 63.
The contract or the other legal act referred to in paragraphs 3 and 4 shall be in writing, including in electronic form.
Without prejudice to Articles 82, 83 and 84, if a processor infringes this Regulation by determining the purposes and means of processing, the processor shall be considered to be a controller in respect of that processing.
The processor and any person acting under the authority of the controller or of the processor, who has access to personal data, shall not process those data except on instructions from the controller, unless required to do so by Union or Member State law.
Each controller and, where applicable, the controller’s representative, shall maintain a record of processing activities under its responsibility. That record shall contain all of the following information:
Each processor and, where applicable, the processor’s representative shall maintain a record of all categories of processing activities carried out on behalf of a controller, containing:
The records referred to in paragraphs 1 and 2 shall be in writing, including in electronic form.
The controller or the processor and, where applicable, the controller’s or the processor’s representative, shall make the record available to the supervisory authority on request.
The obligations referred to in paragraphs 1 and 2 shall not apply to an enterprise or an organisation employing fewer than 250 persons unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data as referred to in Article 9(1) or personal data relating to criminal convictions and offences referred to in Article 10.
The controller and the processor and, where applicable, their representatives, shall cooperate, on request, with the supervisory authority in the performance of its tasks.
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.
Adherence to an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42 may be used as an element by which to demonstrate compliance with the requirements set out in paragraph 1 of this Article.
The controller and processor shall take steps to ensure that any natural person acting under the authority of the controller or the processor who has access to personal data does not process them except on instructions from the controller, unless he or she is required to do so by Union or Member State law.
In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.
The processor shall notify the controller without undue delay after becoming aware of a personal data breach.
The notification referred to in paragraph 1 shall at least:
Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.
The controller shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken. That documentation shall enable the supervisory authority to verify compliance with this Article.
When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.
The communication to the data subject referred to in paragraph 1 of this Article shall describe in clear and plain language the nature of the personal data breach and contain at least the information and measures referred to in points (b), (c) and (d) of Article 33(3).
The communication to the data subject referred to in paragraph 1 shall not be required if any of the following conditions are met:
If the controller has not already communicated the personal data breach to the data subject, the supervisory authority, having considered the likelihood of the personal data breach resulting in a high risk, may require it to do so or may decide that any of the conditions referred to in paragraph 3 are met.
Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks.
The controller shall seek the advice of the data protection officer, where designated, when carrying out a data protection impact assessment.
A data protection impact assessment referred to in paragraph 1 shall in particular be required in the case of:
The supervisory authority shall establish and make public a list of the kind of processing operations which are subject to the requirement for a data protection impact assessment pursuant to paragraph 1. The supervisory authority shall communicate those lists to the Board referred to in Article 68.
The supervisory authority may also establish and make public a list of the kind of processing operations for which no data protection impact assessment is required. The supervisory authority shall communicate those lists to the Board.
Prior to the adoption of the lists referred to in paragraphs 4 and 5, the competent supervisory authority shall apply the consistency mechanism referred to in Article 63 where such lists involve processing activities which are related to the offering of goods or services to data subjects or to the monitoring of their behaviour in several Member States, or may substantially affect the free movement of personal data within the Union.
The assessment shall contain at least:
Compliance with approved codes of conduct referred to in Article 40 by the relevant controllers or processors shall be taken into due account in assessing the impact of the processing operations performed by such controllers or processors, in particular for the purposes of a data protection impact assessment.
Where appropriate, the controller shall seek the views of data subjects or their representatives on the intended processing, without prejudice to the protection of commercial or public interests or the security of processing operations.
Where processing pursuant to point (c) or (e) of Article 6(1) has a legal basis in Union law or in the law of the Member State to which the controller is subject, that law regulates the specific processing operation or set of operations in question, and a data protection impact assessment has already been carried out as part of a general impact assessment in the context of the adoption of that legal basis, paragraphs 1 to 7 shall not apply unless Member States deem it to be necessary to carry out such an assessment prior to processing activities.
Where necessary, the controller shall carry out a review to assess if processing is performed in accordance with the data protection impact assessment at least when there is a change of the risk represented by processing operations.
The controller shall consult the supervisory authority prior to processing where a data protection impact assessment under Article 35 indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk.
Where the supervisory authority is of the opinion that the intended processing referred to in paragraph 1 would infringe this Regulation, in particular where the controller has insufficiently identified or mitigated the risk, the supervisory authority shall, within period of up to eight weeks of receipt of the request for consultation, provide written advice to the controller and, where applicable to the processor, and may use any of its powers referred to in Article 58. That period may be extended by six weeks, taking into account the complexity of the intended processing. The supervisory authority shall inform the controller and, where applicable, the processor, of any such extension within one month of receipt of the request for consultation together with the reasons for the delay. Those periods may be suspended until the supervisory authority has obtained information it has requested for the purposes of the consultation.
When consulting the supervisory authority pursuant to paragraph 1, the controller shall provide the supervisory authority with:
Member States shall consult the supervisory authority during the preparation of a proposal for a legislative measure to be adopted by a national parliament, or of a regulatory measure based on such a legislative measure, which relates to processing.
Notwithstanding paragraph 1, Member State law may require controllers to consult with, and obtain prior authorisation from, the supervisory authority in relation to processing by a controller for the performance of a task carried out by the controller in the public interest, including processing in relation to social protection and public health.
The controller and the processor shall designate a data protection officer in any case where:
A group of undertakings may appoint a single data protection officer provided that a data protection officer is easily accessible from each establishment.
Where the controller or the processor is a public authority or body, a single data protection officer may be designated for several such authorities or bodies, taking account of their organisational structure and size.
In cases other than those referred to in paragraph 1, the controller or processor or associations and other bodies representing categories of controllers or processors may or, where required by Union or Member State law shall, designate a data protection officer. The data protection officer may act for such associations and other bodies representing controllers or processors.
The data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39.
The data protection officer may be a staff member of the controller or processor, or fulfil the tasks on the basis of a service contract.
The controller or the processor shall publish the contact details of the data protection officer and communicate them to the supervisory authority.
The controller and the processor shall ensure that the data protection officer is involved, properly and in a timely manner, in all issues which relate to the protection of personal data.
The controller and processor shall support the data protection officer in performing the tasks referred to in Article 39 by providing resources necessary to carry out those tasks and access to personal data and processing operations, and to maintain his or her expert knowledge.
The controller and processor shall ensure that the data protection officer does not receive any instructions regarding the exercise of those tasks. He or she shall not be dismissed or penalised by the controller or the processor for performing his tasks. The data protection officer shall directly report to the highest management level of the controller or the processor.
Data subjects may contact the data protection officer with regard to all issues related to processing of their personal data and to the exercise of their rights under this Regulation.
The data protection officer shall be bound by secrecy or confidentiality concerning the performance of his or her tasks, in accordance with Union or Member State law.
The data protection officer may fulfil other tasks and duties. The controller or processor shall ensure that any such tasks and duties do not result in a conflict of interests.
The data protection officer shall have at least the following tasks:
The data protection officer shall in the performance of his or her tasks have due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing.
The Member States, the supervisory authorities, the Board and the Commission shall encourage the drawing up of codes of conduct intended to contribute to the proper application of this Regulation, taking account of the specific features of the various processing sectors and the specific needs of micro, small and medium-sized enterprises.
Associations and other bodies representing categories of controllers or processors may prepare codes of conduct, or amend or extend such codes, for the purpose of specifying the application of this Regulation, such as with regard to:
In addition to adherence by controllers or processors subject to this Regulation, codes of conduct approved pursuant to paragraph 5 of this Article and having general validity pursuant to paragraph 9 of this Article may also be adhered to by controllers or processors that are not subject to this Regulation pursuant to Article 3 in order to provide appropriate safeguards within the framework of personal data transfers to third countries or international organisations under the terms referred to in point (e) of Article 46(2). Such controllers or processors shall make binding and enforceable commitments, via contractual or other legally binding instruments, to apply those appropriate safeguards including with regard to the rights of data subjects.
A code of conduct referred to in paragraph 2 of this Article shall contain mechanisms which enable the body referred to in Article 41(1) to carry out the mandatory monitoring of compliance with its provisions by the controllers or processors which undertake to apply it, without prejudice to the tasks and powers of supervisory authorities competent pursuant to Article 55 or 56.
Associations and other bodies referred to in paragraph 2 of this Article which intend to prepare a code of conduct or to amend or extend an existing code shall submit the draft code, amendment or extension to the supervisory authority which is competent pursuant to Article 55. The supervisory authority shall provide an opinion on whether the draft code, amendment or extension complies with this Regulation and shall approve that draft code, amendment or extension if it finds that it provides sufficient appropriate safeguards.
Where the draft code, or amendment or extension is approved in accordance with paragraph 5, and where the code of conduct concerned does not relate to processing activities in several Member States, the supervisory authority shall register and publish the code.
Where a draft code of conduct relates to processing activities in several Member States, the supervisory authority which is competent pursuant to Article 55 shall, before approving the draft code, amendment or extension, submit it in the procedure referred to in Article 63 to the Board which shall provide an opinion on whether the draft code, amendment or extension complies with this Regulation or, in the situation referred to in paragraph 3 of this Article, provides appropriate safeguards.
Where the opinion referred to in paragraph 7 confirms that the draft code, amendment or extension complies with this Regulation, or, in the situation referred to in paragraph 3, provides appropriate safeguards, the Board shall submit its opinion to the Commission.
The Commission may, by way of implementing acts, decide that the approved code of conduct, amendment or extension submitted to it pursuant to paragraph 8 of this Article have general validity within the Union. Those implementing acts shall be adopted in accordance with the examination procedure set out in Article 93(2).
The Commission shall ensure appropriate publicity for the approved codes which have been decided as having general validity in accordance with paragraph 9.
The Board shall collate all approved codes of conduct, amendments and extensions in a register and shall make them publicly available by way of appropriate means.
Without prejudice to the tasks and powers of the competent supervisory authority under Articles 57 and 58, the monitoring of compliance with a code of conduct pursuant to Article 40 may be carried out by a body which has an appropriate level of expertise in relation to the subject-matter of the code and is accredited for that purpose by the competent supervisory authority.
A body as referred to in paragraph 1 may be accredited to monitor compliance with a code of conduct where that body has:
The competent supervisory authority shall submit the draft criteria for accreditation of a body as referred to in paragraph 1 of this Article to the Board pursuant to the consistency mechanism referred to in Article 63.
Without prejudice to the tasks and powers of the competent supervisory authority and the provisions of Chapter VIII, a body as referred to in paragraph 1 of this Article shall, subject to appropriate safeguards, take appropriate action in cases of infringement of the code by a controller or processor, including suspension or exclusion of the controller or processor concerned from the code. It shall inform the competent supervisory authority of such actions and the reasons for taking them.
The competent supervisory authority shall revoke the accreditation of a body as referred to in paragraph 1 if the conditions for accreditation are not, or are no longer, met or where actions taken by the body infringe this Regulation.
This Article shall not apply to processing carried out by public authorities and bodies.
The Member States, the supervisory authorities, the Board and the Commission shall encourage, in particular at Union level, the establishment of data protection certification mechanisms and of data protection seals and marks, for the purpose of demonstrating compliance with this Regulation of processing operations by controllers and processors. The specific needs of micro, small and medium-sized enterprises shall be taken into account.
In addition to adherence by controllers or processors subject to this Regulation, data protection certification mechanisms, seals or marks approved pursuant to paragraph 5 of this Article may be established for the purpose of demonstrating the existence of appropriate safeguards provided by controllers or processors that are not subject to this Regulation pursuant to Article 3 within the framework of personal data transfers to third countries or international organisations under the terms referred to in point (f) of Article 46(2). Such controllers or processors shall make binding and enforceable commitments, via contractual or other legally binding instruments, to apply those appropriate safeguards, including with regard to the rights of data subjects.
The certification shall be voluntary and available via a process that is transparent.
A certification pursuant to this Article does not reduce the responsibility of the controller or the processor for compliance with this Regulation and is without prejudice to the tasks and powers of the supervisory authorities which are competent pursuant to Article 55 or 56.
A certification pursuant to this Article shall be issued by the certification bodies referred to in Article 43 or by the competent supervisory authority, on the basis of criteria approved by that competent supervisory authority pursuant to Article 58(3) or by the Board pursuant to Article 63. Where the criteria are approved by the Board, this may result in a common certification, the European Data Protection Seal.
The controller or processor which submits its processing to the certification mechanism shall provide the certification body referred to in Article 43, or where applicable, the competent supervisory authority, with all information and access to its processing activities which are necessary to conduct the certification procedure.
Certification shall be issued to a controller or processor for a maximum period of three years and may be renewed, under the same conditions, provided that the relevant requirements continue to be met. Certification shall be withdrawn, as applicable, by the certification bodies referred to in Article 43 or by the competent supervisory authority where the requirements for the certification are not or are no longer met.
The Board shall collate all certification mechanisms and data protection seals and marks in a register and shall make them publicly available by any appropriate means.
Without prejudice to the tasks and powers of the competent supervisory authority under Articles 57 and 58, certification bodies which have an appropriate level of expertise in relation to data protection shall, after informing the supervisory authority in order to allow it to exercise its powers pursuant to point (h) of Article 58(2) where necessary, issue and renew certification. Member States shall ensure that those certification bodies are accredited by one or both of the following:
Certification bodies referred to in paragraph 1 shall be accredited in accordance with that paragraph only where they have:
The accreditation of certification bodies as referred to in paragraphs 1 and 2 of this Article shall take place on the basis of criteria approved by the supervisory authority which is competent pursuant to Article 55 or 56 or by the Board pursuant to Article 63. In the case of accreditation pursuant to point (b) of paragraph 1 of this Article, those requirements shall complement those envisaged in Regulation (EC) No 765/2008 and the technical rules that describe the methods and procedures of the certification bodies.
The certification bodies referred to in paragraph 1 shall be responsible for the proper assessment leading to the certification or the withdrawal of such certification without prejudice to the responsibility of the controller or processor for compliance with this Regulation. The accreditation shall be issued for a maximum period of five years and may be renewed on the same conditions provided that the certification body meets the requirements set out in this Article.
The certification bodies referred to in paragraph 1 shall provide the competent supervisory authorities with the reasons for granting or withdrawing the requested certification.
The requirements referred to in paragraph 3 of this Article and the criteria referred to in Article 42(5) shall be made public by the supervisory authority in an easily accessible form. The supervisory authorities shall also transmit those requirements and criteria to the Board. The Board shall collate all certification mechanisms and data protection seals in a register and shall make them publicly available by any appropriate means.
Without prejudice to Chapter VIII, the competent supervisory authority or the national accreditation body shall revoke an accreditation of a certification body pursuant to paragraph 1 of this Article where the conditions for the accreditation are not, or are no longer, met or where actions taken by a certification body infringe this Regulation.
The Commission shall be empowered to adopt delegated acts in accordance with Article 92 for the purpose of specifying the requirements to be taken into account for the data protection certification mechanisms referred to in Article 42(1).
The Commission may adopt implementing acts laying down technical standards for certification mechanisms and data protection seals and marks, and mechanisms to promote and recognise those certification mechanisms, seals and marks. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 93(2).
Any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organisation shall take place only if, subject to the other provisions of this Regulation, the conditions laid down in this Chapter are complied with by the controller and processor, including for onward transfers of personal data from the third country or an international organisation to another third country or to another international organisation. All provisions in this Chapter shall be applied in order to ensure that the level of protection of natural persons guaranteed by this Regulation is not undermined.
A transfer of personal data to a third country or an international organisation may take place where the Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question ensures an adequate level of protection. Such a transfer shall not require any specific authorisation.
When assessing the adequacy of the level of protection, the Commission shall, in particular, take account of the following elements:
The Commission, after assessing the adequacy of the level of protection, may decide, by means of implementing act, that a third country, a territory or one or more specified sectors within a third country, or an international organisation ensures an adequate level of protection within the meaning of paragraph 2 of this Article. The implementing act shall provide for a mechanism for a periodic review, at least every four years, which shall take into account all relevant developments in the third country or international organisation. The implementing act shall specify its territorial and sectoral application and, where applicable, identify the supervisory authority or authorities referred to in point (b) of paragraph 2 of this Article. The implementing act shall be adopted in accordance with the examination procedure referred to in Article 93(2).
The Commission shall, on an ongoing basis, monitor developments in third countries and international organisations that could affect the functioning of decisions adopted pursuant to paragraph 3 of this Article and decisions adopted on the basis of Article 25(6) of Directive 95/46/EC.
The Commission shall, where available information reveals, in particular following the review referred to in paragraph 3 of this Article, that a third country, a territory or one or more specified sectors within a third country, or an international organisation no longer ensures an adequate level of protection within the meaning of paragraph 2 of this Article, to the extent necessary, repeal, amend or suspend the decision referred to in paragraph 3 of this Article by means of implementing acts without retro-active effect. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 93(2).
On duly justified imperative grounds of urgency, the Commission shall adopt immediately applicable implementing acts in accordance with the procedure referred to in Article 93(3).
The Commission shall enter into consultations with the third country or international organisation with a view to remedying the situation giving rise to the decision made pursuant to paragraph 5.
A decision pursuant to paragraph 5 of this Article is without prejudice to transfers of personal data to the third country, a territory or one or more specified sectors within that third country, or the international organisation in question pursuant to Articles 46 to 49.
The Commission shall publish in the Official Journal of the European Union and on its website a list of the third countries, territories and specified sectors within a third country and international organisations for which it has decided that an adequate level of protection is or is no longer ensured.
Decisions adopted by the Commission on the basis of Article 25(6) of Directive 95/46/EC shall remain in force until amended, replaced or repealed by a Commission Decision adopted in accordance with paragraph 3 or 5 of this Article.
In the absence of a decision pursuant to Article 45(3), a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available.
The appropriate safeguards referred to in paragraph 1 may be provided for, without requiring any specific authorisation from a supervisory authority, by:
Subject to the authorisation from the competent supervisory authority, the appropriate safeguards referred to in paragraph 1 may also be provided for, in particular, by:
The supervisory authority shall apply the consistency mechanism referred to in Article 63 in the cases referred to in paragraph 3 of this Article.
Authorisations by a Member State or supervisory authority on the basis of Article 26(2) of Directive 95/46/EC shall remain valid until amended, replaced or repealed, if necessary, by that supervisory authority. Decisions adopted by the Commission on the basis of Article 26(4) of Directive 95/46/EC shall remain in force until amended, replaced or repealed, if necessary, by a Commission Decision adopted in accordance with paragraph 2 of this Article.
The competent supervisory authority shall approve binding corporate rules in accordance with the consistency mechanism set out in Article 63, provided that they:
The binding corporate rules referred to in paragraph 1 shall specify at least:
The Commission may specify the format and procedures for the exchange of information between controllers, processors and supervisory authorities for binding corporate rules within the meaning of this Article. Those implementing acts shall be adopted in accordance with the examination procedure set out in Article 93(2).
Any judgment of a court or tribunal and any decision of an administrative authority of a third country requiring a controller or processor to transfer or disclose personal data may only be recognised or enforceable in any manner if based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State, without prejudice to other grounds for transfer pursuant to this Chapter.
Where a transfer could not be based on a provision in Article 45 or 46, including the provisions on binding corporate rules, and none of the derogations for a specific situation referred to in the first subparagraph of this paragraph is applicable, a transfer to a third country or an international organisation may take place only if the transfer is not repetitive, concerns only a limited number of data subjects, is necessary for the purposes of compelling legitimate interests pursued by the controller which are not overridden by the interests or rights and freedoms of the data subject, and the controller has assessed all the circumstances surrounding the data transfer and has on the basis of that assessment provided suitable safeguards with regard to the protection of personal data. The controller shall inform the supervisory authority of the transfer. The controller shall, in addition to providing the information referred to in Articles 13 and 14, inform the data subject of the transfer and on the compelling legitimate interests pursued.
A transfer pursuant to point (g) of the first subparagraph of paragraph 1 shall not involve the entirety of the personal data or entire categories of the personal data contained in the register. Where the register is intended for consultation by persons having a legitimate interest, the transfer shall be made only at the request of those persons or if they are to be the recipients.
Points (a), (b) and (c) of the first subparagraph of paragraph 1 and the second subparagraph thereof shall not apply to activities carried out by public authorities in the exercise of their public powers.
The public interest referred to in point (d) of the first subparagraph of paragraph 1 shall be recognised in Union law or in the law of the Member State to which the controller is subject.
In the absence of an adequacy decision, Union or Member State law may, for important reasons of public interest, expressly set limits to the transfer of specific categories of personal data to a third country or an international organisation. Member States shall notify such provisions to the Commission.
The controller or processor shall document the assessment as well as the suitable safeguards referred to in the second subparagraph of paragraph 1 of this Article in the records referred to in Article 30.
In relation to third countries and international organisations, the Commission and supervisory authorities shall take appropriate steps to: - (a) develop international cooperation mechanisms to facilitate the effective enforcement of legislation for the protection of personal data; - (b) provide international mutual assistance in the enforcement of legislation for the protection of personal data, including through notification, complaint referral, investigative assistance and information exchange, subject to appropriate safeguards for the protection of personal data and other fundamental rights and freedoms; - (c) engage relevant stakeholders in discussion and activities aimed at furthering international cooperation in the enforcement of legislation for the protection of personal data; - (d) promote the exchange and documentation of personal data protection legislation and practice, including on jurisdictional conflicts with third countries.
Each Member State shall provide for one or more independent public authorities to be responsible for monitoring the application of this Regulation, in order to protect the fundamental rights and freedoms of natural persons in relation to processing and to facilitate the free flow of personal data within the Union (‘supervisory authority’).
Each supervisory authority shall contribute to the consistent application of this Regulation throughout the Union. For that purpose, the supervisory authorities shall cooperate with each other and the Commission in accordance with Chapter VII.
Where more than one supervisory authority is established in a Member State, that Member State shall designate the supervisory authority which is to represent those authorities in the Board and shall set out the mechanism to ensure compliance by the other authorities with the rules relating to the consistency mechanism referred to in Article 63.
Each Member State shall notify to the Commission the provisions of its law which it adopts pursuant to this Chapter, by 25 May 2018 and, without delay, any subsequent amendment affecting them.
Each supervisory authority shall act with complete independence in performing its tasks and exercising its powers in accordance with this Regulation.
The member or members of each supervisory authority shall, in the performance of their tasks and exercise of their powers in accordance with this Regulation, remain free from external influence, whether direct or indirect, and shall neither seek nor take instructions from anybody.
Member or members of each supervisory authority shall refrain from any action incompatible with their duties and shall not, during their term of office, engage in any incompatible occupation, whether gainful or not.
Each Member State shall ensure that each supervisory authority is provided with the human, technical and financial resources, premises and infrastructure necessary for the effective performance of its tasks and exercise of its powers, including those to be carried out in the context of mutual assistance, cooperation and participation in the Board.
Each Member State shall ensure that each supervisory authority chooses and has its own staff which shall be subject to the exclusive direction of the member or members of the supervisory authority concerned.
Each Member State shall ensure that each supervisory authority is subject to financial control which does not affect its independence and that it has separate, public annual budgets, which may be part of the overall state or national budget.
Member States shall provide for each member of their supervisory authorities to be appointed by means of a transparent procedure by:
Each member shall have the qualifications, experience and skills, in particular in the area of the protection of personal data, required to perform its duties and exercise its powers.
The duties of a member shall end in the event of the expiry of the term of office, resignation or compulsory retirement, in accordance with the law of the Member State concerned.
A member shall be dismissed only in cases of serious misconduct or if the member no longer fulfils the conditions required for the performance of the duties.
Each Member State shall provide by law for all of the following:
The member or members and the staff of each supervisory authority shall, in accordance with Union or Member State law, be subject to a duty of professional secrecy both during and after their term of office, with regard to any confidential information which has come to their knowledge in the course of the performance of their tasks or exercise of their powers. During their term of office, that duty of professional secrecy shall in particular apply to reporting by natural persons of infringements of this Regulation.
Each supervisory authority shall be competent for the performance of the tasks assigned to and the exercise of the powers conferred on it in accordance with this Regulation on the territory of its own Member State.
Where processing is carried out by public authorities or private bodies acting on the basis of point (c) or (e) of Article 6(1), the supervisory authority of the Member State concerned shall be competent. In such cases Article 56 does not apply.
Supervisory authorities shall not be competent to supervise processing operations of courts acting in their judicial capacity.
Without prejudice to Article 55, the supervisory authority of the main establishment or of the single establishment of the controller or processor shall be competent to act as lead supervisory authority for the cross-border processing carried out by that controller or processor in accordance with the procedure provided in Article 60.
By derogation from paragraph 1, each supervisory authority shall be competent to handle a complaint lodged with it or a possible infringement of this Regulation, if the subject matter relates only to an establishment in its Member State or substantially affects data subjects only in its Member State.
In the cases referred to in paragraph 2 of this Article, the supervisory authority shall inform the lead supervisory authority without delay on that matter. Within a period of three weeks after being informed the lead supervisory authority shall decide whether or not it will handle the case in accordance with the procedure provided in Article 60, taking into account whether or not there is an establishment of the controller or processor in the Member State of which the supervisory authority informed it.
Where the lead supervisory authority decides to handle the case, the procedure provided in Article 60 shall apply. The supervisory authority which informed the lead supervisory authority may submit to the lead supervisory authority a draft for a decision. The lead supervisory authority shall take utmost account of that draft when preparing the draft decision referred to in Article 60(3).
Where the lead supervisory authority decides not to handle the case, the supervisory authority which informed the lead supervisory authority shall handle it according to Articles 61 and 62.
The lead supervisory authority shall be the sole interlocutor of the controller or processor for the cross-border processing carried out by that controller or processor.
Without prejudice to other tasks set out under this Regulation, each supervisory authority shall on its territory:
Each supervisory authority shall facilitate the submission of complaints referred to in point (f) of paragraph 1 by measures such as a complaint submission form which can also be completed electronically, without excluding other means of communication.
The performance of the tasks of each supervisory authority shall be free of charge for the data subject and, where applicable, for the data protection officer.
Where requests are manifestly unfounded or excessive, in particular because of their repetitive character, the supervisory authority may charge a reasonable fee based on administrative costs, or refuse to act on the request. The supervisory authority shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.
Each supervisory authority shall have all of the following investigative powers:
Each supervisory authority shall have all of the following corrective powers:
Each supervisory authority shall have all of the following authorisation and advisory powers:
The exercise of the powers conferred on the supervisory authority pursuant to this Article shall be subject to appropriate safeguards, including effective judicial remedy and due process, set out in Union and Member State law in accordance with the Charter.
Each Member State shall provide by law that its supervisory authority shall have the power to bring infringements of this Regulation to the attention of the judicial authorities and where appropriate, to commence or engage otherwise in legal proceedings, in order to enforce the provisions of this Regulation.
Each Member State may provide by law that its supervisory authority shall have additional powers to those referred to in paragraphs 1, 2 and 3. The exercise of those powers shall not impair the effective operation of Chapter VII.
Each supervisory authority shall draw up an annual report on its activities, which may include a list of types of infringement notified and types of measures taken in accordance with Article 58(2). Those reports shall be transmitted to the national parliament, the government and other authorities as designated by Member State law. They shall be made available to the public, to the Commission and to the Board.
The lead supervisory authority shall cooperate with the other supervisory authorities concerned in accordance with this Article in an endeavour to reach consensus. The lead supervisory authority and the supervisory authorities concerned shall exchange all relevant information with each other.
The lead supervisory authority may request at any time other supervisory authorities concerned to provide mutual assistance pursuant to Article 61 and may conduct joint operations pursuant to Article 62, in particular for carrying out investigations or for monitoring the implementation of a measure concerning a controller or processor established in another Member State.
The lead supervisory authority shall, without delay, communicate the relevant information on the matter to the other supervisory authorities concerned. It shall without delay submit a draft decision to the other supervisory authorities concerned for their opinion and take due account of their views.
Where any of the other supervisory authorities concerned within a period of four weeks after having been consulted in accordance with paragraph 3 of this Article, expresses a relevant and reasoned objection to the draft decision, the lead supervisory authority shall, if it does not follow the relevant and reasoned objection or is of the opinion that the objection is not relevant or reasoned, submit the matter to the consistency mechanism referred to in Article 63.
Where the lead supervisory authority intends to follow the relevant and reasoned objection made, it shall submit to the other supervisory authorities concerned a revised draft decision for their opinion. That revised draft decision shall be subject to the procedure referred to in paragraph 4 within a period of two weeks.
Where none of the other supervisory authorities concerned has objected to the draft decision submitted by the lead supervisory authority within the period referred to in paragraphs 4 and 5, the lead supervisory authority and the supervisory authorities concerned shall be deemed to be in agreement with that draft decision and shall be bound by it.
The lead supervisory authority shall adopt and notify the decision to the main establishment or single establishment of the controller or processor, as the case may be and inform the other supervisory authorities concerned and the Board of the decision in question, including a summary of the relevant facts and grounds. The supervisory authority with which a complaint has been lodged shall inform the complainant on the decision.
By derogation from paragraph 7, where a complaint is dismissed or rejected, the supervisory authority with which the complaint was lodged shall adopt the decision and notify it to the complainant and shall inform the controller thereof.
Where the lead supervisory authority and the supervisory authorities concerned agree to dismiss or reject parts of a complaint and to act on other parts of that complaint, a separate decision shall be adopted for each of those parts of the matter. The lead supervisory authority shall adopt the decision for the part concerning actions in relation to the controller, shall notify it to the main establishment or single establishment of the controller or processor on the territory of its Member State and shall inform the complainant thereof, while the supervisory authority of the complainant shall adopt the decision for the part concerning dismissal or rejection of that complaint, and shall notify it to that complainant and shall inform the controller or processor thereof.
After being notified of the decision of the lead supervisory authority pursuant to paragraphs 7 and 9, the controller or processor shall take the necessary measures to ensure compliance with the decision as regards processing activities in the context of all its establishments in the Union. The controller or processor shall notify the measures taken for complying with the decision to the lead supervisory authority, which shall inform the other supervisory authorities concerned.
Where, in exceptional circumstances, a supervisory authority concerned has reasons to consider that there is an urgent need to act in order to protect the interests of data subjects, the urgency procedure referred to in Article 66 shall apply.
The lead supervisory authority and the other supervisory authorities concerned shall supply the information required under this Article to each other by electronic means, using a standardised format.
Supervisory authorities shall provide each other with relevant information and mutual assistance in order to implement and apply this Regulation in a consistent manner, and shall put in place measures for effective cooperation with one another. Mutual assistance shall cover, in particular, information requests and supervisory measures, such as requests to carry out prior authorisations and consultations, inspections and investigations.
Each supervisory authority shall take all appropriate measures required to reply to a request of another supervisory authority without undue delay and no later than one month after receiving the request. Such measures may include, in particular, the transmission of relevant information on the conduct of an investigation.
Requests for assistance shall contain all the necessary information, including the purpose of and reasons for the request. Information exchanged shall be used only for the purpose for which it was requested.
The requested supervisory authority shall not refuse to comply with the request unless:
The requested supervisory authority shall inform the requesting supervisory authority of the results or, as the case may be, of the progress of the measures taken in order to respond to the request. The requested supervisory authority shall provide reasons for any refusal to comply with a request pursuant to paragraph 4.
Requested supervisory authorities shall, as a rule, supply the information requested by other supervisory authorities by electronic means, using a standardised format.
Requested supervisory authorities shall not charge a fee for any action taken by them pursuant to a request for mutual assistance. Supervisory authorities may agree on rules to indemnify each other for specific expenditure arising from the provision of mutual assistance in exceptional circumstances.
Where a supervisory authority does not provide the information referred to in paragraph 5 of this Article within one month of receiving the request of another supervisory authority, the requesting supervisory authority may adopt a provisional measure on the territory of its Member State in accordance with Article 55(1). In that case, the urgent need to act under Article 66(1) shall be presumed to be met and require an urgent binding decision from the Board pursuant to Article 66(2).
The Commission may, by means of implementing acts, specify the format and procedures for mutual assistance referred to in this Article and the arrangements for the exchange of information by electronic means between supervisory authorities, and between supervisory authorities and the Board, in particular the standardised format referred to in paragraph 6 of this Article. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 93(2).
The supervisory authorities shall, where appropriate, conduct joint operations including joint investigations and joint enforcement measures in which members or staff of the supervisory authorities of other Member States are involved.
Where the controller or processor has establishments in several Member States or where a significant number of data subjects in more than one Member State are likely to be substantially affected by processing operations, a supervisory authority of each of those Member States shall have the right to participate in joint operations. The supervisory authority which is competent pursuant to Article 56(1) or (4) shall invite the supervisory authority of each of those Member States to take part in the joint operations and shall respond without delay to the request of a supervisory authority to participate.
A supervisory authority may, in accordance with Member State law, and with the seconding supervisory authority’s authorisation, confer powers, including investigative powers on the seconding supervisory authority’s members or staff involved in joint operations or, in so far as the law of the Member State of the host supervisory authority permits, allow the seconding supervisory authority’s members or staff to exercise their investigative powers in accordance with the law of the Member State of the seconding supervisory authority. Such investigative powers may be exercised only under the guidance and in the presence of members or staff of the host supervisory authority. The seconding supervisory authority’s members or staff shall be subject to the Member State law of the host supervisory authority.
Where, in accordance with paragraph 1, staff of a seconding supervisory authority operate in another Member State, the Member State of the host supervisory authority shall assume responsibility for their actions, including liability, for any damage caused by them during their operations, in accordance with the law of the Member State in whose territory they are operating.
The Member State in whose territory the damage was caused shall make good such damage under the conditions applicable to damage caused by its own staff. The Member State of the seconding supervisory authority whose staff has caused damage to any person in the territory of another Member State shall reimburse that other Member State in full any sums it has paid to the persons entitled on their behalf.
Without prejudice to the exercise of its rights vis-à-vis third parties and with the exception of paragraph 5, each Member State shall refrain, in the case provided for in paragraph 1, from requesting reimbursement from another Member State in relation to damage referred to in paragraph 4.
Where a joint operation is intended and a supervisory authority does not, within one month, comply with the obligation laid down in the second sentence of paragraph 2 of this Article, the other supervisory authorities may adopt a provisional measure on the territory of its Member State in accordance with Article 55. In that case, the urgent need to act under Article 66(1) shall be presumed to be met and require an opinion or an urgent binding decision from the Board pursuant to Article 66(2).
In order to contribute to the consistent application of this Regulation throughout the Union, the supervisory authorities shall cooperate with each other and, where relevant, with the Commission, through the consistency mechanism as set out in this Section.
The Board shall issue an opinion where a competent supervisory authority intends to adopt any of the measures below. To that end, the competent supervisory authority shall communicate the draft decision to the Board, when it:
Any supervisory authority, the Chair of the Board or the Commission may request that any matter of general application or producing effects in more than one Member State be examined by the Board with a view to obtaining an opinion, in particular where a competent supervisory authority does not comply with the obligations for mutual assistance in accordance with Article 61 or for joint operations in accordance with Article 62.
In the cases referred to in paragraphs 1 and 2, the Board shall issue an opinion on the matter submitted to it provided that it has not already issued an opinion on the same matter. That opinion shall be adopted within eight weeks by simple majority of the members of the Board. That period may be extended by a further six weeks, taking into account the complexity of the subject matter. Regarding the draft decision referred to in paragraph 1 circulated to the members of the Board in accordance with paragraph 5, a member which has not objected within a reasonable period indicated by the Chair, shall be deemed to be in agreement with the draft decision.
Supervisory authorities and the Commission shall, without undue delay, communicate by electronic means to the Board, using a standardised format any relevant information, including as the case may be a summary of the facts, the draft decision, the grounds which make the enactment of such measure necessary, and the views of other supervisory authorities concerned.
The Chair of the Board shall, without undue, delay inform by electronic means:
The competent supervisory authority shall not adopt its draft decision referred to in paragraph 1 within the period referred to in paragraph 3.
The supervisory authority referred to in paragraph 1 shall take utmost account of the opinion of the Board and shall, within two weeks after receiving the opinion, communicate to the Chair of the Board by electronic means whether it will maintain or amend its draft decision and, if any, the amended draft decision, using a standardised format.
Where the supervisory authority concerned informs the Chair of the Board within the period referred to in paragraph 7 of this Article that it does not intend to follow the opinion of the Board, in whole or in part, providing the relevant grounds, Article 65(1) shall apply.
In order to ensure the correct and consistent application of this Regulation in individual cases, the Board shall adopt a binding decision in the following cases:
The decision referred to in paragraph 1 shall be adopted within one month from the referral of the subject-matter by a two-thirds majority of the members of the Board. That period may be extended by a further month on account of the complexity of the subject-matter. The decision referred to in paragraph 1 shall be reasoned and addressed to the lead supervisory authority and all the supervisory authorities concerned and binding on them.
Where the Board has been unable to adopt a decision within the periods referred to in paragraph 2, it shall adopt its decision within two weeks following the expiration of the second month referred to in paragraph 2 by a simple majority of the members of the Board. Where the members of the Board are split, the decision shall by adopted by the vote of its Chair.
The supervisory authorities concerned shall not adopt a decision on the subject matter submitted to the Board under paragraph 1 during the periods referred to in paragraphs 2 and 3.
The Chair of the Board shall notify, without undue delay, the decision referred to in paragraph 1 to the supervisory authorities concerned. It shall inform the Commission thereof. The decision shall be published on the website of the Board without delay after the supervisory authority has notified the final decision referred to in paragraph 6.
The lead supervisory authority or, as the case may be, the supervisory authority with which the complaint has been lodged shall adopt its final decision on the basis of the decision referred to in paragraph 1 of this Article, without undue delay and at the latest by one month after the Board has notified its decision. The lead supervisory authority or, as the case may be, the supervisory authority with which the complaint has been lodged, shall inform the Board of the date when its final decision is notified respectively to the controller or the processor and to the data subject. The final decision of the supervisory authorities concerned shall be adopted under the terms of Article 60(7), (8) and (9). The final decision shall refer to the decision referred to in paragraph 1 of this Article and shall specify that the decision referred to in that paragraph will be published on the website of the Board in accordance with paragraph 5 of this Article. The final decision shall attach the decision referred to in paragraph 1 of this Article.
In exceptional circumstances, where a supervisory authority concerned considers that there is an urgent need to act in order to protect the rights and freedoms of data subjects, it may, by way of derogation from the consistency mechanism referred to in Articles 63, 64 and 65 or the procedure referred to in Article 60, immediately adopt provisional measures intended to produce legal effects on its own territory with a specified period of validity which shall not exceed three months. The supervisory authority shall, without delay, communicate those measures and the reasons for adopting them to the other supervisory authorities concerned, to the Board and to the Commission.
Where a supervisory authority has taken a measure pursuant to paragraph 1 and considers that final measures need urgently be adopted, it may request an urgent opinion or an urgent binding decision from the Board, giving reasons for requesting such opinion or decision.
Any supervisory authority may request an urgent opinion or an urgent binding decision, as the case may be, from the Board where a competent supervisory authority has not taken an appropriate measure in a situation where there is an urgent need to act, in order to protect the rights and freedoms of data subjects, giving reasons for requesting such opinion or decision, including for the urgent need to act.
By derogation from Article 64(3) and Article 65(2), an urgent opinion or an urgent binding decision referred to in paragraphs 2 and 3 of this Article shall be adopted within two weeks by simple majority of the members of the Board.
The Commission may adopt implementing acts of general scope in order to specify the arrangements for the exchange of information by electronic means between supervisory authorities, and between supervisory authorities and the Board, in particular the standardised format referred to in Article 64.
Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 93(2).
The European Data Protection Board (the ‘Board’) is hereby established as a body of the Union and shall have legal personality.
The Board shall be represented by its Chair.
The Board shall be composed of the head of one supervisory authority of each Member State and of the European Data Protection Supervisor, or their respective representatives.
Where in a Member State more than one supervisory authority is responsible for monitoring the application of the provisions pursuant to this Regulation, a joint representative shall be appointed in accordance with that Member State’s law.
The Commission shall have the right to participate in the activities and meetings of the Board without voting right. The Commission shall designate a representative. The Chair of the Board shall communicate to the Commission the activities of the Board.
In the cases referred to in Article 65, the European Data Protection Supervisor shall have voting rights only on decisions which concern principles and rules applicable to the Union institutions, bodies, offices and agencies which correspond in substance to those of this Regulation.
The Board shall act independently when performing its tasks or exercising its powers pursuant to Articles 70 and 71.
Without prejudice to requests by the Commission referred to in point (b) of Article 70(1) and in Article 70(2), the Board shall, in the performance of its tasks or the exercise of its powers, neither seek nor take instructions from anybody.
The Board shall ensure the consistent application of this Regulation. To that end, the Board shall, on its own initiative or, where relevant, at the request of the Commission, in particular:
Where the Commission requests advice from the Board, it may indicate a time limit, taking into account the urgency of the matter.
The Board shall forward its opinions, guidelines, recommendations, and best practices to the Commission and to the committee referred to in Article 93 and make them public.
The Board shall, where appropriate, consult interested parties and give them the opportunity to comment within a reasonable period. The Board shall, without prejudice to Article 76, make the results of the consultation procedure publicly available.
The Board shall draw up an annual report regarding the protection of natural persons with regard to processing in the Union and, where relevant, in third countries and international organisations. The report shall be made public and be transmitted to the European Parliament, to the Council and to the Commission.
The annual report shall include a review of the practical application of the guidelines, recommendations and best practices referred to in point (l) of Article 70(1) as well as of the binding decisions referred to in Article 65.
The Board shall take decisions by a simple majority of its members, unless otherwise provided for in this Regulation.
The Board shall adopt its own rules of procedure by a two-thirds majority of its members and organise its own operational arrangements.
The Board shall elect a chair and two deputy chairs from amongst its members by simple majority.
The term of office of the Chair and of the deputy chairs shall be five years and be renewable once.
The Chair shall have the following tasks:
The Board shall lay down the allocation of tasks between the Chair and the deputy chairs in its rules of procedure.
The Board shall have a secretariat, which shall be provided by the European Data Protection Supervisor.
The secretariat shall perform its tasks exclusively under the instructions of the Chair of the Board.
The staff of the European Data Protection Supervisor involved in carrying out the tasks conferred on the Board by this Regulation shall be subject to separate reporting lines from the staff involved in carrying out tasks conferred on the European Data Protection Supervisor.
Where appropriate, the Board and the European Data Protection Supervisor shall establish and publish a Memorandum of Understanding implementing this Article, determining the terms of their cooperation, and applicable to the staff of the European Data Protection Supervisor involved in carrying out the tasks conferred on the Board by this Regulation.
The secretariat shall provide analytical, administrative and logistical support to the Board.
The secretariat shall be responsible in particular for:
The discussions of the Board shall be confidential where the Board deems it necessary, as provided for in its rules of procedure.
Access to documents submitted to members of the Board, experts and representatives of third parties shall be governed by Regulation (EC) No 1049/2001 of the European Parliament and of the Council [^21].
Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes this Regulation.
The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Article 78.
Without prejudice to any other administrative or non-judicial remedy, each natural or legal person shall have the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning them.
Without prejudice to any other administrative or non-judicial remedy, each data subject shall have the right to a an effective judicial remedy where the supervisory authority which is competent pursuant to Articles 55 and 56 does not handle a complaint or does not inform the data subject within three months on the progress or outcome of the complaint lodged pursuant to Article 77.
Proceedings against a supervisory authority shall be brought before the courts of the Member State where the supervisory authority is established.
Where proceedings are brought against a decision of a supervisory authority which was preceded by an opinion or a decision of the Board in the consistency mechanism, the supervisory authority shall forward that opinion or decision to the court.
Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority pursuant to Article 77, each data subject shall have the right to an effective judicial remedy where he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data in non-compliance with this Regulation.
Proceedings against a controller or a processor shall be brought before the courts of the Member State where the controller or processor has an establishment. Alternatively, such proceedings may be brought before the courts of the Member State where the data subject has his or her habitual residence, unless the controller or processor is a public authority of a Member State acting in the exercise of its public powers.
The data subject shall have the right to mandate a not-for-profit body, organisation or association which has been properly constituted in accordance with the law of a Member State, has statutory objectives which are in the public interest, and is active in the field of the protection of data subjects’ rights and freedoms with regard to the protection of their personal data to lodge the complaint on his or her behalf, to exercise the rights referred to in Articles 77, 78 and 79 on his or her behalf, and to exercise the right to receive compensation referred to in Article 82 on his or her behalf where provided for by Member State law.
Member States may provide that any body, organisation or association referred to in paragraph 1 of this Article, independently of a data subject’s mandate, has the right to lodge, in that Member State, a complaint with the supervisory authority which is competent pursuant to Article 77 and to exercise the rights referred to in Articles 78 and 79 if it considers that the rights of a data subject under this Regulation have been infringed as a result of the processing.
Where a competent court of a Member State has information on proceedings, concerning the same subject matter as regards processing by the same controller or processor, that are pending in a court in another Member State, it shall contact that court in the other Member State to confirm the existence of such proceedings.
Where proceedings concerning the same subject matter as regards processing of the same controller or processor are pending in a court in another Member State, any competent court other than the court first seized may suspend its proceedings.
Where those proceedings are pending at first instance, any court other than the court first seized may also, on the application of one of the parties, decline jurisdiction if the court first seized has jurisdiction over the actions in question and its law permits the consolidation thereof.
Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.
Any controller involved in processing shall be liable for the damage caused by processing which infringes this Regulation. A processor shall be liable for the damage caused by processing only where it has not complied with obligations of this Regulation specifically directed to processors or where it has acted outside or contrary to lawful instructions of the controller.
A controller or processor shall be exempt from liability under paragraph 2 if it proves that it is not in any way responsible for the event giving rise to the damage.
Where more than one controller or processor, or both a controller and a processor, are involved in the same processing and where they are, under paragraphs 2 and 3, responsible for any damage caused by processing, each controller or processor shall be held liable for the entire damage in order to ensure effective compensation of the data subject.
Where a controller or processor has, in accordance with paragraph 4, paid full compensation for the damage suffered, that controller or processor shall be entitled to claim back from the other controllers or processors involved in the same processing that part of the compensation corresponding to their part of responsibility for the damage, in accordance with the conditions set out in paragraph 2.
Court proceedings for exercising the right to receive compensation shall be brought before the courts competent under the law of the Member State referred to in Article 79(2).
Each supervisory authority shall ensure that the imposition of administrative fines pursuant to this Article in respect of infringements of this Regulation referred to in paragraphs 4, 5 and 6 shall in each individual case be effective, proportionate and dissuasive.
Administrative fines shall, depending on the circumstances of each individual case, be imposed in addition to, or instead of, measures referred to in points (a) to (h) and (j) of Article 58(2). When deciding whether to impose an administrative fine and deciding on the amount of the administrative fine in each individual case due regard shall be given to the following:
If a controller or processor intentionally or negligently, for the same or linked processing operations, infringes several provisions of this Regulation, the total amount of the administrative fine shall not exceed the amount specified for the gravest infringement.
Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 10 000 000 EUR, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher:
Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher:
Non-compliance with an order by the supervisory authority as referred to in Article 58(2) shall, in accordance with paragraph 2 of this Article, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.
Without prejudice to the corrective powers of supervisory authorities pursuant to Article 58(2), each Member State may lay down the rules on whether and to what extent administrative fines may be imposed on public authorities and bodies established in that Member State.
The exercise by the supervisory authority of its powers under this Article shall be subject to appropriate procedural safeguards in accordance with Union and Member State law, including effective judicial remedy and due process.
Where the legal system of the Member State does not provide for administrative fines, this Article may be applied in such a manner that the fine is initiated by the competent supervisory authority and imposed by competent national courts, while ensuring that those legal remedies are effective and have an equivalent effect to the administrative fines imposed by supervisory authorities. In any event, the fines imposed shall be effective, proportionate and dissuasive. Those Member States shall notify to the Commission the provisions of their laws which they adopt pursuant to this paragraph by 25 May 2018 and, without delay, any subsequent amendment law or amendment affecting them.
Member States shall lay down the rules on other penalties applicable to infringements of this Regulation in particular for infringements which are not subject to administrative fines pursuant to Article 83, and shall take all measures necessary to ensure that they are implemented. Such penalties shall be effective, proportionate and dissuasive.
Each Member State shall notify to the Commission the provisions of its law which it adopts pursuant to paragraph 1, by 25 May 2018 and, without delay, any subsequent amendment affecting them.
Member States shall by law reconcile the right to the protection of personal data pursuant to this Regulation with the right to freedom of expression and information, including processing for journalistic purposes and the purposes of academic, artistic or literary expression.
For processing carried out for journalistic purposes or the purpose of academic artistic or literary expression, Member States shall provide for exemptions or derogations from Chapter II (principles), Chapter III (rights of the data subject), Chapter IV (controller and processor), Chapter V (transfer of personal data to third countries or international organisations), Chapter VI (independent supervisory authorities), Chapter VII (cooperation and consistency) and Chapter IX (specific data processing situations) if they are necessary to reconcile the right to the protection of personal data with the freedom of expression and information.
Each Member State shall notify to the Commission the provisions of its law which it has adopted pursuant to paragraph 2 and, without delay, any subsequent amendment law or amendment affecting them.
Personal data in official documents held by a public authority or a public body or a private body for the performance of a task carried out in the public interest may be disclosed by the authority or body in accordance with Union or Member State law to which the public authority or body is subject in order to reconcile public access to official documents with the right to the protection of personal data pursuant to this Regulation.
Member States may further determine the specific conditions for the processing of a national identification number or any other identifier of general application. In that case the national identification number or any other identifier of general application shall be used only under appropriate safeguards for the rights and freedoms of the data subject pursuant to this Regulation.
Member States may, by law or by collective agreements, provide for more specific rules to ensure the protection of the rights and freedoms in respect of the processing of employees’ personal data in the employment context, in particular for the purposes of the recruitment, the performance of the contract of employment, including discharge of obligations laid down by law or by collective agreements, management, planning and organisation of work, equality and diversity in the workplace, health and safety at work, protection of employer’s or customer’s property and for the purposes of the exercise and enjoyment, on an individual or collective basis, of rights and benefits related to employment, and for the purpose of the termination of the employment relationship.
Those rules shall include suitable and specific measures to safeguard the data subject’s human dignity, legitimate interests and fundamental rights, with particular regard to the transparency of processing, the transfer of personal data within a group of undertakings, or a group of enterprises engaged in a joint economic activity and monitoring systems at the work place.
Each Member State shall notify to the Commission those provisions of its law which it adopts pursuant to paragraph 1, by 25 May 2018 and, without delay, any subsequent amendment affecting them.
Processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, shall be subject to appropriate safeguards, in accordance with this Regulation, for the rights and freedoms of the data subject. Those safeguards shall ensure that technical and organisational measures are in place in particular in order to ensure respect for the principle of data minimisation. Those measures may include pseudonymisation provided that those purposes can be fulfilled in that manner. Where those purposes can be fulfilled by further processing which does not permit or no longer permits the identification of data subjects, those purposes shall be fulfilled in that manner.
Where personal data are processed for scientific or historical research purposes or statistical purposes, Union or Member State law may provide for derogations from the rights referred to in Articles 15, 16, 18 and 21 subject to the conditions and safeguards referred to in paragraph 1 of this Article in so far as such rights are likely to render impossible or seriously impair the achievement of the specific purposes, and such derogations are necessary for the fulfilment of those purposes.
Where personal data are processed for archiving purposes in the public interest, Union or Member State law may provide for derogations from the rights referred to in Articles 15, 16, 18, 19, 20 and 21 subject to the conditions and safeguards referred to in paragraph 1 of this Article in so far as such rights are likely to render impossible or seriously impair the achievement of the specific purposes, and such derogations are necessary for the fulfilment of those purposes.
Where processing referred to in paragraphs 2 and 3 serves at the same time another purpose, the derogations shall apply only to processing for the purposes referred to in those paragraphs.
Member States may adopt specific rules to set out the powers of the supervisory authorities laid down in points (e) and (f) of Article 58(1) in relation to controllers or processors that are subject, under Union or Member State law or rules established by national competent bodies, to an obligation of professional secrecy or other equivalent obligations of secrecy where this is necessary and proportionate to reconcile the right of the protection of personal data with the obligation of secrecy. Those rules shall apply only with regard to personal data which the controller or processor has received as a result of or has obtained in an activity covered by that obligation of secrecy.
Each Member State shall notify to the Commission the rules adopted pursuant to paragraph 1, by 25 May 2018 and, without delay, any subsequent amendment affecting them.
Where in a Member State, churches and religious associations or communities apply, at the time of entry into force of this Regulation, comprehensive rules relating to the protection of natural persons with regard to processing, such rules may continue to apply, provided that they are brought into line with this Regulation.
Churches and religious associations which apply comprehensive rules in accordance with paragraph 1 of this Article shall be subject to the supervision of an independent supervisory authority, which may be specific, provided that it fulfils the conditions laid down in Chapter VI of this Regulation.
The power to adopt delegated acts is conferred on the Commission subject to the conditions laid down in this Article.
The delegation of power referred to in Article 12(8) and Article 43(8) shall be conferred on the Commission for an indeterminate period of time from 24 May 2016.
The delegation of power referred to in Article 12(8) and Article 43(8) may be revoked at any time by the European Parliament or by the Council. A decision of revocation shall put an end to the delegation of power specified in that decision. It shall take effect the day following that of its publication in the Official Journal of the European Union or at a later date specified therein. It shall not affect the validity of any delegated acts already in force.
As soon as it adopts a delegated act, the Commission shall notify it simultaneously to the European Parliament and to the Council.
A delegated act adopted pursuant to Article 12(8) and Article 43(8) shall enter into force only if no objection has been expressed by either the European Parliament or the Council within a period of three months of notification of that act to the European Parliament and the Council or if, before the expiry of that period, the European Parliament and the Council have both informed the Commission that they will not object. That period shall be extended by three months at the initiative of the European Parliament or of the Council.
The Commission shall be assisted by a committee. That committee shall be a committee within the meaning of Regulation (EU) No 182/2011.
Where reference is made to this paragraph, Article 5 of Regulation (EU) No 182/2011 shall apply.
Where reference is made to this paragraph, Article 8 of Regulation (EU) No 182/2011, in conjunction with Article 5 thereof, shall apply.
Directive 95/46/EC is repealed with effect from 25 May 2018.
References to the repealed Directive shall be construed as references to this Regulation. References to the Working Party on the Protection of Individuals with regard to the Processing of Personal Data established by Article 29 of Directive 95/46/EC shall be construed as references to the European Data Protection Board established by this Regulation.
This Regulation shall not impose additional obligations on natural or legal persons in relation to processing in connection with the provision of publicly available electronic communications services in public communication networks in the Union in relation to matters for which they are subject to specific obligations with the same objective set out in Directive 2002/58/EC.
International agreements involving the transfer of personal data to third countries or international organisations which were concluded by Member States prior to 24 May 2016, and which comply with Union law as applicable prior to that date, shall remain in force until amended, replaced or revoked.
By 25 May 2020 and every four years thereafter, the Commission shall submit a report on the evaluation and review of this Regulation to the European Parliament and to the Council. The reports shall be made public.
In the context of the evaluations and reviews referred to in paragraph 1, the Commission shall examine, in particular, the application and functioning of:
For the purpose of paragraph 1, the Commission may request information from Member States and supervisory authorities.
In carrying out the evaluations and reviews referred to in paragraphs 1 and 2, the Commission shall take into account the positions and findings of the European Parliament, of the Council, and of other relevant bodies or sources.
The Commission shall, if necessary, submit appropriate proposals to amend this Regulation, in particular taking into account of developments in information technology and in the light of the state of progress in the information society.
The Commission shall, if appropriate, submit legislative proposals with a view to amending other Union legal acts on the protection of personal data, in order to ensure uniform and consistent protection of natural persons with regard to processing. This shall in particular concern the rules relating to the protection of natural persons with regard to processing by Union institutions, bodies, offices and agencies and on the free movement of such data.
This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.
It shall apply from 25 May 2018.
This Regulation shall be binding in its entirety and directly applicable in all Member States.
Done at Brussels, 27 April 2016.
For the European Parliament
The President
M. SCHULZ
For the Council
The President
J.A. HENNIS-PLASSCHAERT
[^1] OJ C 229, 31.7.2012, p. 90.
[^2] OJ C 391, 18.12.2012, p. 127.
[^3] Position of the European Parliament of 12 March 2014 (not yet published in the Official Journal) and position of the Council at first reading of 8 April 2016 (not yet published in the Official Journal). Position of the European Parliament of 14 April 2016.
[^4] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ L 281, 23.11.1995, p. 31).
[^5] Commission Recommendation of 6 May 2003 concerning the definition of micro, small and medium-sized enterprises (C(2003) 1422) (OJ L 124, 20.5.2003, p. 36).
[^6] Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data (OJ L 8, 12.1.2001, p. 1).
[^7] Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data and repealing Council Framework Decision 2008/977/JHA (see page 89 of this Official Journal).
[^8] Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market (‘Directive on electronic commerce’) (OJ L 178, 17.7.2000, p. 1).
[^9] Directive 2011/24/EU of the European Parliament and of the Council of 9 March 2011 on the application of patients’ rights in cross-border healthcare (OJ L 88, 4.4.2011, p. 45).
[^10] Council Directive 93/13/EEC of 5 April 1993 on unfair terms in consumer contracts (OJ L 95, 21.4.1993, p. 29).
[^11] Regulation (EC) No 1338/2008 of the European Parliament and of the Council of 16 December 2008 on Community statistics on public health and health and safety at work (OJ L 354, 31.12.2008, p. 70).
[^12] Regulation (EU) No 182/2011 of the European Parliament and of the Council of 16 February 2011 laying down the rules and general principles concerning mechanisms for control by Member States of the Commission’s exercise of implementing powers (OJ L 55, 28.2.2011, p. 13).
[^13] Regulation (EU) No 1215/2012 of the European Parliament and of the Council of 12 December 2012 on jurisdiction and the recognition and enforcement of judgments in civil and commercial matters (OJ L 351, 20.12.2012, p. 1).
[^14] Directive 2003/98/EC of the European Parliament and of the Council of 17 November 2003 on the re-use of public sector information (OJ L 345, 31.12.2003, p. 90).
[^15] Regulation (EU) No 536/2014 of the European Parliament and of the Council of 16 April 2014 on clinical trials on medicinal products for human use, and repealing Directive 2001/20/EC (OJ L 158, 27.5.2014, p. 1).
[^16] Regulation (EC) No 223/2009 of the European Parliament and of the Council of 11 March 2009 on European statistics and repealing Regulation (EC, Euratom) No 1101/2008 of the European Parliament and of the Council on the transmission of data subject to statistical confidentiality to the Statistical Office of the European Communities, Council Regulation (EC) No 322/97 on Community Statistics, and Council Decision 89/382/EEC, Euratom establishing a Committee on the Statistical Programmes of the European Communities (OJ L 87, 31.3.2009, p. 164).
[^17] OJ C 192, 30.6.2012, p. 7.
[^18] Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) (OJ L 201, 31.7.2002, p. 37).
