Commission Delegated Regulation (EU) 2022/2116 of 13 July 2022 supplementing Regu... (32022R2116)
EU - Rechtsakte: 06 Right of establishment and freedom to provide services

COMMISSION DELEGATED REGULATION (EU) 2022/2116

of 13 July 2022

supplementing Regulation (EU) 2020/1503 of the European Parliament and of the Council with regard to regulatory technical standards specifying the measures and procedures for crowdfunding service providers’ business continuity plan

(Text with EEA relevance)

THE EUROPEAN COMMISSION,
Having regard to the Treaty on the Functioning of the European Union,
Having regard to Regulation (EU) 2020/1503 of the European Parliament and of the Council of 7 October 2020 on European crowdfunding service providers for business, and amending Regulation (EU) 2017/1129 and Directive (EU) 2019/1937 (1), and in particular Article 12(16), fourth subparagraph, thereof,
Whereas:
(1) In order to ensure that the measures and procedures for the business continuity plan referred to in Article 12(2), point (j), of Regulation (EU) 2020/1503 are duly harmonised within the Union, the measures and procedures of such plan should be specified.
(2) In order to properly address the risks associated with the cessation of critical services, the business continuity plan should ensure that critical services including those that are outsourced, continue to be performed despite the failure of the crowdfunding service provider, or the third party to which critical services have been outsourced.
(3) Given the range of events that can have a detrimental impact on the performance of critical services, the business continuity plan should address situations triggering a significant defect or default in the performance of critical services.
(4) To ensure that the business continuity plan is effective, it is appropriate to set out the minimum content of measures and procedures for the business continuity plan.
(5) It is appropriate to clarify a limited number of technical terms. Those technical definitions are necessary to ensure the uniform application of this Regulation and, hence, contribute to the establishment of a single rulebook for Union crowdfunding service providers. Those definitions serve only for the purpose of setting out the obligations of crowdfunding service providers and should be strictly limited to understanding this Regulation.
(6) This Regulation is based on the draft regulatory technical standards submitted to the Commission by the European Securities and Markets Authority.
(7) European Securities and Markets Authority has conducted open public consultations on the draft regulatory technical standards on which this Regulation is based, analysed the potential related costs and benefits and requested the advice of the Securities and Markets Stakeholder Group established in accordance with Article 37 of Regulation (EU) No 1095/2010 of the European Parliament and of the Council (2).
(8) The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 of the European Parliament and of the Council (3) and delivered an opinion on 1 June 2022,
HAS ADOPTED THIS REGULATION:

Article 1

Definitions

For the purpose of this Regulation, the following definitions apply:
(a) ‘critical services’ means operational and business services whose defect or default in their performance would materially impair the continuing compliance of a crowdfunding service provider with Regulation (EU) 2020/1503, or its financial performance, or the soundness or the continuity of its crowdfunding services and activities, notably vis-à-vis its clients;
(b) ‘failure’ means any insolvency or pre-insolvency proceeding applicable under relevant national law or any significant business interruption;
(c) ‘significant business interruption’ means a significant defect or default that materially impairs the performance of critical services.

Article 2

Minimum content of the business continuity plan

1.   Crowdfunding service providers shall develop a detailed business continuity plan addressing the risks associated with their failure (‘the business continuity plan’).
2.   The business continuity plan shall include:
(a) measures and procedures to ensure the continuity of the provision of critical services related to existing investments;
(b) measures and procedures to ensure the sound administration of agreements between the crowdfunding service provider and its clients and the sound administration of critical business data.

Article 3

Continuity of the provision of critical services

1.   The business continuity plan shall ensure that critical services, including those outsourced to third parties, continue to be performed despite the failure of the crowdfunding service provider or the third party to which critical services have been outsourced.
2.   The measures contained in the business continuity plan shall be adapted to the business model of the crowdfunding service provider and shall include arrangements ensuring the continuity of critical services through the outsourcing of some or all of such critical services to a third-party entity.
3.   The business continuity plan shall include provisions for:
(a) notification of the client about the occurrence of an event of failure;
(b) the clients’ access to information relating to their investments;
(c) where applicable, the continued servicing of outstanding loans;
(d) where applicable, the continuation of payment services as referred to in Article 10 of Regulation (EU) 2020/1503, including the arrangements referred to in paragraph 5 of that Article;
(e) where applicable, the handover of asset safekeeping arrangements as referred to in Article 10 of Regulation (EU) 2020/1503.

Article 4

Sound administration of agreements

1.   The business continuity plan shall, taking into account the nature, scale and complexity of the crowdfunding service provider as well as its business model, set out detailed measures to be taken to ensure the sound administration of agreements between the crowdfunding service provider and its clients.
2.   The steps referred to in paragraph 1 shall be applied to:
(a) agreements between the crowdfunding service provider and its clients, including information that is of critical importance for the sound administration of agreements;
(b) results from the entry knowledge test referred to in Article 21 of Regulation (EU) 2020/1503;
(c) other critical business data.
3.   The steps referred in paragraph 1 shall consist in the following:
(a) the storage in a safe place of agreements referred to in paragraph 2, point (a), where the original is only available in paper form;
(b) relevant back-up of the documents and information referred to in paragraph 2.
4.   Information and agreements enabling to trace payments made by investors and project owners shall be considered as critical business data for the purposesof paragraph 2, point (c).

Article 5

Procedures

1.   The procedures referred to in Article 2(2), points (a) and (b), shall be adapted to the business model of the crowdfunding service provider and shallinclude:
(a) a compilation of a list of contact details of the persons or department in charge in case of failure of the crowdfunding service provider;
(b) the identification of the three most likely scenarios of failure and the description of measures to be taken to mitigate their impact on the continuity of critical services;
(c) provisions regarding access by staff of the crowdfunding service provider to the workspace and company network;
(d) provisions regarding access to client information and, where relevant, client assets;
(e) an identification of operational and financial risks as well as measures to reduce their occurrence;
(f) an identification of critical business systems and contingency measures to ensure their continuity;
(g) an identification of critical business relationships, including outsourced functions;
(h) procedures to ensure the continuity of communication between the crowdfunding service provider, its clients, business partners, employees and competent authorities.

Article 6

Entry into force

This Regulation shall enter into force on the twentieth day following that of its publication in the
Official Journal of the European Union
.
This Regulation shall be binding in its entirety and directly applicable in all Member States.
Done at Brussels, 13 July 2022.
For the Commission
The President
Ursula VON DER LEYEN
(1)  
OJ L 347, 20.10.2020, p. 1
.
(2)  Regulation (EU) No 1095/2010 of the European Parliament and of the Council of 24 November 2010 establishing a European Supervisory Authority (European Securities and Markets Authority), amending Decision No 716/2009/EC and repealing Commission Decision No 2009/77/EC (
OJ L 331, 15.12.2010, p. 84
).
(3)  Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (
OJ L 295, 21.11.2018, p. 39
).
Markierungen
Leseansicht