2025/303
20.2.2025
COMMISSION DELEGATED REGULATION (EU) 2025/303
of 31 October 2024
supplementing Regulation (EU) 2023/1114 of the European Parliament and of the Council with regard to regulatory technical standards specifying the information to be included by certain financial entities in the notification of their intention to provide crypto-asset services
(Text with EEA relevance)
THE EUROPEAN COMMISSION,
Having regard to the Treaty on the Functioning of the European Union,
Having regard to Regulation (EU) 2023/1114 of the European Parliament and of the Council of 31 May 2023 on markets in crypto-assets, and amending Regulations (EU) No 1093/2010 and (EU) No 1095/2010 and Directives 2013/36/EU and (EU) 2019/1937 (1), and in particular Article 60(13), third subparagraph, thereof,
Whereas:
(1) To enable competent authorities to assess whether certain financial entities that intend to provide crypto-asset services meet the applicable requirements laid down in Title V and, where relevant, Title VI of Regulation (EU) 2023/1114, the information to be notified by certain financial entities of their intention to provide crypto-asset services should be sufficiently detailed and comprehensive without imposing undue burden.
(2) In accordance with Article 60(7), point (a) of Regulation (EU) 2023/1114, a notification of the intention to provide crypto-asset services is to contain a programme of operations. In order to provide a full picture of the operations the notifying entity intends to undertake, the programme of operations should comprise a description of the notifying entity’s organisational structure, their strategy in providing crypto-asset services to their targeted clients, and their operational capacity for the 3 years following the date of notification. Regarding the strategy used to target clients, the notifying entity should describe the marketing means that it intends to use, such as websites, mobile phone applications, face-to-face meetings, press releases, or any form of physical or electronic means, including social media campaign tools, internet advertisements or banners, retargeting of advertising, agreements with influencers, sponsorships agreements, calls, webinars, invitations to events, affiliation campaigns, gamification techniques, invitations to fill in a response form or to follow a training course, demo accounts or educational materials.
(3) To enable competent authorities to assess the notifying entity’s resilience to withstand external financial shocks, including those concerning the value of crypto-assets, the notifying entity should include in their notification stress scenarios simulating severe but plausible events in their forecast accounting plan.
(4) To avoid outages of operations as they can have major financial, regulatory and reputational consequences for the notifying entity and more generally, crypto-asset markets in general, it is critical to maintain operations or at least essential functions of crypto-asset service providers and to minimise downtime due to unexpected disruptions, including cyberattacks and natural disasters. A notification should therefore contain detailed information on the notifying entity’s arrangements to ensure continuity and regularity in the provision of crypto-asset services, including a detailed description of its risks and business continuity plans.
(5) Effective mechanisms, systems and procedures that comply with Directive (EU) 2015/849 of the European Parliament and of the Council (2) are needed to ensure that notifying entities appropriately address risks and practices of money laundering and terrorist financing in the provision of crypto-asset services. Notifying entities should therefore provide in their notification detailed information on their mechanisms, systems and procedures put in place to prevent risks associated with their business activities in relation to, inter alia, anti-money laundering and counter-terrorist financing.
(6) Due to the decentralised and digital nature of crypto-assets, cybersecurity risks for crypto-asset service providers are significant and take many forms. To ensure that the notifiying entity is able to prevent data breaches and financial losses that could be caused by cyberattacks, the information on the notifying entity’s deployed ICT systems and related security arrangements such as identity and geographical location of the providers, description of the outsourced activities or ICT services with their main characteristics, copy of contractual agreements, as referred to in Article 60(7), point (c), of Regulation (EU) 2023/1114, should include the human resources dedicated to addressing cybersecurity risks.
(7) The segregation of clients’ crypto-assets and funds protects clients from losses of the crypto-asset service provider and from misuse of their crypto-assets and funds. Article 70 of Regulation (EU) 2023/1114 therefore requires crypto-asset service providers to make adequate arrangements to safeguard the ownership rights of clients. That requirement also applies to crypto-asset service providers that do not provide custody and administration services.
(8) To enable competent authorities to assess the adequacy of the notifying entity’s operating rules for their trading platforms for crypto-assets, the notifying entity should detail specific elements in the description of those rules. In particular, the notifying entity should elaborate on aspects of the operating rules relating to the admission to trading, the trading and the settlement of crypto-assets. As regards the admission to trading of crypto-assets, notifying entities should provide detailed information on the way in which the admitted crypto-assets comply with the notifying entity’s rules, on the types of crypto-assets that the notifying entity will not admit to trading on its trading platform and the reasons for such exclusions, and on the fees for the admission to trading. As regards the trading of crypto-assets, the notifying entity should specify the elements of the operating rules governing the execution and cancelation of orders, orderly trading, transparency and record-keeping. Finally, the notifying entity should include in the description of the operating rules the elements governing the settlement of transactions in crypto-assets on the trading platform, including whether the settlement is initiated by using distributed ledger technology (DLT), the timeframe in which the execution is initiated, the definition of the moment when the settlement is final, all verifications required to ensure the effective settlement of the transaction and any measure to limit settlement failures.
(9) To allow for competent authorities to assess the adequacy of the notifying entity in providing certain crypto-asset services such as exchange of crypto-assets for funds or other crypto-assets, execution, the provision of advice on crypto-assets or portfolio management of crypto-assets and transfer services, the notifying entity should specify the details of how these crypto-asset services will be provided as well as the arrangements put in place to ensure that the notifying entity complies with the relevant provisions of Regulation (EU) 2023/1114 with regards to the provision of those crypto-asset services.