[^19] Directive (EU) 2015/1535 of the European Parliament and of the Council of 9 September 2015 laying down a procedure for the provision of information in the field of technical regulations and of rules on Information Society services (OJ L 241, 17.9.2015, p. 1).
[^20] Regulation (EC) No 765/2008 of the European Parliament and of the Council of 9 July 2008 setting out the requirements for accreditation and market surveillance relating to the marketing of products and repealing Regulation (EEC) No 339/93 (OJ L 218, 13.8.2008, p. 30).
[^21] Regulation (EC) No 1049/2001 of the European Parliament and of the Council of 30 May 2001 regarding public access to European Parliament, Council and Commission documents (OJ L 145, 31.5.2001, p. 43).
9.6.2023
EN
Official Journal of the European Union
L 150/40
REGULATION (EU) 2023/1114 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL
of 31 May 2023
on markets in crypto-assets, and amending Regulations (EU) No 1093/2010 and (EU) No 1095/2010 and Directives 2013/36/EU and (EU) 2019/1937
(Text with EEA relevance)
THE EUROPEAN PARLIAMENT AND THE COUNCIL OF THE EUROPEAN UNION,
Having regard to the Treaty on the Functioning of the European Union, and in particular Article 114 thereof,
Having regard to the proposal from the European Commission,
After transmission of the draft legislative act to the national parliaments,
Having regard to the opinion of the European Central Bank,
Having regard to the opinion of the European Economic and Social Committee,
Acting in accordance with the ordinary legislative procedure,
Whereas:
It is important to ensure that Union legislative acts on financial services are fit for the digital age, and contribute to a future-proof economy that works for people, including by enabling the use of innovative technologies. The Union has a policy interest in developing and promoting the uptake of transformative technologies in the financial sector, including the uptake of distributed ledger technology (DLT). It is expected that many applications of distributed ledger technology, including blockchain technology, that have not yet been fully studied will continue to result in new types of business activity and business models that, together with the crypto-asset sector itself, will lead to economic growth and new employment opportunities for Union citizens.
Crypto-assets are one of the main applications of distributed ledger technology. Crypto-assets are digital representations of value or of rights that have the potential to bring significant benefits to market participants, including retail holders of crypto-assets. Representations of value include external, non-intrinsic value attributed to a crypto-asset by the parties concerned or by market participants, meaning the value is subjective and based only on the interest of the purchaser of the crypto-asset. By streamlining capital-raising processes and enhancing competition, offers of crypto-assets could allow for an innovative and inclusive way of financing, including for small and medium-sized enterprises (SMEs). When used as a means of payment, crypto-assets can present opportunities in terms of cheaper, faster and more efficient payments, in particular on a cross-border basis, by limiting the number of intermediaries.
Some crypto-assets, in particular those that qualify as financial instruments as defined in Directive 2014/65/EU of the European Parliament and of the Council, fall within the scope of existing Union legislative acts on financial services. Therefore, a full set of Union rules already applies to issuers of such crypto-assets and to firms conducting activities related to such crypto-assets.
Other crypto-assets, however, fall outside of the scope of Union legislative acts on financial services. At present, there are no rules, other than those in respect of anti-money laundering, for the provision of services related to such unregulated crypto-assets, including for the operation of trading platforms for crypto-assets, the exchange of crypto-assets for funds or other crypto-assets, and providing custody and administration of crypto-assets on behalf of clients. The absence of such rules leaves holders of those crypto-assets exposed to risks, in particular in fields not covered by consumer protection rules. The absence of such rules can also result in substantial risks to market integrity, including in terms of market abuse as well as in terms of financial crime. To address those risks, some Member States have put in place specific rules for all, or a subset of, crypto-assets that fall outside the scope of Union legislative acts on financial services, and other Member States are considering whether to legislate in the field of crypto-assets.
The absence of an overall Union framework for markets in crypto-assets can lead to a lack of user confidence in those assets, which could significantly hinder the development of a market in those assets and lead to missed opportunities in terms of innovative digital services, alternative payment instruments or new funding sources for Union companies. In addition, companies using crypto-assets would have no legal certainty on how their crypto-assets would be treated in the various Member States, which would undermine their efforts to use crypto-assets for digital innovation. The lack of an overall Union framework for markets in crypto-assets could also lead to regulatory fragmentation, which would distort competition in the internal market, make it more difficult for crypto-asset service providers to scale up their activities on a cross-border basis and would give rise to regulatory arbitrage. Markets in crypto-assets are still modest in size and do not at present pose a threat to financial stability. It is, however, possible that types of crypto-assets that aim to stabilise their price in relation to a specific asset or a basket of assets could in the future be widely adopted by retail holders, and such a development could raise additional challenges in terms of financial stability, the smooth operation of payment systems, monetary policy transmission or monetary sovereignty.
A dedicated and harmonised framework for markets in crypto-assets is therefore necessary at Union level in order to provide specific rules for crypto-assets and related services and activities that are not yet covered by Union legislative acts on financial services. Such a framework should support innovation and fair competition, while ensuring a high level of protection of retail holders and the integrity of markets in crypto-assets. A clear framework should enable crypto-asset service providers to scale up their businesses on a cross-border basis and facilitate their access to banking services to enable them to run their activities smoothly. A Union framework for markets in crypto-assets should provide for the proportionate treatment of issuers of crypto-assets and crypto-asset service providers, thereby giving rise to equal opportunities in respect of market entry and the ongoing and future development of markets in crypto-assets. It should also promote financial stability and the smooth operation of payment systems, and address monetary policy risks that could arise from crypto-assets that aim to stabilise their price in relation to a specific asset or basket of assets. Proper regulation maintains the competitiveness of the Member States on international financial and technological markets and provides clients with significant benefits in terms of access to cheaper, faster and safer financial services and asset management. The Union framework for markets in crypto-assets should not regulate the underlying technology. Union legislative acts should avoid imposing an unnecessary and disproportionate regulatory burden on the use of technology, since the Union and the Member States seek to maintain competitiveness on a global market.
The consensus mechanisms used for the validation of transactions in crypto-assets might have principal adverse impacts on the climate and other environment-related adverse impacts. Such consensus mechanisms should therefore deploy more environmentally-friendly solutions and ensure that any principal adverse impact that they might have on the climate, and any other environment-related adverse impact, are adequately identified and disclosed by issuers of crypto-assets and crypto-asset service providers. When determining whether adverse impacts are principal, account should be taken of the principle of proportionality and the size and volume of the crypto-asset issued. The European Supervisory Authority (European Securities and Markets Authority) (ESMA) established by Regulation (EU) No 1095/2010 of the European Parliament and of the Council, in cooperation with the European Supervisory Authority (European Banking Authority) (EBA) established by Regulation (EU) No 1093/2010 of the European Parliament and of the Council, should therefore be mandated to develop draft regulatory technical standards to further specify the content, methodologies and presentation of information in relation to sustainability indicators with regard to adverse impacts on climate and other environment‐related adverse impacts, and to outline key energy indicators. The draft regulatory technical standards should also ensure coherence of disclosures by issuers of crypto-assets and by crypto-asset service providers. When developing the draft regulatory technical standards, ESMA should take into account the various types of consensus mechanisms used for the validation of transactions in crypto-assets, their characteristics and the differences between them. ESMA should also take into account existing disclosure requirements, ensure complementarity and consistency, and avoid increasing the burden on companies.
Markets in crypto-assets are global and thus inherently cross-border. Therefore, the Union should continue to support international efforts to promote convergence in the treatment of crypto-assets and crypto-asset services through international organisations or bodies such as the Financial Stability Board, the Basel Committee on Banking Supervision and the Financial Action Task Force.
Union legislative acts on financial services should be guided by the principles of ‘same activities, same risks, same rules’ and of technology neutrality. Therefore, crypto-assets that fall under existing Union legislative acts on financial services should remain regulated under the existing regulatory framework, regardless of the technology used for their issuance or their transfer, rather than this Regulation. Accordingly, this Regulation expressly excludes from its scope crypto-assets that qualify as financial instruments as defined in Directive 2014/65/EU, those that qualify as deposits as defined in Directive 2014/49/EU of the European Parliament and of the Council, including structured deposits as defined in Directive 2014/65/EU, those that qualify as funds as defined in Directive (EU) 2015/2366 of the European Parliament and of the Council, except if they qualify as electronic money tokens (‘e-money tokens’), those that qualify as securitisation positions as defined in Regulation (EU) 2017/2402 of the European Parliament and of the Council, and those that qualify as non-life or life insurance contracts, pension products or schemes and social security schemes. Having regard to the fact that electronic money and funds received in exchange for electronic money should not be treated as deposits in accordance with Directive 2009/110/EC of the European Parliament and of the Council, e-money tokens cannot be treated as deposits that are excluded from the scope of this Regulation.
This Regulation should not apply to crypto-assets that are unique and not fungible with other crypto-assets, including digital art and collectibles. The value of such unique and non-fungible crypto-assets is attributable to each crypto-asset’s unique characteristics and the utility it gives to the holder of the token. Nor should this Regulation apply to crypto-assets representing services or physical assets that are unique and non-fungible, such as product guarantees or real estate. While unique and non-fungible crypto-assets might be traded on the marketplace and be accumulated speculatively, they are not readily interchangeable and the relative value of one such crypto-asset in relation to another, each being unique, cannot be ascertained by means of comparison to an existing market or equivalent asset. Such features limit the extent to which those crypto-assets can have a financial use, thus limiting risks to holders and the financial system and justifying their exclusion from the scope of this Regulation.
The fractional parts of a unique and non-fungible crypto-asset should not be considered unique and non-fungible. The issuance of crypto-assets as non-fungible tokens in a large series or collection should be considered an indicator of their fungibility. The mere attribution of a unique identifier to a crypto-asset is not, in and of itself, sufficient to classify it as unique and non-fungible. The assets or rights represented should also be unique and non-fungible in order for the crypto-asset to be considered unique and non-fungible. The exclusion of crypto-assets that are unique and non-fungible from the scope of this Regulation is without prejudice to the qualification of such crypto-assets as financial instruments. This Regulation should also apply to crypto-assets that appear to be unique and non-fungible, but whose de facto features or whose features that are linked to their de facto uses, would make them either fungible or not unique. In that regard, when assessing and classifying crypto-assets, competent authorities should adopt a substance over form approach whereby the features of the crypto-asset in question determine the classification and not its designation by the issuer.
It is appropriate to exclude certain intragroup transactions and some public entities from the scope of this Regulation as they do not pose risks to investor protection, market integrity, financial stability, the smooth operation of payment systems, monetary policy transmission or monetary sovereignty. Public international organisations that are exempt include the International Monetary Fund and the Bank for International Settlements.
Digital assets issued by central banks acting in their monetary authority capacity, including central bank money in digital form, or crypto-assets issued by other public authorities, including central, regional and local administrations, should not be subject to the Union framework for markets in crypto-assets. Nor should related services provided by such central banks when acting in their monetary authority capacity or other public authorities be subject to that Union framework.
For the purposes of ensuring a clear delineation between, on the one hand, crypto-assets covered by this Regulation and, on the other hand, financial instruments, ESMA should be mandated to issue guidelines on the criteria and conditions for the qualification of crypto-assets as financial instruments. Those guidelines should also allow for a better understanding of the cases where crypto-assets that are otherwise considered unique and not fungible with other crypto-assets might qualify as financial instruments. In order to promote a common approach towards the classification of crypto-assets, EBA, ESMA and the European Supervisory Authority (European Insurance and Occupational Pensions Authority) (EIOPA), established by Regulation (EU) No 1094/2010 of the European Parliament and of the Council(the ‘European Supervisory Authorities’ or ‘ESAs’) should promote discussions on such classification. Competent authorities should be able to request opinions from the ESAs on the classification of crypto-assets, including classifications proposed by offerors or persons seeking admission to trading. Offerors or persons seeking admission to trading are primarily responsible for the correct classification of crypto-assets, which might be challenged by the competent authorities, both before the date of publication of the offer and at any time thereafter. Where the classification of a crypto-asset appears to be inconsistent with this Regulation or other relevant Union legislative acts on financial services, the ESAs should make use of their powers under Regulations (EU) No 1093/2010, (EU) No 1094/2010 and (EU) No 1095/2010 in order to ensure a consistent and coherent approach to such classification.
Pursuant to Article 127(2), fourth indent, of the Treaty on the Functioning of the European Union (TFEU), one of the basic tasks to be carried out through the European System of Central Banks (ESCB) is to promote the smooth operation of payment systems. The European Central Bank (ECB) may, pursuant to Article 22 of Protocol No 4 on the Statute of the European System of Central Banks and of the European Central Bank attached to the Treaties, make regulations to ensure efficient and sound clearing and payment systems within the Union and with other countries. To that end, the ECB has adopted regulations concerning requirements for systemically important payment systems. This Regulation is without prejudice to the responsibilities of the ECB and the national central banks in the ESCB to ensure efficient and sound clearing and payment systems within the Union and with third countries. Consequently, and in order to prevent the possible creation of parallel sets of rules, EBA, ESMA and the ECB should cooperate closely when preparing the relevant draft technical standards under this Regulation. Furthermore, it is crucial for the ECB and the national central banks to have access to information when fulfilling their tasks relating to the oversight of payment systems, including clearing of payments. In addition, this Regulation should be without prejudice to Council Regulation (EU) No 1024/2013and should be interpreted in such a way that it is not in conflict with that Regulation.
Any legislative act adopted in the field of crypto-assets should be specific and future-proof, be able to keep pace with innovation and technological developments and be founded on an incentive-based approach. The terms ‘crypto-assets’ and ‘distributed ledger technology’ should therefore be defined as widely as possible to capture all types of crypto-assets that currently fall outside the scope of Union legislative acts on financial services. Any legislative act adopted in the field of crypto-assets should also contribute to the objective of combating money laundering and terrorist financing. For that reason, entities offering services falling within the scope of this Regulation should also comply with applicable anti-money laundering and counter-terrorist financing rules of the Union, which integrate international standards.
Digital assets that cannot be transferred to other holders do not fall within the definition of crypto-assets. Therefore, digital assets that are accepted only by the issuer or the offeror and that are technically impossible to transfer directly to other holders should be excluded from the scope of this Regulation. An example of such digital assets includes loyalty schemes where the loyalty points can be exchanged for benefits only with the issuer or offeror of those points.
This Regulation classifies crypto-assets into three types, which should be distinguished from one another and subject to different requirements depending on the risks they entail. The classification is based on whether the crypto-assets seek to stabilise their value by reference to other assets. The first type consists of crypto-assets that aim to stabilise their value by referencing only one official currency. The function of such crypto-assets is very similar to the function of electronic money as defined in Directive 2009/110/EC. Like electronic money, such crypto-assets are electronic surrogates for coins and banknotes and are likely to be used for making payments. Those crypto-assets should be defined in this Regulation as ‘e-money tokens’. The second type of crypto-assets concerns ‘asset-referenced tokens’, which aim to stabilise their value by referencing another value or right, or combination thereof, including one or several official currencies. That second type covers all other crypto-assets, other than e-money tokens, whose value is backed by assets, so as to avoid circumvention and to make this Regulation future-proof. Finally, the third type consists of crypto-assets other than asset-referenced tokens and e-money tokens, and covers a wide variety of crypto-assets, including utility tokens.
At present, despite their similarities, electronic money and crypto-assets referencing an official currency differ in some important aspects. Holders of electronic money as defined in Directive 2009/110/EC are always provided with a claim against the electronic money issuer and have a contractual right to redeem, at any moment and at par value, the monetary value of the electronic money held. By contrast, some crypto-assets referencing an official currency do not provide their holders with such a claim against the issuers of such crypto-assets and could fall outside the scope of Directive 2009/110/EC. Other crypto-assets referencing an official currency do not provide a claim at par value with the currency they are referencing or they limit the redemption period. The fact that holders of such crypto-assets do not have a claim against the issuers of such crypto-assets, or that such claim is not at par value with the currency those crypto-assets are referencing, could undermine the confidence of holders of those crypto-assets. Accordingly, to avoid circumvention of the rules laid down in Directive 2009/110/EC, any definition of e-money tokens should be as wide as possible to capture all types of crypto-assets referencing a single official currency. In addition, strict conditions on the issuance of e-money tokens should be laid down, including an obligation for e-money tokens to be issued either by a credit institution authorised under Directive 2013/36/EU of the European Parliament and of the Council, or by an electronic money institution authorised under Directive 2009/110/EC. For the same reason, issuers of e-money tokens should ensure that holders of such tokens can exercise their right to redeem their tokens at any time and at par value against the currency referencing those tokens. Because e-money tokens are crypto-assets and can raise new challenges in terms of protection of retail holders and market integrity that are specific to crypto-assets, they should also be subject to the rules laid down in this Regulation to address those challenges.
Given the different risks and opportunities raised by crypto-assets, it is necessary to lay down rules for offerors and persons seeking admission to trading of crypto-assets other than asset-referenced tokens and e-money tokens, as well as for issuers of asset-referenced tokens and e-money tokens. Issuers of crypto-assets are entities that have control over the creation of crypto-assets.
It is necessary to lay down specific rules for entities that provide services related to crypto-assets. A first category of such services consists of ensuring the operation of a trading platform for crypto-assets, exchanging crypto-assets for funds or other crypto-assets, providing custody and administration of crypto-assets on behalf of clients, and providing transfer services for crypto-assets on behalf of clients. A second category of such services consists of the placing of crypto-assets, the reception or transmission of orders for crypto-assets on behalf of clients, the execution of orders for crypto-assets on behalf of clients, providing advice on crypto-assets and providing portfolio management of crypto-assets. Any person that provides crypto-asset services on a professional basis in accordance with this Regulation should be deemed to be a ‘crypto-asset service provider’.
This Regulation should apply to natural and legal persons and certain other undertakings and to the crypto-asset services and activities performed, provided or controlled, directly or indirectly, by them, including when part of such activities or services is performed in a decentralised manner. Where crypto-asset services are provided in a fully decentralised manner without any intermediary, they should not fall within the scope of this Regulation. This Regulation covers the rights and obligations of issuers of crypto-assets, offerors, persons seeking admission to trading of crypto-assets and crypto-asset service providers. Where crypto-assets have no identifiable issuer, they should not fall within the scope of Title II, III or IV of this Regulation. Crypto-asset service providers providing services in respect of such crypto-assets should, however, be covered by this Regulation.
To ensure that all offers to the public of crypto-assets other than asset-referenced tokens or e-money tokens, which can potentially have a financial use, or all admissions of crypto-assets to trading on a trading platform for crypto-assets (‘admission to trading’), in the Union, are properly monitored and supervised by competent authorities, all offerors or persons seeking admission to trading should be legal persons.
In order to ensure their protection, prospective retail holders of crypto-assets should be informed of the characteristics, functions and risks of the crypto-assets that they intend to purchase. When making an offer to the public of crypto-assets other than asset-referenced tokens or e-money tokens or when seeking admission to trading of such crypto-assets in the Union, offerors or persons seeking admission to trading should draw up, notify to their competent authority and publish an information document containing mandatory disclosures (‘a crypto-asset white paper’). A crypto-asset white paper should contain general information on the issuer, offeror or person seeking admission to trading, on the project to be carried out with the capital raised, on the offer to the public of crypto-assets or on their admission to trading, on the rights and obligations attached to the crypto-assets, on the underlying technology used for such crypto-assets and on the related risks. However, the crypto-asset white paper should not contain a description of risks that are unforeseeable and very unlikely to materialise. The information contained in the crypto-asset white paper as well as in the relevant marketing communications, such as advertising messages and marketing material, and including through new channels such as social media platforms, should be fair, clear and not misleading. Advertising messages and marketing material should be consistent with the information provided in the crypto-asset white paper.
Crypto-asset white papers, including their summaries, and the operating rules of trading platforms for crypto-assets should be drawn up in at least one of the official languages of the home Member State and of any host Member State or, alternatively, in a language customary in the sphere of international finance. At the time of adoption of this Regulation, the English language is the language customary in the sphere of international finance but that could evolve in the future.
In order to ensure a proportionate approach, no requirements of this Regulation should apply to offers to the public of crypto-assets other than asset-referenced tokens or e-money tokens that are offered for free or that are automatically created as a reward for the maintenance of a distributed ledger or the validation of transactions in the context of a consensus mechanism. In addition, no requirements should apply to offers of utility tokens providing access to an existing good or service, enabling the holder to collect the good or use the service, or when the holder of the crypto-assets has the right to use them only in exchange for goods and services in a limited network of merchants with contractual arrangements with the offeror. Such exemptions should not include crypto-assets representing stored goods that are not intended to be collected by the purchaser following the purchase. Neither should the limited network exemption apply to crypto-assets that are typically designed for a continuously growing network of service providers. The limited network exemption should be evaluated by the competent authority each time that an offer, or the aggregate value of more than one offer, exceeds a certain threshold, meaning that a new offer should not automatically benefit from an exemption of a previous offer. Those exemptions should cease to apply when the offeror, or another person acting on the offeror’s behalf, communicates the offeror’s intention of seeking admission to trading or the exempted crypto-assets are admitted to trading.
In order to ensure a proportionate approach, the requirements of this Regulation to draw up and publish a crypto-asset white paper should not apply to offers of crypto-assets other than asset-referenced tokens or e-money tokens that are made to fewer than 150 persons per Member State, or that are addressed solely to qualified investors where the crypto-assets can only be held by such qualified investors. SMEs and start-ups should not be subject to excessive and disproportionate administrative burden. Accordingly, offers to the public of crypto-assets other than asset-referenced tokens or e-money tokens in the Union whose total consideration does not exceed EUR 1 000 000 over a period of 12 months should also be exempt from the obligation to draw up a crypto-asset white paper.
The mere admission to trading or the publication of bid and offer prices should not, in and of itself, be regarded as an offer to the public of crypto-assets. Such admission or publication should only constitute an offer to the public of crypto-assets where it includes a communication constituting an offer to the public under this Regulation.
Even though some offers of crypto-assets other than asset-referenced tokens or e-money tokens are exempt from various obligations of this Regulation, Union legislative acts that ensure consumer protection, such as Directive 2005/29/EC of the European Parliament and of the Councilor Council Directive 93/13/EEC, including any information obligations contained therein, remain applicable to offers to the public of crypto-assets where they concern business-to-consumer relationships.
Where an offer to the public concerns utility tokens for goods that do not yet exist or services that are not yet in operation, the duration of the offer to the public as described in the crypto-asset white paper should not exceed 12 months. That limitation on the duration of the offer to the public is unrelated to the moment when the goods or services come into existence or become operational and can be used by the holder of a utility token after the expiry of the offer to the public.
In order to enable supervision, offerors and persons seeking admission to trading of crypto-assets other than asset-referenced tokens or e-money tokens should, before making any offer to the public of crypto-assets in the Union or before those crypto-assets are admitted to trading, notify their crypto-asset white paper and, upon request of the competent authority, their marketing communications, to the competent authority of the Member State where they have their registered office or, where they have no registered office in the Union, of the Member State where they have a branch. Offerors that are established in a third country should notify their crypto-asset white paper and, upon request of the competent authority, their marketing communications, to the competent authority of the Member State where they intend to offer the crypto-assets.
The operator of a trading platform should be responsible for complying with the requirements of Title II of this Regulation where crypto-assets are admitted to trading on its own initiative and the crypto-asset white paper has not already been published in the cases required by this Regulation. The operator of a trading platform should also be responsible for complying with those requirements where it has concluded a written agreement to that end with the person seeking admission to trading. The person seeking admission to trading should remain responsible when it provides misleading information to the operator of the trading platform. The person seeking admission to trading should also remain responsible for matters not delegated to the operator of the trading platform.
In order to avoid undue administrative burden, competent authorities should not be required to approve a crypto-asset white paper before its publication. Competent authorities should, however, have the power to request amendments to the crypto-asset white paper and to any marketing communications and, where necessary, to request the inclusion of additional information in the crypto-asset white paper.
Competent authorities should be able to suspend or prohibit an offer to the public of crypto-assets other than asset-referenced tokens or e-money tokens, or the admission of such crypto-assets to trading, where such an offer to the public or admission to trading does not comply with the applicable requirements of this Regulation, including where the crypto-asset white paper or the marketing communications are not fair, not clear or are misleading. Competent authorities should also have the power to publish a warning that the offeror or person seeking admission to trading has failed to meet those requirements, either on its website or through a press release.
Crypto-asset white papers that have been duly notified to a competent authority and marketing communications should be published. After such publication, offerors and persons seeking admission to trading of crypto-assets other than asset-referenced tokens or e-money tokens should be allowed to offer those crypto-assets throughout the Union and to seek admission to trading of such crypto-assets in the Union.
Offerors of crypto-assets other than asset-referenced tokens or e-money tokens should have effective arrangements in place to monitor and safeguard the funds or other crypto-assets raised during their offer to the public. Those arrangements should also ensure that any funds or other crypto-assets collected from holders or prospective holders are duly returned as soon as possible where an offer to the public is cancelled for any reason. The offeror should ensure that the funds or other crypto-assets collected during the offer to the public are safeguarded by a third party.
In order to further ensure protection of retail holders of crypto-assets, retail holders that acquire crypto-assets other than asset-referenced tokens or e-money tokens directly from the offeror, or from a crypto-asset service provider placing the crypto-assets on behalf of the offeror, should be provided with a right of withdrawal during a period of 14 days after their acquisition. In order to ensure the smooth completion of a time-limited offer to the public of crypto-assets, the right of withdrawal should not be exercised by retail holders after the end of the subscription period. Furthermore, the right of withdrawal should not apply where crypto-assets other than asset-referenced tokens or e-money tokens are admitted to trading prior to the purchase by the retail holder because, in such a case, the price of such crypto-assets depends on the fluctuations of the markets in crypto-assets. Where the retail holder has a right of withdrawal under this Regulation, the right of withdrawal under Directive 2002/65/EC of the European Parliament and of the Councilshould not apply.
Offerors and persons seeking admission to trading of crypto-assets other than asset-referenced tokens or e-money tokens should act honestly, fairly and professionally, should communicate with holders and prospective holders of crypto-assets in a manner that is fair, clear and not misleading, should identify, prevent, manage and disclose conflicts of interest, and should have effective administrative arrangements to ensure that their systems and security protocols meet Union standards. In order to assist competent authorities in their supervisory tasks, ESMA, in close cooperation with EBA, should be mandated to issue guidelines on those systems and security protocols in order to further specify those Union standards.
To further protect holders of crypto-assets, civil liability rules should apply to offerors and persons seeking admission to trading and to the members of their management body for the information provided to the public in the crypto-asset white paper.
Asset-referenced tokens could be widely adopted by holders to transfer value or as a means of exchange and thus pose increased risks in terms of protection of holders of crypto-assets, in particular retail holders, and in terms of market integrity, as compared to other crypto-assets. Issuers of asset-referenced tokens should therefore be subject to more stringent requirements than issuers of other crypto-assets.
Where a crypto-asset falls within the definition of an asset-referenced token or e-money token, Title III or IV of this Regulation should apply, irrespective of how the issuer intends to design the crypto-asset, including the mechanism for maintaining a stable value of the crypto-asset. The same applies to so-called algorithmic ‘stablecoins’ that aim to maintain a stable value in relation to an official currency, or in relation to one or several assets, via protocols, that provide for the increase or decrease in the supply of such crypto-assets in response to changes in demand. Offerors or persons seeking admission to trading of algorithmic crypto-assets that do not aim to stabilise the value of the crypto-assets by referencing one or several assets should in any event comply with Title II of this Regulation.
To ensure the proper supervision and monitoring of offers to the public of asset-referenced tokens, issuers of asset-referenced tokens should have a registered office in the Union.
Offers to the public of asset-referenced tokens in the Union or seeking admission to trading of such crypto-assets should be permitted only where the competent authority has authorised the issuer of such crypto-assets to do so and has approved the relevant crypto-asset white paper. The authorisation requirement should however not apply where the asset-referenced tokens are addressed solely to qualified investors or where the offer to the public of the asset-referenced tokens is below EUR 5 000 000. In those cases, the issuer of the asset-referenced tokens should still be required to draw up a crypto-asset white paper to inform buyers about the characteristics and risks of the asset-referenced tokens and should also be required to notify the crypto-asset white paper to the competent authority before its publication.
Credit institutions authorised under Directive 2013/36/EU should not need another authorisation under this Regulation in order to offer or seek the admission to trading of asset-referenced tokens. National procedures established under that Directive should apply but should be complemented by a requirement to notify the competent authority of the home Member State designated under this Regulation of the elements that enable that authority to verify the issuer’s ability to offer or seek the admission to trading of asset-referenced tokens. Credit institutions that offer or seek the admission to trading of asset-referenced tokens should be subject to all requirements that apply to issuers of asset-referenced tokens with the exception of authorisation requirements, own funds requirements and the approval procedure with respect to qualifying shareholders, as those matters are covered by Directive 2013/36/EU and by Regulation (EU) No 575/2013 of the European Parliament and of the Council. A crypto-asset white paper drawn up by such credit institution should be approved by the competent authority of the home Member State before publication. Credit institutions authorised under the provisions of national law transposing Directive 2013/36/EU and which offer or seek the admission to trading of asset-referenced tokens should be subject to the administrative powers set out under that Directive and also those under this Regulation, including a restriction or limitation of a credit institution’s business and a suspension or prohibition of an offer to the public of asset-referenced tokens. Where the obligations applying to such credit institutions under this Regulation overlap with those of Directive 2013/36/EU, the credit institutions should comply with the more specific or stricter requirements, thereby ensuring compliance with both sets of rules. The notification procedure for credit institutions intending to offer or seek the admission to trading of asset-referenced tokens under this Regulation should be without prejudice to the provisions of national law transposing Directive 2013/36/EU that set out procedures for the authorisation of credit institutions to provide the services listed in Annex I to that Directive.
A competent authority should refuse authorisation on objective and demonstrable grounds, including where the business model of the applicant issuer of asset-referenced tokens might pose a serious threat to market integrity, financial stability or the smooth operation of payment systems. The competent authority should consult EBA, ESMA, the ECB and, where the issuer is established in a Member State whose official currency is not the euro or where an official currency of a Member State that is not the euro is referenced by the asset-referenced token, the central bank of that Member State before granting or refusing an authorisation. Non-binding opinions of EBA and ESMA should address the classification of the crypto-asset, while the ECB and, where applicable, the central bank of the Member State concerned should provide the competent authority with an opinion on the risks to financial stability, the smooth operation of payment systems, monetary policy transmission or monetary sovereignty. The competent authorities should refuse authorisation in cases where the ECB or the central bank of a Member State gives a negative opinion on the grounds of a risk posed to the smooth operation of payment systems, monetary policy transmission, or monetary sovereignty. Where authorisation is granted to an applicant issuer of asset-referenced tokens, the crypto-asset white paper drawn up by that issuer should also be deemed approved. The authorisation by the competent authority should be valid throughout the Union and should allow the issuer of asset-referenced tokens to offer those crypto-assets on the internal market and to seek an admission to trading. In the same way, the crypto-asset white paper should also be valid for the entire Union, without any possibility for Member States to impose additional requirements.
In several cases where the ECB is consulted under this Regulation, its opinion should be binding insofar as it obliges a competent authority to refuse, withdraw or limit an authorisation of the issuer of asset-referenced tokens or to impose specific measures on the issuer of asset-referenced tokens. Article 263, first paragraph, TFEU provides that the Court of Justice of the European Union (the ‘Court of Justice’) should review the legality of acts of the ECB other than recommendations or opinions. It should be recalled, however, that it is for the Court of Justice to interpret that provision in light of the substance and effects of an opinion of the ECB.
To ensure protection of retail holders, issuers of asset-referenced tokens should always provide holders of such tokens with information that is complete, fair, clear and not misleading. Crypto-asset white papers for asset-referenced tokens should include information on the stabilisation mechanism, on the investment policy of the reserve assets, on the custody arrangements for the reserve assets and on the rights provided to holders.
In addition to the information provided in the crypto-asset white paper, issuers of asset-referenced tokens should also provide holders of such tokens with information on an ongoing basis. In particular, they should disclose on their website the amount of asset-referenced tokens in circulation and the value and composition of the reserve assets. Issuers of asset-referenced tokens should also disclose any event that has or is likely to have a significant impact on the value of the asset-referenced tokens or on the reserve assets, irrespective of whether such crypto-assets are admitted to trading.
To ensure protection of retail holders, issuers of asset-referenced tokens should always act honestly, fairly and professionally and in the best interests of the holders of asset-referenced tokens. Issuers of asset-referenced tokens should also put in place a clear procedure for handling complaints received from holders of asset-referenced tokens.
Issuers of asset-referenced tokens should put in place a policy to identify, prevent, manage and disclose conflicts of interest that can arise from their relationships with their shareholders or members, or with any shareholder or member, whether direct or indirect, that has a qualifying holding in the issuers, or with the members of their management body, their employees, holders of asset-referenced tokens or third-party service providers.
Issuers of asset-referenced tokens should have robust governance arrangements, including a clear organisational structure with well-defined, transparent and consistent lines of responsibility and effective processes to identify, manage, monitor and report the risks to which they are or to which they might be exposed. The members of the management body of such issuers should be fit and proper and should, in particular, not have been convicted of any offence in the field of money laundering or terrorist financing or of any other offence that would affect their good repute. The shareholders or members, whether direct or indirect, natural or legal persons, that have qualifying holdings in such issuers, should be of sufficiently good repute and should, in particular, not have been convicted of any offence in the field of money laundering or terrorist financing or of any other offence that would affect their good repute. Issuers of asset-referenced tokens should also employ resources proportionate to the scale of their activities and should always ensure continuity and regularity in the performance of their activities. For that purpose, issuers of asset-referenced tokens should establish a business continuity policy that aims to ensure, in the case of an interruption to their systems and procedures, the performance of their core activities related to the asset-referenced tokens. Issuers of asset-referenced tokens should also have strong internal control mechanisms and effective procedures for risk management, as well as a system that guarantees the integrity and confidentiality of information received. Those obligations aim to ensure the protection of holders of asset-referenced tokens, in particular retail holders, while not creating unnecessary barriers.
Issuers of asset-referenced tokens are usually at the centre of a network of entities that ensure the issuance of such crypto-assets, their transfer and their distribution to holders. Issuers of asset-referenced tokens should therefore be required to establish and maintain appropriate contractual arrangements with third-party entities for ensuring the stabilisation mechanism and the investment of the reserve assets backing the value of the tokens, the custody of such reserve assets and, where applicable, the distribution of the asset-referenced tokens to the public.
To address the risks to the financial stability of the wider financial system, issuers of asset-referenced tokens should be subject to own funds requirements. Those requirements should be proportionate to the issuance size of the asset-referenced tokens and therefore calculated as a percentage of the reserve of assets that back the value of the asset-referenced tokens. Competent authorities should however be able to increase the amount of own funds required based on, inter alia, the evaluation of the risk-management process and internal control mechanisms of the issuer, the quality and volatility of the reserve assets backing the asset-referenced tokens, or the aggregate value and number of transactions settled in asset-referenced tokens.
In order to cover their liability against holders of asset-referenced tokens, issuers of asset-referenced tokens should constitute and maintain a reserve of assets matching the risks reflected in such liability. The reserve of assets should be used for the benefit of the holders of the asset-referenced tokens when the issuer is not able to fulfil its obligations towards the holders, such as in insolvency. The reserve of assets should be composed and managed in such a way that market and currency risks are covered. Issuers of asset-referenced tokens should ensure the prudent management of the reserve of assets and should, in particular, ensure that the value of the reserve amounts at least to the corresponding value of tokens in circulation and that changes in the reserve are adequately managed to avoid adverse impacts on the markets of the reserve assets. Issuers of asset-referenced tokens should therefore have clear and detailed policies that describe, inter alia, the composition of the reserve of assets, the allocation of assets included therein, a comprehensive assessment of the risks raised by the reserve assets, the procedure for the issuance and redemption of the asset-referenced tokens, the procedure to increase and decrease the reserve assets and, where the reserve assets are invested, the investment policy that is followed by the issuers. Issuers of asset-referenced tokens that are marketed both in the Union and in third countries should ensure that their reserve of assets is available to cover the issuers’ liability towards Union holders. The requirement to hold the reserve of assets with firms subject to Union law should therefore apply in proportion to the share of asset-referenced tokens that is expected to be marketed in the Union.
To prevent the risk of loss for asset-referenced tokens and to preserve the value of those assets, issuers of asset-referenced tokens should have an adequate custody policy for their reserve assets. That policy should ensure that the reserve assets are fully segregated from the issuer’s own assets at all times, that the reserve assets are not encumbered or pledged as collateral, and that the issuer of asset-referenced tokens has prompt access to those reserve assets. The reserve assets should, depending on their nature, be held in custody by a crypto-asset service provider, by a credit institution authorised under Directive 2013/36/EU or by an investment firm authorised under Directive 2014/65/EU. That should not exclude the possibility of delegating the holding of the physical assets to another entity. Crypto-asset service providers, credit institutions or investment firms that act as custodians of reserve assets should be responsible for the loss of such reserve assets vis-à-vis the issuer or the holders of the asset-referenced tokens, unless they prove that such loss has arisen as a result of an external event beyond their reasonable control. Concentrations of the custodians of reserve assets should be avoided. However, in certain situations, that might not be possible due to a lack of suitable alternatives. In such cases, a temporary concentration should be deemed acceptable.
To protect holders of asset-referenced tokens against a decrease in value of the assets backing the value of the tokens, issuers of asset-referenced tokens should only invest the reserve assets in secure, low-risk assets with minimal market, concentration and credit risk. As the asset-referenced tokens could be used as a means of exchange, all profits or losses resulting from the investment of the reserve assets should be borne by the issuer of the asset-referenced tokens.
Holders of asset-referenced tokens should have a permanent right of redemption so that the issuer is required to redeem the asset-referenced tokens at any time, upon request by the holders of the asset-referenced tokens. The issuer of asset-referenced tokens should redeem either by paying an amount in funds, other than electronic money, equivalent to the market value of the assets referenced by the asset-referenced tokens, or by delivering the assets referenced by the tokens. The issuer of asset-referenced tokens should always provide the holder with the option of redeeming the asset-referenced tokens in funds other than electronic money denominated in the same official currency that the issuer accepted when selling the tokens. The issuer should provide sufficiently detailed and easily understandable information on the different forms of redemption available.
To reduce the risk that asset-referenced tokens are used as a store of value, issuers of asset-referenced tokens and crypto-asset service providers, when providing crypto-asset services related to asset-referenced tokens, should not grant interest to holders of asset-referenced tokens related to the length of time during which such holders are holding those asset-referenced tokens.
Asset-referenced tokens and e-money tokens should be deemed significant when they meet, or are likely to meet, certain criteria, including a large customer base, a high market capitalisation, or a large number of transactions. As such, they could be used by a large number of holders and their use could raise specific challenges in terms of financial stability, monetary policy transmission or monetary sovereignty. Those significant asset-referenced tokens and e-money tokens should, therefore, be subject to more stringent requirements than asset-referenced tokens or e-money tokens that are not deemed significant. In particular, issuers of significant asset-referenced tokens should be subject to higher capital requirements, to interoperability requirements and they should establish a liquidity management policy. The appropriateness of the thresholds to classify an asset-referenced token or e-money token as significant should be reviewed by the Commission as part of its review of the application of this Regulation. That review should, where appropriate, be accompanied by a legislative proposal.
A comprehensive monitoring of the entire ecosystem of issuers of asset-referenced tokens is important in order to determine the true size and impact of such tokens. To capture all transactions that are conducted in relation to any given asset-referenced token, the monitoring of such tokens therefore includes the monitoring of all transactions that are settled, whether they are settled on the distributed ledger (‘on-chain’) or outside the distributed ledger (‘off-chain’), and including transactions between clients of the same crypto-asset service provider.
It is particularly important to estimate transactions settled with asset-referenced tokens associated to uses as a means of exchange within a single currency area, namely, those associated to payments of debts including in the context of transactions with merchants. Those transactions should not include transactions associated with investment functions and services, such as a means of exchange for funds or other crypto-assets, unless there is evidence that the asset-referenced token is used for settlement of transactions in other crypto-assets. A use for settlement of transactions in other crypto-assets would be present in cases where a transaction involving two legs of crypto-assets, which are different from the asset-referenced tokens, is settled in the asset-referenced tokens. Moreover, where asset-referenced tokens are used widely as a means of exchange within a single currency area, issuers should be required to reduce the level of activity. An asset-referenced token should be considered to be used widely as a means of exchange when the average number and average aggregate value of transactions per day associated to uses as a means of exchange within a single currency area is higher than 1 million transactions and EUR 200 000 000 respectively.
Where asset-referenced tokens pose a serious threat to the smooth operation of payment systems, monetary policy transmission or monetary sovereignty, central banks should be able to request the competent authority to withdraw the authorisation of the issuer of those asset-referenced tokens. Where asset-referenced tokens pose a threat to the smooth operation of payment systems, monetary policy transmission or monetary sovereignty, central banks should be able to request the competent authority to limit the amount of those asset-referenced tokens to be issued, or to impose a minimum denomination amount.
This Regulation is without prejudice to national law regulating the use of domestic and foreign currencies in operations between residents, adopted by non-euro area Member States in exercising their prerogative of monetary sovereignty.
Issuers of asset-referenced tokens should prepare a recovery plan providing for measures to be taken by the issuer to restore compliance with the requirements applicable to the reserve of assets, including in cases where the fulfilment of requests for redemption creates temporary unbalances in the reserve of assets. The competent authority should have the power to temporarily suspend the redemption of asset-referenced tokens in order to protect the interests of the holders of the asset-referenced tokens and financial stability.
Issuers of asset-referenced tokens should have a plan for the orderly redemption of the tokens to ensure that the rights of the holders of the asset-referenced tokens are protected where the issuers are not able to comply with their obligations, including in the event of discontinuation of issuing of the asset-referenced tokens. Where the issuer of asset-referenced tokens is a credit institution or an entity falling within the scope of Directive 2014/59/EU of the European Parliament and of the Council, the competent authority should consult the responsible resolution authority. That resolution authority should be permitted to examine the redemption plan with a view to identifying any elements in it that might adversely affect the resolvability of the issuer, the resolution strategy of the issuer, or any actions foreseen in the resolution plan of the issuer, and make recommendations to the competent authority with regard to those matters. In doing so, the resolution authority should also be permitted to consider whether any changes are required to the resolution plan or the resolution strategy, in accordance with the provisions of Directive 2014/59/EU and Regulation (EU) No 806/2014 of the European Parliament and of the Council, as applicable. Such examination by the resolution authority should not affect the powers of the prudential supervisory authority or of the resolution authority, as applicable, to take crisis prevention measures or crisis management measures.
Issuers of e-money tokens should be authorised either as a credit institution under Directive 2013/36/EU or as an electronic money institution under Directive 2009/110/EC. E-money tokens should be deemed to be ‘electronic money’ as that term is defined in Directive 2009/110/EC and their issuers should, unless specified otherwise in this Regulation, comply with the relevant requirements set out in Directive 2009/110/EC for the taking up, pursuit and prudential supervision of the business of electronic money institutions and the requirements on issuance and redeemability of e-money tokens. Issuers of e-money tokens should draw up a crypto-asset white paper and notify it to their competent authority. Exemptions regarding limited networks, regarding certain transactions by providers of electronic communications networks and regarding electronic money institutions issuing only a limited maximum amount of electronic money, based on the optional exemptions specified in Directive 2009/110/EC, should also apply to e-money tokens. However, issuers of e-money tokens should still be required to draw up a crypto-asset white paper in order to inform buyers about the characteristics and risks of the e-money tokens and should also be required to notify the crypto-asset white paper to the competent authority before its publication.
Holders of e-money tokens should be provided with a claim against the issuer of the e-money tokens. Holders of e-money tokens should always be granted a right of redemption at par value for funds denominated in the official currency that the e-money token is referencing. The provisions of Directive 2009/110/EC on the possibility of charging a fee in relation to redemption are not relevant in the context of e-money tokens.
To reduce the risk that e-money tokens are used as store of value, issuers of e-money tokens and crypto-asset service providers when they provide crypto-asset services related to e-money tokens, should not grant interest to holders of e-money tokens, including interest not related to the length of time that such holders hold those e-money tokens.
The crypto-asset white paper drawn up by an issuer of e-money tokens should contain all information concerning that issuer and the offer of e-money tokens or their admission to trading that is necessary to enable prospective buyers to make an informed purchase decision and understand the risks relating to the offer of e-money tokens. The crypto-asset white paper should also expressly refer to the right of holders of e-money tokens to redeem their e-money tokens for funds denominated in the official currency that the e-money tokens reference at par value and at any time.
Where an issuer of e-money tokens invests the funds received in exchange for e-money tokens, such funds should be invested in assets denominated in the same official currency as the one that the e-money token is referencing in order to avoid cross-currency risks.
Significant e-money tokens could pose greater risks to financial stability than e-money tokens that are not significant and traditional electronic money. Issuers of significant e-money tokens that are electronic money institutions should therefore be subject to additional requirements. Such issuers of significant e-money tokens should in particular be subject to higher capital requirements than issuers of other e-money tokens, be subject to interoperability requirements and establish a liquidity management policy. They should also comply with some of the same requirements that apply to issuers of asset-referenced tokens with regard to reserve of assets, such as those on custody and investment of the reserve of assets. Those requirements for issuers of significant e-money tokens should apply instead of Articles 5 and 7 of Directive 2009/110/EC. As those provisions of Directive 2009/110/EC do not apply to credit institutions when issuing e-money, neither should the additional requirements for significant e-money tokens under this Regulation.
Issuers of e-money tokens should have in place recovery and redemption plans to ensure that the rights of the holders of the e-money tokens are protected when issuers are not able to comply with their obligations.
In most Member States, the provision of crypto-asset services is not yet regulated despite the potential risks that they pose to investor protection, market integrity and financial stability. To address such risks, this Regulation provides operational, organisational and prudential requirements at Union level applicable to crypto-asset service providers.
In order to enable effective supervision and to eliminate the possibility of evading or circumventing supervision, crypto-asset services should only be provided by legal persons that have a registered office in a Member State in which they carry out substantive business activities, including the provision of crypto-asset services. Undertakings that are not legal persons, such as commercial partnerships, should under certain conditions also be permitted to provide crypto-asset services. It is essential that providers of crypto-asset services maintain effective management of their activities in the Union in order to avoid undermining effective prudential supervision and to ensure the enforcement of requirements under this Regulation intended to ensure investor protection, market integrity and financial stability. Regular close direct contact between supervisors and the responsible management of crypto-asset service providers should be an essential element of such supervision. Crypto-asset service providers should therefore have their place of effective management in the Union, and at least one of the directors should be resident in the Union. The place of effective management means the place where the key management and commercial decisions that are necessary for the conduct of the business are taken.
This Regulation should not affect the possibility for persons established in the Union to receive crypto-asset services by a third-country firm on their own initiative. Where a third-country firm provides crypto-asset services on the own initiative of a person established in the Union, the crypto-asset services should not be deemed to be provided in the Union. Where a third-country firm solicits clients or prospective clients in the Union or promotes or advertises crypto-asset services or activities in the Union, its services should not be deemed to be crypto-asset services provided on the own initiative of the client. In such a case, the third-country firm should be authorised as a crypto-asset service provider.
Given the relatively small scale to date of crypto-asset service providers, the power to authorise and supervise such service providers should be conferred upon national competent authorities. Authorisation as a crypto-asset service provider should be granted, refused or withdrawn by the competent authority of the Member State where the entity has its registered office. Where an authorisation is granted, it should indicate the crypto-asset services for which the crypto-asset service provider is authorised and should be valid for the entire Union.
In order to ensure the continued protection of the financial system of the Union against the risks of money laundering and terrorist financing, it is necessary to ensure that crypto-asset service providers carry out increased checks on financial operations involving customers and financial institutions from third countries listed as high-risk third countries because they are jurisdictions which have strategic deficiencies in their national anti-money laundering and counter-terrorist financing regimes that pose significant threats to the financial system of the Union as referred to in Directive (EU) 2015/849 of the European Parliament and of the Council.
Certain firms subject to Union legislative acts on financial services should be allowed to provide all or some crypto-asset services without being required to obtain an authorisation as a crypto-asset service provider under this Regulation if they notify their competent authorities with certain information before providing those services for the first time. In such cases, those firms should be deemed to be crypto-asset service providers and the relevant administrative powers provided in this Regulation, including the power to suspend or prohibit certain crypto-asset services, should apply with respect to them. Those firms should be subject to all requirements applicable to crypto-asset service providers under this Regulation with the exception of authorisation requirements, own funds requirements and the approval procedure regarding shareholders and members that have qualifying holdings, as those matters are covered by the respective Union legislative acts under which they were authorised. The notification procedure for credit institutions intending to provide crypto-asset services under this Regulation should be without prejudice to the provisions of national law transposing Directive 2013/36/EU that set out procedures for the authorisation of credit institutions to provide the services listed in Annex I to that Directive.
In order to ensure consumer protection, market integrity and financial stability, crypto-asset service providers should always act honestly, fairly and professionally and in the best interests of their clients. Crypto-asset services should be deemed ‘financial services’ as defined in Directive 2002/65/EC in cases where they meet the criteria of that Directive. Where marketed at distance, the contracts between crypto-asset service providers and consumers should be subject to Directive 2002/65/EC as well, unless expressly stated otherwise in this Regulation. Crypto-asset service providers should provide their clients with information that is complete, fair, clear and not misleading and warn them about the risks associated with crypto-assets. Crypto-asset service providers should make their pricing policies public, should establish complaints-handling procedures and should have a robust policy for the identification, prevention, management and disclosure of conflicts of interest.
To ensure consumer protection, crypto-asset service providers authorised under this Regulation should comply with certain prudential requirements. Those prudential requirements should be set as a fixed amount or in proportion to the fixed overheads of crypto-asset service providers of the preceding year, depending on the types of services they provide.
Crypto-asset service providers should be subject to strong organisational requirements. The members of the management body of crypto-asset service providers should be fit and proper and should, in particular, not have been convicted of any offence in the field of money laundering or terrorist financing or of any other offence that would affect their good repute. The shareholders or members, whether direct or indirect, natural or legal persons, that have qualifying holdings in crypto-asset service providers should be of sufficiently good repute and should, in particular, not have been convicted of any offence in the field of money laundering or terrorist financing or of any other offence that would affect their good repute. In addition, where the influence exercised by shareholders and members that have qualifying holdings in crypto-asset service providers is likely to be prejudicial to the sound and prudent management of the crypto-asset service provider taking into account, amongst others, their previous activities, the risk of them engaging in illicit activities, or the influence or control by a government of a third country, competent authorities should have the power to address those risks. Crypto-asset service providers should employ management and staff with adequate knowledge, skills and expertise and should take all reasonable steps to perform their functions, including through the preparation of a business continuity plan. They should have sound internal control and risk assessment mechanisms as well as adequate systems and procedures to ensure the integrity and confidentiality of the information received. Crypto-asset service providers should have appropriate arrangements to keep records of all transactions, orders and services related to the crypto-asset services that they provide. They should also have systems in place to detect potential market abuse committed by clients.
In order to ensure protection of their clients, crypto-asset service providers should have adequate arrangements to safeguard the clients’ ownership rights with respect to the crypto-assets they hold. Where their business model requires them to hold funds as defined in Directive (EU) 2015/2366 in the form of banknotes, coins, scriptural money or electronic money belonging to their clients, crypto-asset service providers should place such funds with a credit institution or a central bank, where an account with the central bank is available. Crypto-asset service providers should be authorised to make payment transactions in connection with the crypto-asset services they offer only where they are authorised as payment institutions in accordance with that Directive.
Depending on the services they provide and due to the specific risks raised by each type of services, crypto-asset service providers should be subject to requirements specific to those services. Crypto-asset service providers providing custody and administration of crypto-assets on behalf of clients should conclude an agreement with their clients with certain mandatory provisions and should establish and implement a custody policy, which should be made available to clients upon their request in an electronic format. Such agreement should specify, inter alia, the nature of the service provided, which could include the holding of crypto-assets belonging to clients or the means of access to such crypto-assets, in which case the client might keep control of the crypto-assets in custody. Alternatively, the crypto-assets or the means of access to them could be transferred to the full control of the crypto-asset service provider. Crypto-asset service providers that hold crypto-assets belonging to clients, or the means of access to such crypto-assets, should ensure that those crypto-assets are not used for their own account. The crypto-asset service providers should ensure that all crypto-assets held are always unencumbered. Those crypto-asset service providers should also be held liable for any losses resulting from an incident related to information and communication technology (‘ICT’), including an incident resulting from a cyber-attack, theft or any malfunctions. Hardware or software providers of non-custodial wallets should not fall within the scope of this Regulation.
To ensure the orderly functioning of markets in crypto-assets, crypto-asset service providers operating a trading platform for crypto-assets should have detailed operating rules, should ensure that their systems and procedures are sufficiently resilient, should be subject to pre-trade and post-trade transparency requirements adapted to the markets in crypto-assets, and should set transparent and non-discriminatory rules, based on objective criteria, governing access to their platforms. Crypto-asset service providers operating a trading platform for crypto-assets should also have a transparent fee structure for the services provided to avoid the placing of orders that could contribute to market abuse or disorderly trading conditions. Crypto-asset service providers operating a trading platform for crypto-assets should be able to settle transactions executed on trading platforms on-chain and off-chain, and should ensure a timely settlement. The settlement of transactions should be initiated within 24 hours of a transaction being executed on the trading platform. In the case of an off-chain settlement, the settlement should be initiated on the same business day whereas in the case of an on-chain settlement, the settlement might take longer as it is not controlled by the crypto-asset service provider operating the trading platform.
To ensure consumer protection, crypto-asset service providers that exchange crypto-assets for funds or other crypto-assets by using their own capital should draw up a non-discriminatory commercial policy. They should publish either firm quotes or the methodology they are using for determining the price of the crypto-assets they wish to exchange, and they should publish any limits they wish to establish on the amount to be exchanged. They should also be subject to post-trade transparency requirements.
Crypto-asset service providers that execute orders for crypto-assets on behalf of clients should draw up an execution policy and should always aim to obtain the best possible result for their clients, including when they act as a client’s counterparty. They should take all necessary steps to avoid the misuse by their employees of information related to client orders. Crypto-asset service providers that receive orders and transmit those orders to other crypto-asset service providers should implement procedures for the prompt and proper sending of those orders. Crypto-asset service providers should not receive any monetary or non-monetary benefits for transmitting those orders to any particular trading platform for crypto-assets or any other crypto-asset service providers. They should monitor the effectiveness of their order execution arrangements and execution policy, assessing whether the execution venues included in the order execution policy provide for the best possible result for the client or whether they need to make changes to their execution arrangements, and should notify clients with whom they have an ongoing client relationship of any material changes to their order execution arrangements or execution policy.
When a crypto-asset service provider executing orders for crypto-assets on behalf of clients is the client’s counterparty, there might be similarities with the services of exchanging crypto-assets for funds or other crypto-assets. However, in exchanging crypto-assets for funds or other crypto-assets, the price for such exchanges is freely determined by the crypto-asset service provider as a currency exchange. Yet in the execution of orders for crypto-assets on behalf of clients, the crypto-asset service provider should always ensure that it obtains the best possible result for its client, including when it acts as the client’s counterparty, in line with its best execution policy. The exchange of crypto-assets for funds or other crypto-assets when made by the issuer or offeror should not be a crypto-asset service.
Crypto-asset service providers that place crypto-assets for potential holders should, before the conclusion of a contract, communicate to those persons information on how they intend to perform their service. To ensure the protection of their clients, crypto-asset service providers that are authorised for the placing of crypto-assets should have in place specific and adequate procedures to prevent, monitor, manage and disclose any conflicts of interest arising from the placing of crypto-assets with their own clients and arising where the proposed price for the placing of crypto-assets has been overestimated or underestimated. The placing of crypto-assets on behalf of an offeror should not be deemed to be a separate offer.
To ensure consumer protection, crypto-asset service providers that provide advice on crypto-assets, either at the request of a client or on their own initiative, or that provide portfolio management of crypto-assets, should make an assessment whether those crypto-asset services or crypto-assets are suitable for the clients, having regard to their clients’ experience, knowledge, objectives and ability to bear losses. Where the clients do not provide information to the crypto-asset service providers on their experience, knowledge, objectives and ability to bear losses, or it is clear that the crypto-assets are not suitable for the clients, the crypto-asset service providers should not recommend such crypto-asset services or crypto-assets to those clients, nor begin providing portfolio management of crypto-assets. When providing advice on crypto-assets, crypto-asset service providers should provide clients with a report, which should include the suitability assessment specifying the advice given and how it meets the preferences and objectives of clients. When providing portfolio management of crypto-assets, crypto-asset service providers should provide periodic statements to their clients, which should include a review of their activities and of the performance of the portfolio as well as an updated statement on the suitability assessment.
Some crypto-asset services, in particular providing custody and administration of crypto-assets on behalf of clients, the placing of crypto-assets, and transfer services for crypto-assets on behalf of clients, might overlap with payment services as defined in Directive (EU) 2015/2366.
The tools provided by issuers of electronic money to their clients to manage an e-money token might not be distinguishable from the activity of providing custody and administration services as regulated by this Regulation. Electronic money institutions should therefore be able to provide custody services, without prior authorisation under this Regulation to provide crypto-asset services, only in relation to the e-money tokens issued by them.
The activity of traditional electronic money distributors, namely, that of distributing electronic money on behalf of issuers, would amount to the activity of placing of crypto-assets for the purposes of this Regulation. However, natural or legal persons allowed to distribute electronic money under Directive 2009/110/EC should also be able to distribute e-money tokens on behalf of issuers of e-money tokens without being required to obtain prior authorisation under this Regulation to provide crypto-asset services. Such distributors should, therefore, be exempt from the requirement to seek authorisation as a crypto-asset service provider for the activity of the placing of crypto-assets.
A provider of transfer services for crypto-assets should be an entity that provides for the transfer, on behalf of a client, of crypto-assets from one distributed ledger address or account to another. Such transfer service should not include the validators, nodes or miners that might be part of confirming a transaction and updating the state of the underlying distributed ledger. Many crypto-asset service providers also offer some kind of transfer service for crypto-assets as part of, for example, the service of providing custody and administration of crypto-assets on behalf of clients, exchange of crypto-assets for funds or other crypto-assets, or execution of orders for crypto-assets on behalf of clients. Depending on the precise features of the services associated to the transfer of e-money tokens, such services could fall under the definition of payment services in Directive (EU) 2015/2366. In such cases, those transfers should be provided by an entity authorised to provide such payment services in accordance with that Directive.
This Regulation should not address the lending and borrowing of crypto-assets, including e-money tokens, and therefore should not prejudice applicable national law. The feasibility and necessity of regulating such activities should be further assessed.
It is important to ensure confidence in markets in crypto-assets and the integrity of those markets. It is therefore necessary to lay down rules to deter market abuse for crypto-assets that are admitted to trading. However, as issuers of crypto-assets and crypto-asset service providers are very often SMEs, it would be disproportionate to apply all of the provisions of Regulation (EU) No 596/2014 of the European Parliament and of the Councilto them. It is therefore necessary to lay down specific rules prohibiting certain behaviours that are likely to undermine user confidence in markets in crypto-assets and the integrity of those markets, including insider dealing, unlawful disclosure of inside information and market manipulation related to crypto-assets. Those bespoke rules on market abuse committed in relation to crypto-assets should also be applied in cases where crypto-assets are admitted to trading.
