Commission Delegated Regulation (EU) 2025/299 of 31 October 2024 supplementing Regulation (EU) 2023/1114 of the European Parliament and of the Council on markets in crypto-assets with regard to regulatory technical standards on continuity and regularity in the performance of crypto-asset services

THE EUROPEAN COMMISSION,

Having regard to the Treaty on the Functioning of the European Union,

Having regard to Regulation (EU) 2023/1114 of the European Parliament and of the Council of 31 May 2023 on markets in crypto-assets and amending Regulation (EU) No 1093/2010 and (EU) No 1095/2010 and Directives 2013/36/EU and (EU) 2019/1937(1), and in particular Article 68(10), third subparagraph, thereof,

Whereas:

  1. Articles 11 and 12 of Regulation (EU) 2022/2554 of the European Parliament and of the Council(2) provide for requirements relating to response and recovery, backup policies and procedures, restoration and recovery procedures and methods concerning the ICT systems of financial entities, including crypto-asset services providers. Commission Delegated Regulation (EU) 2024/1774(3) further specifies components of the ICT business continuity policy, the testing of ICT business continuity plans, the components of the ICT response and recovery plans of financial entities, including crypto-asset service providers. This Regulation complements those provisions of Regulation (EU) 2022/2554 and of Delegated Regulation (EU) 2024/1774 with respect to continuity and regularity in the performance of the crypto-asset services.

  2. In providing their services, crypto-asset service providers may use a distributed ledger over which they have no control, including a permissionless distributed ledger. In that case, they may not be capable of ensuring the regularity and continuity of their services when disruptions are caused by problems that are inherent to the operation of such distributed ledgers. To mitigate market volatility that may have an adverse impact on clients affected by such disruptions, crypto-asset service providers should include in their business continuity policy measures for timely communication with clients and other external stakeholders. Such communication should include essential and timely information for clients on such disruptions, including ongoing status updates, until the disruption is resolved and services are resumed. Where information on the status of the permissionless distributed ledger responsible for a service disruption is not readily available to the crypto-asset service provider, that crypto-asset service provider should communicate updates to clients and other stakeholders, including competent authorities, on a best effort basis to ensure that clients and stakeholders have as comprehensive information as possible on such disruptions.

  3. To avoid disproportionate administrative burden for small and medium-enterprises and start-ups, crypto-asset service providers should consider in their business continuity policy the scale, nature, and range of the services they provide. That means that crypto-asset service providers should determine their specific business continuity requirements on the basis of a robust self-assessment, based on a number of criteria that would enable them to implement a business continuity policy that is commensurate with the market impact of their services. The self-assessment should also take into account other circumstances beyond those listed in the Annex that may have an impact on the crypto-asset service provider.

  4. This Regulation is based on the draft regulatory technical standards submitted to the Commission by the European Securities and Markets Authority.

  5. The European Securities and Markets Authority has conducted open public consultations on the draft regulatory technical standards on which this Regulation is based, analysed the potential related costs and benefits and requested the advice of the Securities and Markets Stakeholder Group established in accordance with Article 37 of Regulation (EU) No 1095/2010 of the European Parliament and of the Council(4),

HAS ADOPTED THIS REGULATION:

Article 1 Definitions

For the purposes of this Regulation, the following definitions shall apply:

  1. ‘critical or important function’ means a critical or important function as defined in Article 3, point (22), of Regulation (EU) 2022/2554;

  2. ‘permissionless distributed ledger’ means a specific type of distributed ledger in which no entity controls the distributed ledger and DLT network nodes can be set up by any person complying with the technical requirements and the protocols of that distributed ledger.

Article 2 Business continuity organisational arrangements

1. The business continuity policy referred to in Article 68(7) of Regulation (EU) 2023/1114 shall be comprised of plans, procedures and measures.

2. The management body of crypto-asset service providers, in the exercise of its functions referred to in Article 68(6) of Regulation (EU) 2023/1114, shall establish and endorse the plans, procedures, and measures that comprise the business continuity policy. The crypto-asset service provider’s management body shall be responsible for the implementation of the business continuity policy, and for reviewing its effectiveness at least on an annual basis.

3. Crypto-asset service providers shall ensure that any modifications to the business continuity policy are transmitted to all relevant internal staff through effective communication channels.

Article 3 Business continuity policy

1. The business continuity policy referred to in Article 68(7) of Regulation (EU) 2023/1114 shall ensure that crypto-asset service providers properly address disruptive incidents or performance issues relating to the systems critical to the operation of their business functions and it shall be laid down in a durable medium.

2. Crypto-asset service providers shall include in the business continuity policy all of the following:

  1. a specification of the scope of the business continuity policy, including its limitations and exclusions, to be covered by the business continuity plans, procedures, and measures;

  2. a description of the criteria to activate the business continuity plans, including escalation procedures up to the level of the management body;

  3. provisions on the governance and organisation of the crypto-asset service provider, including, the roles and responsibilities of the staff, ensuring that sufficient resources are available for the effective implementation of the policy;

  4. provisions that ensure consistency between the business continuity plans and the ICT-business continuity plans, and ICT response and recovery plans referred to in Articles 24 and 26 of Delegated Regulation (EU) 2024/1774.

Article 4 Business continuity plans

1. When implementing the business continuity policy referred to in Article 68(7) of Regulation (EU) 2023/1114, crypto-asset service providers shall establish business continuity plans. The business continuity plans shall set out the procedures necessary to protect and, where necessary, re-establish:

  1. the confidentiality, integrity, and availability of client data;

  2. the availability of the business functions, supporting processes and information assets of the crypto-asset service providers.

2. The business continuity plans shall contain the following:

  1. a range of possible adverse scenarios relating to the operation of critical or important functions, including the unavailability of business functions, staff, workspace, external suppliers, data centres, or loss or alteration of critical data and documents;

  2. the procedures and policies to be followed in case of a disruptive incident, including:

    1. the measures that are necessary to recover critical or important functions;

    2. the deadlines by which those critical or important functions are to be recovered;

    3. recovery point objectives;

    4. the maximum time to resume services;

  3. the procedures and policies for relocating the business functions used to provide crypto-asset services to a back-up site;

  4. back-up of critical business data, including up-to-date information of the necessary contacts to ensure communication inside the crypto-asset service provider, between the crypto-asset service provider and its clients;

  5. procedures for timely communications with clients and other external stakeholders, including competent authorities.

3. In the event of a disruption involving a permissionless distributed ledger used by the crypto asset service provider in the provision of its services, the communications referred to in paragraph 2, point (e) shall include the following information:

  1. when the services are expected to be resumed;

  2. the reasons and the impact of the disruptive incident;

  3. any risks concerning clients’ funds and crypto-assets held on their behalf;

  4. measures that the crypto-asset service intends to take in response to the disruption of a permissionless distributed ledger.

Where that information is not readily available to the crypto-asset service provider, the crypto-asset service provider shall communicate updates as regards the information in the first subparagraph to clients and stakeholders, including competent authorities, on a best effort basis.

4. The business continuity plans shall contain procedures to address any disruptions of outsourced critical or important functions, including where those critical or important functions become unavailable.

Article 5 Periodic testing of the business continuity plans

Article 6 Complexity and risk considerations

Article 7 Entry into force

ANNEX CRITERIA FOR THE SELF-ASSESSMENT OF CRYPTO-ASSET SERVICE PROVIDERS