Legal certainty for participants in markets in crypto-assets should be enhanced through a characterisation of two elements essential to the specification of inside information, namely, the precise nature of that information and the significance of its potential effect on the prices of crypto-assets. Those elements should also be considered for the prevention of market abuse in the context of markets in crypto-assets and their functioning, taking into account, for instance, the use of social media, the use of smart contracts for order executions and the concentration of mining pools.
Derivatives that qualify as financial instruments as defined in Directive 2014/65/EU, and whose underlying asset is a crypto-asset, are subject to Regulation (EU) No 596/2014 when traded on a regulated market, multilateral trading facility or organised trading facility. Crypto-assets falling within the scope of this Regulation, which are underlying assets of those derivatives, should be subject to the market abuse provisions of this Regulation.
Competent authorities should be conferred with sufficient powers to supervise the issuance, offer to the public and admission to trading of crypto-assets, including asset-referenced tokens or e-money tokens, as well as to supervise crypto-asset service providers. Those powers should include the power to suspend or prohibit an offer to the public or an admission to trading of crypto-assets or the provision of a crypto-asset service, and to investigate infringements of the rules on market abuse. Issuers of crypto-assets other than asset-referenced tokens or e-money tokens should not be subject to supervision under this Regulation when the issuer is not an offeror or a person seeking admission to trading.
Competent authorities should also have the power to impose penalties on issuers, offerors or persons seeking admission to trading of crypto-assets, including asset-referenced tokens or e-money tokens, and on crypto-asset service providers. When determining the type and level of an administrative penalty or other administrative measure, competent authorities should take into account all relevant circumstances, including the gravity and the duration of the infringement and whether it was committed intentionally.
Given the cross-border nature of markets in crypto-assets, competent authorities should cooperate with each other to detect and deter any infringements of this Regulation.
To facilitate transparency regarding crypto-assets and crypto-asset service providers, ESMA should establish a register of crypto-asset white papers, issuers of asset-referenced tokens, issuers of e-money tokens and crypto-asset service providers.
Significant asset-referenced tokens can be used as a means of exchange and to make large volumes of payment transactions. Since such large volumes can pose specific risks to monetary transmission channels and monetary sovereignty, it is appropriate to assign to EBA the task of supervising the issuers of asset-referenced tokens, once such tokens have been classified as significant. Such assignment should address the very specific nature of the risks posed by asset-referenced tokens, and should not set a precedent for any other Union legislative acts on financial services.
Competent authorities in charge of supervision under Directive 2009/110/EC should supervise issuers of e-money tokens. However, given the potential widespread use of significant e-money tokens as a means of payment and the risks they can pose to financial stability, a dual supervision both by competent authorities and by EBA of issuers of significant e-money tokens is necessary. EBA should supervise the compliance by issuers of significant e-money tokens with the specific additional requirements set out in this Regulation for such tokens. Since the specific additional requirements should apply only to electronic money institutions issuing significant e-money tokens, credit institutions issuing significant e-money tokens, to which such requirements do not apply, should remain supervised by their respective competent authorities. The dual supervision should address the very specific nature of the risks posed by e-money tokens, and should not set a precedent for any other Union legislative acts on financial services.
Significant e-money tokens denominated in an official currency of a Member State other than the euro which are used as a means of exchange and in order to settle large volumes of payment transactions can, although unlikely to occur, pose specific risks to the monetary sovereignty of the Member State in whose official currency they are denominated. Where at least 80 % of the number of holders and of the volume of transactions of those significant e-money tokens are concentrated in the home Member State, the supervisory responsibilities should not be transferred to EBA.
EBA should establish a college of supervisors for each issuer of significant asset-referenced tokens and of significant e-money tokens. Since issuers of significant asset-referenced tokens and of significant e-money tokens are usually at the centre of a network of entities that ensure the issuance, transfer and distribution of such crypto-assets, the members of the college of supervisors for each issuer should therefore include, amongst others, the competent authorities of the most relevant trading platforms for crypto-assets, in cases where the significant asset-referenced tokens or the significant e-money tokens are admitted to trading, and the competent authorities of the most relevant entities and crypto-asset service providers ensuring the custody and administration of the significant asset-referenced tokens and of significant e-money tokens on behalf of holders. The college of supervisors for issuers of significant asset-referenced tokens and of significant e-money tokens should facilitate the cooperation and exchange of information among its members and should issue non-binding opinions on, amongst others, changes to the authorisation of, or supervisory measures concerning, such issuers.
To supervise issuers of significant asset-referenced tokens and of significant e-money tokens, EBA should have the powers, amongst others, to carry out on-site inspections, take supervisory measures and impose fines.
EBA should charge fees to issuers of significant asset-referenced tokens and of significant e-money tokens to cover its costs, including for overheads. For issuers of significant asset-referenced tokens, the fee should be proportionate to the size of their reserve of assets. For issuers of significant e-money tokens, the fee should be proportionate to the amount of funds received in exchange for the significant e-money tokens.
In order to ensure the effectiveness of this Regulation, the power to adopt acts in accordance with Article 290 TFEU should be delegated to the Commission in respect of further specifying technical elements of the definitions set out in this Regulation in order to adjust them to market and technological developments, further specifying certain criteria to determine whether an asset-referenced token or an e-money token should be classified as significant, determining when there is a significant investor protection concern or a threat to the proper functioning and integrity of markets in crypto-assets or to the stability of the whole or part of the financial system of the Union, further specifying the procedural rules for the exercise of the power of EBA to impose fines or periodic penalty payments, including provisions on the rights of the defence, temporal provisions, and the collection of fines or periodic penalty payments, and the limitation periods for the imposition and enforcement of fines and periodic penalty payments, and further specifying the type and amount of supervisory fees that EBA can charge to the issuers of significant asset-referenced tokens or significant e-money tokens. It is of particular importance that the Commission carry out appropriate consultations during its preparatory work, including at expert level, and that those consultations be conducted in accordance with the principles laid down in the Interinstitutional Agreement of 13 April 2016 on Better Law-Making. In particular, to ensure equal participation in the preparation of delegated acts, the European Parliament and the Council receive all documents at the same time as Member States’ experts, and their experts systematically have access to meetings of Commission expert groups dealing with the preparation of delegated acts.
In order to promote the consistent application of this Regulation across the Union, including the adequate protection of holders of crypto-assets and clients of crypto-asset service providers, in particular when they are consumers, technical standards should be developed. It is efficient and appropriate to entrust EBA and ESMA, as bodies with highly specialised expertise, with the development of draft regulatory technical standards, which do not involve policy choices, for submission to the Commission.
The Commission should be empowered to adopt regulatory technical standards developed by EBA and ESMA with regard to: the content, methodologies and presentation of information in a crypto-asset white paper on principal adverse impacts on the climate and other environment‐related adverse impacts of the consensus mechanism used to issue the crypto-asset; the procedure for approval of crypto-asset white papers submitted by credit institutions when issuing asset-referenced tokens; the information that an application for authorisation as an issuer of asset-referenced tokens should contain; the methodology to estimate the quarterly average number and average aggregate value of transactions per day associated to uses of asset-referenced tokens and e-money tokens denominated in a currency which is not an official currency of a Member State as a means of exchange in each single currency area; the requirements, templates and procedures for handling complaints of holders of asset-referenced tokens and of clients of crypto-asset service providers; the requirements for the policies and procedures to identify, prevent, manage and disclose conflicts of interest of issuers of asset-referenced tokens and the details and methodology for the content of that disclosure; the procedure and timeframe for an issuer of asset-referenced tokens and significant e-money tokens to adjust to higher own funds requirements, the criteria for requiring higher own funds, the minimum requirements for the design of stress testing programmes; the liquidity requirements for the reserve of assets; the financial instruments into which the reserve of assets can be invested; detailed content of information necessary to carry out the assessment of the proposed acquisition of the qualifying holding in an issuer of asset-referenced tokens; requirements for additional obligations for issuers of significant asset-referenced tokens; the information that credit institutions, central securities depositories, investment firms, market operators, electronic money institutions, UCITS management companies and alternative investment fund managers who intend to provide crypto-asset services notify to competent authorities; the information that an application for the authorisation of crypto-asset service provider contains; the content, methodologies and presentation of information that the crypto-assets service provider makes publicly available and that is related to principal adverse impacts on the climate and other environment-related adverse impacts of the consensus mechanism used to issue each crypto-asset in relation to which they provide services; measures ensuring continuity and regularity in the performance of the crypto-asset services and the records to be kept of all crypto-asset services, orders and transactions that they undertake; the requirements for the policies to identify, prevent, manage and disclose conflicts of interest of crypto-asset service providers and the details and methodology for the content of that disclosure; the manner in which transparency data of the operator of a trading platform is to be offered and the content and format of order book records regarding the trading platform; the detailed content of the information necessary to carry out the assessment of the proposed acquisition of the qualifying holding in a crypto-asset service provider; the appropriate arrangements, systems and procedures for monitoring and detecting market abuse; the notification template for reporting suspicions of market abuse and coordination procedures between the relevant competent authorities for the detection of market abuse; the information to be exchanged between the competent authorities; a template document for cooperation arrangements between the competent authorities of Member States and supervisory authorities of third countries; the data necessary for the classification of crypto-asset white papers in ESMA’s register and the practical arrangements to ensure that such data is machine-readable; the conditions under which certain members of college of supervisors for issuers of significant asset-referenced tokens and issuers of significant e-money tokens are to be considered most relevant in their category; and the conditions under which it is considered that asset-referenced tokens or e-money tokens are used at a large scale for the purposes of qualifying certain members of that college and details of the practical arrangements for the functioning of that college. The Commission should adopt those regulatory technical standards by means of delegated acts pursuant to Article 290 TFEU and in accordance with Articles 10 to 14 of Regulations (EU) No 1093/2010 and of (EU) No 1095/2010, respectively.
The Commission should be empowered to adopt implementing technical standards developed by EBA and ESMA, with regard to: establishing standard forms, formats and templates for crypto-asset white papers; establishing standard forms, templates and procedures to transmit information for the purposes of the application for authorisation as an issuer of asset-referenced tokens; establishing standard forms, formats and templates for the purposes of reporting on asset-referenced tokens and e-money tokens denominated in a currency which is not an official currency of a Member State that are issued with a value higher than EUR 100 000 000; establishing standard forms, templates and procedures for the notification of information to competent authorities by credit institutions, central securities depositories, investment firms, market operators, electronic money institutions, UCITS management companies and alternative investment fund managers who intend to provide crypto-asset services; establishing standard forms, templates and procedures for the application for authorisation as crypto-asset service providers; determining the technical means for public disclosure of inside information and for delaying the public disclosure of inside information; and establishing standard forms, templates and procedures for the cooperation and exchange of information between competent authorities and between competent authorities, EBA and ESMA. The Commission should adopt those implementing technical standards by means of implementing acts pursuant to Article 291 TFEU and in accordance with Article 15 of Regulation (EU) No 1093/2010 and Article 15 of Regulation (EU) No 1095/2010.
Since the objectives of this Regulation, namely addressing the fragmentation of the legal framework applicable to offerors or persons seeking the admission to trading of crypto-assets other than asset-referenced tokens and e-money tokens, to issuers of asset-referenced tokens and e-money tokens and to crypto-asset service providers, and ensuring the proper functioning of markets in crypto-assets while ensuring the protection of holders of crypto-assets and clients of crypto-asset service providers, in particular retail holders, as well as the protection of market integrity and financial stability, cannot be sufficiently achieved by the Member States but can rather, by creating a framework on which a larger cross-border market in crypto-assets and crypto-asset service providers could develop, be better achieved at Union level, the Union may adopt measures, in accordance with the principle of subsidiarity as set out in Article 5 of the Treaty on European Union. In accordance with the principle of proportionality as set out in that Article, this Regulation does not go beyond what is necessary in order to achieve those objectives.
In order to avoid disrupting market participants that provide services and activities in relation to crypto-assets other than asset-referenced tokens and e-money tokens that have been issued before the date of application of this Regulation, issuers of such crypto-assets should be exempt from the obligation to publish a crypto-asset white paper and certain other requirements of this Regulation. However, certain obligations should apply when such crypto-assets were admitted to trading before the date of application of this Regulation. In order to avoid disruption to existing market participants, transitional provisions are necessary for issuers of asset-referenced tokens that were in operation at the time of entry into application of this Regulation.
Since the national regulatory frameworks applicable to crypto-asset service providers before the entry into application of this Regulation differ among Member States, it is essential that those Member States that do not, at present, have in place strong prudential requirements for crypto-asset service providers currently operating under their regulatory frameworks have the possibility of requiring such crypto-asset service providers to be subject to stricter requirements than those under the national regulatory frameworks. In such cases, Member States should be permitted to not apply, or to reduce, the 18-month transitional period that would otherwise allow crypto-asset service providers to provide services based on their existing national regulatory framework. Such an option for Member States should not set a precedent for any other Union legislative acts on financial services.
Whistleblowers should be able to bring new information to the attention of competent authorities that helps them in detecting infringements of this Regulation and imposing penalties. This Regulation should therefore ensure that adequate arrangements are in place to enable whistleblowers to alert competent authorities to actual or potential infringements of this Regulation and to protect them from retaliation. That should be done by amending Directive (EU) 2019/1937 of the European Parliament and of the Councilin order to make it applicable to infringements of this Regulation.
Given that EBA should be mandated with the direct supervision of issuers of significant asset-referenced tokens and of significant e-money tokens, and ESMA should be mandated to make use of its powers in relation to significant crypto-asset service providers, it is necessary to ensure that EBA and ESMA are able to exercise all of their powers and tasks in order to fulfil their objectives of protecting the public interest by contributing to the short-, medium- and long-term stability and effectiveness of the financial system for the Union economy, its citizens and businesses and to ensure that issuers of crypto-assets and crypto-asset service providers are covered by Regulations (EU) No 1093/2010 and (EU) No 1095/2010. Those Regulations should therefore be amended accordingly.
The issuance, offer or seeking of admission to trading of crypto-assets and the provision of crypto-asset services could involve the processing of personal data. Any processing of personal data under this Regulation should be carried out in accordance with applicable Union law on the protection of personal data. This Regulation is without prejudice to the rights and obligations under Regulation (EU) 2016/679 of the European Parliament and of the Counciland Regulation (EU) 2018/1725 of the European Parliament and of the Council.
The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 and delivered an opinion on 24 June 2021.
The date of application of this Regulation should be deferred in order to allow for the adoption of regulatory technical standards, implementing technical standards and delegated acts that are necessary to further specify certain elements of this Regulation,
HAVE ADOPTED THIS REGULATION:
This Regulation lays down uniform requirements for the offer to the public and admission to trading on a trading platform of crypto-assets other than asset-referenced tokens and e-money tokens, of asset-referenced tokens and of e-money tokens, as well as requirements for crypto-asset service providers.
In particular, this Regulation lays down the following:
(a) transparency and disclosure requirements for the issuance, offer to the public and admission of crypto-assets to trading on a trading platform for crypto-assets (‘admission to trading’);
(b) requirements for the authorisation and supervision of crypto-asset service providers, issuers of asset-referenced tokens and issuers of e-money tokens, as well as for their operation, organisation and governance;
(c) requirements for the protection of holders of crypto-assets in the issuance, offer to the public and admission to trading of crypto-assets;
(d) requirements for the protection of clients of crypto-asset service providers;
(e) measures to prevent insider dealing, unlawful disclosure of inside information and market manipulation related to crypto-assets, in order to ensure the integrity of markets in crypto-assets.
This Regulation applies to natural and legal persons and certain other undertakings that are engaged in the issuance, offer to the public and admission to trading of crypto-assets or that provide services related to crypto-assets in the Union.
This Regulation does not apply to:
(a) persons who provide crypto-asset services exclusively for their parent companies, for their own subsidiaries or for other subsidiaries of their parent companies;
(b) a liquidator or an administrator acting in the course of an insolvency procedure, except for the purposes of Article 47;
(c) the ECB, central banks of the Member States when acting in their capacity as monetary authorities, or other public authorities of the Member States;
(d) the European Investment Bank and its subsidiaries;
(e) the European Financial Stability Facility and the European Stability Mechanism;
(f) public international organisations.
This Regulation does not apply to crypto-assets that are unique and not fungible with other crypto-assets.
This Regulation does not apply to crypto-assets that qualify as one or more of the following:
(a) financial instruments;
(b) deposits, including structured deposits;
(c) funds, except if they qualify as e-money tokens;
(d) securitisation positions in the context of a securitisation as defined in Article 2, point (1), of Regulation (EU) 2017/2402;
(e) non-life or life insurance products falling within the classes of insurance listed in Annexes I and II to Directive 2009/138/EC of the European Parliament and of the Councilor reinsurance and retrocession contracts referred to in that Directive;
(f) pension products that, under national law, are recognised as having the primary purpose of providing the investor with an income in retirement and that entitle the investor to certain benefits;
(g) officially recognised occupational pension schemes falling within the scope of Directive (EU) 2016/2341 of the European Parliament and of the Councilor Directive 2009/138/EC;
(h) individual pension products for which a financial contribution from the employer is required by national law and where the employer or the employee has no choice as to the pension product or provider;
(i) a pan-European Personal Pension Product as defined in Article 2, point (2), of Regulation (EU) 2019/1238 of the European Parliament and of the Council;
(j) social security schemes covered by Regulations (EC) No 883/2004and (EC) No 987/2009 of the European Parliament and of the Council.
By 30 December 2024, ESMA shall, for the purposes of paragraph 4, point (a), of this Article issue guidelines in accordance with Article 16 of Regulation (EU) No 1095/2010 on the conditions and criteria for the qualification of crypto-assets as financial instruments.
This Regulation shall be without prejudice to Regulation (EU) No 1024/2013.
For the purposes of this Regulation, the following definitions apply:
‘distributed ledger technology’ or ‘DLT’ means a technology that enables the operation and use of distributed ledgers;
‘distributed ledger’ means an information repository that keeps records of transactions and that is shared across, and synchronised between, a set of DLT network nodes using a consensus mechanism;
‘consensus mechanism’ means the rules and procedures by which an agreement is reached, among DLT network nodes, that a transaction is validated;
‘DLT network node’ means a device or process that is part of a network and that holds a complete or partial replica of records of all transactions on a distributed ledger;
‘crypto-asset’ means a digital representation of a value or of a right that is able to be transferred and stored electronically using distributed ledger technology or similar technology;
‘asset-referenced token’ means a type of crypto-asset that is not an electronic money token and that purports to maintain a stable value by referencing another value or right or a combination thereof, including one or more official currencies;
‘electronic money token’ or ‘e-money token’ means a type of crypto-asset that purports to maintain a stable value by referencing the value of one official currency;
‘official currency’ means an official currency of a country that is issued by a central bank or other monetary authority;
‘utility token’ means a type of crypto-asset that is only intended to provide access to a good or a service supplied by its issuer;
‘issuer’ means a natural or legal person, or other undertaking, who issues crypto-assets;
‘applicant issuer’ means an issuer of asset-referenced tokens or e-money tokens who applies for authorisation to offer to the public or seeks the admission to trading of those crypto-assets;
‘offer to the public’ means a communication to persons in any form, and by any means, presenting sufficient information on the terms of the offer and the crypto-assets to be offered so as to enable prospective holders to decide whether to purchase those crypto-assets;
‘offeror’ means a natural or legal person, or other undertaking, or the issuer, who offers crypto-assets to the public;
‘funds’ means funds as defined in Article 4, point (25), of Directive (EU) 2015/2366;
‘crypto-asset service provider’ means a legal person or other undertaking whose occupation or business is the provision of one or more crypto-asset services to clients on a professional basis, and that is allowed to provide crypto-asset services in accordance with Article 59;
‘crypto-asset service’ means any of the following services and activities relating to any crypto-asset:
(a) providing custody and administration of crypto-assets on behalf of clients;
(b) operation of a trading platform for crypto-assets;
(c) exchange of crypto-assets for funds;
(d) exchange of crypto-assets for other crypto-assets;
(e) execution of orders for crypto-assets on behalf of clients;
(f) placing of crypto-assets;
(g) reception and transmission of orders for crypto-assets on behalf of clients;
(h) providing advice on crypto-assets;
(i) providing portfolio management on crypto-assets;
(j) providing transfer services for crypto-assets on behalf of clients;
‘providing custody and administration of crypto-assets on behalf of clients’ means the safekeeping or controlling, on behalf of clients, of crypto-assets or of the means of access to such crypto-assets, where applicable in the form of private cryptographic keys;
‘operation of a trading platform for crypto-assets’ means the management of one or more multilateral systems, which bring together or facilitate the bringing together of multiple third-party purchasing and selling interests in crypto-assets, in the system and in accordance with its rules, in a way that results in a contract, either by exchanging crypto-assets for funds or by the exchange of crypto-assets for other crypto-assets;
‘exchange of crypto-assets for funds’ means the conclusion of purchase or sale contracts concerning crypto-assets with clients for funds by using proprietary capital;
‘exchange of crypto-assets for other crypto-assets’ means the conclusion of purchase or sale contracts concerning crypto-assets with clients for other crypto-assets by using proprietary capital;
‘execution of orders for crypto-assets on behalf of clients’ means the conclusion of agreements, on behalf of clients, to purchase or sell one or more crypto-assets or the subscription on behalf of clients for one or more crypto-assets, and includes the conclusion of contracts to sell crypto-assets at the moment of their offer to the public or admission to trading;
‘placing of crypto-assets’ means the marketing, on behalf of or for the account of the offeror or a party related to the offeror, of crypto-assets to purchasers;
‘reception and transmission of orders for crypto-assets on behalf of clients’ means the reception from a person of an order to purchase or sell one or more crypto-assets or to subscribe for one or more crypto-assets and the transmission of that order to a third party for execution;
‘providing advice on crypto-assets’ means offering, giving or agreeing to give personalised recommendations to a client, either at the client’s request or on the initiative of the crypto-asset service provider providing the advice, in respect of one or more transactions relating to crypto-assets, or the use of crypto-asset services;
‘providing portfolio management of crypto-assets’ means managing portfolios in accordance with mandates given by clients on a discretionary client-by-client basis where such portfolios include one or more crypto-assets;
‘providing transfer services for crypto-assets on behalf of clients’ means providing services of transfer, on behalf of a natural or legal person, of crypto-assets from one distributed ledger address or account to another;
‘management body’ means the body or bodies of an issuer, offeror or person seeking admission to trading, or of a crypto-asset service provider, which are appointed in accordance with national law, which are empowered to set the entity’s strategy, objectives and overall direction, and which oversee and monitor management decision-making in the entity and include the persons who effectively direct the business of the entity;
‘credit institution’ means a credit institution as defined in Article 4(1), point (1), of Regulation (EU) No 575/2013 and authorised under Directive 2013/36/EU;
‘investment firm’ means an investment firm as defined in Article 4(1), point (2), of Regulation (EU) No 575/2013 and authorised under Directive 2014/65/EU;
‘qualified investors’ means persons or entities that are listed in Section I, points (1) to (4), of Annex II to Directive 2014/65/EU;
‘close links’ means close links as defined in Article 4(1), point (35), of Directive 2014/65/EU;
‘reserve of assets’ means the basket of reserve assets securing the claim against the issuer;
‘home Member State’ means:
(a) where the offeror or person seeking admission to trading of crypto-assets other than asset-referenced tokens or e-money tokens has its registered office in the Union, the Member State where that offeror or person has its registered office;
(b) where the offeror or person seeking admission to trading of crypto-assets other than asset-referenced tokens or e-money tokens has no registered office in the Union but does have one or more branches in the Union, the Member State chosen by that offeror or person from among the Member States where it has branches;
(c) where the offeror or person seeking admission to trading of crypto-assets other than asset-referenced tokens or e-money tokens is established in a third country and has no branch in the Union, either the Member State where the crypto-assets are intended to be offered to the public for the first time or, at the choice of the offeror or person seeking admission to trading, the Member State where the first application for admission to trading of those crypto-assets is made;
(d) in the case of an issuer of asset-referenced tokens, the Member State where the issuer of asset-referenced tokens has its registered office;
(e) in the case of an issuer of e-money tokens, the Member State where the issuer of e-money tokens is authorised as a credit institution under Directive 2013/36/EU or as an electronic money institution under Directive 2009/110/EC;
(f) in the case of crypto-asset service providers, the Member State where the crypto-asset service provider has its registered office;
‘host Member State’ means the Member State where an offeror or person seeking admission to trading has made an offer to the public of crypto-assets or is seeking admission to trading, or where a crypto-asset service provider provides crypto-asset services, where different from the home Member State;
‘competent authority’ means one or more authorities:
(a) designated by each Member State in accordance with Article 93 concerning offerors, persons seeking admission to trading of crypto-assets other than asset-referenced tokens and e-money tokens, issuers of asset-referenced tokens, or crypto-asset service providers;
(b) designated by each Member State for the application of Directive 2009/110/EC concerning issuers of e-money tokens;
‘qualifying holding’ means any direct or indirect holding in an issuer of asset-referenced tokens or in a crypto-asset service provider which represents at least 10 % of the capital or of the voting rights, as set out in Articles 9 and 10 of Directive 2004/109/EC of the European Parliament and of the Council, respectively, taking into account the conditions for the aggregation thereof laid down in Article 12(4) and (5) of that Directive, or which makes it possible to exercise a significant influence over the management of the issuer of asset-referenced tokens or the management of the crypto-asset service provider in which that holding subsists;
‘retail holder’ means any natural person who is acting for purposes which are outside that person’s trade, business, craft or profession;
‘online interface’ means any software, including a website, part of a website or an application, that is operated by or on behalf of an offeror or crypto-asset service provider, and which serves to give holders of crypto-assets access to their crypto-assets and to give clients access to crypto-asset services;
‘client’ means any natural or legal person to whom a crypto-asset service provider provides crypto-asset services;
‘matched principal trading’ means matched principal trading as defined in Article 4(1), point (38), of Directive 2014/65/EU;
‘payment services’ means payment services as defined in Article 4, point (3), of Directive (EU) 2015/2366;
‘payment service provider’ means a payment service provider as defined in Article 4, point (11), of Directive (EU) 2015/2366;
‘electronic money institution’ means an electronic money institution as defined in Article 2, point (1), of Directive 2009/110/EC;
‘electronic money’ means electronic money as defined in Article 2, point (2), of Directive 2009/110/EC;
‘personal data’ means personal data as defined in Article 4, point (1), of Regulation (EU) 2016/679;
‘payment institution’ means a payment institution as defined in Article 4, point (4), of Directive (EU) 2015/2366;
‘UCITS management company’ means a management company as defined in Article 2(1), point (b), of Directive 2009/65/EC of the European Parliament and of the Council;
‘alternative investment fund manager’ means an AIFM as defined in Article 4(1), point (b), of Directive 2011/61/EU of the European Parliament and of the Council;
‘financial instrument’ means financial instruments as defined in Article 4(1), point (15), of Directive 2014/65/EU;
‘deposit’ means a deposit as defined in Article 2(1), point (3), of Directive 2014/49/EU;
‘structured deposit’ means a structured deposit as defined in Article 4(1), point (43), of Directive 2014/65/EU.
The Commission shall adopt delegated acts in accordance with Article 139 to supplement this Regulation by further specifying technical elements of the definitions laid down in paragraph 1 of this Article, and to adjust those definitions to market developments and technological developments.
(a) is a legal person;
(b) has drawn up a crypto-asset white paper in respect of that crypto-asset in accordance with Article 6;
(c) has notified the crypto-asset white paper in accordance with Article 8;
(d) has published the crypto-asset white paper in accordance with Article 9;
(e) has drafted the marketing communications, if any, in respect of that crypto-asset in accordance with Article 7;
(f) has published the marketing communications, if any, in respect of that crypto-asset in accordance with Article 9;
(g) complies with the requirements for offerors laid down in Article 14.
(a) an offer to fewer than 150 natural or legal persons per Member State where such persons are acting on their own account;
(b) over a period of 12 months, starting with the beginning of the offer, the total consideration of an offer to the public of a crypto-asset in the Union does not exceed EUR 1 000 000, or the equivalent amount in another official currency or in crypto-assets;
(c) an offer of a crypto-asset addressed solely to qualified investors where the crypto-asset can only be held by such qualified investors.
(a) the crypto-asset is offered for free;
(b) the crypto-asset is automatically created as a reward for the maintenance of the distributed ledger or the validation of transactions;
(c) the offer concerns a utility token providing access to a good or service that exists or is in operation;
(d) the holder of the crypto-asset has the right to use it only in exchange for goods and services in a limited network of merchants with contractual arrangements with the offeror.
For the purposes of point (a) of the first subparagraph, a crypto-asset shall not be considered to be offered for free where purchasers are required to provide, or to undertake to provide, personal data to the offeror in exchange for that crypto-asset, or where the offeror of a crypto-asset receives from prospective holders of that crypto-asset any fees, commissions, or monetary or non-monetary benefits in exchange for that crypto-asset.
Where, for each 12-month period starting from the beginning of the initial offer to the public, the total consideration of an offer to the public of a crypto-asset in the circumstances referred to in the first subparagraph, point (d), in the Union exceeds EUR 1 000 000, the offeror shall send a notification to the competent authority containing a description of the offer and explaining why the offer is exempt from this Title pursuant to the first subparagraph, point (d).
Based on the notification referred to in the third subparagraph, the competent authority shall take a duly justified decision where it considers that the activity does not qualify for an exemption as a limited network under the first subparagraph, point (d), and shall inform the offeror accordingly.
The exemptions listed in paragraphs 2 and 3 shall not apply where the offeror, or another person acting on the offeror’s behalf, makes known in any communication its intention to seek admission to trading of a crypto-asset other than an asset-referenced token or e-money token.
Authorisation as a crypto-asset service provider pursuant to Article 59 is not required for providing custody and administration of crypto-assets on behalf of clients or for providing transfer services for crypto-assets in relation to crypto-assets whose offers to the public are exempt pursuant to paragraph 3 of this Article, unless:
(a) there exists another offer to the public of the same crypto-asset and that offer does not benefit from the exemption; or
(b) the crypto-asset offered is admitted to a trading platform.
Where the offer to the public of the crypto-asset other than an asset-referenced token or e-money token concerns a utility token providing access to goods and services that do not yet exist or are not yet in operation, the duration of the offer to the public as described in the crypto-asset white paper shall not exceed 12 months from the date of publication of the crypto-asset white paper.
Any subsequent offer to the public of the crypto-asset other than an asset-referenced token or e-money token shall be deemed a separate offer to the public to which the requirements of paragraph 1 apply, without prejudice to the possible application of paragraph 2 or 3 to the subsequent offer to the public.
No additional crypto-asset white paper shall be required for any subsequent offer to the public of the crypto-asset other than an asset-referenced token or e-money token so long as a crypto-asset white paper has been published in accordance with Articles 9 and 12, and the person responsible for drawing up such white paper consents to its use in writing.
(a) is a legal person;
(b) has drawn up a crypto-asset white paper in respect of that crypto-asset in accordance with Article 6;
(c) has notified the crypto-asset white paper in accordance with Article 8;
(d) has published the crypto-asset white paper in accordance with Article 9;
(e) has drafted the marketing communications, if any, in respect of that crypto-asset in accordance with Article 7;
(f) has published the marketing communications, if any, in respect of that crypto-asset in accordance with Article 9;
(g) complies with the requirements for persons seeking admission to trading laid down in Article 14.
When a crypto-asset is admitted to trading on the initiative of the operator of a trading platform and a crypto-asset white paper has not been published in accordance with Article 9 in the cases required by this Regulation, the operator of that trading platform for crypto-assets shall comply with the requirements set out in paragraph 1 of this Article.
By way of derogation from paragraph 1, a person seeking admission to trading of a crypto-asset other than an asset-referenced token or e-money token and the respective operator of the trading platform may agree in writing that it shall be the operator of the trading platform who is required to comply with all or part of the requirements referred to in paragraph 1, points (b) to (g).
The agreement in writing referred to in the first subparagraph of this paragraph shall clearly state that the person seeking admission to trading is required to provide the operator of the trading platform with all necessary information to enable that operator to satisfy the requirements referred to in paragraph 1, points (b) to (g), as applicable.
(a) the crypto-asset is already admitted to trading on another trading platform for crypto-assets in the Union; and
(b) the crypto-asset white paper is drawn up in accordance with Article 6, updated in accordance with Article 12, and the person responsible for drawing up such white paper consents to its use in writing.
(a) information about the offeror or the person seeking admission to trading;
(b) information about the issuer, if different from the offeror or person seeking admission to trading;
(c) information about the operator of the trading platform in cases where it draws up the crypto-asset white paper;
(d) information about the crypto-asset project;
(e) information about the offer to the public of the crypto-asset or its admission to trading;
(f) information about the crypto-asset;
(g) information on the rights and obligations attached to the crypto-asset;
(h) information on the underlying technology;
(i) information on the risks;
(j) information on the principal adverse impacts on the climate and other environment-related adverse impacts of the consensus mechanism used to issue the crypto-asset.
In cases where the crypto-asset white paper is not drawn up by the persons referred to in the first subparagraph, points (a), (b) and (c), the crypto-asset white paper shall also include the identity of the person that drew up the crypto-asset white paper and the reason why that particular person drew it up.
All of the information listed in paragraph 1 shall be fair, clear and not misleading. The crypto-asset white paper shall not contain material omissions and shall be presented in a concise and comprehensible form.
The crypto-asset white paper shall contain the following clear and prominent statement on the first page:
‘This crypto-asset white paper has not been approved by any competent authority in any Member State of the European Union. The offeror of the crypto-asset is solely responsible for the content of this crypto-asset white paper.’.
Where the crypto-asset white paper is drawn up by the person seeking admission to trading or by an operator of a trading platform, then, instead of ‘offeror’, a reference to ‘person seeking admission to trading’ or ‘operator of the trading platform’ shall be included in the statement referred to in the first subparagraph.
The crypto-asset white paper shall not contain any assertions as regards the future value of the crypto-asset, other than the statement referred to in paragraph 5.
The crypto-asset white paper shall contain a clear and unambiguous statement that:
(a) the crypto-asset may lose its value in part or in full;
(b) the crypto-asset may not always be transferable;
(c) the crypto-asset may not be liquid;
(d) where the offer to the public concerns a utility token, that utility token may not be exchangeable against the good or service promised in the crypto-asset white paper, especially in the case of a failure or discontinuation of the crypto-asset project;
(e) the crypto-asset is not covered by the investor compensation schemes under Directive 97/9/EC of the European Parliament and of the Council;
(f) the crypto-asset is not covered by the deposit guarantee schemes under Directive 2014/49/EU.
The crypto-asset white paper shall contain a statement from the management body of the offeror, the person seeking admission to trading or the operator of the trading platform. That statement, which shall be inserted after the statement referred to in paragraph 3, shall confirm that the crypto-asset white paper complies with this Title and that, to the best of the knowledge of the management body, the information presented in the crypto-asset white paper is fair, clear and not misleading and the crypto-asset white paper makes no omission likely to affect its import.
The crypto-asset white paper shall contain a summary, inserted after the statement referred to in paragraph 6, which shall in brief and non-technical language provide key information about the offer to the public of the crypto-asset or the intended admission to trading. The summary shall be easily understandable and presented and laid out in a clear and comprehensive format, using characters of readable size. The summary of the crypto-asset white paper shall provide appropriate information about the characteristics of the crypto-asset concerned in order to help prospective holders of the crypto-asset to make an informed decision.
The summary shall contain a warning that:
(a) it should be read as an introduction to the crypto-asset white paper;
(b) the prospective holder should base any decision to purchase the crypto-asset on the content of the crypto-asset white paper as a whole and not on the summary alone;
(c) the offer to the public of the crypto-asset does not constitute an offer or solicitation to purchase financial instruments and that any such offer or solicitation can be made only by means of a prospectus or other offer documents pursuant to the applicable national law;
(d) the crypto-asset white paper does not constitute a prospectus as referred to in Regulation (EU) 2017/1129 of the European Parliament and of the Councilor any other offer document pursuant to Union or national law.
The crypto-asset white paper shall contain the date of its notification and a table of contents.
The crypto-asset white paper shall be drawn up in an official language of the home Member State, or in a language customary in the sphere of international finance.
Where the crypto-asset is also offered in a Member State other than the home Member State, the crypto-asset white paper shall also be drawn up in an official language of the host Member State, or in a language customary in the sphere of international finance.
The crypto-asset white paper shall be made available in a machine-readable format.
ESMA, in cooperation with EBA, shall develop draft implementing technical standards to establish standard forms, formats and templates for the purposes of paragraph 10.
ESMA shall submit the draft implementing technical standards referred to in the first subparagraph to the Commission by 30 June 2024.
Power is conferred on the Commission to adopt the implementing technical standards referred to in the first subparagraph in accordance with Article 15 of Regulation (EU) No 1095/2010.
When developing the draft regulatory technical standards referred to in the first subparagraph, ESMA shall consider the various types of consensus mechanisms used to validate transactions in crypto-assets, their incentive structures and the use of energy, renewable energy and natural resources, the production of waste and greenhouse gas emissions. ESMA shall update those regulatory technical standards in the light of regulatory and technological developments.
ESMA shall submit the draft regulatory technical standards referred to in the first subparagraph to the Commission by 30 June 2024.
Power is delegated to the Commission to supplement this Regulation by adopting the regulatory technical standards referred to in the first subparagraph of this paragraph in accordance with Articles 10 to 14 of Regulation (EU) No 1095/2010.
(a) the marketing communications are clearly identifiable as such;
(b) the information in the marketing communications is fair, clear and not misleading;
(c) the information in the marketing communications is consistent with the information in the crypto-asset white paper, where such crypto-asset white paper is required pursuant to Article 4 or 5;
(d) the marketing communications clearly state that a crypto-asset white paper has been published and clearly indicate the address of the website of the offeror, the person seeking admission to trading, or the operator of the trading platform for the crypto-asset concerned, as well as a telephone number and an email address to contact that person;
(e) the marketing communications contain the following clear and prominent statement:
‘This crypto-asset marketing communication has not been reviewed or approved by any competent authority in any Member State of the European Union. The offeror of the crypto-asset is solely responsible for the content of this crypto-asset marketing communication.’.
Where the marketing communication is prepared by the person seeking admission to trading or the operator of a trading platform, then, instead of ‛offeror’, a reference to ‘person seeking admission to trading’ or ‘operator of the trading platform’ shall be included in the statement referred to in the first subparagraph, point (e).
Where a crypto-asset white paper is required pursuant to Article 4 or 5, no marketing communications shall be disseminated prior to the publication of the crypto-asset white paper. The ability of the offeror, the person seeking admission to trading or the operator of a trading platform, to conduct market soundings shall not be affected.
The competent authority of the Member State where the marketing communications are disseminated shall have the power to assess compliance with paragraph 1 in respect of those marketing communications.
Where necessary, the competent authority of the home Member State shall assist the competent authority of the Member State where the marketing communications are disseminated with assessing the consistency of the marketing communications with the information in the crypto-asset white paper.
Offerors, persons seeking admission to trading, or operators of trading platforms for crypto-assets other than asset-referenced tokens or e-money tokens shall notify their crypto-asset white paper to the competent authority of their home Member State.
Marketing communications shall, upon request, be notified to the competent authority of the home Member State and to the competent authority of the host Member State, when addressing prospective holders of crypto-assets other than asset-referenced tokens or e-money tokens in those Member States.
Competent authorities shall not require prior approval of crypto-asset white papers, nor of any marketing communications relating thereto, before their respective publication.
The notification of the crypto-asset white paper referred to in paragraph 1 shall be accompanied by an explanation of why the crypto-asset described in the crypto-asset white paper should not be considered to be:
(a) a crypto-asset excluded from the scope of this Regulation pursuant to Article 2(4);
(b) an e-money token; or
(c) an asset-referenced token.
The elements referred in paragraphs 1 and 4 shall be notified to the competent authority of the home Member State at least 20 working days before the date of publication of the crypto-asset white paper.
Offerors and persons seeking admission to trading of crypto-assets other than asset-referenced tokens or e-money tokens shall, together with the notification referred to in paragraph 1, provide the competent authority of their home Member State with a list of the host Member States, if any, where they intend to offer their crypto-assets to the public or intend to seek admission to trading. They shall also inform the competent authority of their home Member State of the starting date of the intended offer to the public or intended admission to trading and of any change to that date.
The competent authority of the home Member State shall notify the single point of contact of the host Member States of the intended offer to the public or the intended admission to trading and communicate to that single point of contact the corresponding crypto-asset white paper within five working days of receipt of the list of host Member States referred to in the first subparagraph.
ESMA shall make the crypto-asset white paper available in the register, under Article 109(2), by the starting date of the offer to the public or admission to trading.
Offerors and persons seeking admission to trading of crypto-assets other than asset-referenced tokens or e-money tokens shall publish their crypto-asset white papers and, where applicable, their marketing communications, on their website, which shall be publicly accessible, at a reasonable time in advance of, and in any event before the starting date of, the offer to the public of those crypto-assets or the admission to trading of those crypto-assets. The crypto-asset white papers and, where applicable, the marketing communications, shall remain available on the website of the offerors or persons seeking admission trading for as long as the crypto-assets are held by the public.
The published crypto-asset white papers and, where applicable, the marketing communications, shall be identical to the version notified to the competent authority in accordance with Article 8 or, where applicable, to the version modified in accordance with Article 12.
Offerors of crypto-assets other than asset-referenced tokens or e-money tokens that set a time limit on their offer to the public of those crypto-assets shall publish on their website the result of the offer to the public within 20 working days of the end of the subscription period.
Offerors of crypto-assets other than asset-referenced tokens or e-money tokens that do not set a time limit on their offer to the public of those crypto-assets shall publish on their website on an ongoing basis, at least monthly, the number of units of the crypto-assets in circulation.
Offerors of crypto-assets other than asset-referenced tokens or e-money tokens that set a time limit on their offer to the public of crypto-assets shall have effective arrangements in place to monitor and safeguard the funds or other crypto-assets raised during the offer to the public. For that purpose, those offerors shall ensure that the funds or crypto-assets collected during the offer to the public are kept in custody by one or both of the following:
(a) a credit institution, where funds are raised during the offer to the public;
(b) a crypto-asset service provider providing custody and administration of crypto-assets on behalf of clients.
After publication of the crypto-asset white paper in accordance with Article 9 and, where applicable, of the modified crypto-asset white paper in accordance with Article 12, offerors may offer crypto-assets other than asset-referenced tokens or e-money tokens throughout the Union and such crypto-assets may be admitted to trading on a trading platform for crypto-assets in the Union.
Offerors and persons seeking admission to trading of crypto-assets other than asset-referenced tokens or e-money tokens that have published a crypto-asset white paper in accordance with Article 9 and, where applicable, a modified crypto-asset white paper pursuant to Article 12, shall not be subject to any further information requirements with regard to the offer to the public or the admission to trading of that crypto-asset.
Offerors, persons seeking admission to trading or operators of a trading platform for crypto-assets other than asset-referenced tokens or e-money tokens shall modify their published crypto-asset white papers and, where applicable, their published marketing communications, whenever there is a significant new factor, material mistake or material inaccuracy that is capable of affecting the assessment of the crypto-assets. That requirement shall apply for the duration of the offer to the public or for as long as the crypto-asset is admitted to trading.
Offerors, persons seeking admission to trading or operators of a trading platform for crypto-assets other than asset-referenced tokens or e-money tokens shall notify their modified crypto-asset white papers and, where applicable, modified marketing communications, and the intended publication date, to the competent authority of their home Member State, including the reasons for such modification, at least seven working days before their publication.
On the date of publication, or earlier if required by the competent authority, the offeror, the person seeking admission to trading or the operator of the trading platform shall immediately inform the public on its website of the notification of a modified crypto-asset white paper with the competent authority of its home Member State and shall provide a summary of the reasons for which it has notified a modified crypto-asset white paper.
The order of the information in a modified crypto-asset white paper and, where applicable, in modified marketing communications, shall be consistent with that of the crypto-asset white paper or marketing communications published in accordance with Article 9.
Within five working days of receipt of the modified crypto-asset white paper and, where applicable, of the modified marketing communications, the competent authority of the home Member State shall notify the modified crypto-asset white paper and, where applicable, the modified marketing communications to the competent authority of the host Member States referred to in Article 8(6) and communicate the notification and the date of publication to ESMA.
ESMA shall make the modified crypto-asset white paper available in the register, under Article 109(2), upon publication.
Offerors, persons seeking admission to trading or operators of trading platforms for crypto-assets other than asset-referenced tokens or e-money tokens shall publish the modified crypto-asset white paper and, where applicable, the modified marketing communications, including the reasons for such modification, on their website in accordance with Article 9.
The modified crypto-asset white paper and, where applicable, the modified marketing communications, shall be time-stamped. The most recent modified crypto-asset white paper and, where applicable, the modified marketing communications shall be marked as the applicable version. All modified crypto-asset white papers and, where applicable, modified marketing communications shall remain available for as long as the crypto-assets are held by the public.
Where the offer to the public concerns a utility token providing access to goods and services that do not yet exist or are not yet in operation, changes made in the modified crypto-asset white paper and, where applicable, the modified marketing communications, shall not extend the time limit of 12 months referred to in Article 4(6).
Older versions of the crypto-asset white paper and the marketing communications shall remain publicly available on the website of the offerors, persons seeking admission to trading, or operators of trading platforms, for at least 10 years after the date of publication of those older versions, with a prominent warning stating that they are no longer valid and with a hyperlink to the dedicated section on the website where the most recent version of those documents is published.
Retail holders shall have a period of 14 calendar days within which to withdraw from their agreement to purchase crypto-assets other than asset-referenced tokens and e-money tokens without incurring any fees or costs and without being required to give reasons. The period of withdrawal shall begin from the date of the agreement of the retail holder to purchase those crypto-assets.
Such reimbursement shall be carried out using the same means of payment as that used by the retail holder for the initial transaction, unless the retail holder expressly agrees otherwise and provided that the retail holder does not incur any fees or costs as a result of such reimbursement.
Offerors of crypto-assets shall provide information on the right of withdrawal referred to in paragraph 1 in their crypto-asset white paper.
The right of withdrawal referred to in paragraph 1 shall not apply where the crypto-assets have been admitted to trading prior to their purchase by the retail holder.
Where offerors have set a time limit on their offer to the public of such crypto-assets in accordance with Article 10, the right of withdrawal shall not be exercised after the end of the subscription period.
(a) act honestly, fairly and professionally;
(b) communicate with holders and prospective holders of the crypto-assets in a fair, clear and not misleading manner;
(c) identify, prevent, manage and disclose any conflicts of interest that might arise;
(d) maintain all of their systems and security access protocols in conformity with the appropriate Union standards.
For the purposes of point (d) of the first subparagraph, ESMA, in cooperation with EBA, shall by 30 December 2024 issue guidelines in accordance with Article 16 of Regulation (EU) No 1095/2010 to specify those Union standards.
Offerors and persons seeking admission to trading of crypto-assets other than asset-referenced tokens or e-money tokens shall act in the best interests of the holders of such crypto-assets and shall treat them equally, unless any preferential treatment of specific holders and the reasons for that preferential treatment are disclosed in the crypto-asset white paper and, where applicable, the marketing communications.
Where an offer to the public of a crypto-asset other than an asset-referenced token or e-money token is cancelled, offerors of such crypto-asset shall ensure that any funds collected from holders or prospective holders are duly returned to them no later than 25 calendar days after the date of cancellation.
Where an offeror, person seeking admission to trading or operator of a trading platform, has infringed Article 6 by providing in its crypto-asset white paper or in a modified crypto-asset white paper information that is not complete, fair or clear or that is misleading, that offeror, person seeking admission to trading or operator of a trading platform and the members of its administrative, management or supervisory body shall be liable to a holder of the crypto-asset for any loss incurred due to that infringement.
Any contractual exclusion or limitation of civil liability as referred to in paragraph 1 shall be deprived of legal effect.
Where the crypto-asset white paper and marketing communications are prepared by the operator of the trading platform in accordance with Article 5(3), the person seeking admission to trading shall also be held responsible when it provides information that is not complete, fair or clear, or that is misleading to the operator of the trading platform.
It shall be the responsibility of the holder of the crypto-asset to present evidence indicating that the offeror, person seeking admission to trading, or operator of the trading platform for crypto-assets other than asset-referenced tokens or e-money tokens has infringed Article 6 by providing information that is not complete, fair or clear, or that is misleading and that reliance on such information had an impact on the holder’s decision to purchase, sell or exchange that crypto-asset.
The offeror, person seeking admission to trading, or operator of the trading platform and the members of its administrative, management or supervisory body shall not be liable to a holder of a crypto-asset for loss incurred as a result of reliance on the information provided in a summary as referred to in Article 6(7), including any translation thereof, except where the summary:
(a) is misleading, inaccurate or inconsistent when read together with the other parts of the crypto-asset white paper; or
(b) does not provide, when read together with the other parts of the crypto-asset white paper, key information in order to aid prospective holders of the crypto-asset when considering whether to purchase such crypto-asset.
(a) a legal person or other undertaking that is established in the Union and has been authorised in accordance with Article 21 by the competent authority of its home Member State; or
(b) a credit institution that complies with Article 17.
Notwithstanding the first subparagraph, upon the written consent of the issuer of an asset-referenced token, other persons may offer to the public or seek the admission to trading of that asset-referenced token. Those persons shall comply with Articles 27, 29 and 40.
For the purposes of point (a) of the first subparagraph, other undertakings may issue asset-referenced tokens only if their legal form ensures a level of protection for third parties’ interests equivalent to that afforded by legal persons and if they are subject to equivalent prudential supervision appropriate to their legal form.
(a) over a period of 12 months, calculated at the end of each calendar day, the average outstanding value of the asset-referenced token issued by an issuer never exceeds EUR 5 000 000, or the equivalent amount in another official currency, and the issuer is not linked to a network of other exempt issuers; or
(b) the offer to the public of the asset-referenced token is addressed solely to qualified investors and the asset-referenced token can only be held by such qualified investors.
Where this paragraph applies, issuers of asset-referenced tokens shall draw up a crypto-asset white paper as provided for in Article 19 and notify that crypto-asset white paper and, upon request, any marketing communications, to the competent authority of their home Member State.
The authorisation granted by the competent authority to a person referred to in paragraph 1, first subparagraph, point (a), shall be valid for the entire Union and shall allow an issuer of an asset-referenced token to offer to the public, throughout the Union, the asset-referenced token for which it has been authorised, or to seek an admission to trading of such asset-referenced token.
The approval granted by the competent authority of an issuer’s crypto-asset white paper under Article 17(1) or Article 21(1) or of the modified crypto-asset white paper under Article 25 shall be valid for the entire Union.
(a) draws up a crypto-asset white paper as referred to in Article 19 for the asset-referenced token, submits that crypto-asset white paper for approval by the competent authority of its home Member State in accordance with the procedure set out in the regulatory technical standards adopted pursuant to paragraph 8 of this Article, and has the crypto-asset white paper approved by the competent authority;
(b) notifies the respective competent authority, at least 90 working days before issuing the asset-referenced token for the first time, by providing it with the following information:
(i) a programme of operations, setting out the business model that the credit institution intends to follow;
(ii) a legal opinion that the asset-referenced token does not qualify as either of the following:
a crypto-asset excluded from the scope of this Regulation pursuant to Article 2(4);
an e-money token;
(iii) a detailed description of the governance arrangements referred to in Article 34(1);
(iv) the policies and procedures listed in Article 34(5), first subparagraph;
(v) a description of the contractual arrangements with third-party entities as referred to in Article 34(5), second subparagraph;
(vi) a description of the business continuity policy referred to in Article 34(9);
(vii) a description of the internal control mechanisms and risk management procedures referred to in Article 34(10);
(viii) a description of the systems and procedures in place to safeguard the availability, authenticity, integrity and confidentiality of data referred to in Article 34(11).
A credit institution that has previously notified the competent authority in accordance with paragraph 1, point (b), when issuing another asset-referenced token shall not be required to submit any information that was previously submitted by it to the competent authority where such information would be identical. When submitting the information listed in paragraph 1, point (b), the credit institution shall expressly confirm that any information not resubmitted is still up-to-date.
The competent authority receiving a notification referred to in paragraph 1, point (b), shall, within 20 working days of receipt of the information listed therein, assess whether the information required under that point has been provided. Where the competent authority concludes that a notification is not complete because information is missing, it shall immediately inform the notifying credit institution thereof and set a deadline by which that credit institution is required to provide the missing information.
The deadline for providing any missing information shall not exceed 20 working days from the date of the request. Until the expiry of that deadline, the period set by paragraph 1, point (b), shall be suspended. Any further requests by the competent authority for completion or clarification of the information shall be at its discretion but shall not result in a suspension of the period set by paragraph 1, point (b).
The credit institution shall not make an offer to the public or seek the admission to trading of the asset-referenced token as long as the notification is incomplete.
A credit institution that issues asset-referenced tokens, including significant asset-referenced tokens, shall not be subject to Articles 16, 18, 20, 21, 24, 35, 41 and 42.
The competent authority shall communicate to the ECB without delay the complete information received under paragraph 1 and, where the credit institution is established in a Member State whose official currency is not the euro or where an official currency of a Member State that is not the euro is referenced by the asset-referenced token, also to the central bank of that Member State.
The ECB and, where applicable, the central bank of the Member State as referred to in the first subparagraph shall, within 20 working days of receipt of the complete information, issue an opinion on that information and transmit that opinion to the competent authority.
The competent authority shall require the credit institution not to offer to the public or seek the admission to trading of the asset-referenced token in cases where the ECB or, where applicable, the central bank of the Member State as referred to in first subparagraph, gives a negative opinion on the grounds of a risk posed to the smooth operation of payment systems, monetary policy transmission or monetary sovereignty.
ESMA shall make such information available in the register, under Article 109(3), by the starting date of the offer to the public or admission to trading.
The relevant competent authority shall, within two working days of withdrawing authorisation, communicate to ESMA the withdrawal of authorisation of a credit institution that issues asset-referenced tokens. ESMA shall make the information on such withdrawal available in the register, under Article 109(3), without undue delay.
EBA, in close cooperation with ESMA and the ECB, shall develop draft regulatory technical standards to further specify the procedure for the approval of a crypto-asset white paper referred to in paragraph 1, point (a).
EBA shall submit the draft regulatory technical standards referred to in the first subparagraph to the Commission by 30 June 2024.
Power is delegated to the Commission to supplement this Regulation by adopting the regulatory technical standards referred to in the first subparagraph of this paragraph in accordance with Articles 10 to 14 of Regulation (EU) No 1093/2010.
Legal persons or other undertakings that intend to offer to the public or seek the admission to trading of asset-referenced tokens shall submit their application for an authorisation referred to in Article 16 to the competent authority of their home Member State.
The application referred to in paragraph 1 shall contain all of the following information:
(a) the address of the applicant issuer;
(b) the legal entity identifier of the applicant issuer;
(c) the articles of association of the applicant issuer, where applicable;
(d) a programme of operations, setting out the business model that the applicant issuer intends to follow;
(e) a legal opinion that the asset-referenced token does not qualify as either of the following:
(i) a crypto-asset excluded from the scope of this Regulation pursuant to Article 2(4); or
(ii) an e-money token;
(f) a detailed description of the applicant issuer’s governance arrangements as referred to in Article 34(1);
(g) where cooperation arrangements with specific crypto-asset service providers exist, a description of their internal control mechanisms and procedures to ensure compliance with the obligations in relation to the prevention of money laundering and terrorist financing under Directive (EU) 2015/849;
(h) the identity of the members of the management body of the applicant issuer;
(i) proof that the persons referred to in point (h) are of sufficiently good repute and possess the appropriate knowledge, skills and experience to manage the applicant issuer;
(j) proof that any shareholder or member, whether direct or indirect, that has a qualifying holding in the applicant issuer is of sufficiently good repute;
(k) a crypto-asset white paper as referred to in Article 19;
(l) the policies and procedures referred to in Article 34(5), first subparagraph;
(m) a description of the contractual arrangements with the third-party entities as referred to in Article 34(5), second subparagraph;
(n) a description of the applicant issuer’s business continuity policy referred to in Article 34(9);
(o) a description of the internal control mechanisms and risk management procedures referred to in Article 34(10);
(p) a description of the systems and procedures in place to safeguard the availability, authenticity, integrity and confidentiality of data as referred to in Article 34(11);
(q) a description of the applicant issuer’s complaints-handling procedures as referred to in Article 31;
(r) where applicable, a list of host Member States where the applicant issuer intends to offer the asset-referenced token to the public or intends to seek admission to trading of the asset-referenced token.
Issuers that have already been authorised in respect of one asset-referenced token shall not be required to submit, for the purposes of authorisation in respect of another asset-referenced token, any information that was previously submitted by them to the competent authority where such information would be identical. When submitting the information listed in paragraph 2, the issuer shall expressly confirm that any information not resubmitted is still up-to-date.
The competent authority shall promptly, and in any event within two working days of receipt of an application pursuant to paragraph 1, acknowledge receipt thereof in writing to the applicant issuer.
For the purposes of paragraph 2, points (i) and (j), the applicant issuer of the asset-referenced token shall provide proof of all of the following:
(a) for all members of the management body, the absence of a criminal record in respect of convictions or the absence of penalties imposed under the applicable commercial law, insolvency law and financial services law, or in relation to anti-money laundering and counter-terrorist financing, to fraud or to professional liability;
(b) that the members of the management body of the applicant issuer of the asset-referenced token collectively possess the appropriate knowledge, skills and experience to manage the issuer of the asset-referenced token and that those persons are required to commit sufficient time to perform their duties;
(c) for all shareholders and members, whether direct or indirect, that have qualifying holdings in the applicant issuer, the absence of a criminal record in respect of convictions and the absence of penalties imposed under the applicable commercial law, insolvency law and financial services law, or in relation to anti-money laundering and counter-terrorist financing, to fraud or to professional liability.
EBA shall submit the draft regulatory technical standards referred to in the first subparagraph to the Commission by 30 June 2024.
Power is delegated to the Commission to supplement this Regulation by adopting the regulatory technical standards referred to in the first subparagraph of this paragraph in accordance with Articles 10 to 14 of Regulation (EU) No 1093/2010.
EBA shall submit the draft implementing technical standards referred to in the first subparagraph to the Commission by 30 June 2024.
Power is conferred on the Commission to adopt the implementing technical standards referred to in the first subparagraph in accordance with Article 15 of Regulation (EU) No 1093/2010.
(a) information about the issuer of the asset-referenced token;
(b) information about the asset-referenced token;
(c) information about the offer to the public of the asset-referenced token or its admission to trading;
(d) information on the rights and obligations attached to the asset-referenced token;
(e) information on the underlying technology;
(f) information on the risks;
(g) information on the reserve of assets;
(h) information on the principal adverse impacts on the climate and other environment-related adverse impacts of the consensus mechanism used to issue the asset-referenced token.
The crypto-asset white paper shall also include the identity of the person other than the issuer that offers to the public or seeks admission to trading pursuant to Article 16(1), second subparagraph, and the reason why that particular person offers that asset-referenced token or seeks its admission to trading. In cases where the crypto-asset white paper is not drawn up by the issuer, the crypto-asset white paper shall also include the identity of the person that drew up the crypto-asset white paper and the reason why that particular person drew it up.
All information listed in paragraph 1 shall be fair, clear and not misleading. The crypto-asset white paper shall not contain material omissions and shall be presented in a concise and comprehensible form.
The crypto-asset white paper shall not contain any assertions as regards the future value of the crypto-assets, other than the statement referred to in paragraph 4.
The crypto-asset white paper shall contain a clear and unambiguous statement that:
(a) the asset-referenced token may lose its value in part or in full;
(b) the asset-referenced token may not always be transferable;
(c) the asset-referenced token may not be liquid;
(d) the asset-referenced token is not covered by the investor compensation schemes under Directive 97/9/EC;
(e) the asset-referenced token is not covered by the deposit guarantee schemes under Directive 2014/49/EU.
The crypto-asset white paper shall contain a statement from the management body of the issuer of the asset-referenced token. That statement shall confirm that the crypto-asset white paper complies with this Title and that, to the best of the knowledge of the management body, the information presented in the crypto-asset white paper is fair, clear and not misleading and the crypto-asset white paper makes no omission likely to affect its import.
The crypto-asset white paper shall contain a summary, inserted after the statement referred to in paragraph 5, which shall in brief and non-technical language provide key information about the offer to the public of the asset-referenced token or the intended admission to trading of the asset-referenced token. The summary shall be easily understandable and presented and laid out in a clear and comprehensive format, using characters of readable size. The summary of the crypto-asset white paper shall provide appropriate information about the characteristics of the asset-referenced token concerned in order to help prospective holders of that asset-referenced token to make an informed decision.
The summary shall contain a warning that:
(a) it should be read as an introduction to the crypto-asset white paper;
(b) the prospective holder should base any decision to purchase the asset-referenced token on the content of the crypto-asset white paper as a whole and not on the summary alone;
(c) the offer to the public of the asset-referenced token does not constitute an offer or solicitation to purchase financial instruments and that any such offer or solicitation can be made only by means of a prospectus or other offer documents pursuant to the applicable national law;
(d) the crypto-asset white paper does not constitute a prospectus as referred to in Regulation (EU) 2017/1129 or any other offer document pursuant to Union or national law.
The summary shall state that the holders of asset-referenced tokens have a right of redemption at any time, and the conditions for such redemption.
The crypto-asset white paper shall contain the date of its notification and a table of contents.
The crypto-asset white paper shall be drawn up in an official language of the home Member State, or in a language customary in the sphere of international finance.
Where the asset-referenced token is also offered in a Member State other than the issuer’s home Member State, the crypto-asset white paper shall also be drawn up in an official language of the host Member State, or in a language customary in the sphere of international finance.
The crypto-asset white paper shall be made available in a machine-readable format.
ESMA, in cooperation with EBA, shall develop draft implementing technical standards to establish standard forms, formats and templates for the purposes of paragraph 9.
ESMA shall submit the draft implementing technical standards referred to in the first subparagraph to the Commission by 30 June 2024.
Power is conferred on the Commission to adopt the implementing technical standards referred to in the first subparagraph in accordance with Article 15 of Regulation (EU) No 1095/2010.
When developing the draft regulatory technical standards referred to in the first subparagraph, ESMA shall consider the various types of consensus mechanisms used to validate transactions in crypto-assets, their incentive structures and the use of energy, renewable energy and natural resources, the production of waste and greenhouse gas emissions. ESMA shall update those regulatory technical standards in the light of regulatory and technological developments.
ESMA shall submit the draft regulatory technical standards referred to in the first subparagraph to the Commission by 30 June 2024.
Power is delegated to the Commission to supplement this Regulation by adopting the regulatory technical standards referred to in the first subparagraph of this paragraph in accordance with Articles 10 to 14 of Regulation (EU) No 1095/2010.
Competent authorities receiving an application for authorisation as referred to in Article 18 shall, within 25 working days of receipt of such application, assess whether that application, including the crypto-asset white paper referred to in Article 19, comprises all of the required information. They shall immediately notify the applicant issuer whether the application, including the crypto-asset white paper, is missing required information. Where the application, including the crypto-asset white paper, is not complete, competent authorities shall set a deadline by which the applicant issuer is to provide any missing information.
Competent authorities shall, within 60 working days of receipt of a complete application, assess whether the applicant issuer complies with the requirements of this Title and take a fully reasoned draft decision granting or refusing authorisation. Within those 60 working days, competent authorities may request from the applicant issuer any information on the application, including on the crypto-asset white paper referred in Article 19.
During the assessment process, competent authorities may cooperate with competent authorities for anti-money laundering and counter-terrorist financing, financial intelligence units or other public bodies.
The assessment period under paragraphs 1 and 2 shall be suspended for the period between the date of request for missing information by the competent authorities and the receipt by them of a response thereto from the applicant issuer. The suspension shall not exceed 20 working days. Any further requests by the competent authorities for completion or clarification of the information shall be at their discretion but shall not result in a suspension of the assessment period under paragraphs 1 and 2.
Competent authorities shall, after the period of 60 working days referred to in paragraph 2, transmit their draft decision and the application to EBA, ESMA and the ECB. Where the applicant issuer is established in a Member State whose official currency is not the euro, or where an official currency of a Member State that is not the euro is referenced by the asset-referenced token, the competent authorities shall transmit their draft decision and the application also to the central bank of that Member State.
EBA and ESMA shall, at the request of the competent authority, and within 20 working days of receipt of the draft decision and the application, issue an opinion as regards their evaluation of the legal opinion referred to in Article 18(2), point (e), and transmit their respective opinions to the competent authority concerned.
The ECB or, where applicable, the central bank referred to in paragraph 4 shall, within 20 working days of receipt of the draft decision and the application, issue an opinion as regards its evaluation of the risks that issuing that asset-referenced token might pose to financial stability, the smooth operation of payment systems, monetary policy transmission and monetary sovereignty, and transmit its opinion to the competent authority concerned.
Without prejudice to Article 21(4), the opinions referred to in the first and second subparagraphs of this paragraph shall be non-binding.
The competent authority shall, however, duly consider the opinions referred in the first and second subparagraphs of this paragraph.
Competent authorities shall, within 25 working days of receipt of the opinions referred to in Article 20(5), take a fully reasoned decision granting or refusing authorisation to the applicant issuer and, within five working days of taking that decision, notify it to the applicant issuer. Where an applicant issuer is authorised, its crypto-asset white paper shall be deemed to be approved.
Competent authorities shall refuse authorisation where there are objective and demonstrable grounds that:
(a) the management body of the applicant issuer might pose a threat to its effective, sound and prudent management and business continuity and to the adequate consideration of the interest of its clients and the integrity of the market;
(b) members of the management body do not meet the criteria set out in Article 34(2);
(c) shareholders and members, whether direct or indirect, that have qualifying holdings do not meet the criteria of sufficiently good repute set out in Article 34(4);
(d) the applicant issuer fails to meet or is likely to fail to meet any of the requirements of this Title;
(e) the applicant issuer’s business model might pose a serious threat to market integrity, financial stability, the smooth operation of payment systems, or exposes the issuer or the sector to serious risks of money laundering and terrorist financing.
EBA and ESMA shall, by 30 June 2024, jointly issue guidelines in accordance with Article 16 of Regulation (EU) No 1093/2010 and Article 16 of Regulation (EU) No 1095/2010, respectively, on the assessment of the suitability of the members of the management body of issuers of asset-referenced tokens and of the shareholders and members, whether direct or indirect, that have qualifying holdings in issuers of asset-referenced tokens.
Competent authorities shall also refuse authorisation if the ECB or, where applicable, the central bank gives a negative opinion under Article 20(5) on the grounds of a risk posed to the smooth operation of payment systems, monetary policy transmission, or monetary sovereignty.
Competent authorities shall, within two working days of granting authorisation, communicate to the single point of contact of the host Member States, to ESMA, to EBA, to the ECB and, where applicable, to the central bank referred to in Article 20(4), the information specified in Article 109(3).
ESMA shall make such information available in the register, under Article 109(3), by the starting date of the offer to the public or admission to trading.
(a) the number of holders;
(b) the value of the asset-referenced token issued and the size of the reserve of assets;
(c) the average number and average aggregate value of transactions per day during the relevant quarter;
(d) an estimate of the average number and average aggregate value of transactions per day during the relevant quarter that are associated to its uses as a means of exchange within a single currency area.
For the purposes of points (c) and (d) of the first subparagraph, ‘transaction’ shall mean any change of the natural or legal person entitled to the asset-referenced token as a result of the transfer of the asset-referenced token from one distributed ledger address or account to another.
Transactions that are associated with the exchange for funds or other crypto-assets with the issuer or with a crypto-asset service provider shall not be considered associated to uses of the asset-referenced token as a means of exchange, unless there is evidence that the asset-referenced token is used for the settlement of transactions in other crypto-assets.
The competent authority may require issuers of asset-referenced tokens to comply with the reporting obligation referred to in paragraph 1 in respect of asset-referenced tokens issued with a value of less than EUR 100 000 000.
Crypto-asset service providers that provide services related to asset-referenced tokens shall provide the issuer of the asset-referenced token with the information necessary to prepare the report referred to in paragraph 1, including by reporting transactions outside the distributed ledger.
The competent authority shall share the information received with the ECB and, where applicable, the central bank referred to in Article 20(4) and the competent authorities of host Member States.
The ECB and, where applicable, the central bank referred to in Article 20(4) may provide to the competent authority their own estimates of the quarterly average number and average aggregate value of transactions per day that are associated to uses of the asset-referenced token as a means of exchange within a single currency area.
EBA, in close cooperation with the ECB, shall develop draft regulatory technical standards to specify the methodology to estimate the quarterly average number and average aggregate value of transactions per day that are associated to uses of the asset-referenced token as a means of exchange within a single currency area.
EBA shall submit the draft regulatory technical standards referred to in the first subparagraph to the Commission by 30 June 2024.
Power is delegated to the Commission to supplement this Regulation by adopting the regulatory technical standards referred to in the first subparagraph of this paragraph in accordance with Articles 10 to 14 of Regulation (EU) No 1093/2010.
EBA shall submit the draft implementing technical standards referred to in the first subparagraph to the Commission by 30 June 2024.
Power is conferred on the Commission to adopt the implementing technical standards referred to in the first subparagraph of this paragraph in accordance with Article 15 of Regulation (EU) No 1093/2010.
(a) stop issuing that asset-referenced token; and
(b) within 40 working days of reaching that threshold, submit a plan to the competent authority to ensure that the estimated quarterly average number and average aggregate value of those transactions per day is kept below 1 million transactions and EUR 200 000 000 respectively.
The competent authority shall use the information provided by the issuer, its own estimates, or the estimates provided by the ECB or, where applicable, by the central bank referred to in Article 20(4), whichever is higher, in order to assess whether the threshold referred to in paragraph 1 is reached.
Where several issuers issue the same asset-referenced token, the criteria referred in paragraph 1 shall be assessed by the competent authority after aggregating the data from all issuers.
The issuer shall submit the plan referred to in paragraph 1, point (b), for approval to the competent authority. Where necessary, the competent authority shall require modifications, such as imposing a minimum denomination amount, in order to ensure a timely decrease of the use as a means of exchange of the asset-referenced token.
The competent authority shall only allow the issuer to issue the asset-referenced token again when it has evidence that the estimated quarterly average number and average aggregated value of transactions per day associated to its uses as a means of exchange within a single currency area is lower than 1 million transactions and EUR 200 000 000 respectively.
(a) the issuer has ceased to engage in business for six consecutive months, or has not used its authorisation for 12 consecutive months;
(b) the issuer has obtained its authorisation by irregular means, such as by making false statements in the application for authorisation referred to in Article 18 or in any crypto-asset white paper modified in accordance with Article 25;
(c) the issuer no longer meets the conditions under which the authorisation was granted;
(d) the issuer has seriously infringed the provisions of this Title;
(e) the issuer has been subject to a redemption plan;
(f) the issuer has expressly renounced its authorisation or has decided to cease operations;
(g) the issuer’s activity poses a serious threat to market integrity, financial stability, the smooth operation of payment systems or exposes the issuer or the sector to serious risks of money laundering and terrorist financing.
The issuer of the asset-referenced token shall notify its competent authority of any of the situations referred to in the first subparagraph, points (e) and (f).
Competent authorities shall also withdraw the authorisation of an issuer of an asset-referenced token when the ECB or, where applicable, the central bank referred to in Article 20(4), issues an opinion that the asset-referenced token poses a serious threat to the smooth operation of payment systems, monetary policy transmission or monetary sovereignty.
Competent authorities shall limit the amount of an asset-referenced token to be issued or impose a minimum denomination amount in respect of the asset-referenced token when the ECB or, where applicable, the central bank referred to in Article 20(4), issues an opinion that the asset-referenced token poses a threat to the smooth operation of payment systems, monetary policy transmission or monetary sovereignty, and specify the applicable limit or minimum denomination amount.
The relevant competent authorities shall notify the competent authority of an issuer of an asset-referenced token, without delay, of the following situations:
(a) a third-party entity as referred to in Article 34(5), first subparagraph, point (h), of this Regulation has lost its authorisation as a credit institution as referred to in Article 8 of Directive 2013/36/EU, as a crypto-asset service provider as referred to in Article 59 of this Regulation, as a payment institution, or as an electronic money institution;
(b) the members of the issuer’s management body or shareholders or members, whether direct or indirect, that have qualifying holdings in the issuer have infringed the provisions of national law transposing Directive (EU) 2015/849.
When the authorisation is withdrawn, the issuer of the asset-referenced token shall implement the procedure under Article 47.
(a) the governance arrangements, including reporting lines to the management body and risk management framework;
(b) the reserve assets and the custody of the reserve assets;
(c) the rights granted to the holders of asset-referenced tokens;
(d) the mechanism through which an asset-referenced token is issued and redeemed;
(e) the protocols for validating the transactions in asset-referenced tokens;
(f) the functioning of issuers’ proprietary distributed ledger technology, where the asset-referenced tokens are issued, transferred and stored using such a distributed ledger technology;
(g) the mechanisms to ensure the liquidity of asset-referenced tokens, including the liquidity management policy and procedures for issuers of significant asset-referenced tokens referred to in Article 45;
(h) the arrangements with third-party entities, including for managing the reserve assets and the investment of the reserve, the custody of reserve assets, and, where applicable, the distribution of the asset-referenced tokens to the public;
(i) the complaints-handling procedures;
(j) the money laundering and terrorist financing risk assessment and general policies and procedures related thereto.
Issuers of asset-referenced tokens shall notify the competent authority of their home Member State at least 30 working days before the intended changes take effect.
The issuer of the asset-referenced token shall notify the draft modified crypto-asset white paper to the competent authority of the home Member State.
The competent authority shall electronically acknowledge receipt of the draft modified crypto-asset white paper as soon as possible, and at the latest five working days from receipt thereof.
The competent authority shall grant approval of, or refuse to approve, the draft modified crypto-asset white paper within 30 working days of acknowledgement of receipt thereof. During the examination of the draft modified crypto-asset white paper, the competent authority may request any additional information, explanations or justifications concerning the draft modified crypto-asset white paper. When the competent authority makes such request, the time limit of 30 working days shall commence only when the competent authority has received the additional information requested.
The ECB or the relevant central bank and, where applicable, EBA and ESMA, shall provide an opinion within 20 working days of receipt of the consultation referred to in the first subparagraph.
(a) to put in place mechanisms to ensure the protection of holders of the asset-referenced token, when a potential modification of the issuer’s operations can have a material effect on the value, stability, or risks of the asset-referenced token or the reserve assets;
(b) to take any appropriate corrective measures to address concerns related to market integrity, financial stability or the smooth operation of payment systems.
The competent authority shall require the issuer of the asset-referenced token to take any appropriate corrective measures to address concerns related to the smooth operation of payment systems, monetary policy transmission, or monetary sovereignty, if such corrective measures are proposed by the ECB or, where applicable, the central bank referred to in Article 20(4) in the consultations referred to in paragraph 3 of this Article.
Where the ECB or the central bank referred to in Article 20(4) has proposed different measures than the ones required by the competent authority, the measures proposed shall be combined or, if not possible, the more stringent measure shall be required.
ESMA shall make the modified crypto-asset white paper available in the register referred to in Article 109 without undue delay.
Where an issuer has infringed Article 19 by providing in its crypto-asset white paper or in a modified crypto-asset white paper information that is not complete, fair or clear, or that is misleading, that issuer and the members of its administrative, management or supervisory body shall be liable to a holder of such asset-referenced token for any loss incurred due to that infringement.
Any contractual exclusion or limitation of civil liability as referred to in paragraph 1 shall be deprived of legal effect.
It shall be the responsibility of the holder of the asset-referenced token to present evidence indicating that the issuer of that asset-referenced token has infringed Article 19 by providing in its crypto-asset white paper or in a modified crypto-asset white paper information that is not complete, fair or clear, or that is misleading and that reliance on such information had an impact on the holder’s decision to purchase, sell or exchange that asset-referenced token.
The issuer and the members of its administrative, management or supervisory body shall not be liable for loss suffered as a result of reliance on the information provided in a summary pursuant to Article 19, including any translation thereof, except where the summary:
(a) is misleading, inaccurate or inconsistent when read together with the other parts of the crypto-asset white paper; or
(b) does not provide, when read together with the other parts of the crypto-asset white paper, key information in order to aid prospective holders when considering whether to purchase the asset-referenced token.
Issuers of asset-referenced tokens shall act honestly, fairly and professionally and shall communicate with the holders and prospective holders of asset-referenced tokens in a fair, clear and not misleading manner.
Issuers of asset-referenced tokens shall act in the best interests of the holders of such tokens and shall treat them equally, unless any preferential treatment is disclosed in the crypto-asset white paper and, where applicable, the marketing communications.
An issuer of an asset-referenced token shall publish on its website the approved crypto-asset white paper referred to in Article 17(1) or Article 21(1) and, where applicable, the modified crypto-asset white paper referred to in Article 25. The approved crypto-asset white paper shall be publicly accessible by the starting date of the offer to the public of the asset-referenced token or the admission to trading of that token. The approved crypto-asset white paper and, where applicable, the modified crypto-asset white paper shall remain available on the issuer’s website for as long as the asset-referenced token is held by the public.
(a) the marketing communications are clearly identifiable as such;
(b) the information in the marketing communications is fair, clear and not misleading;
(c) the information in the marketing communications is consistent with the information in the crypto-asset white paper;
(d) the marketing communications clearly state that a crypto-asset white paper has been published and clearly indicate the address of the website of the issuer of the asset-referenced token, as well as a telephone number and an email address to contact the issuer.
Marketing communications shall contain a clear and unambiguous statement that the holders of the asset-referenced token have a right of redemption against the issuer at any time.
Marketing communications and any modifications thereto shall be published on the issuer’s website.
Competent authorities shall not require prior approval of marketing communications before their publication.
Marketing communications shall be notified to competent authorities upon request.
No marketing communications shall be disseminated prior to the publication of the crypto-asset white paper. Such restriction does not affect the ability of the issuer of the asset-referenced token to conduct market soundings.
Issuers of asset-referenced tokens shall in a clear, accurate and transparent manner disclose, in a publicly and easily accessible place on their website, the amount of asset-referenced tokens in circulation, and the value and composition of the reserve of assets referred to in Article 36. Such information shall be updated at least monthly.
Issuers of asset-referenced tokens shall publish as soon as possible in a publicly and easily accessible place on their website a brief, clear, accurate and transparent summary of the audit report, as well as the full and unredacted audit report, in relation to the reserve of assets referred to in Article 36.
Without prejudice to Article 88, issuers of asset-referenced tokens shall as soon as possible and in a clear, accurate and transparent manner disclose, in a publicly and easily accessible place, on their website any event that has or is likely to have a significant effect on the value of the asset-referenced tokens or on the reserve of assets referred to in Article 36.
Issuers of asset-referenced tokens shall establish and maintain effective and transparent procedures for the prompt, fair and consistent handling of complaints received from holders of asset-referenced tokens and other interested parties, including consumer associations that represent holders of asset-referenced tokens, and shall publish descriptions of those procedures. Where the asset-referenced tokens are distributed, totally or partially, by third-party entities as referred to in Article 34(5), first subparagraph, point (h), issuers of the asset-referenced tokens shall establish procedures to also facilitate the handling of such complaints between holders of the asset-referenced tokens and such third-party entities.
Holders of asset-referenced tokens shall be able to file complaints free of charge with the issuers of their asset-referenced tokens or, where applicable, with the third-party entities as referred to in paragraph 1.
Issuers of asset-referenced tokens and, where applicable, the third-party entities as referred to in paragraph 1, shall develop and make available to holders of asset-referenced tokens a template for filing complaints and shall keep a record of all complaints received and any measures taken in response thereto.
Issuers of asset-referenced tokens shall investigate all complaints in a timely and fair manner and communicate the outcome of such investigations to the holders of their asset-referenced tokens within a reasonable period.
EBA, in close cooperation with ESMA, shall develop draft regulatory technical standards to further specify the requirements, templates and procedures for handling complaints.
EBA shall submit the draft regulatory technical standards referred to in the first subparagraph to the Commission by 30 June 2024.
Power is delegated to the Commission to supplement this Regulation by adopting the regulatory technical standards referred to in the first subparagraph of this paragraph in accordance with Articles 10 to 14 of Regulation (EU) No 1093/2010.
(a) their shareholders or members;
(b) any shareholder or member, whether direct or indirect, that has a qualifying holding in the issuers;
(c) the members of their management body;
(d) their employees;
(e) the holders of asset-referenced tokens; or
(f) any third party providing one of the functions as referred in Article 34(5), first subparagraph, point (h).
Issuers of asset-referenced tokens shall, in particular, take all appropriate steps to identify, prevent, manage and disclose conflicts of interest arising from the management and investment of the reserve of assets referred to in Article 36.
Issuers of asset-referenced tokens shall, in a prominent place on their website, disclose to the holders of their asset-referenced tokens the general nature and sources of conflicts of interest referred to in paragraph 1 and the steps taken to mitigate them.
The disclosure referred to in paragraph 3 shall be sufficiently precise to enable the prospective holders of their asset-referenced tokens to take an informed purchasing decision about the asset-referenced tokens.
EBA shall develop draft regulatory technical standards to further specify:
(a) the requirements for the policies and procedures referred to in paragraph 1;
(b) the details and methodology for the content of the disclosure referred to in paragraph 3.
EBA shall submit the draft regulatory technical standards referred to in the first subparagraph to the Commission by 30 June 2024.
Power is delegated to the Commission to supplement this Regulation by adopting the regulatory technical standards referred to in the first subparagraph of this paragraph in accordance with Articles 10 to 14 of Regulation (EU) No 1093/2010.
Issuers of asset-referenced tokens shall notify immediately their competent authority of any changes to their management body, and shall provide their competent authority with all of the necessary information to assess compliance with Article 34(2).
Issuers of asset-referenced tokens shall have robust governance arrangements, including a clear organisational structure with well-defined, transparent and consistent lines of responsibility, effective processes to identify, manage, monitor and report the risks to which they are or might be exposed, and adequate internal control mechanisms, including sound administrative and accounting procedures.
Members of the management body of issuers of asset-referenced tokens shall be of sufficiently good repute and possess the appropriate knowledge, skills and experience, both individually and collectively, to perform their duties. In particular, they shall not have been convicted of offences relating to money laundering or terrorist financing or of any other offences that would affect their good repute. They shall also demonstrate that they are capable of committing sufficient time to effectively perform their duties.
The management body of issuers of asset-referenced tokens shall assess and periodically review the effectiveness of the policy arrangements and procedures put in place to comply with Chapters 2, 3, 5 and 6 of this Title and take appropriate measures to address any deficiencies in that respect.
Shareholders or members, whether direct or indirect, that have qualifying holdings in issuers of asset-referenced tokens shall be of sufficiently good repute and, in particular, shall not have been convicted of offences relating to money laundering or terrorist financing or of any other offences that would affect their good repute.
Issuers of asset-referenced tokens shall adopt policies and procedures that are sufficiently effective to ensure compliance with this Regulation. Issuers of asset-referenced tokens shall establish, maintain and implement, in particular, policies and procedures on:
(a) the reserve of assets referred to in Article 36;
(b) the custody of the reserve assets, including the segregation of assets, as specified in Article 37;
(c) the rights granted to the holders of asset-referenced tokens, as specified in Article 39;
(d) the mechanism through which asset-referenced tokens are issued and redeemed;
(e) the protocols for validating transactions in asset-referenced tokens;
(f) the functioning of the issuers’ proprietary distributed ledger technology, where the asset-referenced tokens are issued, transferred and stored using such distributed ledger technology or similar technology that is operated by the issuers or a third party acting on their behalf;
(g) the mechanisms to ensure the liquidity of asset-referenced tokens, including the liquidity management policy and procedures for issuers of significant asset-referenced tokens referred to in Article 45;
(h) arrangements with third-party entities for operating the reserve of assets, and for the investment of the reserve assets, the custody of the reserve assets and, where applicable, the distribution of the asset-referenced tokens to the public;
(i) the written consent of the issuers of asset-referenced tokens given to other persons that might offer or seek the admission to trading of the asset-referenced tokens;
(j) complaints-handling, as specified in Article 31;
(k) conflicts of interest, as specified in Article 32.
Where issuers of asset-referenced tokens enter into arrangements as referred to in the first subparagraph, point (h), those arrangements shall be set out in a contract with the third-party entities. Those contractual arrangements shall set out the roles, responsibilities, rights and obligations both of the issuers of asset-referenced tokens and of the third-party entities. Any contractual arrangement with cross-jurisdictional implications shall provide for an unambiguous choice of applicable law.
Unless they have initiated a redemption plan referred to in Article 47, issuers of asset-referenced tokens shall employ appropriate and proportionate systems, resources and procedures to ensure the continued and regular performance of their services and activities. To that end, issuers of asset-referenced tokens shall maintain all of their systems and security access protocols in conformity with the appropriate Union standards.
If the issuer of an asset-referenced token decides to discontinue the provision of its services and activities, including by discontinuing the issue of that asset-referenced token, it shall submit a plan to the competent authority for approval of such discontinuation.
Issuers of asset-referenced tokens shall identify sources of operational risk and minimise those risks through the development of appropriate systems, controls and procedures.
Issuers of asset-referenced tokens shall establish a business continuity policy and plans to ensure, in the case of an interruption of their ICT systems and procedures, the preservation of essential data and functions and the maintenance of their activities or, where that is not possible, the timely recovery of such data and functions and the timely resumption of their activities.
Issuers of asset-referenced tokens shall have in place internal control mechanisms and effective procedures for risk management, including effective control and safeguard arrangements for managing ICT systems as required by Regulation (EU) 2022/2554 of the European Parliament and of the Council. The procedures shall provide for a comprehensive assessment relating to the reliance on third-party entities as referred to in paragraph 5, first subparagraph, point (h), of this Article. Issuers of asset-referenced tokens shall monitor and evaluate on a regular basis the adequacy and effectiveness of the internal control mechanisms and procedures for risk assessment and take appropriate measures to address any deficiencies in that respect.
Issuers of asset-referenced tokens shall have systems and procedures in place that are adequate to safeguard the availability, authenticity, integrity and confidentiality of data as required by Regulation (EU) 2022/2554 and in line with Regulation (EU) 2016/679. Those systems shall record and safeguard relevant data and information collected and produced in the course of the issuers’ activities.
Issuers of asset-referenced tokens shall ensure that they are regularly audited by independent auditors. The results of those audits shall be communicated to the management body of the issuer concerned and made available to the competent authority.
By 30 June 2024, EBA, in close cooperation with ESMA and the ECB, shall issue guidelines in accordance with Article 16 of Regulation (EU) No 1093/2010 specifying the minimum content of the governance arrangements on:
(a) the monitoring tools for the risks referred to in paragraph 8;
(b) the business continuity plan referred to in paragraph 9;
(c) the internal control mechanism referred to in paragraph 10;
(d) the audits referred to in paragraph 12, including the minimum documentation to be used in the audit.
When issuing the guidelines referred to in the first subparagraph, EBA shall take into account the provisions on governance requirements in other Union legislative acts on financial services, including Directive 2014/65/EU.
(a) EUR 350 000;
(b) 2 % of the average amount of the reserve of assets referred to in Article 36;
(c) a quarter of the fixed overheads of the preceding year.
For the purposes of point (b) of the first subparagraph, the average amount of the reserve of assets shall mean the average amount of the reserve assets at the end of each calendar day, calculated over the preceding six months.
Where an issuer offers more than one asset-referenced token, the amount referred to in point (b) of the first subparagraph shall be the sum of the average amount of the reserve assets backing each asset-referenced token.
The amount referred to in point (c) of the first subparagraph shall be reviewed annually and calculated in accordance with Article 67(3).
The own funds referred to in paragraph 1 of this Article shall consist of the Common Equity Tier 1 items and instruments referred to in Articles 26 to 30 of Regulation (EU) No 575/2013 after the deductions in full pursuant to Article 36 of that Regulation, without the application of the threshold exemptions referred to in Article 46(4) and Article 48 of that Regulation.
The competent authority of the home Member State may require an issuer of an asset-referenced token to hold an amount of own funds which is up to 20 % higher than the amount resulting from the application of paragraph 1, first subparagraph, point (b), where an assessment of any of the following indicates a higher degree of risk:
(a) the evaluation of the risk-management processes and internal control mechanisms of the issuer of the asset-referenced token as referred to in Article 34(1), (8) and (10);
(b) the quality and volatility of the reserve of assets referred to in Article 36;
(c) the types of rights granted by the issuer of the asset-referenced token to holders of the asset-referenced token in accordance with Article 39;
(d) where the reserve of assets includes investments, the risks posed by the investment policy on the reserve of assets;
(e) the aggregate value and number of transactions settled in the asset-referenced token;
(f) the importance of the markets on which the asset-referenced token is offered and marketed;
(g) where applicable, the market capitalisation of the asset-referenced token.
The competent authority of the home Member State may require an issuer of an asset-referenced token that is not significant to comply with any requirement set out in Article 45, where necessary to address the higher degree of risks identified in accordance with paragraph 3 of this Article, or any other risks that Article 45 aims to address, such as liquidity risks.
Without prejudice to paragraph 3, issuers of asset-referenced tokens shall conduct, on a regular basis, stress testing that takes into account severe but plausible financial stress scenarios, such as interest rate shocks, and non-financial stress scenarios, such as operational risk. Based on the outcome of such stress testing, the competent authority of the home Member State shall require the issuer of the asset-referenced token to hold an amount of own funds that is between 20 % and 40 % higher than the amount resulting from the application of paragraph 1, first subparagraph, point (b), in certain circumstances having regard to the risk outlook and stress testing results.
EBA, in close cooperation with ESMA and the ECB, shall develop draft regulatory technical standards further specifying:
(a) the procedure and timeframe for an issuer of an asset-referenced token to adjust to higher own funds requirements as set out in paragraph 3;
(b) the criteria for requiring a higher amount of own funds as set out in paragraph 3;
(c) the minimum requirements for the design of stress testing programmes, taking into account the size, complexity and nature of the asset-referenced token, including but not limited to:
(i) the types of stress testing and their main objectives and applications;
(ii) the frequency of the different stress testing exercises;
(iii) the internal governance arrangements;
(iv) the relevant data infrastructure;
(v) the methodology and the plausibility of assumptions;
(vi) the application of the proportionality principle to all of the minimum requirements, whether quantitative or qualitative; and
(vii) the minimum periodicity of the stress tests and the common reference parameters of the stress test scenarios.
EBA shall submit the draft regulatory technical standards referred to in the first subparagraph to the Commission by 30 June 2024.
Power is delegated to the Commission to supplement this Regulation by adopting the regulatory technical standards referred to in the first subparagraph of this paragraph in accordance with Articles 10 to 14 of Regulation (EU) No 1093/2010.
The reserve of assets shall be composed and managed in such a way that:
(a) the risks associated to the assets referenced by the asset-referenced tokens are covered; and
(b) the liquidity risks associated to the permanent rights of redemption of the holders are addressed.
The reserve of assets shall be legally segregated from the issuers’ estate, as well as from the reserve of assets of other asset-referenced tokens, in the interests of the holders of asset-referenced tokens in accordance with applicable law, so that creditors of the issuers have no recourse to the reserve of assets, in particular in the event of insolvency.
Issuers of asset-referenced tokens shall ensure that the reserve of assets is operationally segregated from their estate, as well as from the reserve of assets of other tokens.
EBA, in close cooperation with ESMA and the ECB, shall develop draft regulatory technical standards further specifying the liquidity requirements, taking into account the size, complexity and nature of the reserve of assets and of the asset-referenced token itself.
The regulatory technical standards shall establish in particular:
(a) the relevant percentage of the reserve of assets according to daily maturities, including the percentage of reverse repurchase agreements that are able to be terminated by giving prior notice of one working day, or the percentage of cash that is able to be withdrawn by giving prior notice of one working day;
(b) the relevant percentage of the reserve of assets according to weekly maturities, including the percentage of reverse repurchase agreements that are able to be terminated by giving prior notice of five working days, or the percentage of cash that is able to be withdrawn by giving prior notice of five working days;
(c) other relevant maturities, and overall techniques for liquidity management;
(d) the minimum amounts in each official currency referenced to be held as deposits in credit institutions, which cannot be lower than 30 % of the amount referenced in each official currency.
For the purposes of points (a), (b) and (c) of the second subparagraph, EBA shall take into account, amongst others, the relevant thresholds laid down in Article 52 of Directive 2009/65/EC.
EBA shall submit the draft regulatory technical standards referred to in the first subparagraph to the Commission by 30 June 2024.
Power is delegated to the Commission to supplement this Regulation by adopting the regulatory technical standards referred to in the first subparagraph of this paragraph in accordance with Articles 10 to 14 of Regulation (EU) No 1093/2010.
Where different issuers of asset-referenced tokens offer the same asset-referenced token to the public, those issuers shall operate and maintain only one reserve of assets for that asset-referenced token.
The management bodies of issuers of asset-referenced tokens shall ensure the effective and prudent management of the reserve of assets. The issuers shall ensure that the issuance and redemption of asset-referenced tokens is always matched by a corresponding increase or decrease in the reserve of assets.
The issuer of an asset-referenced token shall determine the aggregate value of the reserve of assets by using market prices. Its aggregate value shall be at least equal to the aggregate value of the claims against the issuer from the holders of the asset-referenced token in circulation.
Issuers of asset-referenced tokens shall have a clear and detailed policy describing the stabilisation mechanism of such tokens. That policy shall in particular:
(a) list the assets referenced by the asset-referenced tokens and the composition of those assets;
(b) describe the type of assets and the precise allocation of assets that are included in the reserve of assets;
(c) contain a detailed assessment of the risks, including credit risk, market risk, concentration risk and liquidity risk resulting from the reserve of assets;
(d) describe the procedure by which the asset-referenced tokens are issued and redeemed, and the procedure by which such issuance and redemption will result in a corresponding increase and decrease in the reserve of assets;
(e) mention whether a part of the reserve of assets is invested as provided in Article 38;
(f) where issuers of asset-referenced tokens invest a part of the reserve of assets as provided in Article 38, describe in detail the investment policy and contain an assessment of how that investment policy can affect the value of the reserve of assets;
(g) describe the procedure to purchase asset-referenced tokens and to redeem such tokens against the reserve of assets, and list the persons or categories of persons who are entitled to do so.
Without prejudice to Article 34(12), issuers of asset-referenced tokens shall mandate an independent audit of the reserve of assets every six months, assessing compliance with the rules of this Chapter, as of the date of their authorisation pursuant to Article 21 or as of the date of approval of the crypto-asset white paper pursuant to Article 17.
The issuer shall notify the results of the audit referred to in paragraph 9 to the competent authority without delay, and at the latest within six weeks of the reference date of the valuation. The issuer shall publish the result of the audit within two weeks of the date of notification to the competent authority. The competent authority may instruct an issuer to delay the publication of the results of the audit in the event that:
(a) the issuer has been required to implement a recovery arrangement or measures in accordance with Article 46(3);
(b) the issuer has been required to implement a redemption plan in accordance with Article 47;
(c) it is deemed necessary to protect the economic interests of holders of the asset-referenced token;
(d) it is deemed necessary to avoid a significant adverse effect on the financial system of the home Member State or another Member State.
When using mark-to-market valuation the reserve asset shall be valued at the more prudent side of the bid and offer unless the reserve asset can be closed out at mid-market. Only market data of good quality shall be used, and such data shall be assessed based on all of the following factors:
(a) the number and quality of the counterparties;
(b) the volume and turnover in the market of the reserve asset;
(c) the size of the reserve of assets.
The model shall accurately estimate the intrinsic value of the reserve asset, based on all of the following up-to-date key factors:
(a) the volume and turnover in the market of that reserve asset;
(b) the size of the reserve of assets;
(c) the market risk, interest rate risk and credit risk attached to the reserve asset.
When using mark-to-model, the amortised cost method, as defined in Article 2, point (10), of Regulation (EU) 2017/1131, shall not be used.
(a) the reserve assets are not encumbered nor pledged as a financial collateral arrangement as defined in Article 2(1), point (a), of Directive 2002/47/EC of the European Parliament and of the Council;
(b) the reserve assets are held in custody in accordance with paragraph 6 of this Article;
(c) the issuers of asset-referenced tokens have prompt access to the reserve assets to meet any requests for redemption from the holders of asset-referenced tokens;
(d) concentrations of the custodians of reserve assets are avoided;
(e) risk of concentration of reserve assets is avoided.
Issuers of asset-referenced tokens that issue two or more asset-referenced tokens in the Union shall have a custody policy in place for each pool of reserve of assets. Different issuers of asset-referenced tokens that have issued the same asset-referenced token shall operate and maintain a single custody policy.
The reserve assets shall be held in custody by no later than five working days after the date of issuance of the asset-referenced token by one or more of the following:
(a) a crypto-asset service provider providing custody and administration of crypto-assets on behalf of clients, where the reserve assets take the form of crypto-assets;
(b) a credit institution, for all types of reserve assets;
(c) an investment firm that provides the ancillary service of safekeeping and administration of financial instruments for the account of clients as referred to in Section B, point (1), of Annex I to Directive 2014/65/EU, where the reserve assets take the form of financial instruments.
Issuers of asset-referenced tokens shall ensure that the crypto-asset service providers, credit institutions and investment firms appointed as custodians of the reserve assets as referred to in paragraph 3 have the necessary expertise and market reputation to act as custodians of such reserve assets, taking into account the accounting practices, safekeeping procedures and internal control mechanisms of those crypto-asset service providers, credit institutions and investment firms. The contractual arrangements between the issuers of asset-referenced tokens and the custodians shall ensure that the reserve assets held in custody are protected against claims of the custodians’ creditors.
Issuers of asset-referenced tokens shall review the appointment of crypto-asset service providers, credit institutions or investment firms as custodians of the reserve assets on a regular basis. For the purpose of that review, issuers of asset-referenced tokens shall evaluate their exposures to such custodians, taking into account the full scope of their relationship with them, and monitor the financial conditions of such custodians on an ongoing basis.
(a) credit institutions shall hold in custody funds in an account opened in the credit institutions’ books;
(b) for financial instruments that can be held in custody, credit institutions or investment firms shall hold in custody all financial instruments that can be registered in a financial instruments account opened in the credit institutions’ or investments firms’ books and all financial instruments that can be physically delivered to such credit institutions or investment firms;
(c) for crypto-assets that can be held in custody, the crypto-asset service providers shall hold in custody the crypto-assets included in the reserve assets or the means of access to such crypto-assets, where applicable, in the form of private cryptographic keys;
(d) for other assets, the credit institutions shall verify the ownership of the issuers of the asset-referenced tokens and shall maintain a record of those reserve assets for which they are satisfied that the issuers of the asset-referenced tokens own those reserve assets.
For the purposes of point (a) of the first subparagraph, credit institutions shall ensure that funds are registered in the credit institutions’ books on a segregated account in accordance with the provisions of national law transposing Article 16 of Commission Directive 2006/73/EC. That account shall be opened in the name of the issuer of the asset-referenced tokens for the purposes of managing the reserve assets of each asset-referenced token, so that the funds held in custody can be clearly identified as belonging to each reserve of assets.
For the purposes of point (b) of the first subparagraph, credit institutions and investment firms shall ensure that all financial instruments that can be registered in a financial instruments account opened in the credit institutions’ books and investment firms’ books are registered in the credit institutions’ and investment firms’ books on segregated accounts in accordance with the provisions of national law transposing Article 16 of Directive 2006/73/EC. The financial instruments account shall be opened in the name of the issuers of the asset-referenced tokens for the purposes of managing the reserve assets of each asset-referenced token, so that the financial instruments held in custody can be clearly identified as belonging to each reserve of assets.
For the purposes of point (c) of the first subparagraph, crypto-asset service providers shall open a register of positions in the name of the issuers of the asset-referenced tokens for the purposes of managing the reserve assets of each asset-referenced token, so that the crypto-assets held in custody can be clearly identified as belonging to each reserve of assets.
For the purposes of point (d) of the first subparagraph, the assessment whether issuers of asset-referenced tokens own the reserve assets shall be based on information or documents provided by the issuers of the asset-referenced tokens and, where available, on external evidence.
The appointment of crypto-asset service providers, credit institutions or investment firms as custodians of the reserve assets as referred to in paragraph 4 of this Article shall be evidenced by a contractual arrangement as referred to in Article 34(5), second subparagraph. Those contractual arrangements shall, amongst others, regulate the flow of information necessary to enable the issuers of the asset-referenced tokens and the crypto-asset service providers, credit institutions and investment firms to perform their functions as custodians.
The crypto-asset service providers, credit institutions and investment firms appointed as custodians in accordance with paragraph 4 shall act honestly, fairly, professionally, independently and in the interest of the issuers of the asset-referenced tokens and the holders of such tokens.
The crypto-asset service providers, credit institutions and investment firms appointed as custodians in accordance with paragraph 4 shall not carry out activities with regard to the issuers of the asset-referenced tokens that might create conflicts of interest between those issuers, the holders of the asset-referenced tokens and themselves unless all of the following conditions are met:
(a) the crypto-asset service providers, credit institutions or investment firms have functionally and hierarchically separated the performance of their custody tasks from their potentially conflicting tasks;
(b) the potential conflicts of interest have been properly identified, monitored, managed and disclosed by the issuers of the asset-referenced tokens to the holders of the asset-referenced tokens, in accordance with Article 32.
Issuers of asset-referenced tokens that invest a part of the reserve of assets shall only invest those assets in highly liquid financial instruments with minimal market risk, credit risk and concentration risk. The investments shall be capable of being liquidated rapidly with minimal adverse price effect.
Units in an undertaking for collective investment in transferable securities (UCITS) shall be deemed to be assets with minimal market risk, credit risk and concentration risk for the purposes of paragraph 1, where that UCITS invests solely in assets as further specified by EBA in accordance with paragraph 5 and where the issuer of the asset-referenced token ensures that the reserve of assets is invested in such a way that the concentration risk is minimised.
The financial instruments in which the reserve of assets is invested shall be held in custody in accordance with Article 37.
All profits or losses, including fluctuations in the value of the financial instruments referred to in paragraph 1, and any counterparty or operational risks that result from the investment of the reserve of assets shall be borne by the issuer of the asset-referenced token.
EBA, in cooperation with ESMA and the ECB, shall develop draft regulatory technical standards specifying the financial instruments that can be considered highly liquid and bearing minimal market risk, credit risk and concentration risk as referred to in paragraph 1. When specifying those financial instruments, EBA shall take into account:
(a) the various types of assets that can be referenced by an asset-referenced token;
(b) the correlation between the assets referenced by the asset-referenced token and the highly liquid financial instruments that the issuer might invest in;
(c) the liquidity coverage requirement as referred to in Article 412 of Regulation (EU) No 575/2013 and as further specified in Commission Delegated Regulation (EU) 2015/61;
(d) constraints on concentration preventing the issuer from:
(i) investing more than a certain percentage of reserve assets in highly liquid financial instruments with minimal market risk, credit risk and concentration risk issued by a single entity;
(ii) holding in custody more than a certain percentage of crypto-assets or assets with crypto-asset service providers or credit institutions which belong to the same group, as defined in Article 2, point (11), of Directive 2013/34/EU of the European Parliament and of the Council, or investment firms.
For the purposes of point (d)(i) of the first subparagraph, EBA shall devise suitable limits to determine concentration requirements. Those limits shall take into account, amongst others, the relevant thresholds laid down in Article 52 of Directive 2009/65/EC.
EBA shall submit the draft regulatory technical standards referred to in the first subparagraph to the Commission by 30 June 2024.
Power is delegated to the Commission to supplement this Regulation by adopting the regulatory technical standards referred to in the first subparagraph of this paragraph in accordance with Articles 10 to 14 of Regulation (EU) No 1093/2010.
Holders of asset-referenced tokens shall have a right of redemption at all times against the issuers of the asset-referenced tokens, and in respect of the reserve assets when issuers are not able to meet their obligations as referred to in Chapter 6 of this Title. Issuers shall establish, maintain and implement clear and detailed policies and procedures in respect of such permanent right of redemption.
Upon request by a holder of an asset-referenced token, an issuer of such token shall redeem either by paying an amount in funds, other than electronic money, equivalent to the market value of the assets referenced by the asset-referenced token held or by delivering the assets referenced by the token. Issuers shall establish a policy on such permanent right of redemption setting out:
(a) the conditions, including thresholds, periods and timeframes, for holders of asset-referenced tokens to exercise such right of redemption;
(b) the mechanisms and procedures to ensure the redemption of the asset-referenced tokens, including in stressed market circumstances, as well as in the context of the implementation of the recovery plan set out in Article 46 or, in the case of an orderly redemption of asset-referenced tokens, under Article 47;
(c) the valuation, or the principles of valuation, of the asset-referenced tokens and of the reserve assets when the right of redemption is exercised by the holder of asset-referenced tokens, including by using the valuation methodology set out in Article 36(11);
(d) the conditions for settlement of the redemption; and
(e) measures that the issuers take to adequately manage increases or decreases in the reserve of assets in order to avoid any adverse impacts on the market of the reserve assets.
Where issuers, when selling an asset-referenced token, accept a payment in funds other than electronic money, denominated in an official currency, they shall always provide an option to redeem the token in funds other than electronic money, denominated in the same official currency.
Issuers of asset-referenced tokens shall not grant interest in relation to asset-referenced tokens.
Crypto-asset service providers shall not grant interest when providing crypto-asset services related to asset-referenced tokens.
For the purposes of paragraphs 1 and 2, any remuneration or any other benefit related to the length of time during which a holder of asset-referenced tokens holds such asset-referenced tokens shall be treated as interest. That includes net compensation or discounts, with an effect equivalent to that of interest received by the holder of asset-referenced tokens, directly from the issuer or from third parties, and directly associated to the asset-referenced tokens or from the remuneration or pricing of other products.
Any natural or legal persons or such persons acting in concert who intend to acquire, directly or indirectly (the ‘proposed acquirer’), a qualifying holding in an issuer of an asset-referenced token or to increase, directly or indirectly, such a qualifying holding so that the proportion of the voting rights or of the capital held would reach or exceed 20 %, 30 % or 50 %, or so that the issuer of the asset-referenced token would become its subsidiary, shall notify the competent authority of that issuer thereof in writing, indicating the size of the intended holding and the information required by the regulatory technical standards adopted by the Commission in accordance with Article 42(4).
Any natural or legal person who has taken a decision to dispose, directly or indirectly, of a qualifying holding in an issuer of an asset-referenced token shall, prior to disposing of that holding, notify in writing the competent authority of its decision and indicate the size of such holding. That person shall also notify the competent authority where it has taken a decision to reduce a qualifying holding so that the proportion of the voting rights or of the capital held would fall below 10 %, 20 %, 30 % or 50 %, or so that the issuer of the asset-referenced token would cease to be that person’s subsidiary.
The competent authority shall promptly and in any event within two working days following receipt of a notification pursuant to paragraph 1 acknowledge receipt thereof in writing.
The competent authority shall assess the proposed acquisition referred to in paragraph 1 of this Article and the information required by the regulatory technical standards adopted by the Commission in accordance with Article 42(4), within 60 working days of the date of the written acknowledgement of receipt referred to in paragraph 3 of this Article. When acknowledging receipt of the notification, the competent authority shall inform the proposed acquirer of the date of expiry of the assessment period.
When performing the assessment referred to in paragraph 4, the competent authority may request from the proposed acquirer any additional information that is necessary to complete that assessment. Such request shall be made before the assessment is finalised, and in any case no later than on the 50th working day from the date of the written acknowledgement of receipt referred to in paragraph 3. Such requests shall be made in writing and shall specify the additional information needed.
The competent authority shall suspend the assessment period referred to in paragraph 4 until it has received the additional information referred to in the first subparagraph of this paragraph. The suspension shall not exceed 20 working days. Any further requests by the competent authority for additional information or for clarification of the information received shall not result in an additional suspension of the assessment period.
The competent authority may extend the suspension referred to in the second subparagraph of this paragraph by up to 30 working days if the proposed acquirer is situated outside the Union or regulated under the law of a third country.
A competent authority that, upon completion of the assessment referred to in paragraph 4, decides to oppose the proposed acquisition referred to in paragraph 1 shall notify the proposed acquirer thereof within two working days, and in any event before the date referred to in paragraph 4 extended, where applicable, in accordance with paragraph 5, second and third subparagraphs. The notification shall provide the reasons for such a decision.
Where the competent authority does not oppose the proposed acquisition referred to in paragraph 1 before the date referred to in paragraph 4 extended, where applicable, in accordance with paragraph 5, second and third subparagraphs, the proposed acquisition shall be deemed to be approved.
The competent authority may set a maximum period for concluding the proposed acquisition referred to in paragraph 1, and extend that maximum period where appropriate.
(a) the reputation of the proposed acquirer;
(b) the reputation, knowledge, skills and experience of any person who will direct the business of the issuer of the asset-referenced token as a result of the proposed acquisition;
(c) the financial soundness of the proposed acquirer, in particular in relation to the type of business envisaged and pursued in respect of the issuer of the asset-referenced token in which the acquisition is proposed;
(d) whether the issuer of the asset-referenced token will be able to comply and continue to comply with the provisions of this Title;
(e) whether there are reasonable grounds to suspect that, in connection with the proposed acquisition, money laundering or terrorist financing within the meaning of, respectively, Article 1(3) and (5) of Directive (EU) 2015/849 is being or has been committed or attempted, or that the proposed acquisition could increase the risk thereof.
The competent authority may oppose the proposed acquisition only where there are reasonable grounds for doing so based on the criteria set out in paragraph 1 of this Article or where the information provided in accordance with Article 41(4) is incomplete or false.
Member States shall not impose any prior conditions in respect of the level of qualifying holding that is required to be acquired under this Regulation nor allow their competent authorities to examine the proposed acquisition in terms of the economic needs of the market.
EBA, in close cooperation with ESMA, shall develop draft regulatory technical standards specifying the detailed content of the information that is necessary to carry out the assessment referred to in Article 41(4), first subparagraph. The information required shall be relevant for a prudential assessment, proportionate and adapted to the nature of the proposed acquirer and the proposed acquisition referred to in Article 41(1).
EBA shall submit the draft regulatory technical standards referred to in the first subparagraph to the Commission by 30 June 2024.
Power is delegated to the Commission to supplement this Regulation by adopting the regulatory technical standards referred to in the first subparagraph of this paragraph in accordance with Articles 10 to 14 of Regulation (EU) No 1093/2010.
(a) the number of holders of the asset-referenced token is larger than 10 million;
(b) the value of the asset-referenced token issued, its market capitalisation or the size of the reserve of assets of the issuer of the asset-referenced token is higher than EUR 5 000 000 000;
(c) the average number and average aggregate value of transactions in that asset-referenced token per day during the relevant period, is higher than 2,5 million transactions and EUR 500 000 000 respectively;
(d) the issuer of the asset-referenced token is a provider of core platform services designated as a gatekeeper in accordance with Regulation (EU) 2022/1925 of the European Parliament and of the Council;
(e) the significance of the activities of the issuer of the asset-referenced token on an international scale, including the use of the asset-referenced token for payments and remittances;
(f) the interconnectedness of the asset-referenced token or its issuers with the financial system;
(g) the fact that the same issuer issues at least one additional asset-referenced token or e-money token, and provides at least one crypto-asset service.
(a) during the period covered by the first report of information as referred to in paragraph 4 of this Article, following authorisation pursuant to Article 21 or after approval of the crypto-asset white paper pursuant to Article 17; or
(b) during the period covered by at least two consecutive reports of information as referred to in paragraph 4 of this Article.
Where several issuers issue the same asset-referenced token, the fulfilment of the criteria set out in paragraph 1 shall be assessed after aggregating the data from those issuers.
Competent authorities of the issuer’s home Member State shall report to EBA and the ECB information relevant for the assessment of the fulfilment of the criteria set out in paragraph 1 of this Article, including, if applicable, the information received under Article 22, at least twice a year.
Where the issuer is established in a Member State whose official currency is not the euro, or where an official currency of a Member State that is not the euro is referenced by the asset-referenced token, competent authorities shall transmit the information referred to in the first subparagraph also to the central bank of that Member State.
Issuers of such asset-referenced tokens, their competent authorities, the ECB and, where applicable, the central bank of the Member State concerned shall have 20 working days from the date of notification of EBA’s draft decision to provide observations and comments in writing. EBA shall duly consider those observations and comments before adopting a final decision.
EBA shall take its final decision on whether to classify an asset-referenced token as a significant asset-referenced token within 60 working days of the date of notification referred to in paragraph 5 and immediately notify that decision to the issuer of such asset-referenced token and its competent authority.
Where an asset-referenced token has been classified as significant pursuant to a decision of EBA taken in accordance with paragraph 6, the supervisory responsibilities with respect to the issuer of that significant asset-referenced token shall be transferred from the competent authority of the issuer’s home Member State to EBA within 20 working days of the date of notification of that decision.
EBA and the competent authority shall cooperate in order to ensure the smooth transition of supervisory competences.
Where EBA concludes that certain asset-referenced tokens no longer fulfil the criteria set out in paragraph 1 in accordance with paragraph 2, EBA shall prepare a draft decision to no longer classify the asset-referenced tokens as significant and notify that draft decision to the issuers of those asset-referenced tokens and the competent authority of their home Member State, to the ECB and, in the cases referred to in paragraph 4, second subparagraph, to the central bank of the Member State concerned.
Issuers of such asset-referenced tokens, their competent authorities, the ECB and the central bank referred in paragraph 4 shall have 20 working days from the date of notification of that draft decision to provide observations and comments in writing. EBA shall duly consider those observations and comments before adopting a final decision.
EBA shall take its final decision on whether to no longer classify an asset-referenced token as significant within 60 working days from the date of the notification referred to in paragraph 8 and immediately notify that decision to the issuer of such asset-referenced tokens and its competent authority.
Where an asset-referenced token is no longer classified as significant pursuant to a decision of EBA taken in accordance with paragraph 9, the supervisory responsibilities with respect to the issuer of that asset-referenced token shall be transferred from EBA to the competent authority of the issuer’s home Member State within 20 working days from the date of notification of that decision.
EBA and the competent authority shall cooperate in order to ensure the smooth transition of supervisory competences.
(a) the circumstances under which the activities of the issuer of the asset-referenced token are deemed significant on an international scale outside the Union;
(b) the circumstances under which asset-referenced tokens and their issuers shall be considered to be interconnected with the financial system;
(c) the content and format of information provided by competent authorities to EBA and the ECB under paragraph 4 of this Article and Article 56(3).
In order for an asset-referenced token to be classified as significant under this Article, the applicant issuer of the asset-referenced token shall demonstrate, through a detailed programme of operations referred to in Article 17(1), point (b)(i), and Article 18(2), point (d), that it is likely to fulfil at least three of the criteria set out in Article 43(1).
Competent authorities of issuers of such asset-referenced tokens, the ECB and, where applicable, the central bank of the Member State concerned, shall have 20 working days from the date of notification of that draft decision to provide observations and comments in writing. EBA shall duly consider those observations and comments before adopting a final decision.
EBA shall take its final decision on whether to classify an asset-referenced token as a significant asset-referenced token within 60 working days of the notification referred to in paragraph 1 and immediately notify that decision to the applicant issuer of such asset-referenced token and its competent authority.
Where asset-referenced tokens have been classified as significant pursuant to a decision of EBA taken in accordance with paragraph 3 of this Article, the supervisory responsibilities with respect to issuers of those asset-referenced tokens shall be transferred from the competent authority to EBA on the date of the decision of the competent authority to grant the authorisation referred to in Article 21(1) or on the date of approval of the crypto-asset white paper pursuant to Article 17.
Issuers of significant asset-referenced tokens shall adopt, implement and maintain a remuneration policy that promotes the sound and effective risk management of such issuers and that does not create incentives to relax risk standards.
Issuers of significant asset-referenced tokens shall ensure that such tokens can be held in custody by different crypto-asset service providers authorised for providing custody and administration of crypto-assets on behalf of clients, including by crypto-asset service providers that do not belong to the same group, as defined in Article 2, point (11), of Directive 2013/34/EU, on a fair, reasonable and non-discriminatory basis.
Issuers of significant asset-referenced tokens shall assess and monitor the liquidity needs to meet requests for redemption of asset-referenced tokens by their holders. For that purpose, issuers of significant asset-referenced tokens shall establish, maintain and implement a liquidity management policy and procedures. That policy and those procedures shall ensure that the reserve assets have a resilient liquidity profile that enables issuers of significant asset-referenced tokens to continue operating normally, including under scenarios of liquidity stress.
Issuers of significant asset-referenced tokens shall, on a regular basis, conduct liquidity stress testing. Depending on the outcome of such tests, EBA may decide to strengthen the liquidity requirements referred to in paragraph 7, first subparagraph, point (b), of this Article and in Article 36(6).
Where issuers of significant asset-referenced tokens offer two or more asset-referenced tokens or provide crypto-asset services, those stress tests shall cover all of those activities in a comprehensive and holistic manner.
The percentage referred to in Article 35(1), first subparagraph, point (b), shall be set at 3 % of the average amount of the reserve assets for issuers of significant asset-referenced tokens.
Where several issuers offer the same significant asset-referenced token, paragraphs 1 to 5 shall apply to each issuer.
Where an issuer offers two or more asset-referenced tokens in the Union and at least one of those asset-referenced tokens is classified as significant, paragraphs 1 to 5 shall apply to that issuer.
(a) the minimum content of the governance arrangements on the remuneration policy referred to in paragraph 1;
(b) the minimum contents of the liquidity management policy and procedures as set out in paragraph 3, and liquidity requirements, including by specifying the minimum amount of deposits in each official currency referenced, which cannot be lower than 60 % of the amount referenced in each official currency;
(c) the procedure and timeframe for an issuer of a significant asset-referenced token to adjust the amount of its own funds as required by paragraph 5.
In the case of credit institutions, EBA shall calibrate the technical standards taking into consideration any possible interactions between the regulatory requirements established by this Regulation and the regulatory requirements established by other Union legislative acts.
EBA shall submit the draft regulatory technical standards referred to in the first subparagraph to the Commission by 30 June 2024.
Power is delegated to the Commission to supplement this Regulation by adopting the regulatory technical standards referred to in the first subparagraph of this paragraph in accordance with Articles 10 to 14 of Regulation (EU) No 1093/2010.
The recovery plan shall also include the preservation of the issuer’s services related to the asset-referenced token, the timely recovery of operations and the fulfilment of the issuer’s obligations in the case of events that pose a significant risk of disrupting operations.
The recovery plan shall include appropriate conditions and procedures to ensure the timely implementation of recovery actions as well as a wide range of recovery options, including:
(a) liquidity fees on redemptions;
(b) limits on the amount of the asset-referenced token that can be redeemed on any working day;
(c) suspension of redemptions.
Where applicable, the issuer shall also notify the recovery plan to its resolution and prudential supervisory authorities in parallel to the competent authority.
Where the issuer fails to comply with the requirements applicable to the reserve of assets as referred to in Chapter 3 of this Title or, due to a rapidly deteriorating financial condition, is likely in the near future to not comply with those requirements, the competent authority, in order to ensure compliance with the applicable requirements, shall have the power to require the issuer to implement one or more of the arrangements or measures set out in the recovery plan or to update such a recovery plan when the circumstances are different from the assumptions set out in the initial recovery plan and implement one or more of the arrangements or measures set out in the updated plan within a specific timeframe.
In the circumstances referred to in paragraph 3, the competent authority shall have the power to temporarily suspend the redemption of asset-referenced tokens, provided that the suspension is justified having regard to the interests of the holders of asset-referenced tokens and financial stability.
Where applicable, the competent authority shall notify the issuer’s resolution and prudential supervisory authorities of any measure taken pursuant to paragraphs 3 and 4.
EBA, after consultation with ESMA, shall issue guidelines in accordance with Article 16 of Regulation (EU) No 1093/2010 to specify the format of the recovery plan and the information to be provided in the recovery plan.
An issuer of an asset-referenced token shall draw up and maintain an operational plan to support the orderly redemption of each asset-referenced token, which is to be implemented upon a decision by the competent authority that the issuer is unable or likely to be unable to fulfil its obligations, including in the case of insolvency or, where applicable, resolution or in the case of withdrawal of authorisation of the issuer, without prejudice to the commencement of a crisis prevention measure or crisis management measure as defined in Article 2(1), points (101) and (102), respectively, of Directive 2014/59/EU or a resolution action as defined in Article 2, point (11), of Regulation (EU) 2021/23 of the European Parliament and of the Council.
The redemption plan shall demonstrate the ability of the issuer of the asset-referenced token to carry out the redemption of the outstanding asset-referenced token issued without causing undue economic harm to its holders or to the stability of the markets of the reserve assets.
The redemption plan shall include contractual arrangements, procedures and systems, including the designation of a temporary administrator in accordance with applicable law, to ensure the equitable treatment of all holders of asset-referenced tokens and to ensure that holders of asset-referenced tokens are paid in a timely manner with the proceeds from the sale of the remaining reserve assets.
The redemption plan shall ensure the continuity of any critical activities that are necessary for the orderly redemption and that are performed by issuers or by any third-party entity.
The issuer of the asset-referenced token shall notify the redemption plan to the competent authority within six months of the date of authorisation pursuant to Article 21 or within six months of the date of approval of the crypto-asset white paper pursuant to Article 17. The competent authority shall require amendments to the redemption plan where necessary to ensure its proper implementation and shall notify its decision requesting those amendments to the issuer within 40 working days of the date of notification of that plan. That decision shall be implemented by the issuer within 40 working days of the date of notification of that decision. The issuer shall regularly review and update the redemption plan.
Where applicable, the competent authority shall notify the redemption plan to the resolution authority and prudential supervisory authority of the issuer.
The resolution authority may examine the redemption plan with a view to identifying any actions in the redemption plan that might adversely impact the resolvability of the issuer, and may make recommendations to the competent authority in respect thereof.
(a) the content of the redemption plan and the periodicity for review, taking into account the size, complexity and nature of the asset-referenced token and the business model of its issuer; and
(b) the triggers for implementation of the redemption plan.
(a) is authorised as a credit institution or as an electronic money institution; and
(b) has notified a crypto-asset white paper to the competent authority and has published that crypto-asset white paper in accordance with Article 51.
Notwithstanding the first subparagraph, upon the written consent of the issuer, other persons may offer to the public or seek the admission to trading of the e-money token. Those persons shall comply with Articles 50 and 53.
An e-money token that references an official currency of a Member State shall be deemed to be offered to the public in the Union.
Titles II and III of Directive 2009/110/EC shall apply with respect to e-money tokens unless otherwise stated in this Title.
Paragraph 1 of this Article shall not apply to issuers of e-money tokens exempted in accordance with Article 9(1) of Directive 2009/110/EC.
This Title, with the exception of paragraph 7 of this Article and Article 51, shall not apply in respect of e-money tokens exempt pursuant to Article 1(4) and (5) of Directive 2009/110/EC.
Issuers of e-money tokens shall, at least 40 working days before the date on which they intend to offer to the public those e-money tokens or seek their admission to trading, notify their competent authority of that intention.
Where paragraph 4 or 5 applies, the issuers of e-money tokens shall draw up a crypto-asset white paper and notify such crypto-asset white paper to the competent authority in accordance with Article 51.
By way of derogation from Article 11 of Directive 2009/110/EC, in respect of the issuance and redeemability of e-money tokens only the requirements set out in this Article shall apply to issuers of e-money tokens.
Holders of e-money tokens shall have a claim against the issuers of those e-money tokens.
Issuers of e-money tokens shall issue e-money tokens at par value and on the receipt of funds.
Upon request by a holder of an e-money token, the issuer of that e-money token shall redeem it, at any time and at par value, by paying in funds, other than electronic money, the monetary value of the e-money token held to the holder of the e-money token.
Issuers of e-money tokens shall prominently state the conditions for redemption in the crypto-asset white paper as referred to in Article 51(1), first subparagraph, point (d).
Without prejudice to Article 46, the redemption of e-money tokens shall not be subject to a fee.
Notwithstanding Article 12 of Directive 2009/110/EC, issuers of e-money tokens shall not grant interest in relation to e-money tokens.
Crypto-asset service providers shall not grant interest when providing crypto-asset services related to e-money tokens.
For the purposes of paragraphs 1 and 2, any remuneration or any other benefit related to the length of time during which a holder of an e-money token holds such e-money token shall be treated as interest. That includes net compensation or discounts, with an effect equivalent to that of interest received by the holder of the e-money token, directly from the issuer or from third parties, and directly associated to the e-money token or from the remuneration or pricing of other products.
(a) information about the issuer of the e-money token;
(b) information about the e-money token;
(c) information about the offer to the public of the e-money token or its admission to trading;
(d) information on the rights and obligations attached to the e-money token;
(e) information on the underlying technology;
(f) information on the risks;
(g) information on the principal adverse impacts on the climate and other environment-related adverse impacts of the consensus mechanism used to issue the e-money token.
The crypto-asset white paper shall also include the identity of the person other than the issuer that offers the e-money token to the public or seeks its admission to trading pursuant to Article 48(1), second subparagraph, and the reason why that particular person offers that e-money token or seeks its admission to trading.
All the information listed in paragraph 1 shall be fair, clear and not misleading. The crypto-asset white paper shall not contain material omissions and shall be presented in a concise and comprehensible form.
The crypto-asset white paper shall contain the following clear and prominent statement on the first page:
‘This crypto-asset white paper has not been approved by any competent authority in any Member State of the European Union. The issuer of the crypto-asset is solely responsible for the content of this crypto-asset white paper.’.
(a) the e-money token is not covered by the investor compensation schemes under Directive 97/9/EC;
(b) the e-money token is not covered by the deposit guarantee schemes under Directive 2014/49/EU.
The crypto-asset white paper shall contain a statement from the management body of the issuer of the e-money token. That statement, which shall be inserted after the statement referred to in paragraph 3, shall confirm that the crypto-asset white paper complies with this Title and that, to the best of the knowledge of the management body, the information presented in the crypto-asset white paper is complete, fair, clear and not misleading and that the crypto-asset white paper makes no omission likely to affect its import.
The crypto-asset white paper shall contain a summary, inserted after the statement referred to in paragraph 5, which shall in brief and non-technical language provide key information about the offer to the public of the e-money token or the intended admission to trading of such e-money token. The summary shall be easily understandable and presented and laid out in a clear and comprehensive format, using characters of readable size. The summary of the crypto-asset white paper shall provide appropriate information about the characteristics of the crypto-assets concerned in order to help prospective holders of the crypto-assets to make an informed decision.
The summary shall contain a warning that:
(a) it should be read as an introduction to the crypto-asset white paper;
(b) the prospective holder should base any decision to purchase the e-money token on the content of the crypto-asset white paper as a whole and not on the summary alone;
(c) the offer to the public of the e-money token does not constitute an offer or solicitation to purchase financial instruments and that any such offer or solicitation can be made only by means of a prospectus or other offer documents pursuant to the applicable national law;
(d) the crypto-asset white paper does not constitute a prospectus as referred to in Regulation (EU) 2017/1129 or any other offer document pursuant to Union or national law.
The summary shall state that holders of the e-money token have a right of redemption at any time and at par value as well as the conditions for redemption.
The crypto-asset white paper shall contain the date of its notification and a table of contents.
The crypto-asset white paper shall be drawn up in an official language of the home Member State or in a language customary in the sphere of international finance.
Where the e-money token is also offered in a Member State other than the home Member State, the crypto-asset white paper shall also be drawn up in an official language of the host Member State or in a language customary in the sphere of international finance.
The crypto-asset white paper shall be made available in a machine-readable format.
ESMA, in cooperation with EBA, shall develop draft implementing technical standards to establish standard forms, formats and templates for the purposes of paragraph 9.
ESMA shall submit the draft implementing technical standards referred to in the first subparagraph to the Commission by 30 June 2024.
Power is conferred on the Commission to adopt the implementing technical standards referred to in the first subparagraph of this paragraph in accordance with Article 15 of Regulation (EU) No 1095/2010.
Competent authorities shall not require prior approval of crypto-asset white papers before their publication.
Any significant new factor, any material mistake or any material inaccuracy that is capable of affecting the assessment of the e-money token shall be described in a modified crypto-asset white paper drawn up by the issuers, notified to the competent authorities and published on the issuers’ websites.
Before offering the e-money token to the public in the Union or seeking an admission to trading of the e-money token, the issuer of such e-money token shall publish a crypto-asset white paper on its website.
The issuer of the e-money token shall together with the notification of the crypto-asset white paper pursuant to paragraph 11 of this Article provide the competent authority with the information referred to in Article 109(4). The competent authority shall communicate to ESMA, within five working days of receipt of the information from the issuer, the information specified in Article 109(4).
The competent authority shall also communicate to ESMA any modified crypto-asset white paper and any withdrawal of the authorisation of the issuer of the e-money token.
ESMA shall make such information available in the register, under Article 109(4), by the starting date of the offer to the public or admission to trading or, in the case of a modified crypto-asset white paper, or withdrawal of the authorisation, without undue delay.
When developing the draft regulatory technical standards referred to in the first subparagraph, ESMA shall consider the various types of consensus mechanisms used to validate transactions in crypto-assets, their incentive structures and the use of energy, renewable energy and natural resources, the production of waste, and greenhouse gas emissions. ESMA shall update the regulatory technical standards in the light of regulatory and technological developments.
ESMA shall submit the draft regulatory technical standards referred to in the first subparagraph to the Commission by 30 June 2024.
Power is delegated to the Commission to supplement this Regulation by adopting the regulatory technical standards referred to in the first subparagraph of this paragraph in accordance with Articles 10 to 14 of Regulation (EU) No 1095/2010.
Where an issuer of an e-money token has infringed Article 51, by providing in its crypto-asset white paper or in a modified crypto-asset white paper, information that is not complete, fair or clear, or that is misleading, that issuer and the members of its administrative, management or supervisory body shall be liable to a holder of such e-money token for any loss incurred due to that infringement.
Any contractual exclusion or limitation of civil liability as referred to in paragraph 1 shall be deprived of legal effect.
It shall be the responsibility of the holder of the e-money token to present evidence indicating that the issuer of that e-money token has infringed Article 51 by providing in its crypto-asset white paper or in a modified crypto-asset white paper information that is not complete, fair or clear, or that is misleading and that reliance on such information had an impact on the holder’s decision to purchase, sell or exchange that e-money token.
The issuer and the members of its administrative, management or supervisory bodies shall not be liable for loss suffered as a result of reliance on the information provided in a summary pursuant to Article 51(6), including any translation thereof, except where the summary:
(a) is misleading, inaccurate or inconsistent when read together with the other parts of the crypto-asset white paper; or
(b) does not provide, when read together with the other parts of the crypto-asset white paper, key information in order to aid prospective holders when considering whether to purchase such e-money tokens.
(a) the marketing communications are clearly identifiable as such;
(b) the information in the marketing communications is fair, clear and not misleading;
(c) the information in the marketing communications is consistent with the information in the crypto-asset white paper;
(d) the marketing communications clearly state that a crypto-asset white paper has been published and clearly indicate the address of the website of the issuer of the e-money token, as well as a telephone number and an email address to contact the issuer.
Marketing communications shall contain a clear and unambiguous statement that the holders of the e-money token have a right of redemption against the issuer at any time and at par value.
Marketing communications and any modifications thereto shall be published on the issuer’s website.
Competent authorities shall not require prior approval of marketing communications before their publication.
Marketing communications shall be notified to the competent authorities upon request.
No marketing communications shall be disseminated prior to the publication of the crypto-asset white paper. Such restriction does not affect the ability of the issuer of the e-money token to conduct market soundings.
Funds received by issuers of e-money tokens in exchange for e-money tokens and safeguarded in accordance with Article 7(1) of Directive 2009/110/EC shall comply with the following:
(a) at least 30 % of the funds received is always deposited in separate accounts in credit institutions;
(b) the remaining funds received are invested in secure, low-risk assets that qualify as highly liquid financial instruments with minimal market risk, credit risk and concentration risk, in accordance with Article 38(1) of this Regulation, and are denominated in the same official currency as the one referenced by the e-money token.
Title III, Chapter 6 shall apply mutatis mutandis to issuers of e-money tokens.
By way of derogation from Article 46(2), the date by which the recovery plan is to be notified to the competent authority shall, in respect of issuers of e-money tokens, be within six months of the date of the offer to the public or admission to trading.
By way of derogation from Article 47(3), the date by which the redemption plan is to be notified to the competent authority shall, in respect of issuers of e-money tokens, be within six months of the date of the offer to the public or admission to trading.
(a) during the period covered by the first report of information as referred to in paragraph 3 of this Article, following the offer to the public or the seeking admission to trading of those tokens; or
(b) during the period covered by at least two consecutive reports of information as referred to in paragraph 3 of this Article.
Where several issuers issue the same e-money token, the fulfilment of the criteria set out in Article 43(1) shall be assessed after aggregating the data from those issuers.
Competent authorities of the issuer’s home Member State shall report to EBA and the ECB information relevant for the assessment of the fulfilment of the criteria set out in Article 43(1), including, if applicable, the information received under Article 22, at least twice a year.
Where the issuer is established in a Member State whose official currency is not the euro, or where an official currency of a Member State that is not the euro is referenced by the e-money token, competent authorities shall transmit the information referred to in the first subparagraph also to the central bank of that Member State.
Issuers of such e-money tokens, their competent authorities, the ECB and, where applicable, the central bank of the Member State concerned shall have 20 working days from the date of notification of that draft decision to provide observations and comments in writing. EBA shall duly consider those observations and comments before adopting a final decision.
EBA shall take its final decision on whether to classify an e-money token as a significant e-money token within 60 working days from the date of notification referred to in paragraph 4 and immediately notify that decision to the issuer of such e-money token and its competent authority.
Where an e-money token has been classified as significant pursuant to a decision of EBA taken in accordance with paragraph 5, the supervisory responsibilities with respect to the issuer of that e e-money token shall be transferred from the competent authority of the issuer’s home Member State to EBA in accordance with Article 117(4) within 20 working days from the date of notification of that decision.
EBA and the competent authority shall cooperate in order to ensure the smooth transition of supervisory competences.
The competent authority of the issuer’s home Member State shall provide EBA annually with information on any cases where the derogation referred to in the first subparagraph is applied.
For the purposes of the first subparagraph, a transaction shall be considered to take place in the home Member State when the payer or the payee is established in that Member State.
Where EBA concludes that certain e-money tokens no longer meet the criteria set out in Article 43(1), in accordance with paragraph 1 of this Article, EBA shall prepare a draft decision to no longer classify the e-money token as significant and notify that draft decision to the issuers of those e-money tokens, to the competent authorities of their home Member State, to the ECB and, in the cases referred to in paragraph 3, second subparagraph, of this Article, to the central bank of the Member State concerned.
Issuers of such e-money tokens, their competent authorities, the ECB and the central bank of the Member State concerned shall have 20 working days from the date of notification of that draft decision to provide observations and comments in writing. EBA shall duly consider those observations and comments before adopting a final decision.
EBA shall take its final decision on whether to no longer classify an e-money token as significant within 60 working days from the date of the notification referred to in paragraph 8 and immediately notify that decision to the issuer of that e-money token and its competent authority.
Where an e-money token is no longer classified as significant pursuant to a decision of EBA taken in accordance with paragraph 9, the supervisory responsibilities with respect to the issuer of that e-money token shall be transferred from EBA to the competent authority of the issuer’s home Member State within 20 working days from the date of notification of that decision.
EBA and the competent authority shall cooperate in order to ensure the smooth transition of supervisory competences.
In order for the e-money token to be classified as significant under this Article, the issuer of the e-money token shall demonstrate, through a detailed programme of operations, that it is likely to meet at least three of the criteria set out in Article 43(1).
The competent authorities of issuers of such e-money tokens, the ECB and, where applicable, the central bank of the Member State concerned shall have 20 working days from the date of notification of that draft decision to provide observations and comments in writing. EBA shall duly consider those observations and comments before adopting a final decision.
EBA shall take its final decision on whether to classify an e-money token as a significant e-money token within 60 working days of the date of notification referred to in paragraph 1 and immediately notify that decision to the issuer of such e-money token and its competent authority.
Where an e-money token has been classified as significant pursuant to a decision of EBA taken in accordance with paragraph 3 of this Article, the supervisory responsibilities with respect to issuers of those e-money tokens shall be transferred from the competent authority to EBA in accordance with Article 117(4) within 20 working days from the date of notification of that decision.
EBA and the competent authorities shall cooperate in order to ensure the smooth transition of supervisory competences.
The competent authority of the issuer’s home Member State shall provide EBA annually with information on the application of the derogation referred to in the first subparagraph.
For the purposes of the first subparagraph, a transaction shall be considered to take place in the home Member State when the payer or the payee are established in that Member State.
(a) the requirements referred to in Articles 36, 37, 38 and Article 45, (1) to (4) of this Regulation, instead of Article 7 of Directive 2009/110/EC;
(b) the requirements referred to in Article 35(2), (3) and (5) and Article 45(5) of this Regulation, instead of Article 5 of Directive 2009/110/EC.
By way of derogation from Article 36(9), the independent audit shall, in respect of issuers of significant e-money tokens, be mandated every six months as of the date of the decision to classify the e-money tokens as significant pursuant to Article 56 or 57, as applicable.
Competent authorities of the home Member States may require electronic money institutions issuing e-money tokens that are not significant to comply with any requirement referred to in paragraph 1 where necessary to address the risks that those provisions aim to address, such as liquidity risks, operational risks, or risks arising from non-compliance with requirements for management of reserve of assets.
Articles 22, 23 and 24(3) shall apply to e-money tokens denominated in a currency that is not an official currency of a Member State.
(a) a legal person or other undertaking that has been authorised as crypto-asset service provider in accordance with Article 63; or
(b) a credit institution, central securities depository, investment firm, market operator, electronic money institution, UCITS management company, or an alternative investment fund manager that is allowed to provide crypto-asset services pursuant to Article 60.
Crypto-asset service providers authorised in accordance with Article 63 shall have a registered office in a Member State where they carry out at least part of their crypto-asset services. They shall have their place of effective management in the Union and at least one of the directors shall be resident in the Union.
For the purposes of paragraph 1, point (a), other undertakings that are not legal persons shall only provide crypto-asset services if their legal form ensures a level of protection for third parties’ interests equivalent to that afforded by legal persons and if they are subject to equivalent prudential supervision appropriate to their legal form.
Crypto-asset service providers authorised in accordance with Article 63 shall at all times meet the conditions for their authorisation.
A person who is not a crypto-asset service provider shall not use a name, or a corporate name, or issue marketing communications or undertake any other process suggesting that it is a crypto-asset service provider or that is likely to create confusion in that respect.
Competent authorities that grant authorisations in accordance with Article 63 shall ensure that such authorisations specify the crypto-asset services that crypto-asset service providers are authorised to provide.
Crypto-asset service providers shall be allowed to provide crypto-asset services throughout the Union, either through the right of establishment, including through a branch, or through the freedom to provide services. Crypto-asset service providers that provide crypto-asset services on a cross-border basis shall not be required to have a physical presence in the territory of a host Member State.
Crypto-asset service providers seeking to add crypto-asset services to their authorisation as referred to in Article 63 shall request the competent authorities that granted their initial authorisation for an extension of their authorisation by complementing and updating the information referred to in Article 62. The request for extension shall be processed in accordance with Article 63.
A credit institution may provide crypto-asset services if it notifies the information referred to in paragraph 7 to the competent authority of its home Member State at least 40 working days before providing those services for the first time.
A central securities depository authorised under Regulation (EU) No 909/2014 of the European Parliament and of the Councilshall only provide custody and administration of crypto-assets on behalf of clients if it notifies the information referred to in paragraph 7 of this Article to the competent authority of the home Member State, at least 40 working days before providing that service for the first time.
For the purposes of the first subparagraph of this paragraph, providing custody and administration of crypto-assets on behalf of clients is deemed equivalent to providing, maintaining or operating securities accounts in relation to the settlement service referred to in Section B, point (3), of the Annex to Regulation (EU) No 909/2014.
For the purposes of this paragraph:
(a) providing custody and administration of crypto-assets on behalf of clients is deemed equivalent to the ancillary service referred to in Section B, point (1), of Annex I to Directive 2014/65/EU;
(b) the operation of a trading platform for crypto-assets is deemed equivalent to the operation of a multilateral trading facility and operation of an organised trading facility referred to in Section A, points (8) and (9), respectively, of Annex I to Directive 2014/65/EU;
(c) the exchange of crypto-assets for funds and other crypto-assets is deemed equivalent to dealing on own account referred to in Section A, point (3), of Annex I to Directive 2014/65/EU;
(d) the execution of orders for crypto-assets on behalf of clients is deemed equivalent to the execution of orders on behalf of clients referred to in Section A, point (2), of Annex I to Directive 2014/65/EU;
(e) the placing of crypto-assets is deemed equivalent to the underwriting or placing of financial instruments on a firm commitment basis and placing of financial instruments without a firm commitment basis referred to in Section A, points (6) and (7), respectively, of Annex I to Directive 2014/65/EU;
(f) the reception and transmission of orders for crypto-assets on behalf of clients is deemed equivalent to the reception and transmission of orders in relation to one or more financial instruments referred to in Section A, point (1), of Annex I to Directive 2014/65/EU;
(g) providing advice on crypto-assets is deemed equivalent to investment advice referred to in Section A, point (5), of Annex I to Directive 2014/65/EU;
(h) providing portfolio management on crypto-assets is deemed equivalent to portfolio management referred to in Section A, point (4), of Annex I to Directive 2014/65/EU.
An electronic money institution authorised under Directive 2009/110/EC shall only provide custody and administration of crypto-assets on behalf of clients and transfer services for crypto-assets on behalf of clients with regard to the e-money tokens it issues if it notifies the competent authority of the home Member State of the information referred to in paragraph 7 of this Article at least 40 working days before providing those services for the first time.
A UCITS management company or an alternative investment fund manager may provide crypto-asset services equivalent to the management of portfolios of investment and non-core services for which it is authorised under Directive 2009/65/EC or Directive 2011/61/EU if it notifies the competent authority of the home Member State of the information referred to in paragraph 7 of this Article at least 40 working days before providing those services for the first time.
For the purposes of this paragraph:
(a) the reception and transmission of orders for crypto-assets on behalf of clients is deemed equivalent to the reception and transmission of orders in relation to financial instruments referred in Article 6(4), point (b)(iii), of Directive 2011/61/EU;
(b) providing advice on crypto-assets is deemed equivalent to investment advice referred to in Article 6(4), point (b)(i), of Directive 2011/61/EU and in Article 6(3), point (b)(i), of Directive 2009/65/EC;
(c) providing portfolio management on crypto-assets is deemed equivalent to the services referred to in Article 6(4), point (a), of Directive 2011/61/EU and in Article 6(3), point (a), of Directive 2009/65/EC.
A market operator authorised under Directive 2014/65/EU may operate a trading platform for crypto-assets if it notifies the competent authority of the home Member State of the information referred to in paragraph 7 of this Article at least 40 working days before providing those services for the first time.
For the purposes of paragraphs 1 to 6, the following information shall be notified:
(a) a programme of operations setting out the types of crypto-asset services that the applicant crypto-asset service provider intends to provide, including where and how those services are to be marketed;
(b) a description of:
(i) the internal control mechanisms, policies and procedures to ensure compliance with the provisions of national law transposing Directive (EU) 2015/849;
(ii) the risk assessment framework for the management of money laundering and terrorist financing risks; and
(iii) the business continuity plan;
(c) the technical documentation of the ICT systems and security arrangements, and a description thereof in non-technical language;
(d) a description of the procedure for the segregation of clients’ crypto-assets and funds;
(e) a description of the custody and administration policy, where it is intended to provide custody and administration of crypto-assets on behalf of clients;
(f) a description of the operating rules of the trading platform and of the procedures and system to detect market abuse, where it is intended to operate a trading platform for crypto-assets;
(g) a description of the non-discriminatory commercial policy governing the relationship with clients as well as a description of the methodology for determining the price of the crypto-assets they propose to exchange for funds or other crypto-assets, where it is intended to exchange crypto-assets for funds or other crypto-assets;
(h) a description of the execution policy, where it is intended to execute orders for crypto-assets on behalf of clients;
(i) evidence that the natural persons giving advice on behalf of the applicant crypto-asset service provider or managing portfolios on behalf of the applicant crypto-asset service provider have the necessary knowledge and expertise to fulfil their obligations, where it is intended to provide advice on crypto-assets or provide portfolio management on crypto-assets;
(j) whether the crypto-asset service relates to asset-referenced tokens, e-money tokens or other crypto-assets;
(k) information on the manner in which such transfer services will be provided, where it is intended to provide transfer services for crypto-assets on behalf of clients.
The deadline for providing any missing information shall not exceed 20 working days from the date of the request. Until the expiry of that deadline, each period as set out in paragraphs 1 to 6 shall be suspended. Any further requests by the competent authority for completion or clarification of the information shall be at its discretion but shall not result in a suspension of any period set out in paragraphs 1 to 6.
The crypto-asset service provider shall not begin providing the crypto-asset services as long as the notification is incomplete.
The entities referred to in paragraphs 1 to 6 shall not be required to submit any information referred to in paragraph 7 that was previously submitted by them to the competent authority where such information would be identical. When submitting the information referred to in paragraph 7, the entities referred to in paragraphs 1 to 6 shall expressly state that any information that was submitted previously is still up-to-date.
Where the entities referred to in paragraphs 1 to 6 of this Article provide crypto-asset services, they shall not be subject to Articles 62, 63, 64, 67, 83 and 84.
The right to provide crypto-asset services referred to in paragraphs 1 to 6 of this Article shall be revoked upon the withdrawal of the relevant authorisation that enabled the respective entity to provide the crypto-asset services without being required to obtain an authorisation pursuant to Article 59.
Competent authorities shall communicate to ESMA the information specified in Article 109(5), after verifying the completeness of the information referred to in paragraph 7.
ESMA shall make such information available in the register referred to in Article 109 by the starting date of the intended provision of crypto-asset services.
ESMA shall submit the draft regulatory technical standards referred to in the first subparagraph to the Commission by 30 June 2024.
Power is delegated to the Commission to supplement this Regulation by adopting the regulatory technical standards referred to in the first subparagraph of this paragraph in accordance with Articles 10 to 14 of Regulation (EU) No 1095/2010.
ESMA shall submit the draft implementing technical standards referred to in the first subparagraph to the Commission by 30 June 2024.
Power is conferred on the Commission to adopt the implementing technical standards referred to in the first subparagraph of this paragraph in accordance with Article 15 of Regulation (EU) No 1095/2010.
Without prejudice to intragroup relationships, where a third‐country firm, including through an entity acting on its behalf or having close links with such third‐country firm or any other person acting on behalf of such entity, solicits clients or prospective clients in the Union, regardless of the means of communication used for the solicitation, promotion or advertising in the Union, it shall not be deemed to be a service provided on the client’s own exclusive initiative.
The second subparagraph shall apply notwithstanding any contractual clause or disclaimer purporting to state otherwise, including any clause or disclaimer that the provision of services by a third-country firm is deemed to be a service provided on the client’s own exclusive initiative.
A client’s own exclusive initiative as referred to in paragraph 1 shall not entitle a third‐country firm to market new types of crypto-assets or crypto-asset services to that client.
ESMA shall by 30 December 2024 issue guidelines in accordance with Article 16 of Regulation (EU) No 1095/2010 to specify the situations in which a third-country firm is deemed to solicit clients established or situated in the Union.
In order to foster convergence and promote consistent supervision in respect of the risk of abuse of this Article, ESMA shall also issue guidelines in accordance with Article 16 of Regulation (EU) No 1095/2010 on supervision practices to detect and prevent circumvention of this Regulation.
Legal persons or other undertakings that intend to provide crypto-asset services shall submit their application for an authorisation as a crypto-asset service provider to the competent authority of their home Member State.
The application referred to in paragraph 1 shall contain all of the following information:
(a) the name, including the legal name and any other commercial name used, the legal entity identifier of the applicant crypto-asset service provider, the website operated by that provider, a contact email address, a contact telephone number and its physical address;
(b) the legal form of the applicant crypto-asset service provider;
(c) the articles of association of the applicant crypto-asset service provider, where applicable;
(d) a programme of operations, setting out the types of crypto-asset services that the applicant crypto-asset service provider intends to provide, including where and how those services are to be marketed;
(e) proof that the applicant crypto-asset service provider meets the requirements for prudential safeguards set out in Article 67;
(f) a description of the applicant crypto-asset service provider’s governance arrangements;
(g) proof that members of the management body of the applicant crypto-asset service provider are of sufficiently good repute and possess the appropriate knowledge, skills and experience to manage that provider;
(h) the identity of any shareholders and members, whether direct or indirect, that have qualifying holdings in the applicant crypto-asset service provider and the amounts of those holdings, as well as proof that those persons are of sufficiently good repute;
(i) a description of the applicant crypto-asset service provider’s internal control mechanisms, policies and procedures to identify, assess and manage risks, including money laundering and terrorist financing risks, and business continuity plan;
(j) the technical documentation of the ICT systems and security arrangements, and a description thereof in non-technical language;
(k) a description of the procedure for the segregation of clients’ crypto-assets and funds;
(l) a description of the applicant crypto-asset service provider’s complaints-handling procedures;
(m) where the applicant crypto-asset service provider intends to provide custody and administration of crypto-assets on behalf of clients, a description of the custody and administration policy;
(n) where the applicant crypto-asset service provider intends to operate a trading platform for crypto-assets, a description of the operating rules of the trading platform and of the procedure and system to detect market abuse;
(o) where the applicant crypto-asset service provider intends to exchange crypto-assets for funds or other crypto-assets, a description of the commercial policy, which shall be non-discriminatory, governing the relationship with clients as well as a description of the methodology for determining the price of the crypto-assets that the applicant crypto-asset service provider proposes to exchange for funds or other crypto-assets;
(p) where the applicant crypto-asset service provider intends to execute orders for crypto-assets on behalf of clients, a description of the execution policy;
(q) where the applicant crypto-asset service provider intends to provide advice on crypto-assets or portfolio management of crypto-assets, proof that the natural persons giving advice on behalf of the applicant crypto-asset service provider or managing portfolios on behalf of the applicant crypto-asset service provider have the necessary knowledge and expertise to fulfil their obligations;
(r) where the applicant crypto-asset service provider intends to provide transfer services for crypto-assets on behalf of clients, information on the manner in which such transfer services will be provided;
(s) the type of crypto-asset to which the crypto-asset service relates.
(a) for all members of the management body of the applicant crypto-asset service provider, the absence of a criminal record in respect of convictions and the absence of penalties imposed under the applicable commercial law, insolvency law and financial services law, or in relation to anti-money laundering, and counter-terrorist financing, to fraud or to professional liability;
(b) that the members of the management body of the applicant crypto-asset service provider collectively possess the appropriate knowledge, skills and experience to manage the crypto-asset service provider and that those persons are required to commit sufficient time to perform their duties;
(c) for all shareholders and members, whether direct or indirect, that have qualifying holdings in the applicant crypto-asset service provider, the absence of a criminal record in respect of convictions or the absence of penalties imposed under the applicable commercial law, insolvency law and financial services law, or in relation to anti-money laundering and counter-terrorist financing, to fraud or to professional liability.
Competent authorities shall not require an applicant crypto-asset service provider to provide any information referred to in paragraphs 2 and 3 of this Article that they have already received under the respective authorisation procedures in accordance with Directive 2009/110/EC, 2014/65/EU or (EU) 2015/2366, or pursuant to national law applicable to crypto-asset services prior to 29 June 2023, provided that such previously submitted information or documents are still up-to-date.
ESMA, in close cooperation with EBA, shall develop draft regulatory technical standards to further specify the information referred to in paragraphs 2 and 3.
ESMA shall submit the draft regulatory technical standards referred to in the first subparagraph to the Commission by 30 June 2024.
Power is delegated to the Commission to supplement this Regulation by adopting the regulatory technical standards referred to in the first subparagraph of this paragraph in accordance with Articles 10 to 14 of Regulation (EU) No 1095/2010.
ESMA shall submit the draft implementing technical standards referred to in the first subparagraph to the Commission by 30 June 2024.
Power is conferred on the Commission to adopt the implementing technical standards referred to in the first subparagraph of this paragraph in accordance with Article 15 of Regulation (EU) No 1095/2010.
Competent authorities shall promptly, and in any event within five working days of receipt of an application under Article 62(1), acknowledge receipt thereof in writing to the applicant crypto-asset service provider.
Competent authorities shall, within 25 working days of receipt of an application under Article 62(1), assess whether that application is complete by checking that the information listed in Article 62(2) has been submitted.
Where the application is not complete, competent authorities shall set a deadline by which the applicant crypto-asset service provider is to provide any missing information.
Competent authorities may refuse to review applications where such applications remain incomplete after the expiry of the deadline set by them in accordance with paragraph 2, second subparagraph.
Once an application is complete, competent authorities shall promptly notify the applicant crypto-asset service provider thereof.
Before granting or refusing authorisation as a crypto-asset service provider, competent authorities shall consult the competent authorities of another Member State where the applicant crypto-asset service provider is in one of the following positions in relation to a credit institution, a central securities depository, an investment firm, a market operator, a UCITS management company, an alternative investment fund manager, a payment institution, an insurance undertaking, an electronic money institution or an institution for occupational retirement provision, authorised in that other Member State:
(a) it is its subsidiary;
(b) it is a subsidiary of the parent undertaking of that entity; or
(c) it is controlled by the same natural or legal persons who control that entity.
(a) may consult the competent authorities for anti-money laundering and counter-terrorist financing, and financial intelligence units, in order to verify that the applicant crypto-asset service provider has not been the subject of an investigation into conduct relating to money laundering or terrorist financing;
(b) shall ensure that the applicant crypto-asset service provider that operates establishments or relies on third parties established in high-risk third countries identified pursuant to Article 9 of Directive (EU) 2015/849 complies with the provisions of national law transposing Articles 26(2), 45(3) and 45(5) of that Directive;
(c) shall, where appropriate, ensure that the applicant crypto-asset service provider has put in place appropriate procedures to comply with the provisions of national law transposing Article 18a(1) and (3) of Directive (EU) 2015/849.
Where close links exist between the applicant crypto-asset service provider and other natural or legal persons, competent authorities shall grant authorisation only if those links do not prevent the effective exercise of their supervisory functions.
Competent authorities shall refuse authorisation if the laws, regulations or administrative provisions of a third country governing one or more natural or legal persons with which the applicant crypto-asset service provider has close links, or difficulties involved in their enforcement, prevent the effective exercise of their supervisory functions.
Competent authorities shall, within 40 working days from the date of receipt of a complete application, assess whether the applicant crypto-asset service provider complies with this Title and shall adopt a fully reasoned decision granting or refusing an authorisation as a crypto-asset service provider. Competent authorities shall notify the applicant of their decision within five working days of the date of that decision. That assessment shall take into account the nature, scale and complexity of the crypto-asset services that the applicant crypto-asset service provider intends to provide.
Competent authorities shall refuse authorisation as a crypto-asset service provider where there are objective and demonstrable grounds that:
(a) the management body of the applicant crypto-asset service provider poses a threat to its effective, sound and prudent management and business continuity, and to the adequate consideration of the interest of its clients and the integrity of the market, or exposes the applicant crypto-asset service provider to a serious risk of money laundering or terrorist financing;
(b) the members of the management body of the applicant crypto-asset service provider do not meet the criteria set out in Article 68(1);
(c) the shareholders or members, whether direct or indirect, that have qualifying holdings in the applicant crypto-asset service provider do not meet the criteria of sufficiently good repute set out in Article 68(2);
(d) the applicant crypto-asset service provider fails to meet or is likely to fail to meet any of the requirements of this Title.
ESMA and EBA shall issue the guidelines referred to in the first subparagraph by 30 June 2024.
The assessment period under paragraph 9 shall be suspended for the period between the date of request for missing information by the competent authorities and the receipt by them of a response thereto from the applicant crypto-asset service provider. The suspension shall not exceed 20 working days. Any further requests by the competent authorities for completion or clarification of the information shall be at their discretion but shall not result in a suspension of the assessment period under paragraph 9.
(a) has not used its authorisation within 12 months of the date of the authorisation;
(b) has expressly renounced its authorisation;
(c) has not provided crypto-asset services for nine consecutive months;
(d) has obtained its authorisation by irregular means, such as by making false statements in its application for authorisation;
(e) no longer meets the conditions under which the authorisation was granted and has not taken the remedial action requested by the competent authority within the specified timeframe;
(f) fails to have in place effective systems, procedures and arrangements to detect and prevent money laundering and terrorist financing in accordance with Directive (EU) 2015/849;
(g) has seriously infringed this Regulation, including the provisions relating to the protection of holders of crypto-assets or of clients of crypto-asset service providers, or market integrity.
(a) the crypto-asset service provider has infringed the provisions of national law transposing Directive (EU) 2015/849;
(b) the crypto-asset service provider has lost its authorisation as a payment institution or its authorisation as an electronic money institution, and that crypto-asset service provider has failed to remedy the situation within 40 calendar days.
Where a competent authority withdraws an authorisation as a crypto-asset service provider, it shall notify ESMA and the single points of contact of the host Member States without undue delay. ESMA shall make such information available in the register referred to in Article 109.
Competent authorities may limit the withdrawal of authorisation to a particular crypto-asset service.
Before withdrawing an authorisation as a crypto-asset service provider, competent authorities shall consult the competent authority of another Member State where the crypto-asset service provider concerned is:
(a) a subsidiary of a crypto-asset service provider authorised in that other Member State;
(b) a subsidiary of the parent undertaking of a crypto-asset service provider authorised in that other Member State;
(c) controlled by the same natural or legal persons who control a crypto-asset service provider authorised in that other Member State.
Before withdrawing an authorisation as a crypto-asset service provider, competent authorities may consult the authority competent for supervising compliance of the crypto-asset service provider with the rules on anti-money laundering and counter-terrorist financing.
EBA, ESMA and any competent authority of a host Member State may at any time request that the competent authority of the home Member State examine whether the crypto-asset service provider still complies with the conditions under which the authorisation was granted, when there are grounds to suspect it may no longer be the case.
Crypto-asset service providers shall establish, implement and maintain adequate procedures ensuring the timely and orderly transfer of their clients’ crypto-assets and funds to another crypto-asset service provider when an authorisation is withdrawn.
(a) a list of the Member States in which the crypto-asset service provider intends to provide crypto-asset services;
(b) the crypto-asset services that the crypto-asset service provider intends to provide on a cross-border basis;
(c) the starting date of the intended provision of the crypto-asset services;
(d) a list of all other activities provided by the crypto-asset service provider not covered by this Regulation.
The competent authority of the home Member State shall, within 10 working days of receipt of the information referred to in paragraph 1, communicate that information to the single points of contact of the host Member States, to ESMA and to EBA.
The competent authority of the Member State that granted authorisation shall inform the crypto-asset service provider concerned of the communication referred to in paragraph 2 without delay.
The crypto-asset service provider may begin to provide crypto-asset services in a Member State other than its home Member State from the date of receipt of the communication referred to in paragraph 3 or at the latest from the 15th calendar day after having submitted the information referred to in paragraph 1.
Crypto-asset service providers shall act honestly, fairly and professionally in accordance with the best interests of their clients and prospective clients.
Crypto-asset service providers shall provide their clients with information that is fair, clear and not misleading, including in marketing communications, which shall be identified as such. Crypto-asset service providers shall not, deliberately or negligently, mislead a client in relation to the real or perceived advantages of any crypto-assets.
Crypto-asset service providers shall warn clients of the risks associated with transactions in crypto-assets.
When operating a trading platform for crypto-assets, exchanging crypto-assets for funds or other crypto-assets, providing advice on crypto-assets or providing portfolio management on crypto-assets, crypto-asset service providers shall provide their clients with hyperlinks to any crypto-asset white papers for the crypto-assets in relation to which they are providing those services.
Crypto-asset service providers shall make their policies on pricing, costs and fees publicly available, in a prominent place on their website.
Crypto-asset service providers shall make publicly available, in a prominent place on their website, information related to the principal adverse impacts on the climate and other environment-related adverse impacts of the consensus mechanism used to issue each crypto-asset in relation to which they provide services. That information may be obtained from the crypto-asset white papers.
ESMA, in cooperation with EBA, shall develop draft regulatory technical standards on the content, methodologies and presentation of information referred to in paragraph 5 in respect of the sustainability indicators in relation to adverse impacts on the climate and other environment‐related adverse impacts.
When developing the draft regulatory technical standards referred to in the first subparagraph, ESMA shall consider the various types of consensus mechanisms used to validate crypto-asset transactions, their incentive structures and the use of energy, renewable energy and natural resources, the production of waste and greenhouse gas emissions. ESMA shall update the regulatory technical standards in the light of regulatory and technological developments.
ESMA shall submit the draft regulatory technical standards referred to in the first subparagraph to the Commission by 30 June 2024.
Power is delegated to the Commission to supplement this Regulation by adopting the regulatory technical standards referred to in the first subparagraph of this paragraph in accordance with Articles 10 to 14 of Regulation (EU) No 1095/2010.
(a) the amount of permanent minimum capital requirements indicated in Annex IV, depending on the type of the crypto-asset services provided;
(b) one quarter of the fixed overheads of the preceding year, reviewed annually.
Crypto-asset service providers that have not been in business for one year from the date on which they began providing services shall use, for the calculation referred to in paragraph 1, point (b), the projected fixed overheads included in their projections for the first 12 months of service provision, as submitted with their application for authorisation.
For the purposes of paragraph 1, point (b), crypto-asset service providers shall calculate their fixed overheads for the preceding year, using figures resulting from the applicable accounting framework, by subtracting the following items from the total expenses after distribution of profits to shareholders or members in their most recently audited annual financial statements or, where audited statements are not available, in annual financial statements validated by national supervisors:
(a) staff bonuses and other remuneration, to the extent that those bonuses and that remuneration depend on a net profit of the crypto-asset service providers in the relevant year;
(b) employees’, directors’ and partners’ shares in profits;
(c) other appropriations of profits and other variable remuneration, to the extent that they are fully discretionary;
(d) non-recurring expenses from non-ordinary activities.
(a) own funds, consisting of Common Equity Tier 1 items and instruments referred to in Articles 26 to 30 of Regulation (EU) No 575/2013 after the deductions in full, pursuant to Article 36 of that Regulation, without the application of threshold exemptions pursuant to Articles 46 and 48 of that Regulation;
(b) an insurance policy covering the territories of the Union where crypto-asset services are provided or a comparable guarantee.
(a) it has an initial term of not less than one year;
(b) the notice period for its cancellation is at least 90 days;
(c) it is taken out from an undertaking authorised to provide insurance, in accordance with Union or national law;
(d) it is provided by a third-party entity.
(a) loss of documents;
(b) misrepresentations or misleading statements made;
(c) acts, errors or omissions resulting in a breach of:
(i) legal and regulatory obligations;
(ii) the obligation to act honestly, fairly and professionally towards clients;
(iii) obligations of confidentiality;
(d) failure to establish, implement and maintain appropriate procedures to prevent conflicts of interest;
(e) losses arising from business disruption or system failures;
(f) where applicable to the business model, gross negligence in the safeguarding of clients’ crypto-assets and funds;
(g) liability of the crypto-asset service providers towards clients pursuant to Article 75(8).
Members of the management body of crypto-asset service providers shall be of sufficiently good repute and possess the appropriate knowledge, skills and experience, both individually and collectively, to perform their duties. In particular, members of the management body of crypto-asset service providers shall not have been convicted of offences relating to money laundering or terrorist financing or of any other offences that would affect their good repute. They shall also demonstrate that they are capable of committing sufficient time to effectively perform their duties.
Shareholders and members, whether direct or indirect, that have qualifying holdings in crypto-asset service providers shall be of sufficiently good repute and, in particular, shall not have been convicted of offences relating to money laundering or terrorist financing or of any other offences that would affect their good repute.
Where the influence exercised by the shareholders or members, whether direct or indirect, that have qualifying holdings in a crypto-asset service provider is likely to be prejudicial to the sound and prudent management of that crypto-asset service provider, competent authorities shall take appropriate measures to address those risks.
Such measures may include applications for judicial orders or the imposition of penalties against directors and those responsible for management, or the suspension of the exercise of the voting rights attaching to the shares held by the shareholders or members, whether direct or indirect, that have the qualifying holdings.
Crypto-asset service providers shall adopt policies and procedures that are sufficiently effective to ensure compliance with this Regulation.
Crypto-asset service providers shall employ personnel with the knowledge, skills and expertise necessary for the discharge of the responsibilities allocated to them, taking into account the scale, nature and range of crypto-asset services provided.
The management body of crypto-asset service providers shall assess and periodically review the effectiveness of the policy arrangements and procedures put in place to comply with Chapters 2 and 3 of this Title and take appropriate measures to address any deficiencies in that respect.
Crypto-asset service providers shall take all reasonable steps to ensure continuity and regularity in the performance of their crypto-asset services. To that end, crypto-asset service providers shall employ appropriate and proportionate resources and procedures, including resilient and secure ICT systems as required by Regulation (EU) 2022/2554.
Crypto-asset service providers shall establish a business continuity policy, which shall include ICT business continuity plans as well as ICT response and recovery plans set up pursuant to Articles 11 and 12 of Regulation (EU) 2022/2554 that aim to ensure, in the case of an interruption to their ICT systems and procedures, the preservation of essential data and functions and the maintenance of crypto-asset services or, where that is not possible, the timely recovery of such data and functions and the timely resumption of crypto-asset services.
Crypto-asset service providers shall have systems and procedures to safeguard the availability, authenticity, integrity and confidentiality of data pursuant to Regulation (EU) 2022/2554.
The records kept pursuant to the first subparagraph shall be provided to clients upon request and shall be kept for a period of five years and, where requested by the competent authority before five years have elapsed, for a period of up to seven years.
(a) the measures ensuring continuity and regularity in the performance of the crypto-asset services referred to in paragraph 7;
(b) the records to be kept of all crypto-asset services, activities, orders and transactions undertaken referred to in paragraph 9.
ESMA shall submit the draft regulatory technical standards referred to in the first subparagraph to the Commission by 30 June 2024.
Power is delegated to the Commission to supplement this Regulation by adopting the regulatory technical standards referred to in the first subparagraph of this paragraph in accordance with Articles 10 to 14 of Regulation (EU) No 1095/2010.
Crypto-asset service providers shall notify their competent authority without delay of any changes to their management body, prior to the exercise of activities by any new members, and shall provide their competent authority with all of the necessary information to assess compliance with Article 68.
Crypto-asset service providers that hold crypto-assets belonging to clients or the means of access to such crypto-assets shall make adequate arrangements to safeguard the ownership rights of clients, especially in the event of the crypto-asset service provider’s insolvency, and to prevent the use of clients’ crypto-assets for their own account.
Where their business models or the crypto-asset services require holding clients’ funds other than e-money tokens, crypto-asset service providers shall have adequate arrangements in place to safeguard the ownership rights of clients and prevent the use of clients’ funds for their own account.
Crypto-asset service providers shall, by the end of the business day following the day on which clients’ funds other than e-money tokens were received, place those funds with a credit institution or a central bank.
Crypto-asset service providers shall take all necessary steps to ensure that clients’ funds other than e-money tokens held with a credit institution or a central bank are held in an account separately identifiable from any accounts used to hold funds belonging to the crypto-asset service providers.
Where payment services are provided, crypto-asset service providers shall inform their clients of all of the following:
(a) the nature and terms and conditions of those services, including references to the applicable national law and to the rights of clients;
(b) whether those services are provided by them directly or by a third party.
Crypto-asset service providers shall establish and maintain effective and transparent procedures for the prompt, fair and consistent handling of complaints received from clients and shall publish descriptions of those procedures.
Clients shall be able to file complaints free of charge with crypto-asset service providers.
Crypto-asset service providers shall inform clients of the possibility of filing a complaint. Crypto-asset service providers shall make available to clients a template for filing complaints and shall keep a record of all complaints received and any measures taken in response thereto.
Crypto-asset service providers shall investigate all complaints in a timely and fair manner and communicate the outcome of such investigations to their clients within a reasonable period.
ESMA, in close cooperation with EBA, shall develop draft regulatory technical standards to further specify the requirements, templates and procedures for handling complaints.
ESMA shall submit the draft regulatory technical standards referred to in the first subparagraph to the Commission by 30 June 2024.
Power is delegated to the Commission to supplement this Regulation by adopting the regulatory technical standards referred to in the first subparagraph of this paragraph in accordance with Articles 10 to 14 of Regulation (EU) No 1095/2010.
(a) themselves and:
(i) their shareholders or members;
(ii) any person directly or indirectly linked to the crypto-asset service providers or their shareholders or members by control;
(iii) members of their management body;
(iv) their employees; or
(v) their clients; or
(b) two or more clients whose mutual interests conflict.
Crypto-asset service providers shall, in a prominent place on their website, disclose to their clients and prospective clients the general nature and sources of conflicts of interest referred to in paragraph 1 and the steps taken to mitigate them.
The disclosure referred to in paragraph 2 shall be made in an electronic format and shall include sufficient detail, taking into account the nature of each client, in order to enable each client to take an informed decision about the crypto-asset service in the context of which the conflicts of interest arise.
Crypto-asset service providers shall assess and, at least annually, review their policy on conflicts of interest and take all appropriate measures to address any deficiencies in that respect.
ESMA, in close cooperation with EBA, shall develop draft regulatory technical standards to further specify:
(a) the requirements for the policies and procedures referred to in paragraph 1, taking into account the scale, the nature and the range of crypto-asset services provided;
(b) the details and methodology for the content of the disclosure referred to in paragraph 2.
ESMA shall submit the draft regulatory technical standards referred to in the first subparagraph to the Commission by 30 June 2024.
Power is delegated to the Commission to supplement this Regulation by adopting the regulatory technical standards referred to in the first subparagraph of this paragraph in accordance with Articles 10 to 14 of Regulation (EU) No 1095/2010.
(a) outsourcing does not result in the delegation of the responsibility of the crypto-asset service providers;
(b) outsourcing does not alter the relationship between the crypto-asset service providers and their clients, nor the obligations of the crypto-asset service providers towards their clients;
(c) outsourcing does not alter the conditions for the authorisation of the crypto-asset service providers;
(d) third parties involved in the outsourcing cooperate with the competent authority of the crypto-asset service providers’ home Member State and the outsourcing does not prevent the exercise of the supervisory functions of competent authorities, including on-site access to acquire any relevant information needed to fulfil those functions;
(e) crypto-asset service providers retain the expertise and resources necessary for evaluating the quality of the services provided, for supervising the outsourced services effectively and for managing the risks associated with the outsourcing on an ongoing basis;
(f) crypto-asset service providers have direct access to the relevant information of the outsourced services;
(g) crypto-asset service providers ensure that third parties involved in the outsourcing meet the data protection standards of the Union.
For the purposes of point (g) of the first subparagraph, crypto-asset service providers are responsible for ensuring that the data protection standards are set out in the written agreements referred to in paragraph 3.
Crypto-asset service providers shall have a policy on their outsourcing, including on contingency plans and exit strategies, taking into account the scale, the nature and the range of crypto-asset services provided.
Crypto-asset service providers shall define in a written agreement their rights and obligations and those of the third parties to which they are outsourcing services or activities. Outsourcing agreements shall give crypto-asset service providers the right to terminate those agreements.
Crypto-asset service providers and third parties shall, upon request, make available to the competent authorities and other relevant authorities all information necessary to enable those authorities to assess compliance of the outsourced activities with the requirements of this Title.
Crypto-asset service providers that provide the services referred to in Articles 75 to 79 shall have in place a plan that is appropriate to support an orderly wind-down of their activities under applicable national law, including the continuity or recovery of any critical activities performed by those service providers. That plan shall demonstrate the ability of crypto-asset service providers to carry out an orderly wind-down without causing undue economic harm to their clients.
(a) the identity of the parties to the agreement;
(b) the nature of the crypto-asset service provided and a description of that service;
(c) the custody policy;
(d) the means of communication between the crypto-asset service provider and the client, including the client’s authentication system;
(e) a description of the security systems used by the crypto-asset service provider;
(f) the fees, costs and charges applied by the crypto-asset service provider;
(g) the applicable law.
Crypto-asset service providers providing custody and administration of crypto-assets on behalf of clients shall keep a register of positions, opened in the name of each client, corresponding to each client’s rights to the crypto-assets. Where relevant, crypto-asset service providers shall record as soon as possible in that register any movements following instructions from their clients. In such cases, their internal procedures shall ensure that any movement affecting the registration of the crypto-assets is evidenced by a transaction regularly registered in the client’s register of positions.
Crypto-asset service providers providing custody and administration of crypto-assets on behalf of clients shall establish a custody policy with internal rules and procedures to ensure the safekeeping or the control of such crypto-assets, or the means of access to the crypto-assets.
The custody policy referred to in the first subparagraph shall minimise the risk of a loss of clients’ crypto-assets or the rights related to those crypto-assets or the means of access to the crypto-assets due to fraud, cyber threats or negligence.
A summary of the custody policy shall be made available to clients at their request in an electronic format.
Where there are changes to the underlying distributed ledger technology or any other event likely to create or modify a client’s rights, the client shall be entitled to any crypto-assets or any rights newly created on the basis and to the extent of the client’s positions at the time of the occurrence of that change or event, except when a valid agreement signed with the crypto-asset service provider providing custody and administration of crypto-assets on behalf of clients pursuant to paragraph 1 prior to that change or event expressly provides otherwise.
Crypto-asset service providers providing custody and administration of crypto-assets on behalf of clients shall provide their clients as soon as possible with any information about operations on crypto-assets that require a response from those clients.
Crypto-asset service providers providing custody and administration of crypto-assets on behalf of clients shall ensure that necessary procedures are in place to return crypto-assets held on behalf of their clients, or the means of access, as soon as possible to those clients.
Crypto-asset service providers providing custody and administration of crypto-assets on behalf of clients shall segregate holdings of crypto-assets on behalf of their clients from their own holdings and ensure that the means of access to crypto-assets of their clients is clearly identified as such. They shall ensure that, on the distributed ledger, their clients’ crypto-assets are held separately from their own crypto-assets.
The crypto-assets held in custody shall be legally segregated from the crypto-asset service provider’s estate in the interest of the clients of the crypto-asset service provider in accordance with applicable law, so that creditors of the crypto-asset service provider have no recourse to crypto-assets held in custody by the crypto-asset service provider, in particular in the event of insolvency.
Crypto-asset service provider shall ensure that the crypto-assets held in custody are operationally segregated from the crypto-asset service provider’s estate.
Incidents not attributable to the crypto-asset service provider include any event in respect of which the crypto-asset service provider demonstrates that it occurred independently of the provision of the relevant service, or independently of the operations of the crypto-asset service provider, such as a problem inherent in the operation of the distributed ledger that the crypto-asset service provider does not control.
Crypto-asset service providers providing custody and administration of crypto-assets on behalf of clients and that make use of other crypto-asset service providers of that service shall inform their clients thereof.
(a) set the approval processes, including customer due diligence requirements commensurate to the money laundering or terrorist financing risk presented by the applicant in accordance with Directive (EU) 2015/849, that are applied before admitting crypto-assets to the trading platform;
(b) define exclusion categories, if any, of the types of crypto-assets that are not admitted to trading;
(c) set out the policies, procedures and the level of fees, if any, for the admission to trading;
(d) set objective, non-discriminatory rules and proportionate criteria for participation in the trading activities, which promote fair and open access to the trading platform for clients willing to trade;
(e) set non-discretionary rules and procedures to ensure fair and orderly trading and objective criteria for the efficient execution of orders;
(f) set conditions for crypto-assets to remain accessible for trading, including liquidity thresholds and periodic disclosure requirements;
(g) set conditions under which trading of crypto-assets can be suspended;
(h) set procedures to ensure efficient settlement of both crypto-assets and funds.
For the purposes of point (a) of the first subparagraph, the operating rules shall clearly state that a crypto-asset is not to be admitted to trading where no corresponding crypto-asset white paper has been published in the cases required by this Regulation.
Before admitting a crypto-asset to trading, crypto-asset service providers operating a trading platform for crypto-assets shall ensure that the crypto-asset complies with the operating rules of the trading platform and shall assess the suitability of the crypto-asset concerned. When assessing the suitability of a crypto-asset, the crypto-asset service providers operating a trading platform shall evaluate, in particular, the reliability of the technical solutions used and the potential association to illicit or fraudulent activities, taking into account the experience, track record and reputation of the issuer of those crypto-assets and its development team. The crypto-asset service providers operating a trading platform shall also assess the suitability of the crypto-assets other than asset-referenced tokens or e-money tokens referred to in Article 4(3), first subparagraph, points (a) to (d).
The operating rules of the trading platform for crypto-assets shall prevent the admission to trading of crypto-assets that have an inbuilt anonymisation function unless the holders of those crypto-assets and their transaction history can be identified by the crypto-asset service providers operating a trading platform for crypto-assets.
The operating rules referred to in paragraph 1 shall be drawn up in an official language of the home Member State, or in a language customary in the sphere of international finance.
If the operation of a trading platform for crypto-assets is provided in another Member State, the operating rules referred to in paragraph 1 shall be drawn up in an official language of the host Member State, or in a language customary in the sphere of international finance.
Crypto-asset service providers operating a trading platform for crypto-assets shall not deal on own account on the trading platform for crypto-assets they operate, including where they provide the exchange of crypto-assets for funds or other crypto-assets.
Crypto-asset service providers operating a trading platform for crypto-assets shall only be allowed to engage in matched principal trading where the client has consented to that process. Crypto-asset service providers shall provide the competent authority with information explaining their use of matched principal trading. The competent authority shall monitor the engagement of crypto-asset service providers in matched principal trading, and ensure that their engagement in matched principal trading continues to fall within the definition of such trading and does not give rise to conflicts of interest between the crypto-asset service providers and their clients.
Crypto-asset service providers operating a trading platform for crypto-assets shall have in place effective systems, procedures and arrangements to ensure that their trading systems:
(a) are resilient;
(b) have sufficient capacity to deal with peak order and message volumes;
(c) are able to ensure orderly trading under conditions of severe market stress;
(d) are able to reject orders that exceed pre-determined volume and price thresholds or are clearly erroneous;
(e) are fully tested to ensure that the conditions under points (a) to (d) are met;
(f) are subject to effective business continuity arrangements to ensure the continuity of their services if there is any failure of the trading system;
(g) are able to prevent or detect market abuse;
(h) are sufficiently robust to prevent their abuse for the purposes of money laundering or terrorist financing.
Crypto-asset service providers operating a trading platform for crypto-assets shall inform their competent authority when they identify cases of market abuse or attempted market abuse occurring on or through their trading systems.
Crypto-asset service providers operating a trading platform for crypto-assets shall make public any bid and ask prices and the depth of trading interests at those prices which are advertised for crypto-assets through their trading platforms. The crypto-asset service providers concerned shall make that information available to the public on a continuous basis during trading hours.
Crypto-asset service providers operating a trading platform for crypto-assets shall make public the price, volume and time of the transactions executed in respect of crypto-assets traded on their trading platforms. They shall make those details for all such transactions public as close to real-time as is technically possible.
Crypto-asset service providers operating a trading platform for crypto-assets shall make the information published in accordance with paragraphs 9 and 10 available to the public on a reasonable commercial basis and ensure non-discriminatory access to that information. That information shall be made available free of charge 15 minutes after publication in a machine-readable format and it shall remain published for at least two years.
Crypto-asset service providers operating a trading platform for crypto-assets shall initiate the final settlement of a crypto-asset transaction on the distributed ledger within 24 hours of the transaction being executed on the trading platform or, in the case of transactions settled outside the distributed ledger, by the closing of the day at the latest.
Crypto-asset service providers operating a trading platform for crypto-assets shall ensure that their fee structures are transparent, fair and non-discriminatory and that they do not create incentives to place, modify or cancel orders or to execute transactions in a way that contributes to disorderly trading conditions or market abuse as referred to in Title VI.
Crypto-asset service providers operating a trading platform for crypto-assets shall maintain resources and have back-up facilities in place to enable them to report to their competent authority at all times.
Crypto-asset service providers operating a trading platform shall keep at the disposal of the competent authority, for at least five years, the relevant data relating to all orders in crypto-assets that are advertised through their systems, or give the competent authority access to the order book so that the competent authority is able to monitor the trading activity. That relevant data shall contain the characteristics of the order, including those that link an order with the executed transactions that stem from that order.
ESMA shall develop draft regulatory technical standards to further specify:
(a) the manner in which transparency data, including the level of disaggregation of the data to be made available to the public as referred to in paragraphs 1, 9 and 10, is to be presented;
(b) the content and format of order book records to be maintained as specified in paragraph 15.
ESMA shall submit the draft regulatory technical standards referred to in the first subparagraph to the Commission by 30 June 2024.
Power is delegated to the Commission to supplement this Regulation by adopting the regulatory technical standards referred to in the first subparagraph of this paragraph in accordance with Articles 10 to 14 of Regulation (EU) No 1095/2010.
Crypto-asset service providers exchanging crypto-assets for funds or other crypto-assets shall establish a non-discriminatory commercial policy that indicates, in particular, the type of clients they agree to transact with and the conditions that shall be met by such clients.
Crypto-asset service providers exchanging crypto-assets for funds or other crypto-assets shall publish a firm price of the crypto-assets or a method for determining the price of the crypto-assets that they propose to exchange for funds or other crypto-assets, and any applicable limit determined by that crypto-asset service provider on the amount to be exchanged.
Crypto-asset service providers exchanging crypto-assets for funds or other crypto-assets shall execute client orders at the prices displayed at the time when the order for exchange is final. Crypto-asset service providers shall inform their clients of the conditions for their order to be deemed final.
Crypto-asset service providers exchanging crypto-assets for funds or other crypto-assets shall publish information about the transactions concluded by them, such as transaction volumes and prices.
Notwithstanding the first subparagraph, crypto-asset service providers executing orders for crypto-assets on behalf of clients shall not be required to take the necessary steps as referred to in the first subparagraph in cases where they execute orders for crypto-assets following specific instructions given by its clients.
To ensure compliance with paragraph 1, crypto-asset service providers executing orders for crypto-assets on behalf of clients shall establish and implement effective execution arrangements. In particular, they shall establish and implement an order execution policy to allow them to comply with paragraph 1. The order execution policy shall, amongst others, provide for the prompt, fair and expeditious execution of client orders and prevent the misuse by the crypto-asset service providers’ employees of any information relating to client orders.
Crypto-asset service providers executing orders for crypto-assets on behalf of clients shall provide appropriate and clear information to their clients on their order execution policy referred to in paragraph 2 and any significant change thereto. That information shall explain clearly, in sufficient detail and in a way that can be easily understood by clients, how client orders are to be executed by crypto-asset service providers. Crypto-asset service providers shall obtain prior consent from each client regarding the order execution policy.
Crypto-asset service providers executing orders for crypto-assets on behalf of clients shall be able to demonstrate to their clients, at their request, that they have executed their orders in accordance with their order execution policy and shall be able to demonstrate to the competent authority, at the latter’s request, their compliance with this Article.
Where the order execution policy provides for the possibility that client orders might be executed outside a trading platform, crypto-asset service providers executing orders for crypto-assets on behalf of clients shall inform their clients about that possibility and shall obtain the prior express consent of their clients before proceeding to execute their orders outside a trading platform, either in the form of a general agreement or with respect to individual transactions.
Crypto-asset service providers executing orders for crypto-assets on behalf of clients shall monitor the effectiveness of their order execution arrangements and order execution policy in order to identify and, where appropriate, correct any deficiencies in that respect. In particular, they shall assess, on a regular basis, whether the execution venues included in the order execution policy provide for the best possible result for clients or whether they need to make changes to their order execution arrangements. Crypto-asset service providers executing orders for crypto-assets on behalf of clients shall notify clients with whom they have an ongoing client relationship of any material changes to their order execution arrangements or order execution policy.
(a) the type of placement under consideration, including whether a minimum amount of purchase is guaranteed or not;
(b) an indication of the amount of transaction fees associated with the proposed placing;
(c) the likely timing, process and price for the proposed operation;
(d) information about the targeted purchasers.
Crypto-asset service providers placing crypto-assets shall, before placing those crypto-assets, obtain the agreement of the issuers of those crypto-assets or any third party acting on their behalf as regards the information listed in the first subparagraph.
(a) crypto-asset service providers place the crypto-assets with their own clients;
(b) the proposed price for placing of crypto-assets has been overestimated or underestimated;
(c) incentives, including non-monetary incentives, are paid or granted by the offeror to crypto-asset service providers.
Crypto-asset service providers receiving and transmitting orders for crypto-assets on behalf of clients shall establish and implement procedures and arrangements that provide for the prompt and proper transmission of client orders for execution on a trading platform for crypto-assets or to another crypto-asset service provider.
Crypto-asset service providers receiving and transmitting orders for crypto-assets on behalf of clients shall not receive any remuneration, discount or non-monetary benefit in return for routing orders received from clients to a particular trading platform for crypto-assets or to another crypto-asset service provider.
Crypto-asset service providers receiving and transmitting orders for crypto-assets on behalf of clients shall not misuse information relating to pending client orders, and shall take all reasonable steps to prevent the misuse of such information by any of their employees.
Crypto-asset service providers providing advice on crypto-assets or providing portfolio management of crypto-assets shall assess whether the crypto-asset services or crypto-assets are suitable for their clients or prospective clients, taking into consideration their knowledge and experience in investing in crypto-assets, their investment objectives, including risk tolerance, and their financial situation including their ability to bear losses.
Crypto-asset service providers providing advice on crypto-assets shall, in good time before providing advice on crypto-assets, inform prospective clients whether the advice is:
(a) provided on an independent basis;
(b) based on a broad or on a more restricted analysis of different crypto-assets, including whether the advice is limited to crypto-assets issued or offered by entities having close links with the crypto-asset service provider or any other legal or economic relationships, such as contractual relationships, that risk impairing the independence of the advice provided.
(a) assess a sufficient range of crypto-assets available on the market which must be sufficiently diverse to ensure that the client’s investment objectives can be suitably met and which must not be limited to crypto-assets issued or provided by:
(i) that same crypto-asset service provider;
(ii) entities having close links with that same crypto-asset service provider; or
(iii) other entities with which that same crypto-asset service provider has such close legal or economic relationships, such as contractual relationships, as to pose a risk of impairing the independent basis of the advice provided;
(b) not accept and retain fees, commissions or any monetary or non-monetary benefits paid or provided by any third party or a person acting on behalf of a third party in relation to the provision of the service to clients.
Notwithstanding point (b) of the first subparagraph, minor non-monetary benefits that are capable of enhancing the quality of crypto-asset services provided to a client and that are of such a scale and nature that they do not impair compliance with a crypto-asset service provider’s obligation to act in the best interests of its client shall be permitted in cases where they are clearly disclosed to the client.
Crypto-asset service providers providing advice on crypto-assets shall also provide prospective clients with information on all costs and related charges, including the cost of advice, where applicable, the cost of crypto-assets recommended or marketed to the client and how the client is permitted to pay for the crypto-assets, also encompassing any third-party payments.
Crypto-asset service providers providing portfolio management of crypto-assets shall not accept and retain fees, commissions or any monetary or non-monetary benefits paid or provided by an issuer, offeror, person seeking admission to trading, or any third party, or a person acting on behalf of a third party, in relation to the provision of portfolio management of crypto-assets to their clients.
Where a crypto-asset service provider informs a prospective client that its advice is provided on a non-independent basis, that provider may receive inducements subject to the conditions that the payment or benefit:
(a) is designed to enhance the quality of the relevant service to the client; and
(b) does not impair compliance with the crypto-asset service provider’s obligation to act honestly, fairly and professionally in accordance with the best interests of its clients.
The existence, nature and amount of the payment or benefit referred to in paragraph 4, or, where the amount cannot be ascertained, the method of calculating that amount, shall be clearly disclosed to the client, in a manner that is comprehensive, accurate and understandable, prior to the provision of the relevant crypto-asset service.
Crypto-asset service providers providing advice on crypto-assets shall ensure that natural persons giving advice or information about crypto-assets, or a crypto-asset service, on their behalf possess the necessary knowledge and competence to fulfil their obligations. Member States shall publish the criteria to be used for assessing such knowledge and competence.
For the purposes of the suitability assessment referred to in paragraph 1, crypto-asset service providers providing advice on crypto-assets or providing portfolio management of crypto-assets shall obtain from their clients or prospective clients the necessary information regarding their knowledge of, and experience in, investing, including in crypto-assets, their investment objectives, including risk tolerance, their financial situation including their ability to bear losses, and their basic understanding of the risks involved in purchasing crypto-assets, so as to enable crypto-asset service providers to recommend to clients or prospective clients whether or not the crypto-assets are suitable for them and, in particular, are in accordance with their risk tolerance and ability to bear losses.
Crypto-asset service providers providing advice on crypto-assets or portfolio management of crypto-assets shall warn clients or prospective clients that:
(a) the value of crypto-assets might fluctuate;
(b) the crypto-assets might be subject to full or partial losses;
(c) the crypto-assets might not be liquid;
(d) where applicable, the crypto-assets are not covered by the investor compensation schemes under Directive 97/9/EC;
(e) the crypto-assets are not covered by the deposit guarantee schemes under Directive 2014/49/EU.
Crypto-asset service providers providing advice on crypto-assets or portfolio management of crypto-assets shall establish, maintain and implement policies and procedures to enable them to collect and assess all information necessary to conduct the assessment referred to in paragraph 1 for each client. They shall take all reasonable steps to ensure that the information collected about their clients or prospective clients is reliable.
Where clients do not provide the information required pursuant to paragraph 8, or where crypto-asset service providers providing advice on crypto-assets or portfolio management of crypto-assets consider that the crypto-asset services or crypto-assets are not suitable for their clients, they shall not recommend such crypto-asset services or crypto-assets, nor begin the provision of portfolio management of such crypto-assets.
Crypto-asset service providers providing advice on crypto-assets or portfolio management of crypto-assets shall regularly review for each client the suitability assessment referred to in paragraph 1 at least every two years after the initial assessment made in accordance with that paragraph.
Once the suitability assessment referred to in paragraph 1 or its review under paragraph 12 has been performed, crypto-asset service providers providing advice on crypto-assets shall provide clients with a report on suitability specifying the advice given and how that advice meets the preferences, objectives and other characteristics of clients. That report shall be made and communicated to clients in an electronic format. That report shall, as a minimum:
(a) include an updated information on the assessment referred to in paragraph 1; and
(b) provide an outline of the advice given.
The report on suitability referred to in the first subparagraph shall make clear that the advice is based on the client’s knowledge and experience in investing in crypto-assets, the client’s investment objectives, risk tolerance, financial situation and ability to bear losses.
The periodic statement referred to in the first subparagraph of this paragraph shall be provided every three months, except in cases where a client has access to an online system where up-to-date valuations of the client’s portfolio and updated information on the suitability assessment referred to in paragraph 1 can be accessed, and the crypto-asset service provider has evidence that the client has accessed a valuation at least once during the relevant quarter. Such online system shall be deemed an electronic format.
(a) the criteria for the assessment of client’s knowledge and competence in accordance with paragraph 2;
(b) the information referred to in paragraph 8; and
(c) the format of the periodic statement referred to in paragraph 14.
(a) the identity of the parties to the agreement;
(b) a description of the modalities of the transfer service provided;
(c) a description of the security systems used by the crypto-asset service provider;
(d) fees applied by the crypto-asset service provider;
(e) the applicable law.
Any natural or legal person or such persons acting in concert who have taken a decision either to acquire, directly or indirectly, (the ’ proposed acquirer’) a qualifying holding in a crypto-asset service provider or to increase, directly or indirectly, such a qualifying holding so that the proportion of the voting rights or of the capital held would reach or exceed 20 %, 30 % or 50 % or so that the crypto-asset service provider would become its subsidiary, shall notify the competent authority of that crypto-asset service provider thereof in writing indicating the size of the intended holding and the information required pursuant to the regulatory technical standards adopted by the Commission in accordance with Article 84(4).
Any natural or legal person who has taken a decision to dispose, directly or indirectly, of a qualifying holding in a crypto-asset service provider shall, prior to disposing of that holding, notify in writing the competent authority of its decision and indicate the size of such holding. That person shall also notify the competent authority where it has taken a decision to reduce a qualifying holding so that the proportion of the voting rights or of the capital held would fall below 10 %, 20 %, 30 % or 50 % or so that the crypto-asset service provider would cease to be that person’s subsidiary.
The competent authority shall, promptly and in any event within two working days following receipt of a notification pursuant to paragraph 1, acknowledge receipt thereof in writing.
The competent authority shall assess the proposed acquisition referred to in paragraph 1 of this Article and the information required pursuant to the regulatory technical standards adopted by the Commission in accordance with Article 84(4) within 60 working days of the date of the written acknowledgement of receipt referred to in paragraph 3 of this Article. When acknowledging receipt of the notification, the competent authority shall inform the proposed acquirer of the date of expiry of the assessment period.
For the purposes of the assessment referred to in paragraph 4, the competent authority may consult the competent authorities for anti-money laundering and counter-terrorist financing and financial intelligence units and shall duly consider their views.
When performing the assessment referred to in paragraph 4, the competent authority may request from the proposed acquirer any additional information that is necessary to complete that assessment. Such request shall be made before the assessment is finalised, and in any case no later than on the 50th working day from the date of the written acknowledgement of receipt referred to in paragraph 3. Such requests shall be made in writing and shall specify the additional information needed.
The competent authority shall suspend the assessment period referred to in paragraph 4, until they have received the additional information referred to in the first subparagraph of this paragraph. The suspension shall not exceed 20 working days. Any further requests by the competent authority for additional information or for clarification of the information received shall not result in an additional suspension of the assessment period.
The competent authority may extend the suspension referred to in the second subparagraph of this paragraph by up to 30 working days if the proposed acquirer is situated outside the Union or regulated under the law of a third country.
A competent authority that, upon completion of the assessment referred to in paragraph 4 decides to oppose the proposed acquisition referred to in paragraph 1, shall notify the proposed acquirer thereof within two working days and in any event before the date referred to in paragraph 4 extended, where applicable, in accordance with paragraph 6, second and third subparagraphs. The notification shall provide the reasons for such a decision.
Where the competent authority does not oppose the proposed acquisition referred to in paragraph 1 before the date referred to in paragraph 4 extended, where applicable, in accordance with paragraph 6, second and third subparagraphs, the proposed acquisition shall be deemed to be approved.
The competent authority may set a maximum period for concluding the proposed acquisition referred to in paragraph 1, and extend that maximum period where appropriate.
(a) the reputation of the proposed acquirer;
(b) the reputation, knowledge, skills and experience of any person who will direct the business of the crypto-asset service provider as a result of the proposed acquisition;
(c) the financial soundness of the proposed acquirer, in particular in relation to the type of business envisaged and pursued in respect of the crypto-asset service provider in which the acquisition is proposed;
(d) whether the crypto-asset service provider will be able to comply and continue to comply with the provisions of this Title;
(e) whether there are reasonable grounds to suspect that, in connection with the proposed acquisition, money laundering or terrorist financing within the meaning of, respectively, Article 1(3) and (5) of Directive (EU) 2015/849 is being or has been committed or attempted, or that the proposed acquisition could increase the risk thereof.
The competent authority may oppose the proposed acquisition only where there are reasonable grounds for doing so on the basis of the criteria set out in paragraph 1 of this Article or where the information provided in accordance with Article 83(4) is incomplete or false.
Member States shall not impose any prior conditions in respect of the level of qualifying holding that is required to be acquired under this Regulation nor allow their competent authorities to examine the proposed acquisition in terms of the economic needs of the market.
ESMA, in close cooperation with EBA, shall develop draft regulatory technical standards specifying the detailed content of the information that is necessary to carry out the assessment referred to in Article 83(4), first subparagraph. The information required shall be relevant for a prudential assessment, proportionate and adapted to the nature of the proposed acquirer and the proposed acquisition referred to in Article 83(1).
ESMA shall submit the draft regulatory technical standards referred to in the first subparagraph to the Commission by 30 June 2024.
Power is delegated to the Commission to supplement this Regulation by adopting the regulatory technical standards referred to in the first subparagraph of this paragraph in accordance with Articles 10 to 14 of Regulation (EU) No 1095/2010.
A crypto-asset service provider shall be deemed significant if it has in the Union at least 15 million active users, on average, in one calendar year, where the average is calculated as the average of the daily number of active users throughout the previous calendar year.
Crypto-asset service providers shall notify their competent authorities within two months of reaching the number of active users as set out in paragraph 1. Where the competent authority agrees that the threshold set out in paragraph 1 is met, it shall notify ESMA thereof.
Without prejudice to the responsibilities of competent authorities under this Regulation, the competent authorities of the home Member States shall provide ESMA’s Board of Supervisors with annual updates on the following supervisory developments in relation to significant crypto-asset service providers:
(a) ongoing or concluded authorisations as referred to in Article 59;
(b) ongoing or concluded processes of withdrawal of authorisations as referred to in Article 64;
(c) the exercise of supervisory powers set out in Article 94(1), first subparagraph, points (b), (c), (e), (f), (g), (y) and (aa).
The competent authority of the home Member State may provide ESMA’s Board of Supervisors with more frequent updates, or notify it prior to any decision taken by the competent authority of the home Member State with regard to the first subparagraph, point (a), (b) or (c).
The update referred to in paragraph 3, second subparagraph, may be followed by an exchange of views at ESMA’s Board of Supervisors.
Where appropriate, ESMA may make use of its powers under Articles 29, 30, 31 and 31b of Regulation (EU) No 1095/2010.
This Title shall apply to acts carried out by any person concerning crypto-assets that are admitted to trading or in respect of which a request for admission to trading has been made.
This Title shall also apply to any transaction, order or behaviour concerning crypto-assets as referred to in paragraph 1, irrespective of whether such transaction, order or behaviour takes place on a trading platform.
This Title shall apply to actions and omissions, in the Union and in third countries, concerning crypto-assets as referred to in paragraph 1.
(a) information of a precise nature, which has not been made public, relating, directly or indirectly, to one or more issuers, offerors or persons seeking admission to trading, or to one or more crypto-assets, and which, if it were made public, would likely have a significant effect on the prices of those crypto-assets or on the price of a related crypto-asset;
(b) for persons charged with the execution of orders for crypto-assets on behalf of clients, it also means information of a precise nature conveyed by a client and relating to the client’s pending orders in crypto-assets, relating, directly or indirectly, to one or more issuers, offerors or persons seeking admission to trading or to one or more crypto-assets, and which, if it were made public, would likely have a significant effect on the prices of those crypto-assets or on the price of a related crypto-asset.
For the purposes of paragraph 1, information shall be deemed to be of a precise nature if it indicates a set of circumstances which exists or which may reasonably be expected to come into existence, or an event which has occurred or which may reasonably be expected to occur, where it is specific enough to enable a conclusion to be drawn as to the possible effect of that set of circumstances or event on the prices of crypto-assets. In that respect, in the case of a protracted process that is intended to bring about, or that results in, particular circumstances or a particular event, those future circumstances or that future event, and also the intermediate steps of that process which are connected with bringing about or resulting in those future circumstances or that future event, may be deemed to be precise information.
An intermediate step in a protracted process shall be deemed to be inside information if, in and of itself, it satisfies the criteria of inside information referred to in paragraph 2.
For the purposes of paragraph 1, information which, if it were made public, would likely have a significant effect on the prices of crypto-assets shall mean information that a reasonable holder of crypto-assets would likely use as part of the basis of the holder’s investment decisions.
Issuers, offerors and persons seeking admission to trading shall inform the public as soon as possible of inside information referred to in Article 87 that directly concerns them, in a manner that enables fast access as well as complete, correct and timely assessment of the information by the public. Issuers, offerors and persons seeking admission to trading shall not combine the disclosure of inside information to the public with the marketing of their activities. Issuers, offerors and persons seeking admission to trading shall post and maintain on their website, for a period of at least five years, all inside information that they are required to disclose publicly.
Issuers, offerors and persons seeking admission to trading may, on their own responsibility, delay disclosure to the public of inside information referred to in Article 87 provided that all of the following conditions are met:
(a) immediate disclosure is likely to prejudice the legitimate interests of the issuers, offerors or persons seeking admission to trading;
(b) delay of disclosure is not likely to mislead the public;
(c) issuers, offerors or persons seeking admission to trading are able to ensure the confidentiality of that information.
Where an issuer, offeror or a person seeking admission to trading has delayed the disclosure of inside information in accordance with paragraph 2, it shall inform the competent authority that disclosure of the information was delayed and shall provide a written explanation of how the conditions set out in paragraph 2 were met, immediately after the information is disclosed to the public. Alternatively, Member States may provide that a record of such an explanation is to be provided only upon the request of the competent authority.
In order to ensure uniform conditions of application of this Article, ESMA shall develop draft implementing technical standards to determine the technical means for:
(a) appropriate public disclosure of inside information as referred to in paragraph 1; and
(b) delaying the public disclosure of inside information as referred to in paragraphs 2 and 3.
ESMA shall submit the draft implementing technical standards referred to in the first subparagraph to the Commission by 30 June 2024.
Power is conferred on the Commission to adopt the implementing technical standards referred to in the first subparagraph of this paragraph in accordance with Article 15 of Regulation (EU) No 1095/2010.
For the purposes of this Regulation, insider dealing shall be deemed to arise where a person possesses inside information and uses that information by acquiring or disposing of, for its own account or for the account of a third party, directly or indirectly, crypto-assets to which that information relates. The use of inside information by cancelling or amending an order concerning a crypto-asset to which the information relates where the order was placed before the person concerned possessed the inside information, shall also be considered to be insider dealing. The use of inside information shall also comprise submitting, modifying or withdrawing a bid by a person for its own account or for the account of a third party.
No person shall engage or attempt to engage in insider dealing or use inside information about crypto-assets to acquire, or dispose of, those crypto-assets, directly or indirectly, whether for that person’s own account or for the account of a third party. No person shall recommend that another person engage in insider dealing or induce another person to engage in insider dealing.
No person in the possession of inside information about crypto-assets shall, based on that inside information, recommend or induce another person:
(a) to acquire or dispose of those crypto-assets; or
(b) to cancel or amend an order concerning those crypto-assets.
The use of a recommendation or inducement as referred to in paragraph 3 amounts to insider dealing within the meaning of this Article where the person using that recommendation or inducement knows or ought to know that it is based on inside information.
This Article applies to any person who possesses inside information as a result of:
(a) being a member of the administrative, management or supervisory bodies of the issuer, the offeror, or the person seeking admission to trading;
(b) having a holding in the capital of the issuer, the offeror, or the person seeking admission to trading;
(c) having access to the information through the exercise of an employment, profession or duties or in relation to its role in the distributed ledger technology or similar technology; or
(d) being involved in criminal activities.
This Article also applies to any person who possesses inside information under circumstances other than those referred to in the first subparagraph where that person knows or ought to know that it is inside information.
No person in possession of inside information shall unlawfully disclose inside information to any other person, except where such disclosure is made in the normal exercise of an employment, a profession or duties.
The onward disclosure of recommendations or inducements referred to in Article 89(4) amounts to unlawful disclosure of inside information where the person disclosing the recommendation or inducement knows or ought to know that it was based on inside information.
No person shall engage in or attempt to engage in market manipulation.
For the purposes of this Regulation, market manipulation shall comprise any of the following activities:
(a) unless carried out for legitimate reasons, entering into a transaction, placing an order to trade or engaging in any other behaviour which:
(i) gives, or is likely to give, false or misleading signals as to the supply of, demand for, or price of, a crypto-asset;
(ii) secures, or is likely to secure, the price of one or several crypto-assets at an abnormal or artificial level;
(b) entering into a transaction, placing an order to trade or any other activity or behaviour which affects or is likely to affect the price of one or several crypto-assets, while employing a fictitious device or any other form of deception or contrivance;
(c) disseminating information through the media, including the internet, or by any other means, which gives, or is likely to give, false or misleading signals as to the supply of, demand for, or price of one or several crypto-assets, or secures or is likely to secure, the price of one or several crypto-assets, at an abnormal or artificial level, including the dissemination of rumours, where the person who engaged in the dissemination knew, or ought to have known, that the information was false or misleading.
(a) securing a dominant position over the supply of, or demand for, a crypto-asset, which has, or is likely to have, the effect of fixing, directly or indirectly, purchase or sale prices or creates, or is likely to create, other unfair trading conditions;
(b) the placing of orders to a trading platform for crypto-assets, including any cancellation or modification thereof, by any available means of trading, and which has one of the effects referred to in paragraph 2, point (a), by:
(i) disrupting or delaying the functioning of the trading platform for crypto-assets or engaging into any activities that are likely to have that effect;
(ii) making it more difficult for other persons to identify genuine orders on the trading platform for crypto-assets or engaging into any activities that are likely to have that effect, including by entering orders which result in the destabilisation of the normal functioning of the trading platform for crypto-assets;
(iii) creating a false or misleading signal about the supply of, or demand for, or price of, a crypto-asset, in particular by entering orders to initiate or exacerbate a trend, or engaging into any activities that are likely to have that effect;
(c) taking advantage of occasional or regular access to the traditional or electronic media by voicing an opinion about a crypto-asset, while having previously taken positions on that crypto-asset, and profiting subsequently from the impact of the opinions voiced on the price of that crypto-asset, without having simultaneously disclosed that conflict of interest to the public in a proper and effective way.
The competent authorities receiving a report of suspicious orders or transactions shall transmit such information immediately to the competent authorities of the trading platforms concerned.
(a) appropriate arrangements, systems and procedures for persons to comply with paragraph 1;
(b) the template to be used by persons to comply with paragraph 1;
(c) for cross-border market abuse situations, coordination procedures between the relevant competent authorities for the detection and sanctioning of market abuse.
ESMA shall submit the draft regulatory technical standards referred to in the first subparagraph to the Commission by 30 December 2024.
Member States shall designate the competent authorities responsible for carrying out the functions and duties provided for in this Regulation. Member States shall notify those competent authorities to EBA and ESMA.
Where Member States designate more than one competent authority pursuant to paragraph 1, they shall determine their respective tasks and designate one competent authority as the single point of contact for cross-border administrative cooperation between competent authorities as well as with EBA and ESMA. Member States may designate a different single point of contact for each of those types of administrative cooperation.
ESMA shall publish on its website a list of the competent authorities designated in accordance with paragraphs 1 and 2.
(a) to require any person to provide information and documents which the competent authorities consider could be relevant for the performance of their duties;
(b) to suspend, or to require a crypto-asset service provider to suspend, the provision of crypto-asset services for a maximum of 30 consecutive working days on any single occasion where there are reasonable grounds for suspecting that this Regulation has been infringed;
(c) to prohibit the provision of crypto-asset services where they find that this Regulation has been infringed;
(d) to disclose, or to require a crypto-asset servicer provider to disclose, all material information which might have an effect on the provision of the crypto-asset services concerned, in order to ensure the protection of the interests of clients, in particular retail holders, or the smooth operation of the market;
(e) to make public the fact that a crypto-asset service provider fails to fulfil its obligations;
(f) to suspend, or to require a crypto-asset service provider to suspend, the provision of crypto-asset services where the competent authorities consider that the crypto-asset service provider’s situation is such that the provision of the crypto-asset service would be detrimental to the interests of clients, in particular retail holders;
(g) to require the transfer of existing contracts to another crypto-asset service provider in cases where a crypto-asset service provider’s authorisation is withdrawn in accordance with Article 64, subject to the agreement of the clients and the crypto-asset service provider to which the contracts are to be transferred;
(h) where there is a reason to assume that a person is providing crypto-asset services without authorisation, to order the immediate cessation of the activity without prior warning or imposition of a deadline;
(i) to require offerors, persons seeking admission to trading of crypto-assets, or issuers of asset-referenced tokens or e-money tokens to amend their crypto-asset white paper or further amend their modified crypto-asset white paper, where they find that the crypto-asset white paper or the modified crypto-asset white paper does not contain the information required by Article 6, 19 or 51;
(j) to require offerors, persons seeking admission to trading of crypto-assets, or issuers of asset-referenced tokens or e-money tokens, to amend their marketing communications, where they find that the marketing communications do not comply with the requirements set out in Article 7, 29 or 53 of this Regulation;
(k) to require offerors, persons seeking admission to trading of crypto-assets, or issuers of asset-referenced tokens or e-money tokens, to include additional information in their crypto-asset white papers, where necessary for financial stability or the protection of the interests of the holders of crypto-assets, in particular retail holders;
(l) to suspend an offer to the public or an admission to trading of crypto-assets for a maximum of 30 consecutive working days on any single occasion where there are reasonable grounds for suspecting that this Regulation has been infringed;
(m) to prohibit an offer to the public or an admission to trading of crypto-assets where they find that this Regulation has been infringed or where there are reasonable grounds for suspecting that it will be infringed;
(n) to suspend, or require a crypto-asset service provider operating a trading platform for crypto-assets to suspend, trading of the crypto-assets for a maximum of 30 consecutive working days on any single occasion where there are reasonable grounds for suspecting that this Regulation has been infringed;
(o) to prohibit trading of crypto-assets on a trading platform for crypto-assets where they find that this Regulation has been infringed or where there are reasonable grounds for suspecting that it will be infringed;
(p) to suspend or prohibit marketing communications where there are reasonable grounds for suspecting that this Regulation has been infringed;
(q) to require offerors, persons seeking admission to trading of crypto-assets, issuers of asset-referenced tokens or e-money tokens or relevant crypto-asset service providers to cease or suspend marketing communications for a maximum of 30 consecutive working days on any single occasion where there are reasonable grounds for suspecting that this Regulation has been infringed;
(r) to make public the fact that an offeror, a person seeking admission to trading of a crypto-asset or an issuer of an asset-referenced token or e-money token, fails to fulfil its obligations under this Regulation;
(s) to disclose, or to require the offeror, the person seeking admission to trading of a crypto-asset or the issuer of the asset-referenced token or e-money token, to disclose all material information which may have an effect on the assessment of the crypto-asset offered to the public or admitted to trading in order to ensure the protection of the interests of holders of crypto-assets, in particular retail holders, or the smooth operation of the market;
(t) to suspend, or require the relevant crypto-asset service provider operating the trading platform for crypto-assets to suspend, the crypto-assets from trading where they consider that the situation of the offeror, the person seeking admission to trading of a crypto-asset or the issuer of an asset-referenced token or an e-money token is such that trading would be detrimental to the interests of the holders of crypto-assets, in particular retail holders;
(u) where there is a reason to assume that a person is issuing asset-referenced tokens or e-money tokens without authorisation or a person is offering or seeking admission to trading of crypto-assets other than asset-referenced tokens or e-money tokens without a crypto-asset white paper notified in accordance with Article 8, to order the immediate cessation of the activity without prior warning or imposition of a deadline;
(v) to take any type of measure to ensure that an offeror or a person seeking admission to trading of crypto-assets, an issuer of an asset-referenced token or an e-money token or a crypto-asset service provider comply with this Regulation including to require the cessation of any practice or conduct that the competent authorities consider contrary to this Regulation;
(w) to carry out on-site inspections or investigations at sites other than the private residences of natural persons, and for that purpose to enter premises in order to access documents and other data in any form;
(x) to outsource verifications or investigations to auditors or experts;
(y) to require the removal of a natural person from the management body of an issuer of an asset-referenced token or of a crypto-asset service provider;
(z) to request any person to take steps to reduce the size of its position or exposure to crypto-assets;
(aa) where no other effective means are available to bring about the cessation of the infringement of this Regulation and in order to avoid the risk of serious harm to the interests of clients or holders of crypto-assets to take all necessary measures, including by requesting a third party or a public authority to implement such measures, to:
(i) remove content or restrict access to an online interface or to order the explicit display of a warning to clients and holders of crypto-assets when they access an online interface;
(ii) order a hosting service provider to remove, disable or restrict access to an online interface; or
(iii) order domain registries or registrars to delete a fully qualified domain name and allow the competent authority concerned to register it;
(ab) to require an issuer of an asset-referenced token or e-money token, in accordance with Article 23(4), 24(3) or 58(3), to introduce a minimum denomination amount or to limit the amount issued.
Supervisory and investigative powers exercised in relation to offerors, persons seeking admission to trading, issuers and crypto-asset service providers, are without prejudice to powers granted to the same or other supervisory authorities regarding those entities, including powers granted to relevant competent authorities under the provisions of national law transposing Directive 2009/110/EC and prudential supervisory powers granted to the ECB under Regulation (EU) No 1024/2013.
In order to fulfil their duties under Title VI, competent authorities shall have, in accordance with national law, at least the following supervisory and investigatory powers in addition to the powers referred to in paragraph 1:
(a) to access any document and data in any form, and to receive or take a copy thereof;
(b) to require or demand information from any person, including those who are successively involved in the transmission of orders or conduct of the operations concerned, as well as their principals, and if necessary, to summon and question any such person with a view to obtain information;
(c) to enter the premises of natural and legal persons in order to seize documents and data in any form where a reasonable suspicion exists that documents or data relating to the subject matter of the inspection or investigation might be relevant to prove a case of insider dealing or market manipulation;
(d) to refer matters for criminal prosecution;
(e) to require, insofar as permitted by national law, existing data traffic records held by a telecommunications operator, where there is a reasonable suspicion of an infringement and where such records may be relevant to the investigation of an infringement of Articles 88 to 91;
(f) to request the freezing or sequestration of assets, or both;
(g) to impose a temporary prohibition on the exercise of professional activity;
(h) to take all necessary measures to ensure that the public is correctly informed, inter alia, by correcting false or misleading disclosed information, including by requiring an offeror, person seeking admission to trading or issuer or other person who has published or disseminated false or misleading information to publish a corrective statement.
Where necessary under national law, the competent authority may ask the relevant court to decide on the use of the powers referred to in paragraphs 1 and 2.
Competent authorities shall exercise the powers referred to in paragraphs 1 and 2 in any of the following ways:
(a) directly;
(b) in collaboration with other authorities, including authorities competent for the prevention and fight against money laundering and terrorist financing;
(c) under their responsibility, by delegation to the authorities referred to in point (b);
(d) by application to the competent courts.
Member States shall ensure that appropriate measures are in place so that competent authorities can exercise the supervisory and investigatory powers that are necessary to perform their duties.
A person making information available to the competent authority in accordance with this Regulation shall not be considered to infringe any restriction on disclosure of information imposed by contract or by any legislative, regulatory or administrative provision, and shall not be subject to liability of any kind related to such notification.
Where Member States have, in accordance with Article 111(1), second subparagraph, laid down criminal penalties for the infringements of this Regulation referred to in Article 111(1), first subparagraph, they shall ensure that appropriate measures are in place so that competent authorities have all the necessary powers to liaise with judicial, prosecuting or criminal justice authorities within their jurisdiction to receive specific information related to criminal investigations or proceedings commenced for infringements of this Regulation and to provide the same information to other competent authorities as well as to EBA and ESMA, in order to fulfil their obligation to cooperate for the purposes of this Regulation.
(a) communication of relevant information could adversely affect the security of the Member State addressed, in particular with regard to the fight against terrorism and other serious crimes;
(b) where complying with the request is likely to adversely affect its own investigation, enforcement activities or, where applicable, a criminal investigation;
(c) where proceedings have already been initiated in respect of the same actions and against the same natural or legal persons before the courts of the Member State addressed;
(d) where a final judgment has already been delivered in respect of the same action and against the same natural or legal person in the Member State addressed.
Competent authorities shall, upon request, without undue delay provide any information required for the purposes of this Regulation.
A competent authority may request assistance from the competent authority of another Member State with regard to on-site inspections or investigations.
A requesting competent authority shall inform EBA and ESMA of any request made pursuant to the first subparagraph. Where a competent authority receives a request from a competent authority of another Member State to carry out an on-site inspection or investigation, it may:
(a) carry out the on-site inspection or investigation itself;
(b) allow the competent authority which submitted the request to participate in an on-site inspection or investigation;
(c) allow the competent authority which submitted the request to carry out the on-site inspection or investigation itself;
(d) share specific tasks related to supervisory activities with the other competent authorities.
Where the on-site inspection or investigation referred to in paragraph 4 concerns an issuer of an asset-referenced token or e-money token or concerns crypto-asset services related to asset-referenced tokens or e-money tokens, EBA shall, where requested to do so by one of the competent authorities, coordinate the inspection or investigation.
The competent authorities may bring the matter to the attention of ESMA in situations where a request for cooperation, in particular to exchange information, has been rejected or has not been acted upon within a reasonable time. Article 19(4) of Regulation (EU) No 1095/2010 shall apply in such situations mutatis mutandis.
By way of derogation from paragraph 6 of this Article, the competent authorities may bring the matter to the attention of EBA in situations where a request for cooperation, in particular for information concerning an issuer of an asset-referenced token or e-money token or concerning crypto-asset services related to asset-referenced tokens or e-money tokens, has been rejected or has not been acted upon within a reasonable time. Article 19(4) of Regulation (EU) No 1093/2010 shall apply in such situations mutatis mutandis.
Competent authorities shall closely coordinate their supervision in order to identify and remedy infringements of this Regulation, develop and promote best practices, facilitate collaboration, foster consistency of interpretation, and provide cross-jurisdictional assessments in the event of any disagreements.
For the purposes of the first subparagraph of this paragraph, EBA and ESMA shall fulfil a coordination role between competent authorities and across supervisory colleges as referred to in Article 119 with a view to building a common supervisory culture and consistent supervisory practices and ensuring uniform procedures.
Where a competent authority finds that any of the requirements under this Regulation has not been met or has reason to believe that to be the case, it shall inform the competent authority of the entity or entities suspected of such infringement of its findings in a sufficiently detailed manner.
ESMA, in close cooperation with EBA, shall develop draft regulatory technical standards to further specify the information to be exchanged between competent authorities pursuant to paragraph 1.
ESMA shall submit the draft regulatory technical standards referred to in the first subparagraph to the Commission by 30 June 2024.
Power is delegated to the Commission to supplement this Regulation by adopting the regulatory technical standards referred to in the first subparagraph of this paragraph in accordance with Articles 10 to 14 of Regulation (EU) No 1095/2010.
ESMA shall submit the draft implementing technical standards referred to in the first subparagraph to the Commission by 30 June 2024.
Power is conferred on the Commission to adopt the implementing technical standards referred to in the first subparagraph of this paragraph in accordance with Article 15 of Regulation (EU) No 1095/2010.
For the purposes of this Regulation, the competent authorities shall cooperate closely with ESMA in accordance with Regulation (EU) No 1095/2010 and with EBA in accordance with Regulation (EU) No 1093/2010. They shall exchange information in order to carry out their duties under this Chapter and Chapters 2 and 3 of this Title.
The competent authorities shall without delay provide EBA and ESMA with all information necessary to perform their duties, in accordance with Article 35 of Regulation (EU) No 1093/2010 and Article 35 of Regulation (EU) No 1095/2010 respectively.
ESMA, in close cooperation with EBA, shall develop draft implementing technical standards to establish standard forms, templates and procedures for the cooperation and exchange of information between competent authorities and EBA and ESMA.
ESMA shall submit the draft implementing technical standards referred to in the first subparagraph to the Commission by 30 June 2024.
Power is conferred on the Commission to adopt the implementing technical standards referred to in the first subparagraph of this paragraph in accordance with Article 15 of Regulation (EU) No 1095/2010.
By 30 December 2024, the ESAs shall jointly issue guidelines in accordance with Article 16 of Regulation (EU) No 1093/2010, Article 16 of Regulation (EU) No 1094/2010 and Article 16 of Regulation (EU) No 1095/2010 to specify the content and form of the explanation accompanying the crypto-asset white paper referred to in Article 8(4) and of the legal opinions on the qualification of asset-referenced tokens referred to in Article 17(1), point (b)(ii), and Article 18(2), point (e). The guidelines shall include a template for the explanation and the opinion and a standardised test for the classification of crypto-assets.
The ESAs shall, in accordance with Article 29 of Regulation (EU) No 1093/2010, Article 29 of Regulation (EU) No 1094/2010 and Article 29 of Regulation (EU) No 1095/2010, respectively, promote discussion among competent authorities on the classification of the crypto-assets, including on the classification of those crypto-assets that are excluded from the scope of this Regulation pursuant to Article 2(3). The ESAs shall also identify the sources of potential divergences in the approaches of the competent authorities to the classification of those crypto-assets and shall, to the extent possible, promote a common approach thereto.
Competent authorities of the home or the host Member States may request ESMA, EIOPA or EBA, as appropriate, for an opinion on the classification of crypto-assets, including those that are excluded from the scope of this Regulation pursuant to Article 2(3). ESMA, EIOPA or EBA, as applicable, shall provide such opinion in accordance with Article 29 of Regulation (EU) No 1093/2010, Article 29 of Regulation (EU) No 1094/2010 and Article 29 of Regulation (EU) No 1095/2010, as applicable, within 15 working days of receipt of the request from the competent authorities.
The ESAs shall jointly draw up an annual report based on the information contained in the register referred to in Article 109 and on the results of their work referred to in paragraphs 2 and 3 of this Article, identifying difficulties in the classification of crypto-assets and divergences in the approaches of the competent authorities.
Where an offeror, person seeking admission to trading, an issuer of an asset-referenced token or e-money token or a crypto-asset service provider engages in activities other than those covered by this Regulation, the competent authorities shall cooperate with the authorities responsible for the supervision or oversight of such other activities pursuant to Union or national law, including tax authorities and relevant supervisory authorities of third countries.
Member States shall notify the laws, regulations and administrative provisions implementing this Title, including any relevant criminal law provisions, to the Commission, EBA and ESMA by 30 June 2025. Member States shall notify the Commission, EBA and ESMA without undue delay of any subsequent amendments thereto.
All information exchanged between the competent authorities under this Regulation that concerns business or operational conditions and other economic or personal affairs shall be considered confidential and shall be subject to the requirements of professional secrecy, except where the competent authority states at the time of communication that such information may be disclosed or such disclosure is necessary for legal proceedings or cases covered by national taxation or criminal law.
The obligation of professional secrecy shall apply to all natural and legal persons who work or have worked for the competent authorities. Information covered by professional secrecy may not be disclosed to any other natural or legal person or authority except by virtue of Union or national legislative acts.
With regard to the processing of personal data within the framework of this Regulation, competent authorities shall carry out their tasks for the purposes of this Regulation in accordance with Regulation (EU) 2016/679.
The processing of personal data by EBA and ESMA for the purposes of this Regulation shall be carried out in accordance with Regulation (EU) 2018/1725.
Where the irregularities referred to in the first subparagraph concern an issuer of an asset-referenced token or e-money token, or a crypto-asset service related to asset-referenced tokens or e-money tokens, the competent authority of the host Member State shall also notify EBA.
Where, despite the measures taken by the competent authority of the home Member State, the irregularities referred to in paragraph 1 persist, amounting to an infringement of this Regulation, the competent authority of the host Member State, after informing the competent authority of the home Member State, ESMA and, where appropriate, EBA, shall take appropriate measures in order to protect clients of crypto-asset service providers and holders of crypto-assets, in particular retail holders. Such measures include preventing the offeror, person seeking admission to trading, the issuer of the asset-referenced token or e-money token or the crypto-asset service provider from conducting further activities in the host Member State. The competent authority shall inform ESMA and, where appropriate, EBA thereof without undue delay. ESMA, and, where involved, EBA, shall inform the Commission accordingly without undue delay.
Where a competent authority of the home Member State disagrees with any of the measures taken by a competent authority of the host Member State pursuant to paragraph 2 of this Article, it may bring the matter to the attention of ESMA. Article 19(4) of Regulation (EU) No 1095/2010 shall apply in such situations mutatis mutandis.
By way of derogation from the first subparagraph of this paragraph, where the measures referred to in paragraph 2 of this Article concern an issuer of an asset-referenced token or e-money token, or a crypto-asset service related to asset-referenced tokens or e-money tokens, the competent authority of the host Member State may bring the matter to the attention of EBA. Article 19(4) of Regulation (EU) No 1093/2010 shall apply in such situations mutatis mutandis.
(a) the marketing, distribution or sale of certain crypto-assets other than asset-referenced tokens or e-money tokens or crypto-assets other than asset-referenced tokens or e-money tokens with certain specified features; or
(b) a type of activity or practice related to crypto-assets other than asset-referenced tokens or e-money tokens.
A prohibition or restriction may apply in certain circumstances, or be subject to exceptions, specified by ESMA.
(a) the proposed prohibition or restriction addresses a significant investor protection concern or a threat to the orderly functioning and integrity of markets in crypto-assets or to the stability of the whole or part of the financial system in the Union;
(b) the regulatory requirements under Union law that are applicable to the relevant crypto-assets and crypto-asset services do not address the threat at issue;
(c) a relevant competent authority has not taken action to address the threat at issue or the actions that have been taken do not adequately address that threat.
(a) have a detrimental effect on the efficiency of markets in crypto-assets or on holders of crypto-assets or clients receiving crypto-asset services that is disproportionate to the benefits of the measure; and
(b) create a risk of regulatory arbitrage.
Where competent authorities have taken a measure pursuant to Article 105, ESMA may take any of the measures referred to in paragraph 1 of this Article without issuing an opinion pursuant to Article 106(2).
Before deciding to take a measure pursuant to paragraph 1, ESMA shall notify the relevant competent authorities of the measure it intends to take.
ESMA shall publish on its website a notice of a decision to take a measure pursuant to paragraph 1. That notice shall specify the details of the prohibition or restriction imposed and specify a time after the publication of the notice from which the measures will take effect. A prohibition or restriction shall only apply to activities after the measure has taken effect.
ESMA shall review a prohibition or restriction imposed pursuant to paragraph 1 at appropriate intervals, and at least every six months. Following at least two consecutive renewals and based on a proper analysis assessing the impact on consumers, ESMA may decide on the annual renewal of the prohibition or restriction.
Measures taken by ESMA pursuant to this Article shall prevail over any previous measure taken by the relevant competent authorities on the same matter.
The Commission shall adopt delegated acts in accordance with Article 139 to supplement this Regulation by specifying the criteria and factors to be taken into account by ESMA in determining whether there is a significant investor protection concern or a threat to the orderly functioning and integrity of markets in crypto-assets or to the stability of the whole or part of the financial system of the Union for the purposes of paragraph 2, point (a), of this Article.
(a) the marketing, distribution or sale of certain asset-referenced tokens or e-money tokens or asset-referenced tokens or e-money tokens with certain specified features; or
(b) a type of activity or practice related to asset-referenced tokens or e-money tokens.
A prohibition or restriction may apply in certain circumstances, or be subject to exceptions, specified by EBA.
(a) the proposed prohibition or restriction addresses a significant investor protection concern or a threat to the orderly functioning and integrity of markets in crypto-assets or to the stability of the whole or part of the financial system in the Union;
(b) the regulatory requirements under Union law that are applicable to the relevant asset-referenced tokens, e-money tokens or crypto-asset services related to them do not address the threat at issue;
(c) a relevant competent authority has not taken action to address the threat at issue or the actions that have been taken do not adequately address that threat.
(a) have a detrimental effect on the efficiency of markets in crypto-assets or on holders of asset-referenced tokens or e-money tokens or clients receiving crypto-asset services that is disproportionate to the benefits of the measure; and
(b) create a risk of regulatory arbitrage.
Where competent authorities have taken a measure pursuant to Article 105, EBA may take any of the measures referred to in paragraph 1 of this Article without issuing an opinion pursuant to Article 106(2).
Before deciding to take a measure pursuant to paragraph 1, EBA shall notify the relevant competent authorities of the measure it intends to take.
EBA shall publish on its website a notice of a decision to take a measure pursuant to paragraph 1. That notice shall specify the details of the prohibition or restriction imposed and specify a time after the publication of the notice from which the measures will take effect. A prohibition or restriction shall only apply to activities after the measure has taken effect.
EBA shall review a prohibition or restriction imposed pursuant to paragraph 1 at appropriate intervals, and at least every six months. Following at least two consecutive renewals and based on a proper analysis assessing the impact on consumers, EBA may decide on the annual renewal of the prohibition or restriction.
Measures taken by EBA pursuant to this Article shall prevail over any previous measure taken by the relevant competent authority on the same matter.
The Commission shall adopt delegated acts in accordance with Article 139 to supplement this Regulation by specifying the criteria and factors to be taken into account by EBA in determining whether there is a significant investor protection concern or a threat to the orderly functioning and integrity of markets in crypto-assets or to the stability of the whole or part of the financial system of the Union for the purposes of paragraph 2, point (a), of this Article.
(a) the marketing, distribution or sale of certain crypto-assets or crypto-assets with certain specified features; or
(b) a type of activity or practice related to crypto-assets.
(a) a crypto-asset gives rise to significant investor protection concerns or poses a threat to the orderly functioning and integrity of markets in crypto-assets or to the stability of the whole or part of the financial system within at least one Member State;
(b) existing regulatory requirements under Union law applicable to the crypto-asset or crypto-asset service concerned do not sufficiently address the risks referred to in point (a) and the issue would not be better addressed by improved supervision or enforcement of existing requirements;
(c) the measure is proportionate, taking into account the nature of the risks identified, the level of sophistication of investors or market participants concerned and the likely effect of the measure on investors and market participants who may hold, use or benefit from the crypto-asset or crypto-asset service concerned;
(d) the competent authority has properly consulted the competent authorities in other Member States that might be significantly affected by the measure; and
(e) the measure does not have a discriminatory effect on services or activities provided from another Member State.
Where the conditions set out in the first subparagraph of this paragraph are fulfilled, the competent authority may impose the prohibition or restriction referred to in paragraph 1 on a precautionary basis before a crypto-asset has been marketed, distributed or sold to clients.
The competent authority may decide to apply the prohibition or restriction referred to in paragraph 1 only in certain circumstances or to make it subject to exceptions.
(a) the crypto-asset or activity or practice to which the proposed measure relates;
(b) the precise nature of the proposed prohibition or restriction and when it is intended to take effect; and
(c) the evidence upon which it has based its decision and upon which it is satisfied that each of the conditions in paragraph 2, first subparagraph, are met.
In exceptional cases where the competent authority considers it necessary in order to prevent any detrimental effects arising from the crypto-asset or activity or practice referred to in paragraph 1, the competent authority may take an urgent measure on a provisional basis with no less than 24 hours’ written notice before the measure is intended to take effect to all other competent authorities and ESMA, provided that all of the criteria listed in this Article are met and, in addition, that it is clearly established that a one-month notification period would not adequately address the specific concern or threat. The duration of measures taken on a provisional basis shall not exceed three months.
The competent authority shall publish on its website a notice of a decision to impose a prohibition or restriction as referred to in paragraph 1. That notice shall specify the details of the prohibition or restriction imposed and specify a time after the publication of the notice from which the measures will take effect and the evidence upon which the competent authority has based its decision, and is satisfied that each of the conditions in paragraph 2, first subparagraph, is met. The prohibition or restriction shall only apply to activities after the measures have taken effect.
The competent authority shall revoke a prohibition or restriction if the conditions in paragraph 2 no longer apply.
The Commission shall adopt delegated acts in accordance with Article 139 to supplement this Regulation by specifying the criteria and factors to be taken into account by the competent authorities in determining whether there is a significant investor protection concern or a threat to the orderly functioning and integrity of markets in crypto-assets or to the stability of the whole or part of the financial system within at least one Member State as for the purposes of paragraph 2, first subparagraph, point (a).
ESMA or, for asset-referenced tokens and e-money tokens, EBA, shall perform a facilitating and coordinating role in relation to measures taken by competent authorities pursuant to Article 105. ESMA or, for asset-referenced tokens and e-money tokens, EBA, shall ensure that measures taken by a competent authority are justified and proportionate and that a consistent approach is taken by competent authorities, where appropriate.
After receiving notification in accordance with Article 105(3) of any measure to be taken pursuant to that Article, ESMA or, for asset-referenced tokens and e-money tokens, EBA, shall issue an opinion on whether the prohibition or restriction is justified and proportionate. If ESMA or, for asset-referenced tokens and e-money tokens, EBA, considers that the taking of a measure by other competent authorities is necessary to address the risk, it shall state this in its opinion. The opinion shall be published on the website of ESMA or, for asset-referenced tokens and e-money tokens, EBA.
Where a competent authority proposes to take, or takes or declines to take measures contrary to an opinion issued by ESMA or EBA pursuant to paragraph 2, it shall immediately publish on its website a notice fully explaining its reasons therefor.
A competent authority shall inform EBA, ESMA and the other competent authorities where it intends to conclude such an arrangement.
ESMA, in close cooperation with EBA, shall, where possible, facilitate and coordinate the development of cooperation arrangements between the competent authorities and the relevant supervisory authorities of third countries.
ESMA, in close cooperation with EBA, shall develop draft regulatory technical standards establishing a template document for cooperation arrangements referred to in paragraph 1 for use by competent authorities of Member States where possible.
ESMA shall submit the draft regulatory technical standards referred to in the first subparagraph to the Commission by 30 June 2024.
Power is delegated to the Commission to supplement this Regulation by adopting the regulatory technical standards referred to in the first subparagraph of this paragraph in accordance with Articles 10 to 14 of Regulation (EU) No 1095/2010.
ESMA, in close cooperation with EBA, shall also, where possible, facilitate and coordinate the exchange between competent authorities of information obtained from supervisory authorities of third countries that might be relevant for taking measures under Chapter 3 of this Title.
The competent authorities shall conclude cooperation arrangements on exchange of information with the supervisory authorities of third countries only where the information disclosed is subject to guarantees of professional secrecy that are at least equivalent to those set out in Article 100. Such exchange of information shall be intended for the performance of the tasks under this Regulation of those competent authorities.
Competent authorities shall set up procedures that allow clients and other interested parties, including consumer associations, to submit complaints to them with regard to alleged infringements of this Regulation by offerors, persons seeking admission to trading, issuers of asset-referenced tokens or e-money tokens, or crypto-asset service providers. Complaints shall be accepted in writing, including electronically, and in an official language of the Member State in which the complaint is submitted, or in a language accepted by the competent authorities of that Member State.
Information on the complaints-handling procedures referred to in paragraph 1 of this Article shall be made available on the website of each competent authority and communicated to EBA and ESMA. ESMA shall publish hyperlinks to the sections of the websites of the competent authorities related to complaints-handling procedures in its crypto-asset register referred to in Article 109.
(a) crypto-asset white papers for crypto-assets other than asset-referenced tokens and e-money tokens;
(b) issuers of asset-referenced tokens;
(c) issuers of e-money tokens; and
(d) crypto-asset service providers.
ESMA’s register shall be publicly available on its website and shall be updated on a regular basis. In order to facilitate such updating, the competent authorities shall communicate to ESMA any changes notified to them regarding the information specified in paragraphs 2 to 5.
The competent authorities shall provide ESMA with the data necessary for the classification of crypto-asset white papers in the register, as specified in accordance with paragraph 8.
As regards crypto-asset white papers for crypto-assets other than asset-referenced tokens or e-money tokens, the register shall contain the crypto-asset white papers and any modified crypto-asset white papers. Any out-of-date versions of the crypto-asset white papers shall be kept in a separate archive and be clearly marked as out-of-date versions.
As regards issuers of asset-referenced tokens, the register shall contain the following information:
(a) the name, legal form and legal entity identifier of the issuer;
(b) the commercial name, physical address, telephone number, email and website of the issuer;
(c) the crypto-asset white papers and any modified crypto-asset white papers, with the out-of-date versions of the crypto-asset white paper kept in a separate archive and clearly marked as out-of-date;
(d) the list of host Member States where the applicant issuer intends to offer an asset-referenced token to the public or intends to seek admission to trading of the asset-referenced tokens;
(e) the starting date, or, if not available at the time of the notification by the competent authority, the intended starting date, of the offer to the public or the admission to trading;
(f) any other services provided by the issuer not covered by this Regulation, with a reference to the applicable Union or national law;
(g) the date of authorisation to offer to the public or seek the admission to trading of an asset-referenced token or of authorisation as a credit institution and, where applicable, of withdrawal of either authorisation.
(a) the name, legal form and legal entity identifier of the issuer;
(b) the commercial name, physical address, telephone number, email and website of the issuer;
(c) the crypto-asset white papers and any modified crypto-asset white papers, with the out-of-date versions of the crypto-asset white paper kept in a separate archive and clearly marked as out-of-date;
(d) the starting date, or, if not available at the time of the notification by the competent authority, the intended starting date, of the offer to the public or the admission to trading;
(e) any other services provided by the issuer not covered by this Regulation, with a reference to the applicable Union or national law;
(f) the date of authorisation as a credit institution or as an electronic money institution and, where applicable, of withdrawal of that authorisation.
(a) the name, legal form and legal entity identifier of the crypto-asset service provider and, where applicable, of the branches of the crypto-asset service provider;
(b) the commercial name, physical address, telephone number, email and website of the crypto-asset service provider and, where applicable, of the trading platform for crypto-assets operated by the crypto-asset service provider;
(c) the name and address of the competent authority that granted authorisation and its contact details;
(d) the list of crypto-asset services provided by the crypto-asset service provider;
(e) the list of host Member States in which the crypto-asset service provider intends to provide crypto-asset services;
(f) the starting date, or, if not available at the time of the notification by the competent authority, the intended starting date, of the provision of crypto-asset services;
(g) any other services provided by the crypto-asset service provider not covered by this Regulation with a reference to the applicable Union or national law;
(h) the date of authorisation and, where applicable, of the withdrawal of an authorisation.
Competent authorities shall notify ESMA without delay of the measures listed in Article 94(1), first subparagraph, point (b), (c), (f), (l), (m), (n), (o) or (t), and of any public precautionary measures taken pursuant to Article 102 affecting the provision of crypto-asset services or the issuance, offer to the public or use of crypto-assets. ESMA shall include such information in the register.
Any withdrawal of an authorisation of an issuer of an asset-referenced token, of an issuer of an e-money token, or of a crypto-asset service provider, and any measure notified in accordance with paragraph 6, shall remain published in the register for five years.
ESMA shall develop draft regulatory technical standards to further specify the data necessary for the classification, by type of crypto-asset, of crypto-asset white papers, including the legal entity identifiers, in the register and specify the practical arrangements to ensure that such data is machine-readable.
ESMA shall submit the draft regulatory technical standards referred to in the first subparagraph to the Commission by 30 June 2024.
Power is delegated to the Commission to supplement this Regulation by adopting the regulatory technical standards referred to in the first subparagraph of this paragraph in accordance with Articles 10 to 14 of Regulation (EU) No 1095/2010.
ESMA shall establish a non-exhaustive register of entities that provide crypto-asset services in violation of Article 59 or 61.
The register shall contain at least the commercial name or the website of a non-compliant entity and the name of the competent authority that submitted the information.
The register shall be publicly available on ESMA’s website in a machine-readable format and shall be updated on a regular basis to take into account any changes of circumstances or any information that is brought to ESMA’s attention concerning the registered non-compliant entities. The register shall enable centralised access to information submitted by competent authorities from the Member States or third countries, as well as by EBA.
ESMA shall update the register to include information on any case of infringement of this Regulation identified on its own initiative in accordance with Article 17 of Regulation (EU) No 1095/2010 in which it has adopted a decision under paragraph 6 of that Article addressed to a non-compliant entity providing crypto-asset services, or any information on entities providing crypto-asset services without the necessary authorisation or registration submitted by the relevant supervisory authorities of third countries.
In the cases referred to in paragraph 4 of this Article, ESMA may apply the relevant supervisory and investigative powers of competent authorities as referred to in Article 94(1) to non-compliant entities providing crypto-asset services.
(a) infringements of Articles 4 to 14;
(b) infringements of Articles 16, 17, 19, 22, 23, 25, Articles 27 to 41, Articles 46 and 47;
(c) infringements of Articles 48 to 51, Articles 53, 54 and 55;
(d) infringements of Articles 59, 60, 64 and Articles 65 to 83;
(e) infringements of Articles 88 to 92;
(f) failure to cooperate or to comply with an investigation, with an inspection or with a request as referred to in Article 94(3).
Member States may decide not to lay down rules for administrative penalties where the infringements referred to in the first subparagraph, point (a), (b), (c), (d) or (e), are already subject to criminal penalties in their national law by 30 June 2024. Where they so decide, Member States shall notify to the Commission, ESMA and to EBA, in detail, the relevant parts of their criminal law.
By 30 June 2024, Member States shall notify to the Commission, EBA and ESMA, in detail, the rules referred to in the first and second subparagraphs. They shall also notify the Commission, ESMA and EBA without delay of any subsequent amendment thereto.
(a) a public statement indicating the natural or legal person responsible and the nature of the infringement;
(b) an order requiring the natural or legal person responsible to cease the conduct constituting the infringement and to desist from a repetition of that conduct;
(c) maximum administrative fines of at least twice the amount of the profits gained or losses avoided because of the infringement where those can be determined, even if it exceeds the maximum amounts set out in point (d) of this paragraph, as regards natural persons, or in paragraph 3 as regards legal persons;
(d) in the case of a natural person, maximum administrative fines of at least EUR 700 000, or, in the Member States whose official currency is not the euro, the corresponding value in the official currency on 29 June 2023.
(a) EUR 5 000 000, or, in the Member States whose official currency is not the euro, the corresponding value in the official currency on 29 June 2023, for the infringements referred to in paragraph 1, first subparagraph, points (a) to (d);
(b) 3 % of the total annual turnover of the legal person according to the last available financial statements approved by the management body, for the infringements referred to in paragraph 1, first subparagraph, point (a);
(c) 5 % of the total annual turnover of the legal person according to the last available financial statements approved by the management body, for the infringements referred to in paragraph 1, first subparagraph, point (d);
(d) 12,5 % of the total annual turnover of the legal person according to the last available financial statements approved by the management body, for the infringements referred to in paragraph 1, first subparagraph, points (b) and (c).
Where the legal person referred to in the first subparagraph, points (a) to (d), is a parent undertaking or a subsidiary of a parent undertaking which is required to prepare consolidated financial statements in accordance with Directive 2013/34/EU, the relevant total annual turnover shall be the total annual turnover or the corresponding type of income in accordance with applicable Union law in the field of accounting according to the last available consolidated accounts approved by the management body of the ultimate parent undertaking.
In addition to the administrative penalties and other administrative measures as well as administrative fines referred to in paragraphs 2 and 3, Member States shall, in accordance with their national law, ensure that competent authorities have the power to impose, in the event of infringements referred to in paragraph 1, first subparagraph, point (d), a temporary ban preventing any member of the management body of the crypto-asset service provider, or any other natural person who is held responsible for the infringement, from exercising management functions in a crypto-asset service provider.
Member States shall, in accordance with their national law, ensure that, in the event of the infringements referred to in paragraph 1, first subparagraph, point (e), competent authorities have the power to impose at least the following administrative penalties and to take at least the following administrative measures:
(a) a public statement indicating the natural or legal person responsible and the nature of the infringement;
(b) an order requiring the natural or legal person responsible to cease the conduct constituting the infringement and to desist from a repetition of that conduct;
(c) the disgorgement of the profits gained or losses avoided due to the infringement insofar as they can be determined;
(d) withdrawal or suspension of the authorisation of a crypto-asset service provider;
(e) a temporary ban of any member of the management body of the crypto-asset service provider, or any other natural person who is held responsible for the infringement, from exercising management functions in crypto-asset service providers;
(f) in the event of a repeated infringement of Article 89, 90, 91 or 92, a ban of at least 10 years for any member of the management body of a crypto-asset service provider, or any other natural person who is held responsible for the infringement, from exercising management functions in a crypto-asset service provider;
(g) a temporary ban of any member of the management body of a crypto-asset service provider or any other natural person who is held responsible for the infringement, from dealing on own account;
(h) maximum administrative fines of at least three times the amount of the profits gained or losses avoided because of the infringement, where those can be determined, even if it exceeds the maximum amounts set out in point (i) or (j), as applicable;
(i) in respect of a natural person, maximum administrative fines of at least EUR 1 000 000 for infringements of Article 88 and EUR 5 000 000 for infringements of Articles 89 to 92 or in the Member States whose official currency is not the euro, the corresponding value in the official currency on 29 June 2023;
(j) in respect of legal persons, maximum administrative fines of at least EUR 2 500 000 for infringements of Article 88 and EUR 15 000 000 for infringements of Articles 89 to 92, or 2 % for infringements of Article 88 and 15 % for infringements of Articles 89 to 92 of the total annual turnover of the legal person according to the last available accounts approved by the management body, or in the Member States whose official currency is not the euro, the corresponding value in the official currency on 29 June 2023.
For the purpose of point (j) of the first subparagraph, where the legal person is a parent undertaking or a subsidiary of a parent undertaking which is required to prepare consolidated financial statements in accordance with Directive 2013/34/EU, the relevant total annual turnover shall be the total annual turnover or the corresponding type of income in accordance with applicable Union law in the field of accounting according to the last available consolidated accounts approved by the management body of the ultimate parent undertaking.
(a) the gravity and the duration of the infringement;
(b) whether the infringement has been committed intentionally or negligently;
(c) the degree of responsibility of the natural or legal person responsible for the infringement;
(d) the financial strength of the natural or legal person responsible for the infringement, as indicated by the total turnover of the responsible legal person or the annual income and net assets of the responsible natural person;
(e) the importance of the profits gained or losses avoided by the natural or legal person responsible for the infringement, insofar as those can be determined;
(f) the losses for third parties caused by the infringement, insofar as those can be determined;
(g) the level of cooperation of the natural or legal person responsible for the infringement with the competent authority, without prejudice to the need to ensure disgorgement of profits gained or losses avoided by that person;
(h) previous infringements of this Regulation by the natural or legal person responsible for the infringement;
(i) measures taken by the person responsible for the infringement to prevent its repetition;
(j) the impact of the infringement on the interests of holders of crypto-assets and clients of crypto-asset service providers, in particular retail holders.
Member States shall ensure that decisions taken by competent authorities under this Regulation are properly reasoned and subject to the right of appeal before a court. The right of appeal before a court shall also apply where, in respect of an application for authorisation which provides all of the required information, no decision is taken within six months of its submission.
Member States shall provide that one or more of the following bodies, as determined by national law, may, in the interests of consumers and in accordance with national law, take action before the courts or competent administrative bodies to ensure that this Regulation is applied:
(a) public bodies or their representatives;
(b) consumer organisations having a legitimate interest in protecting holders of crypto-assets;
(c) professional organisations having a legitimate interest in protecting their members.
A decision imposing administrative penalties and other administrative measures for an infringement of this Regulation in accordance with Article 111 shall be published by competent authorities on their official websites without undue delay after the natural or legal person subject to that decision has been informed of that decision. The publication shall include at least information on the type and nature of the infringement and the identity of the natural or legal persons responsible. Decisions imposing measures that are of an investigatory nature need not be published.
Where the publication of the identity of the legal entities, or the identity or personal data of natural persons, is considered by the competent authority to be disproportionate following a case-by-case assessment conducted on the proportionality of the publication of such data, or where such publication would jeopardise an ongoing investigation, competent authorities shall take one of the following actions:
(a) defer the publication of the decision to impose an administrative penalty or other administrative measure until the moment where the reasons for non-publication cease to exist;
(b) publish the decision to impose an administrative penalty or other administrative measure on an anonymous basis in a manner which is in conformity with national law, where such anonymous publication ensures the effective protection of the personal data concerned;
(c) not publish the decision to impose an administrative penalty or other administrative measure in the event that the options provided for in points (a) and (b) are considered insufficient to ensure:
(i) that the stability of financial markets is not jeopardised;
(ii) the proportionality of the publication of such a decision with regard to measures which are deemed to be of a minor nature.
In the case of a decision to publish an administrative penalty or other administrative measure on an anonymous basis, as referred to in the first subparagraph, point (b), the publication of the relevant data may be deferred for a reasonable period where it is foreseen that within that period the reasons for anonymous publication will cease to exist.
Where the decision to impose an administrative penalty or other administrative measure is under appeal before the relevant courts or administrative bodies, competent authorities shall publish, immediately, on their official website such information and any subsequent information on the outcome of such appeal. Moreover, any decision annulling a previous decision to impose administrative penalty or other administrative measure shall also be published.
Competent authorities shall ensure that any publication in accordance with this Article remains on their official website for a period of at least five years after its publication. Personal data contained in the publication shall be kept on the official website of the competent authority only for the period which is necessary in accordance with the applicable data protection rules.
Where Member States have, in accordance with Article 111(1), second subparagraph, laid down criminal penalties for the infringements of the provisions referred to therein, their competent authorities shall provide EBA and ESMA annually with anonymised and aggregated data regarding all relevant criminal investigations undertaken and criminal penalties imposed. ESMA shall publish data on criminal penalties imposed in an annual report.
Where the competent authority has disclosed administrative penalties, other administrative measures or criminal penalties to the public, it shall simultaneously report them to ESMA.
Competent authorities shall inform EBA and ESMA of all administrative penalties or other administrative measures imposed but not published, including any appeal in relation thereto and the outcome thereof. Member States shall ensure that competent authorities receive information and the final judgment in relation to any criminal penalty imposed and submit it to EBA and ESMA. ESMA shall maintain a central database of penalties and administrative measures communicated to it solely for the purposes of exchanging information between competent authorities. That database shall be only accessible to EBA, ESMA and the competent authorities and it shall be updated based on the information provided by the competent authorities.
Directive (EU) 2019/1937 shall apply to the reporting of infringements of this Regulation and the protection of persons reporting such infringements.
Without prejudice to the powers of national competent authorities under paragraph 2 of this Article, EBA shall exercise the powers of competent authorities conferred by Articles 22 to 25, 29, 33 Article 34(7) and (12), Article 35(3) and (5), Article 36(10) and Articles 41, 42, 46 and 47 as regards issuers of significant asset-referenced tokens.
Where an issuer of a significant asset-referenced token also provides crypto-asset services or issues crypto-assets that are not significant asset-referenced tokens, those services and activities shall remain under the supervision of the competent authority of the home Member State.
Where an asset-referenced token has been classified as significant in accordance with Article 43, EBA shall conduct a supervisory reassessment to ensure that the issuer complies with Title III.
Where an e-money token issued by an electronic money institution has been classified as significant in accordance with Article 56 or 57, EBA shall supervise the compliance of the issuer of such significant e-money token with Articles 55 and 58.
For the purposes of the supervision of compliance with Articles 55 and 58, EBA shall exercise the powers of the competent authorities conferred on them by Articles 22 and 23, Article 24(3), Article 35(3) and (5), Article 36(10) and Articles 46 and 47, as regards electronic money institutions issuing significant e-money tokens.
(a) the prudential supervisory authority, including, where applicable, the ECB under Regulation (EU) No 1024/2013;
(b) relevant competent authorities under national law transposing Directive 2009/110/EC, where applicable;
(c) the competent authorities referred to in Article 20(1).
EBA shall create a permanent internal committee pursuant to Article 41 of Regulation (EU) No 1093/2010 for the purposes of preparing EBA’s decisions to be taken in accordance with Article 44 thereof, including decisions relating to the supervisory tasks that have been conferred on EBA by this Regulation.
The crypto-asset committee may also prepare decisions in relation to draft regulatory technical standards and draft implementing technical standards relating to supervisory tasks that have been conferred on EBA by this Regulation.
EBA shall ensure that the crypto-asset committee performs only the activities referred to in paragraphs 1 and 2 and any other tasks necessary for the performance of its activities related to crypto-assets.
Within 30 calendar days of a decision to classify an asset-referenced token or e-money token as significant pursuant to Article 43, 44, 56 or 57, as applicable, EBA shall establish, manage and chair a consultative supervisory college for each issuer of a significant asset-referenced token or of a significant e-money token, to facilitate the exercise of supervisory tasks and act as a vehicle for the coordination of supervisory activities under this Regulation.
A college referred to in paragraph 1 shall consist of:
(a) EBA;
(b) ESMA;
(c) the competent authorities of the home Member State where the issuer of the significant asset-referenced token or of the significant e-money token is established;
(d) the competent authorities of the most relevant crypto-asset service providers, credit institutions or investment firms ensuring the custody of the reserve assets in accordance with Article 37 or of the funds received in exchange of the significant e-money tokens;
(e) where applicable, the competent authorities of the most relevant trading platforms for crypto-assets where the significant asset-referenced tokens or the significant e-money tokens are admitted to trading;
(f) the competent authorities of the most relevant payment service providers providing payment services in relation to the significant e-money tokens;
(g) where applicable, the competent authorities of the entities ensuring the functions as referred to in Article 34(5), first subparagraph, point (h);
(h) where applicable, the competent authorities of the most relevant crypto-asset service providers providing custody and administration of crypto-assets on behalf of clients in relation to the significant asset-referenced tokens or with the significant e-money tokens;
(i) the ECB;
(j) where the issuer of the significant asset-referenced token is established in a Member State whose official currency is not the euro, or where an official currency that is not the euro is referenced by the significant asset-referenced token, the central bank of that Member State;
(k) where the issuer of the significant e-money token is established in a Member State whose official currency is not the euro, or where an official currency that is not the euro is referenced by the significant e-money token, the central bank of that Member State;
(l) competent authorities of Member States where the asset-referenced token or the e-money token is used at large scale, at their request;
(m) relevant supervisory authorities of third countries with which EBA has concluded administrative agreements in accordance with Article 126.
EBA may invite other authorities to be members of the college referred to in paragraph 1 where the entities they supervise are relevant to the work of the college.
The competent authority of a Member State which is not a member of the college may request from the college any information relevant for the performance of its supervisory duties under this Regulation.
A college referred to in paragraph 1 of this Article shall, without prejudice to the responsibilities of competent authorities under this Regulation, ensure:
(a) the preparation of the non-binding opinion referred to in Article 120;
(b) the exchange of information in accordance with this Regulation;
(c) agreement on the voluntary entrustment of tasks among its members.
In order to facilitate the performance of the tasks assigned to colleges pursuant to the first subparagraph of this paragraph, the members of the college referred to in paragraph 2 shall be entitled to contribute to the setting of the agenda of the college meetings, in particular by adding points to the agenda of a meeting.
The agreement referred to in the first subparagraph shall determine the practical arrangements for the functioning of the college, including detailed rules on:
(a) voting procedures as referred in Article 120(3);
(b) the procedures for setting the agenda of college meetings;
(c) the frequency of the college meetings;
(d) the appropriate minimum timeframes for the assessment of the relevant documentation by the members of the college;
(e) the modalities of communication between the members of the college;
(f) the creation of several colleges, one for each specific crypto-asset or group of crypto-assets.
The agreement may also determine tasks to be entrusted to EBA or another member of the college.
(a) establish written arrangements and procedures for the functioning of the college, after consulting the other members of the college;
(b) coordinate all activities of the college;
(c) convene and chair all its meetings and keep the members of the college fully informed in advance of the organisation of meetings of the college, of the main issues to be discussed and of the items to be considered;
(d) notify the members of the college of any planned meetings so that they can request to participate;
(e) keep the members of the college informed, in a timely manner, of the decisions and outcomes of those meetings.
(a) the conditions under which the entities referred to in paragraph 2, points (d), (e), (f) and (h), are to be considered the most relevant;
(b) the conditions under which it is considered that asset-referenced tokens or e-money tokens are used at large scale, as referred to in paragraph 2, point (l); and
(c) the details of the practical arrangements referred to in paragraph 6.
EBA shall submit the draft regulatory standards referred to in the first subparagraph to the Commission by 30 June 2024.
Power is delegated to the Commission to supplement this Regulation by adopting the regulatory technical standards referred to in the first subparagraph of this paragraph in accordance with Article 10 to 14 of Regulation (EU) No 1093/2010.
(a) the supervisory reassessment as referred to in Article 117(3);
(b) any decision to require an issuer of a significant asset-referenced token or a significant e-money token to hold a higher amount of own funds in accordance with Article 35(2), (3) and (5), Article 45(5) and Article 58(1), as applicable;
(c) any update of the recovery plan or redemption plan of an issuer of a significant asset-referenced token or an issuer of a significant e-money token pursuant to Articles 46, 47 and 55, as applicable;
(d) any change of the business model of an issuer of a significant asset-referenced token pursuant to Article 25(1);
(e) a draft modified crypto-asset white paper drawn up in accordance with Article 25(2);
(f) any envisaged appropriate corrective measures pursuant to Article 25(4);
(g) any envisaged supervisory measures pursuant to Article 130;
(h) any envisaged administrative agreement on the exchange of information with a supervisory authority of a third-country in accordance with Article 126;
(i) any delegation of supervisory tasks from EBA to a competent authority pursuant to Article 138;
(j) any envisaged change in the authorisation of, or any envisaged supervisory measure on, the members of the college referred to in Article 119(2), points (d) to (h);
(k) a draft modified crypto-asset white paper drawn up in accordance with Article 51(12).
Where the college issues an opinion in accordance with paragraph 1, at the request of any member of the college and upon adoption by a majority of the college in accordance with paragraph 3, the opinion may include any recommendations aimed at addressing shortcomings of the measure envisaged by EBA or the competent authorities.
An opinion of the college shall be adopted based on a simple majority of its members.
Where there are several members of the college per Member State, only one of those members shall have a vote.
Where the ECB is a member of the college in several capacities, including supervisory capacities, it shall have only one vote.
Supervisory authorities of third countries referred to in Article 119(2), point (m), shall have no voting right in respect of an opinion of the college.
The powers conferred on EBA by Articles 122 to 125, or on any official or other person authorised by EBA, shall not be used to require the disclosure of information which is subject to legal privilege.
(a) an issuer of a significant asset-referenced token or a person controlling or being directly or indirectly controlled by an issuer of a significant asset-referenced token;
(b) a third party as referred to in Article 34(5), first subparagraph, point (h), with which an issuer of a significant asset-referenced token has a contractual arrangement;
(c) a crypto-asset service provider, credit institution or investment firm ensuring the custody of the reserve assets in accordance with Article 37;
(d) an issuer of a significant e-money token or a person controlling or being directly or indirectly controlled by an issuer of a significant e-money token;
(e) a payment service provider that provides payment services in relation to significant e-money tokens;
(f) a natural or legal person in charge of distributing significant e-money tokens on behalf of an issuer of significant e-money tokens;
(g) a crypto-asset service provider providing custody and administration of crypto-assets on behalf of clients in relation to significant asset-referenced tokens or significant e-money tokens;
(h) an operator of a trading platform for crypto-assets that has admitted to trading a significant asset-referenced token or a significant e-money token;
(i) the management body of the persons referred to in points (a) to (h).
(a) refer to this Article as the legal basis of that request;
(b) state the purpose of the request;
(c) specify the information required;
(d) include a time limit within which the information is to be provided;
(e) inform the person from whom the information is requested that it is not obliged to provide the information but that, in the case of a voluntary reply to the request, the information provided is required to be correct and not misleading; and
(f) indicate the fine provided for in Article 131, where the answers to questions asked are incorrect or misleading.
(a) refer to this Article as the legal basis of that request;
(b) state the purpose of the request;
(c) specify the information required;
(d) set a time limit within which the information is to be provided;
(e) indicate the periodic penalty payments provided for in Article 132 where the production of information is required;
(f) indicate the fine provided for in Article 131, where the answers to questions asked are incorrect or misleading;
(g) indicate the right to appeal the decision before EBA’s Board of Appeal and to have the decision reviewed by the Court of Justice in accordance with Articles 60 and 61 of Regulation (EU) No 1093/2010.
The persons referred to in paragraph 1 or their representatives and, in the case of legal persons or associations having no legal personality, the persons authorised to represent them by law, shall provide the information requested.
EBA shall without delay send a copy of the simple request or of its decision to the competent authority of the Member State where the persons concerned by the request for information are domiciled or established.
(a) examine any records, data, procedures and any other material relevant to the execution of its tasks irrespective of the medium on which they are stored;
(b) take or obtain certified copies of or extracts from such records, data, procedures and other material;
(c) summon and ask any issuer of a significant asset-referenced token or issuer of a significant of e-money token, or their management body or staff, for oral or written explanations of facts or documents relating to the subject matter and purpose of the investigation and to record the answers;
(d) interview any other natural or legal person who consents to be interviewed for the purposes of collecting information relating to the subject matter of an investigation;
(e) request records of telephone and data traffic.
A college as referred to in Article 119(1) shall be informed without undue delay of any findings that might be relevant for the execution of its tasks.
The officials and other persons authorised by EBA for the purposes of the investigation referred to in paragraph 1 shall exercise their powers upon the production of a written authorisation specifying the subject matter and purpose of the investigation. That authorisation shall also indicate the periodic penalty payments provided for in Article 132 where the required records, data, procedures or any other material, or the answers to questions posed to issuers of significant asset-referenced tokens or issuers of significant e-money tokens, are not provided or are incomplete, and the fines provided for in Article 131, where the answers to questions posed to issuers of significant asset-referenced tokens or issuers of significant e-money tokens are incorrect or misleading.
The issuers of significant asset-referenced tokens and issuers of significant e-money tokens are required to submit to investigations launched based on a decision of EBA. The decision shall specify the subject matter and purpose of the investigation, the periodic penalty payments provided for in Article 132, the legal remedies available under Regulation (EU) No 1093/2010 and the right to have the decision reviewed by the Court of Justice.
Within a reasonable period before an investigation referred to in paragraph 1, EBA shall inform the competent authority of the Member State where the investigation is to be carried out of the investigation and of the identity of the authorised persons. Officials of the competent authority concerned shall, upon the request of EBA, assist those authorised persons in carrying out their duties. Officials of the competent authority concerned may also attend the investigations upon request.
If a request for records of telephone or data traffic referred to in paragraph 1, first subparagraph, point (e), requires authorisation from a court pursuant to applicable national law, EBA shall apply for such authorisation. Such authorisation may also be applied for as a precautionary measure.
Where a court in a Member State receives an application for the authorisation of a request for records of telephone or data traffic referred to in paragraph 1, first subparagraph, point (e), that court shall verify whether:
(a) the decision of EBA referred to in paragraph 3 is authentic;
(b) any measures to be taken are proportionate and not arbitrary or excessive.
The college referred to in Article 119 shall be informed without undue delay of any findings that might be relevant for the execution of its tasks.
The officials and other persons authorised by EBA to conduct an on-site inspection may enter any business premises of the persons subject to an investigation decision adopted by EBA and shall have all of the powers provided for in Article 123(1). They shall also have the power to seal any business premises and books or records for the period of, and to the extent necessary for, the inspection.
In due time before the inspection, EBA shall give notice of the inspection to the competent authority of the Member State where the inspection is to be conducted. Where the proper conduct and efficiency of the inspection so require, EBA, after informing that competent authority, may carry out the on-site inspection without giving prior notice to the issuer of the significant asset-referenced token or the issuer of the significant e-money token.
The officials and other persons authorised by EBA to conduct an on-site inspection shall exercise their powers upon production of a written authorisation specifying the subject matter and purpose of the inspection and the periodic penalty payments provided for in Article 132 where the persons concerned do not submit to the inspection.
The issuer of the significant asset-referenced token or the issuer of the significant e-money token shall submit to on-site inspections ordered by a decision of EBA. The decision shall specify the subject matter and purpose of the inspection, appoint the date on which it is to begin and indicate the periodic penalty payments provided for in Article 132, the legal remedies available under Regulation (EU) No 1093/2010 as well as the right to have the decision reviewed by the Court of Justice.
Officials of, as well as those authorised or appointed by, the competent authority of the Member State where the inspection is to be conducted shall, at the request of EBA, actively assist the officials and other persons authorised by EBA. Officials of the competent authority of the Member State concerned may also attend the on-site inspections.
EBA may also require competent authorities to carry out specific investigatory tasks and on-site inspections as provided for in this Article and in Article 123(1) on its behalf.
Where the officials and other accompanying persons authorised by EBA find that a person opposes an inspection ordered pursuant to this Article, the competent authority of the Member State concerned shall afford them the necessary assistance, requesting, where appropriate, the assistance of the police or of an equivalent enforcement authority, so as to enable them to conduct their on-site inspection.
If the on-site inspection provided for in paragraph 1 or the assistance provided for in paragraph 7 requires authorisation by a court pursuant to national law, EBA shall make an application for such authorisation. Such authorisation may also be applied for as a precautionary measure.
Where a court in a Member State receives an application for the authorisation of an on-site inspection provided for in paragraph 1 or the assistance provided for in paragraph 7, that court shall verify whether:
(a) the decision adopted by EBA referred to in paragraph 4 is authentic;
(b) any measures to be taken are proportionate and not arbitrary or excessive.
(a) an issuer of a significant asset-referenced token or a person controlling or being directly or indirectly controlled by an issuer of a significant asset-referenced token;
(b) a third party as referred to in Article 34(5), first subparagraph, point (h), with which an issuer of a significant asset-referenced token has a contractual arrangement;
(c) a crypto-asset service provider, credit institution or investment firm ensuring the custody of the reserve assets in accordance with Article 37;
(d) an issuer of a significant e-money token or a person controlling or being directly or indirectly controlled by an issuer of a significant e-money token;
(e) a payment service provider that provides payment services in relation to significant e-money tokens;
(f) a natural or legal person in charge of distributing significant e-money tokens on behalf of the issuer of significant e-money tokens;
(g) a crypto-asset service provider providing custody and administration of crypto-assets on behalf of clients, in relation to significant asset-referenced tokens or significant e-money tokens;
(h) a trading platform for crypto-assets on which a significant asset-referenced token or a significant e-money token has been admitted to trading;
(i) the management body of the persons referred to in points (a) to (h).
(a) complying with the request is likely to adversely affect its own investigation, enforcement activities or, where applicable, criminal investigation;
(b) judicial proceedings have already been initiated in respect of the same actions and against the same natural or legal persons before the courts of the Member State addressed;
(c) a final judgment has already been delivered in relation to such natural or legal person for the same actions in the Member State addressed.
In order to carry out its supervisory responsibilities under Article 117, EBA may conclude administrative agreements on the exchange of information with the supervisory authorities of third countries only if the information disclosed is subject to guarantees of professional secrecy which are at least equivalent to those set out in Article 129.
The exchange of information shall be intended for the performance of the tasks of EBA or of the supervisory authorities referred to in paragraph 1.
With regard to transfers of personal data to a third country, EBA shall apply Regulation (EU) 2018/1725.
EBA may disclose information received from supervisory authorities of third countries only where EBA or the competent authority that provided the information to EBA has obtained the express agreement of the supervisory authority of a third country that has transmitted the information and, where applicable, the information is disclosed only for the purposes for which that supervisory authority gave its agreement or where such disclosure is necessary for judicial proceedings.
The requirement for an express agreement as referred to in paragraph 1 shall not apply to other supervisory authorities of the Union where the information requested by them is needed for the fulfilment of their tasks and shall not apply to courts where the information requested by them is needed for investigations or proceedings in respect of infringements subject to criminal penalties.
Where an issuer of a significant asset-referenced token or an issuer of a significant e-money token engages in activities other than those covered by this Regulation, EBA shall cooperate with the authorities responsible for the supervision of such other activities as provided for in the relevant Union or national law, including tax authorities and relevant supervisory authorities of third countries that are not members of the college as referred to in Article 119(2), point (m).
The obligation of professional secrecy shall apply to EBA and all persons who work or who have worked for EBA as well as for any other person to whom EBA has delegated tasks, including auditors and experts contracted by EBA.
(a) adopt a decision requiring the issuer of the significant asset-referenced token to cease the conduct constituting the infringement;
(b) adopt a decision imposing fines or periodic penalty payments pursuant to Articles 131 and 132;
(c) adopt a decision requiring the issuer of the significant asset-referenced token to transmit supplementary information, where necessary for the protection of holders of the asset-referenced token, in particular retail holders;
(d) adopt a decision requiring the issuer of the significant asset-referenced token to suspend an offer to the public of crypto-assets for a maximum period of 30 consecutive working days on any single occasion where it has reasonable grounds for suspecting that this Regulation has been infringed;
(e) adopt a decision prohibiting an offer to the public of the significant asset-referenced token where it finds that this Regulation has been infringed or where it has reasonable grounds for suspecting that it will be infringed;
(f) adopt a decision requiring the crypto-asset service provider operating a trading platform for crypto-assets that has admitted to trading the significant asset-referenced token to suspend trading of such crypto-asset for a maximum of 30 consecutive working days on any single occasion where it has reasonable grounds for suspecting that this Regulation has been infringed;
(g) adopt a decision prohibiting trading of the significant asset-referenced token on a trading platform for crypto-assets where it finds that this Regulation has been infringed;
(h) adopt a decision requiring the issuer of the significant asset-referenced token to amend its marketing communications, where it finds that the marketing communications do not comply with Article 29;
(i) adopt a decision to suspend or prohibit marketing communications where there are reasonable grounds for suspecting that this Regulation has been infringed;
(j) adopt a decision requiring the issuer of the significant asset-referenced token to disclose all material information which might have an effect on the assessment of the significant asset-referenced token offered to the public or admitted to trading in order to ensure consumer protection or the smooth operation of the market;
(k) issue warnings that the issuer of the significant asset-referenced token fails to fulfil its obligations under this Regulation;
(l) withdraw the authorisation of the issuer of the significant asset-referenced token;
(m) adopt a decision requiring the removal of a natural person from the management body of the issuer of the significant asset-referenced token;
(n) require the issuer of the significant asset-referenced token under its supervision to introduce a minimum denomination amount in respect of that significant asset-referenced token or to limit the amount of the significant asset-referenced token issued, in accordance with Article 23(4) and Article 24(3).
(a) adopt a decision requiring the issuer of the significant e-money token to cease the conduct constituting the infringement;
(b) adopt a decision imposing fines or periodic penalty payments pursuant to Articles 131 and 132;
(c) adopt a decision requiring the issuer of the significant e-money token to transmit supplementary information where necessary for the protection of holders of the significant e-money token, in particular retail holders;
(d) adopt a decision requiring the issuer of the significant e-money token to suspend an offer to the public of crypto-assets for a maximum period of 30 consecutive working days on any single occasion where it has reasonable grounds for suspecting that this Regulation has been infringed;
(e) adopt a decision prohibiting an offer to the public of the significant e-money token where it finds that this Regulation has been infringed or where it has reasonable grounds for suspecting that it will be infringed;
(f) adopt a decision requiring the relevant crypto-asset service provider operating a trading platform for crypto-assets that has admitted to trading significant e-money tokens to suspend trading of such crypto-assets for a maximum of 30 consecutive working days on any single occasion where it has reasonable grounds for suspecting that this Regulation has been infringed;
(g) adopt a decision prohibiting trading of significant e-money tokens on a trading platform for crypto-assets where it finds that this Regulation has been infringed;
(h) adopt a decision requiring the issuer of the significant e-money token to disclose all material information which might have an effect on the assessment of the significant e-money token offered to the public or admitted to trading in order to ensure consumer protection or the smooth operation of the market;
(i) issue warnings that the issuer of the significant e-money token fails to fulfil its obligations under this Regulation;
(j) require the issuer of the significant e-money token under its supervision to introduce a minimum denomination amount in respect of that significant e-money token or to limit the amount of the significant e-money token issued, as a result of the application of Article 58(3).
(a) the duration and frequency of the infringement;
(b) whether financial crime has been occasioned, facilitated or is otherwise attributable to the infringement;
(c) whether the infringement has revealed serious or systemic weaknesses in the procedures, policies and risk management measures of the issuer of the significant asset-referenced token or the issuer of the significant e-money tokens;
(d) whether the infringement has been committed intentionally or negligently;
(e) the degree of responsibility of the issuer of the significant asset-referenced token or the issuer of the significant e-money token responsible for the infringement;
(f) the financial strength of the issuer of the significant asset-referenced token, or of the issuer of the significant e-money token, responsible for the infringement, as indicated by the total turnover of the responsible legal person or the annual income and net assets of the responsible natural person;
(g) the impact of the infringement on the interests of holders of significant asset-referenced tokens or significant e-money tokens;
(h) the importance of the profits gained, losses avoided by the issuer of the significant asset-referenced token or significant e-money token responsible for the infringement or the losses for third parties caused by the infringement, insofar as they can be determined;
(i) the level of cooperation of the issuer of the significant asset-referenced token or of the issuer of the significant e-money token responsible for the infringement with EBA, without prejudice to the need to ensure disgorgement of profits gained or losses avoided by that person;
(j) previous infringements by the issuer of the significant asset-referenced token or by the issuer of the e-money token responsible for the infringement;
(k) measures taken by the issuer of the significant asset-referenced token or by the issuer of the significant e-money token after the infringement to prevent the repetition of such an infringement.
Before taking any of the measures as referred to in paragraph 1, points (d) to (g), and point (j), EBA shall inform ESMA and, where the significant asset-referenced tokens are referencing the euro or an official currency of a Member State that is not the euro, the ECB or the central bank of the Member State concerned issuing that official currency, respectively.
Before taking any of the measures as referred to in paragraph 2, EBA shall inform the competent authority of the issuer of the significant e-money token and the central bank of the Member State whose official currency the significant e-money token is referencing.
EBA shall notify any measure taken pursuant to paragraph 1 or 2 to the issuer of the significant asset-referenced token or the issuer of the significant e-money token responsible for the infringement without undue delay and shall communicate that measure to the competent authorities concerned as well as to the Commission. EBA shall publicly disclose any such decision on its website within 10 working days of the date of adoption of such decision, unless such disclosure would seriously jeopardise financial stability or cause disproportionate damage to the parties involved. Such disclosure shall not contain personal data.
The disclosure to the public referred to in paragraph 6 shall include the following statements:
(a) a statement affirming the right of the person responsible for the infringement to appeal the decision before the Court of Justice;
(b) where relevant, a statement affirming that an appeal has been lodged and specifying that such an appeal does not have suspensive effect;
(c) a statement asserting that it is possible for EBA’s Board of Appeal to suspend the application of the contested decision in accordance with Article 60(3) of Regulation (EU) No 1093/2010.
(a) an issuer of a significant asset-referenced token or a member of its management body has, intentionally or negligently, committed an infringement as listed in Annex V;
(b) an issuer of a significant e-money token or a member of its management body has, intentionally or negligently, committed an infringement as listed in Annex VI.
An infringement shall be considered to have been committed intentionally if EBA finds objective factors which demonstrate that such an issuer or a member of its management body acted deliberately to commit the infringement.
(a) the duration and frequency of the infringement;
(b) whether financial crime has been occasioned, facilitated or is otherwise attributable to the infringement;
(c) whether the infringement has revealed serious or systemic weaknesses in the issuer of the significant asset-referenced token’s or in the issuer of the significant e-money token’s procedures, policies and risk management measures;
(d) whether the infringement has been committed intentionally or negligently;
(e) the degree of responsibility of the issuer of the significant asset-referenced token or the issuer of the significant e-money token responsible for the infringement;
(f) the financial strength of the issuer of the significant asset-referenced token, or of the issuer of the significant e-money token, responsible for the infringement, as indicated by the total turnover of the responsible legal person or the annual income and net assets of the responsible natural person;
(g) the impact of the infringement on the interests of holders of significant asset-referenced tokens or significant e-money tokens;
(h) the importance of the profits gained, losses avoided by the issuer of the significant asset-referenced token or the significant e-money token responsible for the infringement or the losses for third parties caused by the infringement, insofar as they can be determined;
(i) the level of cooperation of the issuer of the significant asset-referenced token or of the issuer of the significant e-money token responsible for the infringement with EBA, without prejudice to the need to ensure disgorgement of profits gained or losses avoided by that person;
(j) previous infringements by the issuer of the significant asset-referenced token or by the issuer of the significant e-money token responsible for the infringement;
(k) measures taken by the issuer of the significant asset-referenced token or by the issuer of the significant e-money token after the infringement to prevent the repetition of such an infringement.
For issuers of significant asset-referenced tokens, the maximum amount of the fine referred to in paragraph 1 shall be up to 12,5 % of its annual turnover in the preceding business year, or twice the amount or profits gained or losses avoided because of the infringement where those can be determined.
For issuers of significant e-money tokens, the maximum amount of the fine referred to in paragraph 1 shall be up to 10 % of its annual turnover in the preceding business year, or twice the amount or profits gained or losses avoided because of the infringement where those can be determined.
(a) a person to cease the conduct constituting an infringement in accordance with a decision taken pursuant to Article 130;
(b) a person referred to in Article 122(1):
(i) to provide complete information which has been requested by a decision pursuant to Article 122;
(ii) to submit to an investigation and in particular to produce complete records, data, procedures or any other material required and to complete and correct other information provided in an investigation launched by a decision pursuant to Article 123;
(iii) to submit to an on-site inspection ordered by a decision taken pursuant to Article 124.
A periodic penalty payment shall be effective and proportionate. The periodic penalty payment shall be imposed for each day of delay.
Notwithstanding paragraph 2, the amount of the periodic penalty payments shall be 3 % of the average daily turnover in the preceding business year or, in the case of natural persons, 2 % of the average daily income in the preceding calendar year. It shall be calculated from the date set out in EBA’s decision imposing the periodic penalty payment.
A periodic penalty payment shall be imposed for a maximum period of six months following the notification of EBA’s decision. At the end of that period, EBA shall review the measure.
EBA shall disclose to the public every fine and periodic penalty payment that has been imposed pursuant to Articles 131 and 132, unless such disclosure to the public would seriously jeopardise financial stability or cause disproportionate damage to the parties involved. Such disclosure shall not contain personal data.
Fines and periodic penalty payments imposed pursuant to Articles 131 and 132 shall be of an administrative nature.
Fines and periodic penalty payments imposed pursuant to Articles 131 and 132 shall be enforceable in accordance with the rules of civil procedure in force in the State in the territory of which the fine or periodic penalty payment is enforced.
The amounts of the fines and periodic penalty payments shall be allocated to the general budget of the Union.
Where, notwithstanding Articles 131 and 132, EBA decides not to impose fines or penalty payments, it shall inform the European Parliament, the Council, the Commission, and the competent authorities of the Member State concerned and shall set out the reasons for its decision.
Where, in carrying out its supervisory responsibilities under Article 117, there are clear and demonstrable grounds to suspect that there has been or will be an infringement as listed in Annex V or VI, EBA shall appoint an independent investigation officer within EBA to investigate the matter. The investigation officer shall not be involved or have been directly or indirectly involved in the supervision of the issuers of significant asset-referenced tokens or issuers of significant e-money tokens concerned and shall perform its functions independently from EBA.
The investigation officer shall investigate the alleged infringements, taking into account any comments submitted by the persons who are subject to the investigation, and shall submit a complete file with the investigation officer’s findings to EBA.
In order to carry out its tasks, the investigation officer may exercise the power to request information in accordance with Article 122 and the power to conduct investigations and on-site inspections in accordance with Articles 123 and 124. When using those powers, the investigation officer shall comply with Article 121.
Where carrying out its tasks, the investigation officer shall have access to all documents and information gathered by EBA in its supervisory activities.
Upon completion of its investigation and before submitting the file with its findings to EBA, the investigation officer shall give the persons subject to the investigation the opportunity to be heard on the matters being investigated. The investigation officer shall base its findings only on facts on which the persons concerned have had the opportunity to comment.
The rights of the defence of the persons concerned shall be fully respected during investigations under this Article.
When submitting the file with its findings to EBA, the investigation officer shall notify the persons who are subject to the investigation thereof. The persons subject to the investigation shall be entitled to have access to the file, subject to the legitimate interest of other persons in the protection of their business secrets. The right of access to the file shall not extend to confidential information affecting third parties or EBA’s internal preparatory documents.
Based on the file containing the investigation officer’s findings and, when requested by the persons subject to the investigation, after having heard those persons in accordance with Article 135, EBA shall decide whether an infringement as listed in Annex V or VI has been committed by the issuer of the significant asset-referenced token or the issuer of the significant e-money token subject to the investigation and, in such a case, shall take a supervisory measure in accordance with Article 130 or impose a fine in accordance with Article 131.
The investigation officer shall not participate in EBA’s deliberations or in any other way intervene in EBA’s decision-making process.
The Commission shall adopt delegated acts in accordance with Article 139 by 30 June 2024 to supplement this Regulation by specifying further the procedural rules for the exercise of the power to impose fines or periodic penalty payments, including provisions on the rights of the defence, temporal provisions, the collection of fines or periodic penalty payments and the limitation periods for the imposition and enforcement of fines and periodic penalty payments.
EBA shall bring matters to the attention of the relevant national authorities for investigation and, where appropriate, criminal prosecution where, in carrying out its duties under this Regulation, it finds that there are serious indications of the possible existence of facts liable to constitute criminal offences. In addition, EBA shall refrain from imposing fines or periodic penalty payments where it is aware that a prior acquittal or conviction arising from an identical fact or facts which are substantially the same has already acquired the force of res judicata as a result of criminal proceedings under national law.
Before taking any decision pursuant to Article 130, 131 or 132, EBA shall give the persons subject to an investigation the opportunity to be heard on its findings. EBA shall base its decisions only on findings on which the persons subject to such investigation have had an opportunity to comment.
Paragraph 1 shall not apply if urgent action is needed in order to prevent significant and imminent damage to financial stability or to the holders of crypto-assets, in particular retail holders. In such a case, EBA may adopt an interim decision and shall give the persons concerned the opportunity to be heard as soon as possible after taking its decision.
The rights of the defence of the persons subject to an investigation shall be fully respected. Those persons shall be entitled to have access to EBA’s file, subject to the legitimate interest of other persons in the protection of their business secrets. The right of access to EBA’s file shall not extend to confidential information or to EBA’s internal preparatory documents.
The Court of Justice shall have unlimited jurisdiction to review decisions whereby EBA has imposed a fine, a periodic penalty payment or any administrative penalty or other administrative measure in accordance with this Regulation. It may annul, reduce or increase the fine or periodic penalty payment imposed.
EBA shall charge fees to issuers of significant asset-referenced tokens and issuers of significant e-money tokens. Those fees shall cover EBA’s expenditure for the execution of its supervisory tasks relating to issuers of significant asset-referenced tokens and issuers of significant e-money tokens in accordance with Articles 117 and 119, as well as the reimbursement of costs that the competent authorities might incur carrying out work under this Regulation, in particular as a result of any delegation of tasks in accordance with Article 138.
The amount of the fee charged to an individual issuer of a significant asset-referenced token shall be proportionate to the size of its reserve assets and shall cover all costs incurred by EBA for the performance of its supervisory tasks under this Regulation.
The amount of the fee charged to an individual issuer of a significant e-money token shall be proportionate to the size of issuance of the e-money token in exchange for funds and shall cover all costs derived from the execution of EBA’s supervisory tasks under this Regulation, including the reimbursement of any costs incurred as a result of the execution of those tasks.
Where necessary for the proper performance of a supervisory task in respect of issuers of significant asset-referenced tokens or issuers of significant e-money tokens, EBA may delegate specific supervisory tasks to a competent authority. Such specific supervisory tasks may include the power to carry out requests for information in accordance with Article 122 and to conduct investigations and on-site inspections in accordance with Article 123 or 124.
Before delegating a task as referred to in paragraph 1, EBA shall consult the relevant competent authority about:
(a) the scope of the task to be delegated;
(b) the timetable for the performance of the task; and
(c) the transmission of necessary information by and to EBA.
In accordance with the delegated act on fees adopted by the Commission pursuant to Article 137(3) and Article 139, EBA shall reimburse a competent authority for the costs incurred as a result of carrying out delegated tasks.
EBA shall review the delegation of tasks at appropriate intervals. Such delegation may be revoked at any time.
The power to adopt delegated acts is conferred on the Commission subject to the conditions laid down in this Article.
The power to adopt delegated acts referred to in Articles 3(2), 43(11), 103(8), 104(8), 105(7), 134(10) and 137(3) shall be conferred on the Commission for a period of 36 months from 29 June 2023. The Commission shall draw up a report in respect of the delegation of power not later than nine months before the end of the 36-month period. The delegation of power shall be tacitly extended for periods of an identical duration, unless the European Parliament or the Council opposes such extension not later than three months before the end of each period.
The delegation of powers referred to in Articles 3(2), 43(11), 103(8), 104(8), 105(7), 134(10) and 137(3) may be revoked at any time by the European Parliament or by the Council. A decision to revoke shall put an end to the delegation of the power specified in that decision. It shall take effect the day following the publication of the decision in the Official Journal of the European Union or at a later date specified therein. It shall not affect the validity of any delegated acts already in force.
Before adopting a delegated act, the Commission shall consult experts designated by each Member State in accordance with the principles laid down in the Interinstitutional Agreement of 13 April 2016 on Better Law-Making.
As soon as it adopts a delegated act, the Commission shall notify it simultaneously to the European Parliament and to the Council.
A delegated act adopted pursuant to Articles 3(2), 43(11), 103(8), 104(8), 105(7), 134(10) and 137(3) shall enter into force only if no objection has been expressed either by the European Parliament or by the Council within a period of three months of notification of that act to the European Parliament and to the Council or if, before the expiry of that period, the European Parliament and the Council have both informed the Commission that they will not object. That period shall be extended by three months on the initiative of the European Parliament or of the Council.
By 30 June 2027, having consulted EBA and ESMA, the Commission shall present a report to the European Parliament and the Council on the application of this Regulation accompanied, where appropriate, by a legislative proposal. An interim report shall be presented by 30 June 2025, accompanied, where appropriate, by a legislative proposal.
The reports referred to in paragraph 1 shall contain the following:
(a) the number of issuances of crypto-assets in the Union, the number of crypto-asset white papers submitted or notified to the competent authorities, the type of crypto-assets issued and their market capitalisation and the number of crypto-assets admitted to trading;
(b) a description of the experience with the classification of crypto-assets including possible divergences in approaches by competent authorities;
(c) an assessment of the necessity of the introduction of an approval mechanism for crypto-asset white papers for crypto-assets other than asset-referenced tokens and e-money tokens;
(d) an estimate of the number of Union residents using or investing in crypto-assets issued in the Union;
(e) where possible, an estimate of the number of Union residents using or investing in crypto-assets issued outside the Union and an explanation of the availability of data in that respect;
(f) the number and value of fraud, scams, hacks, the use of crypto-assets for payments related to ransomware attacks, cyber-attacks, thefts or losses of crypto-assets reported in the Union, types of fraudulent behaviour, the number of complaints received by crypto-asset service providers and issuers of asset-referenced tokens, the number of complaints received by competent authorities and the subjects of the complaints received;
(g) the number of issuers of asset-referenced tokens and an analysis of the categories of reserve assets, the size of the reserves of assets and the volume of payments made in asset-referenced tokens;
(h) the number of issuers of significant asset-referenced tokens and an analysis of the categories of reserve assets, the size of the reserves of assets and the volume of payments made in significant asset-referenced tokens;
(i) the number of issuers of e-money tokens and an analysis of the official currencies referenced by the e-money tokens, the composition and the size of the funds deposited or invested in accordance with Article 54 and the volume of payments made in e-money tokens;
(j) the number of issuers of significant e-money tokens and an analysis of the official currencies referenced by the significant e-money tokens and, for electronic money institutions issuing significant e-money tokens, an analysis of the categories of reserve assets, the size of the reserves of assets, and the volume of payments made in significant e-money tokens;
(k) the number of significant crypto-asset service providers;
(l) an assessment of the functioning of the markets in crypto-assets in the Union, including of market development and trends, taking into account the experience of the supervisory authorities, the number of authorised crypto-asset service providers and their respective average market share;
(m) an assessment of the level of protection of holders of crypto-assets and clients of crypto-asset service providers, in particular retail holders;
(n) an assessment of fraudulent marketing communications and scams involving crypto-assets occurring through social media networks;
(o) an assessment of the requirements applicable to issuers of crypto-assets and crypto-asset service providers and their impact on operational resilience, market integrity, financial stability, and the protection of clients and holders of crypto-assets;
(p) an evaluation of the application of Article 81 and of the possibility of introducing appropriateness tests in Articles 78, 79 and 80 in order to better protect clients of crypto-asset service providers, especially retail holders;
(q) an assessment of whether the scope of crypto-asset services covered by this Regulation is appropriate and whether any adjustment to the definitions set out in this Regulation is needed, as well as whether any additional innovative crypto-asset forms need to be included in the scope of this Regulation;
(r) an assessment of whether the prudential requirements for crypto-asset service providers are appropriate and whether they should be aligned with the requirements for initial capital and own funds applicable to investment firms under Regulation (EU) 2019/2033 of the European Parliament and of the Counciland Directive (EU) 2019/2034 of the European Parliament and of the Council;
(s) an assessment of the appropriateness of the thresholds to classify asset-referenced tokens and e-money tokens as significant as set out in Article 43(1), points (a), (b) and (c), and an assessment of whether the thresholds should be evaluated periodically;
(t) an assessment of the development of decentralised finance in markets in crypto-assets and of the appropriate regulatory treatment of decentralised crypto-asset systems;
(u) an assessment of the appropriateness of the thresholds to consider crypto-asset service providers as significant pursuant to Article 85, and an assessment of whether the thresholds should be evaluated periodically;
(v) an assessment of whether an equivalence regime should be established under this Regulation for entities providing crypto-asset services, issuers of asset-referenced tokens or issuers of e-money tokens from third countries;
(w) an assessment of whether the exemptions under Articles 4 and 16 are appropriate;
(x) an assessment of the impact of this Regulation on the proper functioning of the internal market with regard to crypto-assets, including any impact on the access to finance for SMEs and on the development of new means of payment, including payment instruments;
(y) a description of developments in business models and technologies in markets in crypto-assets with a particular focus on the environmental and climate-related impact of new technologies, as well as an assessment of policy options and where necessary any additional measures that might be warranted to mitigate the adverse impacts on the climate and other environment-related adverse impacts of the technologies used in markets in crypto-assets and, in particular, of the consensus mechanisms used to validate crypto-asset transactions;
(z) an appraisal of whether any changes are needed to the measures set out in this Regulation to ensure the protection of clients and holders of crypto-assets, market integrity and financial stability;
(aa) the application of administrative penalties and other administrative measures;
(ab) an evaluation of the cooperation between the competent authorities, EBA, ESMA, central banks, as well as other relevant authorities, including with regards to the interaction between their responsibilities or tasks, and an assessment of the advantages and disadvantages of the competent authorities of the Member States and EBA, respectively, being responsible for supervision under this Regulation;
(ac) an evaluation of the cooperation between the competent authorities and ESMA regarding the supervision of significant crypto-asset service providers, and an assessment of the advantages and disadvantages of the competent authorities of the Member States and ESMA, respectively, being responsible for the supervision of significant crypto-asset service providers under this Regulation;
(ad) the costs for issuers of crypto-assets other than asset-referenced tokens and e-money tokens, to comply with this Regulation as a percentage of the amount raised through crypto-asset issuances;
(ae) the costs for issuers of asset-referenced tokens and issuers of e-money tokens to comply with this Regulation as a percentage of their operational costs;
(af) the costs for crypto-asset service providers to comply with this Regulation as a percentage of their operational costs;
(ag) the number and amount of administrative fines and criminal penalties imposed for infringements of this Regulation by competent authorities and EBA.
By 31 December 2025 and every year thereafter, ESMA, in close cooperation with EBA, shall submit a report to the European Parliament and to the Council on the application of this Regulation and developments in markets in crypto-assets. The report shall be made publicly available.
The report shall contain the following:
(a) the number of issuances of crypto-assets in the Union, the number of crypto-asset white papers submitted or notified to the competent authorities, the type of crypto-asset issued and their market capitalisation, and the number of crypto-assets admitted to trading;
(b) the number of issuers of asset-referenced tokens, and an analysis of the categories of reserve assets, the size of the reserves of assets and the volume of transactions in asset-referenced tokens;
(c) the number of issuers of significant asset-referenced tokens, and an analysis of the categories of reserve assets, the size of the reserves of assets and the volume of transactions in significant asset-referenced tokens;
(d) the number of issuers of e-money tokens, and an analysis of the official currencies referenced by the e-money tokens, the composition and the size of the funds deposited or invested in accordance with Article 54, and the volume of payments made in e-money tokens;
(e) the number of issuers of significant e-money tokens, and an analysis of the official currencies referenced by the significant e-money tokens, and, for electronic money institutions issuing significant e-money tokens, an analysis of the categories of reserve assets, the size of the reserves of assets, and the volume of payments made in significant e-money tokens;
(f) the number of crypto-asset service providers, and the number of significant crypto-asset service providers;
(g) an estimate of the number of Union residents using or investing in crypto-assets issued in the Union;
(h) where possible, an estimate of the number of Union residents using or investing in crypto-assets issued outside the Union and an explanation of the availability of data in that respect;
(i) a mapping of the geographical location and level of know-your-customer and customer due diligence procedures of unauthorised exchanges providing services in crypto-assets to Union residents, including the number of exchanges without a clear domiciliation and the number of exchanges located in jurisdictions included in the list of high-risk third countries for the purposes of Union rules on anti-money laundering and counter-terrorist financing or in the list of non-cooperative jurisdictions for tax purposes, classified by the level of compliance with adequate know-your-customer procedures;
(j) the proportion of transactions in crypto-assets that occur through a crypto-asset service provider or unauthorised service provider or peer-to-peer, and their transaction volume;
(k) the number and value of fraud, scams, hacks, the use of crypto-assets for payments related to ransomware attacks, cyber-attacks, thefts or losses of crypto-assets reported in the Union, types of fraudulent behaviour, the number of complaints received by crypto-asset service providers and issuers of asset-referenced tokens, the number of complaints received by competent authorities and the subjects of the complaints received;
(l) the number of complaints received by crypto-asset service providers, issuers and competent authorities in relation to false and misleading information contained in crypto-asset white papers or in marketing communications, including via social media platforms;
(m) possible approaches and options, based on best practices and reports by relevant international organisations, to reduce the risk of circumvention of this Regulation, including in relation to the provision of crypto-asset services by third-country actors in the Union without authorisation.
Competent authorities shall provide ESMA with the information necessary for the preparation of the report. For the purposes of the report, ESMA may request information from law enforcement agencies.
By 30 December 2024 and after consulting EBA and ESMA, the Commission shall present a report to the European Parliament and the Council on the latest developments with respect to crypto-assets, in particular on matters that are not addressed in this Regulation, accompanied, where appropriate, by a legislative proposal.
The report referred to in paragraph 1 shall contain at least the following:
(a) an assessment of the development of decentralised-finance in markets in crypto-assets and of the appropriate regulatory treatment of decentralised crypto-asset systems without an issuer or crypto-asset service provider, including an assessment of the necessity and feasibility of regulating decentralised finance;
(b) an assessment of the necessity and feasibility of regulating lending and borrowing of crypto-assets;
(c) an assessment of the treatment of services associated to the transfer of e-money tokens, where not addressed in the context of the review of Directive (EU) 2015/2366;
(d) an assessment of the development of markets in unique and non-fungible crypto-assets and of the appropriate regulatory treatment of such crypto-assets, including an assessment of the necessity and feasibility of regulating offerors of unique and non-fungible crypto-assets as well as providers of services related to such crypto-assets.
Articles 4 to 15 shall not apply to offers to the public of crypto-assets that ended before 30 December 2024.
By way of derogation from Title II, only the following requirements shall apply in relation to crypto-assets other than asset-referenced tokens and e-money tokens that were admitted to trading before 30 December 2024:
(a) Articles 7 and 9 shall apply to marketing communications published after 30 December 2024;
(b) operators of trading platforms shall ensure by 31 December 2027 that a crypto-asset white paper, in the cases required by this Regulation, is drawn up, notified and published in accordance with Articles 6, 8 and 9 and updated in accordance with Article 12.
Member States may decide not to apply the transitional regime for crypto-asset service providers provided for in the first subparagraph or to reduce its duration where they consider that their national regulatory framework applicable before 30 December 2024 is less strict than this Regulation.
By 30 June 2024, Member States shall notify to the Commission and ESMA whether they have exercised the option provided for in the second subparagraph and the duration of the transitional regime.
Issuers of asset-referenced tokens other than credit institutions that issued asset-referenced tokens in accordance with applicable law before 30 June 2024, may continue to do so until they are granted or refused an authorisation pursuant to Article 21, provided that they apply for authorisation before 30 July 2024.
Credit institutions that issued asset-referenced tokens in accordance with applicable law before 30 June 2024, may continue to do so until the crypto-asset white paper has been approved or has failed to be approved pursuant to Article 17 provided that they notify their competent authority pursuant to paragraph 1 of that Article before 30 July 2024.
By way of derogation from Articles 62 and 63, Member States may apply a simplified procedure for applications for an authorisation that are submitted between 30 December 2024 and 1 July 2026 by entities that on 30 December 2024, were authorised under national law to provide crypto-asset services. The competent authorities shall ensure that Chapters 2 and 3 of Title V are complied with before granting authorisation pursuant to such simplified procedures.
EBA shall exercise its supervisory responsibilities pursuant to Article 117 from the date of application of the delegated acts referred to in Article 43(11).
In Article 1(2) of Regulation (EU) No 1093/2010, the first subparagraph is replaced by the following:
‘The Authority shall act within the powers conferred by this Regulation and within the scope of Directive 2002/87/EC, Directive 2008/48/EC, Directive 2009/110/EC, Regulation (EU) No 575/2013, Directive 2013/36/EU, Directive 2014/49/EU, Directive 2014/92/EU, Directive (EU) 2015/2366, Regulation (EU) 2023/1114 of the European Parliament and of the Council and, to the extent that those acts apply to credit and financial institutions and the competent authorities that supervise them, within the relevant parts of Directive 2002/65/EC, including all directives, regulations, and decisions based on those acts, and of any further legally binding Union act which confers tasks on the Authority. The Authority shall also act in accordance with Council Regulation (EU) No 1024/2013.
In Article 1(2) of Regulation (EU) No 1095/2010, the first subparagraph is replaced by the following:
‘The Authority shall act within the powers conferred by this Regulation and within the scope of Directives 97/9/EC, 98/26/EC, 2001/34/EC, 2002/47/EC, 2004/109/EC, 2009/65/EC, Directive 2011/61/EU of the European Parliament and of the Council, Regulation (EC) No 1060/2009 and Directive 2014/65/EU of the European Parliament and of the Council, Regulation (EU) 2017/1129 of the European Parliament and of the Council, Regulation (EU) 2023/1114 of the European Parliament and of the Council and to the extent that those acts apply to firms providing investment services or to collective investment undertakings marketing their units or shares, issuers or offerors of crypto-assets, persons seeking admission to trading or crypto-asset service providers and the competent authorities that supervise them, within the relevant parts of, Directives 2002/87/EC and 2002/65/EC, including all directives, regulations, and decisions based on those acts, and of any further legally binding Union act which confers tasks on the Authority.
In Annex I to Directive 2013/36/EU, point 15 is replaced by the following:
‘15.
Issuing electronic money including electronic-money tokens as defined in Article 3(1), point (7), of Regulation (EU) 2023/1114 of the European Parliament and of the Council.
Issuance of asset-referenced tokens as defined in Article 3(1), point (6), of Regulation (EU) 2023/1114.
Crypto-asset services as defined in Article 3(1), point (16), of Regulation (EU) 2023/1114.
In Part I.B of the Annex to Directive (EU) 2019/1937, the following point is added:
‘(xxii)
Regulation (EU) 2023/1114 of the European Parliament and of the Council of 31 May 2023 on markets in crypto-assets, and amending Regulations (EU) No 1093/2010 and (EU) No 1095/2010 and Directives 2013/36/EU and (EU) 2019/1937.’.
Member States shall adopt and publish, by 30 December 2024, the laws, regulations and administrative provisions necessary to comply with Articles 146 and 147.
Member States shall communicate to the Commission, EBA and ESMA the text of the main measures of national law that they adopt in the field covered by Article 116.
This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.
This Regulation shall apply from 30 December 2024.
By way of derogation from paragraph 2, Titles III and IV shall apply from 30 June 2024.
By way of derogation from paragraphs 2 and 3 of this Article, Articles 2(5), 3(2), 6(11) and (12), Article 14(1), second subparagraph, Articles 17(8), 18(6) and (7), 19(10) and (11), 21(3), 22(6) and (7), 31(5), 32(5), 34(13), 35(6), 36(4), 38(5), 42(4), 43(11), 45(7) and (8), 46(6), 47(5), 51(10) and (15), 60(13) and (14), 61(3), 62(5) and (6), 63(11), 66(6), 68(10), 71(5), 72(5), 76(16), 81(15), 82(2), 84(4), 88(4), 92(2) and (3), 95(10) and (11), 96(3), 97(1), 103(8), 104(8), 105(7), 107(3) and (4), 109(8) and 119(8), 134(10), 137(3) and Article 139 shall apply from 29 June 2023.
This Regulation shall be binding in its entirety and directly applicable in all Member States.
Done at Brussels, 31 May 2023.
For the European Parliament
The President
R. METSOLA
For the Council
The President
P. KULLGREN
Position of the European Parliament of 20 April 2023 (not yet published in the Official Journal) and decision of the Council of 16 May 2023.
Directive 2014/65/EU of the European Parliament and of the Council of 15 May 2014 on markets in financial instruments and amending Directive 2002/92/EC and Directive 2011/61/EU.
Regulation (EU) No 1095/2010 of the European Parliament and of the Council of 24 November 2010 establishing a European Supervisory Authority (European Securities and Markets Authority), amending Decision No 716/2009/EC and repealing Commission Decision 2009/77/EC.
Regulation (EU) No 1093/2010 of the European Parliament and of the Council of 24 November 2010 establishing a European Supervisory Authority (European Banking Authority), amending Decision No 716/2009/EC and repealing Commission Decision 2009/78/EC.
Directive 2014/49/EU of the European Parliament and of the Council of 16 April 2014 on deposit guarantee schemes.
Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC.
Regulation (EU) 2017/2402 of the European Parliament and of the Council of 12 December 2017 laying down a general framework for securitisation and creating a specific framework for simple, transparent and standardised securitisation, and amending Directives 2009/65/EC, 2009/138/EC and 2011/61/EU and Regulations (EC) No 1060/2009 and (EU) No 648/2012.
Directive 2009/110/EC of the European Parliament and of the Council of 16 September 2009 on the taking up, pursuit and prudential supervision of the business of electronic money institutions amending Directives 2005/60/EC and 2006/48/EC and repealing Directive 2000/46/EC.
Regulation (EU) No 1094/2010 of the European Parliament and of the Council of 24 November 2010 establishing a European Supervisory Authority (European Insurance and Occupational Pensions Authority), amending Decision No 716/2009/EC and repealing Commission Decision 2009/79/EC.
Council Regulation (EU) No 1024/2013 of 15 October 2013 conferring specific tasks on the European Central Bank concerning policies relating to the prudential supervision of credit institutions.
Directive 2013/36/EU of the European Parliament and of the Council of 26 June 2013 on access to the activity of credit institutions and the prudential supervision of credit institutions, amending Directive 2002/87/EC and repealing Directives 2006/48/EC and 2006/49/EC.
Directive 2005/29/EC of the European Parliament and of the Council of 11 May 2005 concerning unfair business-to-consumer commercial practices in the internal market and amending Council Directive 84/450/EEC, Directives 97/7/EC, 98/27/EC and 2002/65/EC of the European Parliament and of the Council and Regulation (EC) No 2006/2004 of the European Parliament and of the Council (Unfair Commercial Practices Directive).
Council Directive 93/13/EEC of 5 April 1993 on unfair terms in consumer contracts.
Directive 2002/65/EC of the European Parliament and of the Council of 23 September 2002 concerning the distance marketing of consumer financial services and amending Council Directive 90/619/EEC and Directives 97/7/EC and 98/27/EC.
Regulation (EU) No 575/2013 of the European Parliament and of the Council of 26 June 2013 on prudential requirements for credit institutions and amending Regulation (EU) No 648/2012.
Directive 2014/59/EU of the European Parliament and of the Council of 15 May 2014 establishing a framework for the recovery and resolution of credit institutions and investment firms and amending Council Directive 82/891/EEC, and Directives 2001/24/EC, 2002/47/EC, 2004/25/EC, 2005/56/EC, 2007/36/EC, 2011/35/EU, 2012/30/EU and 2013/36/EU, and Regulations (EU) No 1093/2010 and (EU) No 648/2012, of the European Parliament and of the Council.
Regulation (EU) No 806/2014 of the European Parliament and of the Council of 15 July 2014 establishing uniform rules and a uniform procedure for the resolution of credit institutions and certain investment firms in the framework of a Single Resolution Mechanism and a Single Resolution Fund and amending Regulation (EU) No 1093/2010.
Directive (EU) 2015/849 of the European Parliament and of the Council of 20 May 2015 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, amending Regulation (EU) No 648/2012 of the European Parliament and of the Council, and repealing Directive 2005/60/EC of the European Parliament and of the Council and Commission Directive 2006/70/EC.
Regulation (EU) No 596/2014 of the European Parliament and of the Council of 16 April 2014 on market abuse (market abuse regulation) and repealing Directive 2003/6/EC of the European Parliament and of the Council and Commission Directives 2003/124/EC, 2003/125/EC and 2004/72/EC.
Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons who report breaches of Union law.
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC.
Directive 2009/138/EC of the European Parliament and of the Council of 25 November 2009 on the taking-up and pursuit of the business of Insurance and Reinsurance (Solvency II).
Directive (EU) 2016/2341 of the European Parliament and of the Council of 14 December 2016 on the activities and supervision of institutions for occupational retirement provision (IORPs).
Regulation (EU) 2019/1238 of the European Parliament and of the Council of 20 June 2019 on a pan-European Personal Pension Product (PEPP).
Regulation (EC) No 883/2004 of the European Parliament and of the Council of 29 April 2004 on the coordination of social security systems.
Regulation (EC) No 987/2009 of the European Parliament and of the Council of 16 September 2009 laying down the procedure for implementing Regulation (EC) No 883/2004 on the coordination of social security systems.
Directive 2004/109/EC of the European Parliament and of the Council of 15 December 2004 on the harmonisation of transparency requirements in relation to information about issuers whose securities are admitted to trading on a regulated market and amending Directive 2001/34/EC.
Directive 2009/65/EC of the European Parliament and of the Council of 13 July 2009 on the coordination of laws, regulations and administrative provisions relating to undertakings for collective investment in transferable securities (UCITS).
Directive 2011/61/EU of the European Parliament and of the Council of 8 June 2011 on Alternative Investment Fund Managers and amending Directives 2003/41/EC and 2009/65/EC and Regulations (EC) No 1060/2009 and (EU) No 1095/2010.
Directive 97/9/EC of the European Parliament and of the Council of 3 March 1997 on investor-compensation schemes.
Regulation (EU) 2017/1129 of the European Parliament and of the Council of 14 June 2017 on the prospectus to be published when securities are offered to the public or admitted to trading on a regulated market, and repealing Directive 2003/71/EC.
Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014 and (EU) No 909/2014 and (EU) 2016/1011.
Regulation (EU) 2017/1131 of the European Parliament and of the Council of 14 June 2017 on money market funds.
Directive 2002/47/EC of the European Parliament and of the Council of 6 June 2002 on financial collateral arrangements.
Commission Directive 2006/73/EC of 10 August 2006 implementing Directive 2004/39/EC of the European Parliament and of the Council as regards organisational requirements and operating conditions for investment firms and defined terms for the purposes of that Directive.
Commission Delegated Regulation (EU) 2015/61 of 10 October 2014 to supplement Regulation (EU) No 575/2013 of the European Parliament and the Council with regard to liquidity coverage requirement for Credit Institutions.
Directive 2013/34/EU of the European Parliament and of the Council of 26 June 2013 on the annual financial statements, consolidated financial statements and related reports of certain types of undertakings, amending Directive 2006/43/EC of the European Parliament and of the Council and repealing Council Directives 78/660/EEC and 83/349/EEC.
Regulation (EU) 2022/1925 of the European Parliament and of the Council of 14 September 2022 on contestable and fair markets in the digital sector and amending Directives (EU) 2019/1937 and (EU) 2020/1828 (Digital Markets Act).
Regulation (EU) 2021/23 of the European Parliament and of the Council of 16 December 2020 on a framework for the recovery and resolution of central counterparties and amending Regulations (EU) No 1095/2010, (EU) No 648/2012, (EU) No 600/2014, (EU) No 806/2014 and (EU) 2015/2365 and Directives 2002/47/EC, 2004/25/EC, 2007/36/EC, 2014/59/EU and (EU) 2017/1132.
Regulation (EU) No 909/2014 of the European Parliament and of the Council of 23 July 2014 on improving securities settlement in the European Union and on central securities depositories and amending Directive 98/26/EC and 2014/65/EU and Regulation (EU) No 236/2012.
Regulation (EU) 2019/2033 of the European Parliament and of the Council of 27 November 2019 on the prudential requirements of investment firms and amending Regulations (EU) No 1093/2010, (EU) No 575/2013, (EU) No 600/2014 and (EU) No 806/2014.
Directive (EU) 2019/2034 of the European Parliament and of the Council of 27 November 2019 on the prudential supervision of investment firms and amending Directives 2002/87/EC, 2009/65/EC, 2011/61/EU, 2013/36/EU, 2014/59/EU and 2014/65/EU.
Part A: Information about the offeror or the person seeking admission to trading
Name;
Legal form;
Registered address and head office, where different;
Date of the registration;
Legal entity identifier or another identifier required pursuant to applicable national law;
A contact telephone number and an email address of the offeror or the person seeking admission to trading, and the period of days within which an investor contacting the offeror or the person seeking admission to trading via that telephone number or email address will receive an answer;
Where applicable, the name of the parent company;
Identity, business addresses and functions of persons that are members of the management body of the offeror or person seeking admission to trading;
Business or professional activity of the offeror or person seeking admission to trading and, where applicable, of its parent company;
The financial condition of the offeror or person seeking admission to trading over the past three years or where the offeror or person seeking admission to trading has not been established for the past three years, its financial condition since the date of its registration.
The financial condition shall be assessed based on a fair review of the development and performance of the business of the offeror or person seeking admission to trading and of its position for each year and interim period for which historical financial information is required, including the causes of material changes.
The review shall be a balanced and comprehensive analysis of the development and performance of the business of the offeror or person seeking admission to trading and of its position, consistent with the size and complexity of the business.
Part B: Information about the issuer, if different from the offeror or person seeking admission to trading
Name;
Legal form;
Registered address and head office, where different;
Date of the registration;
Legal entity identifier or another identifier required pursuant to applicable national law;
Where applicable, the name of the parent company;
Identity, business addresses and functions of persons that are members of the management body of the issuer;
Business or professional activity of the issuer and, where applicable, of its parent company.
Part C: Information about the operator of the trading platform in cases where it draws up the crypto-asset white paper
Name;
Legal form;
Registered address and head office, where different;
Date of the registration;
Legal entity identifier or another identifier required pursuant to applicable national law;
Where applicable, the name of the parent company;
The reason why that operator drew up the crypto-asset white paper;
Identity, business addresses and functions of persons that are members of the management body of the operator;
Business or professional activity of the operator and, where applicable, of its parent company.
Part D: Information about the crypto-asset project
Name of the crypto-asset project and of the crypto-assets, if different from the name of the offeror or person seeking admission to trading, and abbreviation or ticker handler;
A brief description of the crypto-asset project;
Details of all natural or legal persons (including business addresses or domicile of the company) involved in the implementation of the crypto-asset project, such as advisors, development team and crypto-asset service providers;
Where the crypto-asset project concerns utility tokens, key features of the goods or services to be developed;
Information about the crypto-asset project, especially past and future milestones of the project and, where applicable, resources already allocated to the project;
Where applicable, planned use of any funds or other crypto-assets collected.
Part E: Information about the offer to the public of crypto-assets or their admission to trading
Indication as to whether the crypto-asset white paper concerns an offer to the public of crypto-assets or their admission to trading;
The reasons for the offer to the public or for seeking admission to trading;
Where applicable, the amount that the offer to the public intends to raise in funds or in any other crypto-asset, including, where applicable, any minimum and maximum target subscription goals set for the offer to the public of crypto-assets, and whether oversubscriptions are accepted and how they are allocated;
The issue price of the crypto-asset being offered to the public (in an official currency or any other crypto-assets), any applicable subscription fee or the method in accordance with which the offer price will be determined;
Where applicable, the total number of crypto-assets to be offered to the public or admitted to trading;
Indication of the prospective holders targeted by the offer to the public of crypto-assets or admission of such crypto-assets to trading, including any restriction as regards the type of holders for such crypto-assets;
Specific notice that purchasers participating in the offer to the public of crypto-assets will be able to be reimbursed if the minimum target subscription goal is not reached at the end of the offer to the public, if they exercise the right to withdrawal foreseen in Article 13 or if the offer is cancelled and detailed description of the refund mechanism, including the expected timeline of when such refunds will be completed;
Information about the various phases of the offer to the public of crypto-assets, including information on discounted purchase price for early purchasers of crypto-assets (pre-public sales); in the case of discounted purchase prices for some purchasers, an explanation why purchase prices may be different, and a description of the impact on the other investors;
For time-limited offers, the subscription period during which the offer to the public is open;
The arrangements to safeguard funds or other crypto-assets as referred to in Article 10 during the time-limited offer to the public or during the withdrawal period;
Methods of payment to purchase the crypto-assets offered and methods of transfer of the value to the purchasers when they are entitled to be reimbursed;
In the case of offers to the public, information on the right of withdrawal as referred to in Article 13;
Information on the manner and time schedule of transferring the purchased crypto-assets to the holders;
Information about technical requirements that the purchaser is required to fulfil to hold the crypto-assets;
Where applicable, the name of the crypto-asset service provider in charge of the placing of crypto-assets and the form of such placement (with or without a firm commitment basis);
Where applicable, the name of the trading platform for crypto-assets where admission to trading is sought, and information about how investors can access such trading platforms and the costs involved;
Expenses related to the offer to the public of crypto-assets;
Potential conflicts of interest of the persons involved in the offer to the public or admission to trading, arising in relation to the offer or admission to trading;
The law applicable to the offer to the public of crypto-assets, as well as the competent court.
Part F: Information about the crypto-assets
The type of crypto-asset that will be offered to the public or for which admission to trading is sought;
A description of the characteristics, including the data necessary for classification of the crypto-asset white paper in the register referred to in Article 109, as specified in accordance with paragraph 8 of that Article, and functionality of the crypto-assets being offered or admitted to trading, including information about when the functionalities are planned to apply.
Part G: Information on the rights and obligations attached to the crypto-assets
A description of the rights and obligations, if any, of the purchaser, and the procedure and conditions for the exercise of those rights;
A description of the conditions under which the rights and obligations may be modified;
Where applicable, information on the future offers to the public of crypto-assets by the issuer and the number of crypto-assets retained by the issuer itself;
Where the offer to the public of crypto-assets or their admission to trading concerns utility tokens, information about the quality and quantity of goods or services to which the utility tokens give access;
Where the offers to the public of crypto-assets or their admission to trading concerns utility tokens, information on how utility tokens can be redeemed for goods or services to which they relate;
Where an admission to trading is not sought, information on how and where the crypto-assets can be purchased or sold after the offer to the public;
Restrictions on the transferability of the crypto-assets that are being offered or admitted to trading;
Where the crypto-assets have protocols for the increase or decrease of their supply in response to changes in demand, a description of the functioning of such protocols;
Where applicable, a description of protection schemes protecting the value of the crypto-assets and of compensation schemes;
The law applicable to the crypto-assets, as well as the competent court.
Part H: Information on the underlying technology
Information on the technology used, including distributed ledger technology, protocols and technical standards used;
The consensus mechanism, where applicable;
Incentive mechanisms to secure transactions and any fees applicable;
Where the crypto-assets are issued, transferred and stored using distributed ledger technology that is operated by the issuer, the offeror or a third-party acting on their behalf, a detailed description of the functioning of such distributed ledger technology;
Information on the audit outcome of the technology used, if such an audit was conducted.
Part I: Information on the risks
A description of the risks associated with the offer to the public of crypto-assets or their admission to trading;
A description of the risks associated with the issuer, if different from the offeror, or person seeking admission to trading;
A description of the risks associated with the crypto-assets;
A description of the risks associated with project implementation;
A description of the risks associated with the technology used as well as mitigation measures, if any.
Part A: Information about the issuer of the asset-referenced token
Name;
Legal form;
Registered address and head office, where different;
Date of the registration;
Legal entity identifier or another identifier required pursuant to applicable national law;
Where applicable, the identity of the parent company;
Identity, business addresses and functions of persons that are members of the management body of the issuer;
Business or professional activity of the issuer and, where applicable, of its parent company;
The financial condition of the issuer over the past three years or, where the issuer has not been established for the past three years, its financial condition since the date of its registration.
The financial condition shall be assessed based on a fair review of the development and performance of the business of the issuer and of its position for each year and interim period for which historical financial information is required, including the causes of material changes.
The review shall be a balanced and comprehensive analysis of the development and performance of the issuer’s business and of its position, consistent with the size and complexity of the business.
A detailed description of the issuer’s governance arrangements;
Except for issuers of asset-referenced tokens that are exempted from authorisation in accordance with Article 17, details about the authorisation as an issuer of an asset-referenced token and name of the competent authority which granted such authorisation.
For credit institutions, the name of the competent authority of the home Member State.
Part B: Information about the asset-referenced token
Name and abbreviation or ticker handler of the asset-referenced token;
A description of the characteristics of the asset-referenced token, including the data necessary for classification of the crypto-asset white paper in the register referred to in Article 109, as specified in accordance with paragraph 8 of that Article;
Details of all natural or legal persons (including business addresses or domicile of the company) involved in the operationalisation of the asset-referenced token, such as advisors, development team and crypto-asset service providers;
A description of the role, responsibilities and accountability of any third-party entities referred to in Article 34(5), first subparagraph, point (h);
Information about the plans for the asset-referenced tokens, including the description of the past and future milestones and, where applicable, resources already allocated.
Part C: Information about the offer to the public of the asset-referenced token or its admission to trading
Indication as to whether the crypto-asset white paper concerns an offer to the public of the asset-referenced token or its admission to trading;
Where applicable, the amount that the offer to the public of the asset-referenced token intends to raise in funds or in any other crypto-asset, including, where applicable, any minimum and maximum target subscription goals set for the offer to the public of the asset-referenced token, and whether oversubscriptions are accepted and how they are allocated;
Where applicable, the total number of units of the asset-referenced token to be offered or admitted to trading;
Indication of the prospective holders targeted by the offer to the public of the asset-referenced token or admission of such asset-referenced token to trading, including any restriction as regards the type of holders for such asset-referenced token;
A specific notice that purchasers participating in the offer to the public of the asset-referenced token will be able to be reimbursed if the minimum target subscription goal is not reached at the end of the offer to the public, including the expected timeline of when such refunds will be completed; the consequences of exceeding a maximum target subscription goal should be made explicit;
Information about the various phases of the offer to the public of the asset-referenced token, including information on discounted purchase price for early purchasers of the asset-referenced token (pre-public sales) and, in the case of discounted purchase price for some purchasers, an explanation as to why the purchase prices may be different, and a description of the impact on the other investors;
For time-limited offers, the subscription period during which the offer to the public is open;
Methods of payment to purchase and to redeem the asset-referenced token offered;
Information on the method and time schedule of transferring the purchased asset-referenced token to the holders;
Information about technical requirements that the purchaser is required to fulfil to hold the asset-referenced token;
Where applicable, the name of the crypto-asset service provider in charge of the placing of asset-referenced tokens and the form of such placement (with or without a firm commitment basis);
Where applicable, the name of the trading platform for crypto-assets where admission to trading is sought, and information about how investors can access such trading platforms and the costs involved;
Expenses related to the offer to the public of the asset-referenced token;
Potential conflicts of interest of the persons involved in the offer to the public or admission to trading, arising in relation to the offer or admission to trading;
The law applicable to the offer to the public of the asset-referenced token, as well as the competent court.
Part D: Information on the rights and obligations attached to the asset-referenced token
A description of the characteristics and functionality of the asset-referenced token being offered or admitted to trading, including information about when the functionalities are planned to apply;
A description of the rights and obligations, if any, of the purchaser, and the procedure and conditions for the exercise of those rights;
A description of the conditions under which the rights and obligations may be modified;
Where applicable, information on the future offers to the public of the asset-referenced token by the issuer and the number of units of the asset-referenced token retained by the issuer itself;
Where an admission to trading is not sought, information on how and where the asset-referenced token can be purchased or sold after the offer to the public;
Any restrictions on the transferability of the asset-referenced token that is being offered or admitted to trading;
Where the asset-referenced token has protocols for the increase or decrease of its supply in response to changes in demand, a description of the functioning of such protocols;
Where applicable, a description of protection schemes protecting the value of the asset-referenced token and compensation schemes;
Information on the nature and enforceability of rights, including permanent rights of redemption and any claims that holders and any legal or natural person as referred to in Article 39(2), may have against the issuer, including information on how such rights will be treated in the case of insolvency procedures, information on whether different rights are allocated to different holders and the non-discriminatory reasons for such different treatment;
A detailed description of the claim that the asset-referenced token represents for holders, including:
(a) the description of each referenced asset and specified proportions of each of those assets;
(b) the relation between the value of the referenced assets and the amount of the claim and the reserve of assets; and
(c) a description how a fair and transparent valuation of components of the claim is undertaken, which identifies, where relevant, independent parties;
Where applicable, information on the arrangements put in place by the issuer to ensure the liquidity of the asset-referenced token, including the name of the entities in charge of ensuring such liquidity;
The contact details for submitting complaints and description of the complaints-handling procedures and any dispute resolution mechanism or redress procedure established by the issuer of the asset-referenced token;
A description of the rights of the holders when the issuer is not able to fulfil its obligations, including in insolvency;
A description of the rights in the context of the implementation of the recovery plan;
A description of the rights in the context of the implementation of the redemption plan;
Detailed information on how the asset-referenced token is redeemed, including whether the holder will be able to choose the form of redemption, the form of transference or the official currency of redemption;
The law applicable to the asset-referenced token, as well as the competent court.
Part E: Information on the underlying technology
Information on the technology used, including distributed ledger technology, as well as protocols and technical standards used, allowing for the holding, storing and transfer of asset-referenced tokens;
The consensus mechanism, where applicable;
Incentive mechanisms to secure transactions and any fees applicable;
Where the asset-referenced tokens are issued, transferred and stored using distributed ledger technology that is operated by the issuer or a third-party acting on the issuer’s behalf, a detailed description of the functioning of such distributed ledger technology;
Information on the audit outcome of the technology used, if such an audit was conducted.
Part F: Information on the risks
The risks related to the reserve of assets, when the issuer is not able to fulfil its obligations;
A description of the risks associated with the issuer of the asset-referenced token;
A description of the risks associated with the offer to the public of the asset-referenced token or its admission to trading;
A description of the risks associated with the asset-referenced token, in particular with regard to the assets referenced;
A description of the risks associated with the operationalisation of the asset-referenced token project;
A description of the risks associated with the technology used as well as mitigation measures, if any.
Part G: Information on the reserve of assets
A detailed description of the mechanism aimed at aligning the value of the reserve of assets with the claim associated with the asset-referenced token, including legal and technical aspects;
A detailed description of the reserve of assets and their composition;
A description of the mechanisms through which asset-referenced tokens are issued and redeemed;
Information on whether a part of the reserve assets are invested and, where applicable, a description of the investment policy for those reserve assets;
A description of the custody arrangements for the reserve assets, including their segregation, and the name of crypto-asset service providers providing custody and administration of crypto-assets on behalf of clients, credit institutions or investment firms appointed as custodians of the reserve assets.
Part A: Information about the issuer of the e-money token
Name;
Legal form;
Registered address and head office, where different;
Date of the registration;
Legal entity identifier or another identifier required pursuant to applicable national law;
A contact telephone number and an email address of the issuer, and the period of days within which an investor contacting the issuer via that telephone number or email address will receive an answer;
Where applicable, the identity of the parent company;
Identity, business address and functions of persons that are members of the management body of the issuer;
Business or professional activity of the issuer and, where applicable, of its parent company;
Potential conflicts of interest;
Where the issuer of the e-money token also issues other crypto-assets, or also has other activities related to crypto-assets, that should be clearly stated; the issuer should also state whether there is any connection between the issuer and the entity running the distributed ledger technology used to issue the crypto-asset, including if the protocols are run or controlled by a person closely connected to project participants;
The issuer’s financial condition over the past three years or, where the issuer has not been established for the past three years, the issuer’s financial condition record since the date of its registration.
The financial condition shall be assessed based on a fair review of the development and performance of the business of the issuer and of its position for each year and interim period for which historical financial information is required, including the causes of material changes.
The review shall be a balanced and comprehensive analysis of the development and performance of the issuer’s business and of its position, consistent with the size and complexity of the business;
Part B: Information about the e-money token
Name and abbreviation;
A description of the characteristics of the e-money token, including the data necessary for classification of the crypto-asset white paper in the register referred to in Article 109, as specified in accordance with paragraph 8 of that Article;
Details of all natural or legal persons (including business addresses and/or domicile of the company) involved in the design and development, such as advisors, development team and crypto-asset service providers.
Part C: Information about the offer to the public of the e-money token or its admission to trading
Indication as to whether the crypto-asset white paper concerns an offer to the public of the e-money token or its admission to trading;
Where applicable, the total number of units of the e-money token to be offered to the public or admitted to trading;
Where applicable, name of the trading platforms for crypto-assets where the admission to trading of the e-money token is sought;
The law applicable to the offer to the public of the e-money token, as well as the competent court.
Part D: Information on the rights and obligations attached to e-money tokens
A detailed description of the rights and obligations, if any, that the holder of the e-money token has, including the right of redemption at par value as well as the procedure and conditions for the exercise of those rights;
A description of the conditions under which the rights and obligations may be modified;
A description of the rights of the holders when the issuer is not able to fulfil its obligations, including in insolvency;
A description of rights in the context of the implementation of the recovery plan;
A description of rights in the context of the implementation of the redemption plan;
The contact details for submitting complaints and description of the complaints-handling procedures and any dispute resolution mechanism or redress procedure established by the issuer of the e-money token;
Where applicable, a description of protection schemes protecting the value of the crypto-asset and of compensation schemes;
The law applicable to the e-money token as well as the competent court.
Part E: Information on the underlying technology
Information on the technology used, including distributed ledger technology, as well as the protocols and technical standards used, allowing for the holding, storing and transfer of e-money tokens;
Information about the technical requirements that the purchaser has to fulfil to gain control over the e-money token;
The consensus mechanism, where applicable;
Incentive mechanisms to secure transactions and any fees applicable;
Where the e-money token is issued, transferred and stored using distributed ledger technology that is operated by the issuer or a third-party acting on its behalf, a detailed description of the functioning of such distributed ledger technology;
Information on the audit outcome of the technology used, if such an audit was conducted.
Part F: Information on the risks
Description of the risks associated with the issuer of the e-money token;
Description of the risks associated with the e-money token;
Description of the risks associated with the technology used as well as mitigation measures, if any.
Crypto-asset service providers
Type of crypto-asset services
Minimum capital requirements under Article 67(1), point (a)
Class 1
Crypto-asset service provider authorised for the following crypto-asset services:
execution of orders on behalf of clients;
placing of crypto-assets;
providing transfer services for crypto-assets on behalf of clients;
reception and transmission of orders for crypto-assets on behalf of clients;
providing advice on crypto-assets; and/or
providing portfolio management on crypto-assets.
EUR 50 000
Class 2
Crypto-asset service provider authorised for any crypto-asset services under class 1 and:
providing custody and administration of crypto-assets on behalf of clients;
exchange of crypto-assets for funds; and/or
exchange of crypto-assets for other crypto-assets.
EUR 125 000
Class 3
Crypto-asset service provider authorised for any crypto-asset services under class 2 and:
operation of a trading platform for crypto-assets.
EUR 150 000
The issuer infringes Article 22(1) by not reporting, for each significant asset-referenced token with an issue value that is higher than EUR 100 000 000, on a quarterly basis to EBA the information referred to in the first subparagraph, points (a) to (d), of that paragraph.
The issuer infringes Article 23(1) by not stopping issuing a significant asset-referenced token upon reaching the thresholds provided for in that paragraph or by not submitting a plan to EBA within 40 working days of reaching those thresholds to ensure that the estimated quarterly average number and average aggregate value of the transactions per day are kept below those thresholds.
The issuer infringes Article 23(4) by not complying with the modifications of the plan referred to in paragraph 1, point (b), of that Article as required by EBA.
The issuer infringes Article 25 by not notifying EBA of any intended change of its business model likely to have a significant influence on the purchase decision of any holders or prospective holders of significant asset-referenced tokens, or by not describing such a change in a crypto-asset white paper.
The issuer infringes Article 25 by not complying with a measure requested by EBA in accordance with Article 25(4).
The issuer infringes Article 27(1) by not acting honestly, fairly and professionally.
The issuer infringes Article 27(1) by not communicating with holders and prospective holders of the significant asset-referenced token in a fair, clear and not misleading manner.
The issuer infringes Article 27(2) by not acting in the best interests of the holders of the significant asset-referenced token, or by giving preferential treatment to specific holders which is not disclosed in the issuer’s crypto-asset white paper or, where applicable, the marketing communications.
The issuer infringes Article 28 by not publishing on its website the approved crypto-asset white paper as referred to in Article 21(1) and, where applicable, the modified crypto-asset white paper as referred to in Article 25.
The issuer infringes Article 28 by not making the crypto-asset white paper publicly accessible by the starting date of the offer to the public of the significant asset-referenced token or the admission to trading of that token.
The issuer infringes Article 28 by not ensuring that the crypto-asset white paper, and, where applicable, the modified crypto-asset white paper, remains available on its website for as long as the significant asset-referenced token is held by the public.
The issuer infringes Article 29(1) and (2) by publishing marketing communications relating to an offer to the public of a significant asset-referenced token, or to the admission to trading of such significant asset-referenced token, which do not comply with the requirements set out in paragraph 1, points (a) to (d), and paragraph 2 of that Article.
The issuer infringes Article 29(3) by not publishing marketing communications and any modifications thereto on its website.
The issuer infringes Article 29(5) by not notifying marketing communications to EBA upon request.
The issuer infringes Article 29(6) by disseminating marketing communications prior to the publication of the crypto-asset white paper.
The issuer infringes Article 30(1) by not disclosing in a clear, accurate and transparent manner in a publicly and easily accessible place on its website the amount of the significant asset-referenced token in circulation and the value and composition of the reserve of assets referred to in Article 36, or by not updating the required information at least monthly.
The issuer infringes Article 30(2) by not publishing as soon as possible in a publicly and easily accessible place on its website a brief, clear, accurate and transparent summary of the audit report, as well as the full and unredacted audit report, in relation to the reserve of assets referred to in Article 36.
The issuer infringes Article 30(3) by not disclosing in a publicly and easily accessible place on its website in a clear, accurate and transparent manner as soon as possible any event that has or is likely to have a significant effect on the value of the significant asset-referenced token or on the reserve of assets referred to in Article 36.
The issuer infringes Article 31(1) by not establishing and maintaining effective and transparent procedures for the prompt, fair and consistent handling of complaints received from holders of the significant asset-referenced token and other interested parties, including consumer associations that represent holders of the significant asset-referenced token, and by not publishing descriptions of those procedures, or, where the significant asset-referenced token is distributed, totally or partially, by third-party entities, by not establishing procedures to also facilitate the handling of complaints between holders and third-party entities as referred to in Article 34(5), first subparagraph, point (h).
The issuer infringes Article 31(2) by not enabling the holders of the significant asset-referenced token to file complaints free of charge.
The issuer infringes Article 31(3) by not developing and making available to the holders of the significant asset-referenced token a template for filing complaints and by not keeping a record of all complaints received and any measures taken in response to those complaints.
The issuer infringes Article 31(4), by not investigating all complaints in a timely and fair manner or by not communicating the outcome of such investigations to the holders of its significant asset-referenced token within a reasonable period.
The issuer infringes Article 32(1) by not implementing and maintaining effective policies and procedures to identify, prevent, manage and disclose conflicts of interest between the issuer itself and its shareholders or members, itself and any shareholder or member, whether direct or indirect, that has a qualifying holding in it, itself and the members of its management body, itself and its employees, itself and the holders of the significant asset-referenced token or itself and any third party providing one of the functions as referred in Article 34(5), first subparagraph, point (h).
The issuer infringes Article 32(2) by not taking all appropriate steps to identify, prevent, manage and disclose conflicts of interest arising from the management and investment of the reserve of assets referred to in Article 36.
The issuer infringes Article 32(3) and (4), by not disclosing, in a prominent place on its website, to the holders of the significant asset-referenced token the general nature and sources of conflicts of interest and the steps taken to mitigate those risks, or by not being sufficiently precise in the disclosure to enable the prospective holders of the significant asset-referenced token to take an informed purchasing decision about such token.
The issuer infringes Article 33 by not immediately notifying EBA of any changes to its management body or by not providing EBA with all necessary information to assess compliance with Article 34(2).
The issuer infringes Article 34(1) by not having robust governance arrangements, including a clear organisational structure with well-defined, transparent and consistent lines of responsibility, effective processes to identify, manage, monitor and report the risks to which it is or might be exposed, and adequate internal control mechanisms, including sound administrative and accounting procedures.
The issuer infringes Article 34(2) by having members of its management body who are not of sufficiently good repute or do not possess the appropriate knowledge, skills and experience, both individually and collectively, to perform their duties or do not demonstrate that they are capable of committing sufficient time to effectively perform their duties.
The issuer infringes Article 34(3) by not having its management body assess or periodically review the effectiveness of the policy arrangements and procedures put in place to comply with Chapters 2, 3, 5 and 6 of Title III or by not taking appropriate measures to address any deficiencies in that respect.
The issuer infringes Article 34(4) by having shareholders or members, whether direct or indirect, with qualifying holdings who are not of sufficiently good repute.
The issuer infringes Article 34(5) by not adopting policies and procedures that are sufficiently effective to ensure compliance with this Regulation, in particular by not establishing, maintaining and implementing any of the policies and procedures referred to in the first subparagraph, points (a) to (k), of that paragraph.
The issuer infringes Article 34(5) by not entering into contractual arrangements with third-party entities as referred to in the first subparagraph, point (h), of that paragraph that set out the roles, responsibilities, rights and obligations both of the issuer and of the third-party entity concerned, or by not providing for an unambiguous choice of applicable law.
The issuer infringes Article 34(6), unless it has initiated a plan as referred to in Article 47, by not employing appropriate and proportionate systems, resources or procedures to ensure the continued and regular performance of its services and activities, and by not maintaining all of its systems and security access protocols in conformity with the appropriate Union standards.
The issuer infringes Article 34(7) by not submitting a plan for discontinuation of providing services and activities to EBA, for approval of such discontinuation.
The issuer infringes Article 34(8) by not identifying sources of operational risks and by not minimising those risks through the development of appropriate systems, controls and procedures.
The issuer infringes Article 34(9) by not establishing a business continuity policy and plans to ensure, in the case of an interruption of its ICT systems and procedures, the preservation of essential data and functions and the maintenance of its activities, or, where that is not possible, the timely recovery of such data and functions and the timely resumption of its activities.
The issuer infringes Article 34(10) by not having in place internal control mechanisms and effective procedures for risk management, including effective control and safeguard arrangements for managing ICT systems as required by Regulation (EU) 2022/2554.
The issuer infringes Article 34(11) by not having in place systems and procedures that are adequate to safeguard the availability, authenticity, integrity and confidentiality of data as required by Regulation (EU) 2022/2554 and in line with Regulation (EU) 2016/679.
The issuer infringes Article 34(12) by not ensuring that the issuer is regularly audited by independent auditors.
The issuer infringes Article 35(1) by not having, at all times, own funds equal to amounts of at least the highest of that set in point (a) or (c) of that paragraph or in Article 45(5).
The issuer infringes Article 35(2) of this Regulation where its own funds do not consist of the Common Equity Tier 1 items and instruments referred to in Articles 26 to 30 of Regulation (EU) No 575/2013 after the deductions in full, pursuant to Article 36 of that Regulation, without the application of threshold exemptions referred to in Article 46(4) and Article 48 of that Regulation.
The issuer infringes Article 35(3) by not complying with the requirement of EBA to hold a higher amount of own funds, following the assessment made in accordance with points (a) to (g) of that paragraph.
The issuer infringes Article 35(5) by not conducting, on a regular basis, stress testing that takes into account severe but plausible financial stress scenarios, such as interest rate shocks and non-financial stress scenarios such as operational risk.
The issuer infringes Article 35(5) by not complying with the requirement of EBA to hold a higher amount of own funds based on the outcome of the stress testing.
The issuer infringes Article 36(1) by not constituting and, at all times, maintaining a reserve of assets.
The issuer infringes Article 36(1) by not ensuring that the reserve of assets is composed and managed in such a way that the risks associated to the assets referenced by the significant asset-referenced token are covered.
The issuer infringes Article 36(1) by not ensuring that the reserve of assets is composed and managed in such a way that the liquidity risks associated to the permanent rights of redemption of the holders are addressed.
The issuer infringes Article 36(3) by not ensuring that the reserve of assets is operationally segregated from the issuer’s estate, and from the reserve of assets of other asset-referenced tokens.
The issuer infringes Article 36(6) where its management body does not ensure effective and prudent management of the reserve of assets.
The issuer infringes Article 36(6) by not ensuring that the issuance and redemption of the significant asset-referenced token is always matched by a corresponding increase or decrease in the reserve of assets.
The issuer infringes Article 36(7) by not determining the aggregate value of the reserve of assets using market prices, and by not having its aggregate value always at least equal to the aggregate value of the claims against the issuer from holders of the significant asset-referenced token in circulation.
The issuer infringes Article 36(8), by not having a clear and detailed policy describing the stabilisation mechanism of the significant asset-referenced token that meets the conditions set out in points (a) to (g) of that paragraph.
The issuer infringes Article 36(9) by not mandating an independent audit of the reserve of assets every six months, as of the date of its authorisation or as of the date of approval of the crypto-asset white paper pursuant to Article 17.
The issuer infringes Article 36(10) by not notifying to EBA the result of the audit in accordance with that paragraph or by not publishing the result of the audit within two weeks of the date of notification to EBA.
The issuer infringes Article 37(1) by not establishing, maintaining or implementing custody policies, procedures and contractual arrangements that ensure at all times that the conditions listed in the first subparagraph, points (a) to (e), of that paragraph are met.
The issuer infringes Article 37(2) by not having, when issuing two or more significant asset-referenced tokens, a custody policy in place for each pool of reserve of assets.
The issuer infringes Article 37(3) by not ensuring that the reserve assets are held in custody by a crypto-asset service provider providing custody and administration of crypto-assets on behalf of clients, a credit institution or an investment firm by no later than five working days after the date of issuance of the significant asset-referenced token.
The issuer infringes Article 37(4) by not exercising all due skill, care and diligence in the selection, appointment and review of crypto-asset service providers, credit institutions and investment firms appointed as custodians of the reserve assets, or by not ensuring that the custodian is a legal person different from the issuer.
The issuer infringes Article 37(4) by not ensuring that the crypto-asset service providers, credit institutions and investment firms appointed as custodians of the reserve assets have the necessary expertise and market reputation to act as custodians of such reserve assets.
The issuer infringes Article 37(4) by not ensuring in the contractual arrangements with the custodians that the reserve assets held in custody are protected against claims of the custodians’ creditors.
The issuer infringes Article 37(5) by not setting out in the custody policies and procedures the selection criteria for the appointment of crypto-asset service providers, credit institutions or investment firms as custodians of the reserve assets or by not setting out the procedure for reviewing such appointment.
The issuer infringes Article 37(5) by not reviewing the appointment of crypto-asset service providers, credit institutions or investment firms as custodians of the reserve assets on a regular basis, by not evaluating its exposures to such custodians or by not monitoring the financial conditions of such custodians on an ongoing basis.
The issuer infringes Article 37(6) by not ensuring that custody of the reserve assets is carried out in accordance with the first subparagraph, points (a) to (d), of that paragraph.
The issuer infringes Article 37(7) by not having the appointment of a crypto-asset service provider, credit institution or investment firm as custodian of the reserve assets evidenced by a contractual arrangement, or by not regulating, by means of such a contractual arrangement, the flow of information necessary to enable the issuer of the significant asset-referenced token, the crypto-asset service provider, the credit institution and the investment firm to perform their functions as custodians.
The issuer infringes Article 38(1) by investing the reserve of assets in any products that are not highly liquid financial instruments with minimal market risk, credit risk and concentration risks or where such investments cannot be liquidated rapidly with minimal adverse price effect.
The issuer infringes Article 38(3) by not holding in custody in accordance with Article 37 the financial instruments in which the reserve of assets is invested.
The issuer infringes Article 38(4) by not bearing all profits and losses and any counterparty or operational risks that result from the investment of the reserve of assets.
The issuer infringes Article 39(1), by not establishing, maintaining and implementing clear and detailed policies and procedures in respect of permanent rights of redemption of holders of the significant asset-referenced token.
The issuer infringes Article 39(1) and (2) by not ensuring that holders of the significant asset-referenced token have permanent rights of redemption in accordance with those paragraphs, and by not establishing a policy on such permanent rights of redemption that meets the conditions listed in Article 39(2), first subparagraph, points (a) to (e).
The issuer infringes Article 39(3) by applying fees in the event of the redemption of the significant asset-referenced token.
The issuer infringes Article 40 by granting interest in relation to the significant asset-referenced token.
The issuer infringes Article 45(1) by not adopting, implementing and maintaining a remuneration policy that promotes the sound and effective risk management of issuers of significant asset-referenced tokens and that does not create incentives to relax risk standards.
The issuer infringes Article 45(2) by not ensuring that its significant asset-referenced token can be held in custody by different crypto-asset service providers authorised for providing custody and administration of crypto-assets on behalf of clients, on a fair, reasonable and non-discriminatory basis.
The issuer infringes Article 45(3) by not assessing or monitoring the liquidity needs to meet requests for redemption of the significant asset-referenced token by its holders.
The issuer infringes Article 45(3) by not establishing, maintaining or implementing a liquidity management policy and procedures or by not ensuring, with those policy and procedures, that the reserve assets have a resilient liquidity profile that enables the issuer of the significant asset-referenced token to continue operating normally, including under scenarios of liquidity stress.
The issuer infringes Article 45(4) by not conducting, on a regular basis, liquidity stress testing or by not strengthening the liquidity requirements where requested by EBA based on the outcome of such tests.
The issuer infringes Article 46(1) by not drawing up and maintaining a recovery plan providing for measures to be taken by the issuer of the significant asset-referenced token to restore compliance with the requirements applicable to the reserve of assets in cases where the issuer fails to comply with those requirements, including the preservation of its services related to the significant asset-referenced token, the timely recovery of operations and the fulfilment of the issuer’s obligations in the case of events that pose a significant risk of disrupting operations.
The issuer infringes Article 46(1) by not drawing up and maintaining a recovery plan that includes appropriate conditions and procedures to ensure the timely implementation of recovery actions as well as a wide range of recovery options, as listed in the third subparagraph of that paragraph.
The issuer infringes Article 46(2) by not notifying the recovery plan to EBA and, where applicable, to its resolution and prudential supervisory authorities, within six months of the date of authorisation pursuant to Article 21 or of the date of approval of the crypto-asset white paper pursuant to Article 17.
The issuer infringes Article 46(2) by not regularly reviewing or updating the recovery plan.
The issuer infringes Article 47(1) by not drawing up and maintaining an operational plan to support the orderly redemption of each significant asset-referenced token.
The issuer infringes Article 47(2) by not having a redemption plan that demonstrates the ability of the issuer of the significant asset-referenced token to carry out the redemption of the outstanding significant asset-referenced token issued without causing undue economic harm to its holders or to the stability of the markets of the reserve assets.
The issuer infringes Article 47(2) by not having a redemption plan that includes contractual arrangements, procedures or systems, including the designation of a temporary administrator, to ensure the equitable treatment of all holders of the significant asset-referenced token and to ensure that holders of the significant asset-referenced token are paid in a timely manner with the proceeds from the sale of the remaining reserve assets.
The issuer infringes Article 47(2) by not having a redemption plan that ensures the continuity of any critical activities that are necessary for the orderly redemption and that are performed by the issuer or by any third-party entity.
The issuer infringes Article 47(3) by not notifying the redemption plan to EBA within six months of the date of authorisation pursuant to Article 21 or of the date of approval of the crypto-asset white paper pursuant to Article 17.
The issuer infringes Article 47(3) by not regularly reviewing or updating the redemption plan.
The issuer infringes Article 88(1), except where the conditions of Article 88(2) are met, by not informing the public as soon as possible of inside information as referred to in Article 87, that directly concerns that issuer, in a manner that enables fast access and complete, correct and timely assessment of the information by the public.
The issuer infringes Article 22(1) by not reporting, for each significant e-money token denominated in a currency that is not an official currency of a Member State with an issue value that is higher than EUR 100 000 000, on a quarterly basis to EBA, the information referred to in the first subparagraph, points (a) to (d), of that paragraph.
The issuer infringes Article 23(1) by not stopping issuing a significant e-money token denominated in a currency that is not an official currency of a Member State upon reaching the thresholds provided for in that paragraph or by not submitting a plan to EBA within 40 working days of reaching those thresholds to ensure that the estimated quarterly average number and average aggregate value of the transactions per day are kept below those thresholds.
The issuer infringes Article 23(4) by not complying with the modifications of the plan referred to in paragraph 1, point (b), of that Article as required by EBA.
The issuer infringes Article 35(2) of this Regulation where its own funds do not consist of the Common Equity Tier 1 items and instruments referred to in Articles 26 to 30 of Regulation (EU) No 575/2013 after the deductions in full, pursuant to Article 36 of that Regulation, without the application of threshold exemptions referred to in Article 46(4) and Article 48 of that Regulation.
The issuer infringes Article 35(3) by not complying with the requirement of EBA to hold a higher amount of own funds, following the assessment made in accordance with points (a) to (g) of that paragraph.
The issuer infringes Article 35(5) by not conducting, on a regular basis, stress testing that takes into account severe but plausible financial stress scenarios, such as interest rate shocks, and non-financial stress scenarios, such as operational risk.
The issuer infringes Article 35(5) by not complying with the requirement of EBA to hold a higher amount of own funds based on the outcome of the stress testing.
The issuer infringes Article 36(1) by not constituting and, at all times, maintaining a reserve of assets.
The issuer infringes Article 36(1) by not ensuring that the reserve of assets is composed and managed in such a way that the risks associated to the official currency referenced by the significant e-money token are covered.
The issuer infringes Article 36(1) by not ensuring that the reserve of assets is composed and managed in such a way that the liquidity risks associated to the permanent rights of redemption of the holders are addressed.
The issuer infringes Article 36(3) by not ensuring that the reserve of assets is operationally segregated from the issuer’s estate, and from the reserve of assets of other e-money tokens.
The issuer infringes Article 36(6) where its management body does not ensure effective and prudent management of the reserve of assets.
The issuer infringes Article 36(6) by not ensuring that the issuance and redemption of the significant e-money token is always matched by a corresponding increase or decrease in the reserve of assets.
The issuer infringes Article 36(7) by not determining the aggregate value of the reserve of assets by using market prices, and by not having its aggregate value always at least equal to the aggregate value of the claims against the issuer from the holders of the significant e-money token in circulation.
The issuer infringes Article 36(8) by not having a clear and detailed policy describing the stabilisation mechanism of the significant e-money token that meets the conditions set out in points (a) to (g) of that paragraph.
The issuer infringes Article 36(9) by not mandating an independent audit of the reserve of assets every six months after the date of the offer to the public or admission to trading.
The issuer infringes Article 36(10) by not notifying to EBA the result of the audit in accordance with that paragraph or by not publishing the result of the audit within two weeks of the date of notification to EBA.
The issuer infringes Article 37(1) by not establishing, maintaining or implementing custody policies, procedures and contractual arrangements that ensure at all times that the conditions listed in the first subparagraph, points (a) to (e), of that paragraph are met.
The issuer infringes Article 37(2) by not having, when issuing two or more significant e-money tokens, a custody policy in place for each pool of reserve of assets.
The issuer infringes Article 37(3) by not ensuring that the reserve assets are held in custody by a crypto-asset service provider providing custody and administration of crypto-assets on behalf of clients, a credit institution or an investment firm by no later than five working days after the date of issuance of the significant e-money token.
The issuer infringes Article 37(4) by not exercising all due skill, care and diligence in the selection, appointment and review of crypto-asset service providers, credit institutions and investment firms appointed as custodians of the reserve assets or by not ensuring that the custodian is a legal person different from the issuer.
The issuer infringes Article 37(4) by not ensuring that the crypto-asset service providers, credit institutions and investment firms appointed as custodians of the reserve assets have the necessary expertise and market reputation to act as custodians of such reserve assets.
The issuer infringes Article 37(4) by not ensuring in the contractual arrangements with the custodians that the reserve assets held in custody are protected against claims of the custodians’ creditors.
The issuer infringes Article 37(5) by not setting out in the custody policies and procedures the selection criteria for the appointment of crypto-asset service providers, credit institutions or investment firms as custodians of the reserve assets or by not setting out the procedure for reviewing such appointment.
The issuer infringes Article 37(5) by not reviewing the appointment of crypto-asset service providers, credit institutions or investment firms as custodians of the reserve assets on a regular basis, and by not evaluating its exposures to such custodians, or by not monitoring the financial conditions of such custodians on an ongoing basis.
The issuer infringes Article 37(6) by not ensuring that the custody of the reserve assets is carried out in accordance with the first subparagraph, points (a) to (d), of that paragraph.
The issuer infringes Article 37(7) by not having the appointment of a crypto-asset service provider, credit institution or investment firm as custodian of the reserve assets evidenced by a contractual arrangement, or by not regulating, by means of such a contractual arrangement, the flow of information necessary to enable the issuer of the significant e-money token, the crypto-asset service provider, the credit institutions and the investment firm to perform their functions as custodians.
The issuer infringes Article 38(1) by investing the reserve of assets in any products that are not highly liquid financial instruments with minimal market risk, credit risk and concentration risks or where such investments cannot be liquidated rapidly with minimal adverse price effect.
The issuer infringes Article 38(3) by not holding in custody in accordance with Article 37 the financial instruments in which the reserve of assets is invested.
The issuer infringes Article 38(4) by not bearing all profits and losses and any counterparty or operational risks that result from the investment of the reserve of assets.
The issuer infringes Article 45(1) by not adopting, implementing and maintaining a remuneration policy that promotes the sound and effective risk management of issuers of significant e-money tokens and that does not create incentives to relax risk standards.
The issuer infringes Article 45(2) by not ensuring that its significant e-money token can be held in custody by different crypto-asset service providers authorised for providing custody and administration of crypto-assets on behalf of clients on a fair, reasonable and non-discriminatory basis.
The issuer infringes Article 45(3) by not assessing or monitoring the liquidity needs to meet requests for redemption of the significant e-money token by its holders.
The issuer infringes Article 45(3) by not establishing, maintaining or implementing a liquidity management policy and procedures or by not ensuring, with those policy and procedures, that the reserve assets have a resilient liquidity profile that enables the issuer of the significant e-money token to continue operating normally, including under liquidity stressed scenarios.
The issuer infringes Article 45(4) by not conducting, on a regular basis, liquidity stress testing or by not strengthening the liquidity requirements where requested by EBA based on the outcome of such tests.
The issuer infringes Article 45(5) by not complying, at all times, with the own funds requirement.
The issuer infringes Article 46(1) by not drawing up and maintaining a recovery plan providing for measures to be taken by the issuer of significant e-money tokens to restore compliance with the requirements applicable to the reserve of assets in cases where the issuer fails to comply with those requirements, including the preservation of its services related to the significant e-money token, the timely recovery of operations and the fulfilment of the issuer’s obligations in the case of events that pose a significant risk of disrupting operations.
The issuer infringes Article 46(1) by not drawing up and maintaining a recovery plan that includes appropriate conditions and procedures to ensure the timely implementation of recovery actions as well as a wide range of recovery options, as listed in the third subparagraph, points (a), (b) and (c), of that paragraph.
The issuer infringes Article 46(2) by not notifying the recovery plan to EBA and, where applicable, to its resolution and prudential supervisory authorities, within six months of the date of the offer to the public or admission to trading.
The issuer infringes Article 46(2) by not regularly reviewing or updating the recovery plan.
The issuer infringes Article 47(1) by not drawing up and maintaining an operational plan that supports the orderly redemption of each significant e-money token.
The issuer infringes Article 47(2) by not having a redemption plan that demonstrates the ability of the issuer of the significant e-money token to carry out the redemption of the outstanding significant e-money token issued without causing undue economic harm to its holders or to the stability of the markets of the reserve assets.
The issuer infringes Article 47(2) by not having a redemption plan that includes contractual arrangements, procedures or systems, including the designation of a temporary administrator, to ensure the equitable treatment of all holders of the significant e-money token and to ensure that holders of the significant e-money token are paid in a timely manner with the proceeds from the sale of the remaining reserve assets.
The issuer infringes Article 47(2) by not having a redemption plan that ensures the continuity of any critical activities that are necessary for the orderly redemption and that are performed by the issuer or by any third-party entities.
The issuer infringes Article 47(3) by not notifying the redemption plan to EBA within six months of the date of the offer to the public or admission to trading.
The issuer infringes Article 47(3) by not regularly reviewing or updating the redemption plan.