(10) Any processing of personal data under this Regulation shall comply with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council (3).
(11) This Regulation is based on the draft regulatory technical standards submitted to the Commission by the European Securities and Markets Authority (ESMA) and developed in close cooperation with the European Banking Authority.
(12) ESMA has conducted open public consultations on the draft regulatory technical standards on which this Regulation is based, analysed the potential related costs and benefits and requested the advice of the Securities and Markets Stakeholder Group established in accordance with Article 37 of Regulation (EU) No 1095/2010 of the European Parliament and of the Council (4).
(13) The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 of the European Parliament and of the Council (5) and delivered formal comments on 21 June 2024,
HAS ADOPTED THIS REGULATION:
Article 1
Programme of operations
1. For the purposes of Article 60(7), point (a), of Regulation (EU) 2023/1114, the notifying entity shall provide to the competent authority the programme of operations for the 3 years following the date of notification, including the following information:
(a) where the notifying entity belongs to a group as defined in Article 2, point (11), of Directive 2013/34/EU of the European Parliament and of the Council (6), an explanation of how the activities of the notifying entity fit within that group strategy and interact with the activities of the other entities of that group, including an overview of the current and planned organisation and structure of that group;
(b) an explanation of how the activities of the entities affiliated with the notifying entity, including where there are regulated entities in the group, is expected to impact the activities of the notifying entity, including a list of and information on the entities affiliated with the notifying entity, and where there are regulated entities, the services provided by these entities and the domain names of each website operated by such entities;
(c) a list of crypto-asset services that the notifying entity intends to provide and the types of crypto-assets to which the crypto-asset services will relate;
(d) other planned activities, regulated in accordance with Union or national law or unregulated, including any other services than crypto-asset services, that the notifying entity intends to provide;
(e) whether the notifying entity intends to offer crypto-assets to the public or seeks admission to trading of crypto-assets and if so, what type of crypto-assets;
(f) a list of jurisdictions, both in the Union and in third countries, in which the notifying entity plans to provide crypto-asset services, including information on the targeted number of clients by geographical area;
(g) types of prospective clients targeted by the notifying entitity’s crypto-asset services;
(h) a description of the means of access to the notifying entity’s crypto-asset services by clients, including all of the following:
(i) the domain names for each website or other ICT-based application through which the crypto-asset services will be provided by the notifying entity and information on the languages in which the website or other ICT-based application will be available, the types of crypto-asset services that will be accessed through that website or other ICT-based application and, where applicable, from which Member States the website or other ICT-based application will be accessible;
(ii) the name of any ICT-based application available to clients to access the crypto-asset services, the languages in which that ICT-based application is available and the crypto-asset services which can be accessed through that ICT-based application;
(i) the planned marketing and promotional activities and arrangements for the crypto-asset services, including the following:
(i) all means of marketing to be used for each of the services;
(ii) the intended means of identification of the notifying entity;
(iii) information on the relevant category of clients targeted;
(iv) types of crypto-assets;
(v) languages that will be used for the marketing and promotional activities;
(j) a detailed description of the human, financial and ICT resources allocated to the intended crypto-asset services, and their geographical location;
(k) the notifying entity’s outsourcing policy and how it was adapted to crypto-asset services as well as a detailed description of the notifying entity’s planned outsourcing arrangements, including intra-group arrangements, and the way that the notifying entity will comply with Article 73 of Regulation (EU) 2023/1114, including information on the function or person responsible for outsourcing, the human and ICT resources allocated to the control of the outsourced functions, services or activities of the related arrangements and on the risk assessment related to the outsourcing;
(l) the list of entities that will provide outsourced services for the provision of crypto-asset services, their geographical location and the relevant services outsourced;
(m) a forecast accounting plan including stress scenarios at an individual and, where applicable, at a consolidated group and sub-consolidated level in accordance with Directive 2013/34/EU, taking into consideration any intra-group loans granted or to be granted by and to the notifying entity;
(n) any exchange of crypto-assets for funds and other crypto-asset activities that the notifying entity intends to undertake, including through any decentralised finance applications with which the notifying entity intends to interact on its own account.
2. Where the notifying entity intends to provide the service of reception and transmission of orders for crypto-assets on behalf of clients, it shall provide to the competent authority a copy of the procedures and a description of the arrangements ensuring compliance with Article 80 of Regulation (EU) 2023/1114.
3. Where the notifying entity intends to provide the service of placing of crypto-assets, it shall provide to the competent authority a copy of procedures to identify, prevent, manage and disclose conflicts of interests and a description of the arrangements in place to comply with Article 79 of Regulation (EU) 2023/1114 and Commission Delegated Regulation establishing technical standards adopted pursuant to Article 72(5) of Regulation (EU) 2023/1114.
Article 2
Business continuity plan
1. For the purposes of Article 60(7), point (b) (iii), of Regulation (EU) 2023/1114, the notifying entity shall submit to the competent authority a detailed description of its business continuity plan, including the steps to be taken to ensure continuity and regularity in the provision of its crypto-asset services.
2. The description referred to in paragraph 1 shall include the following:
(a) details showing that the established business continuity plan is appropriate and that arrangements are set up to maintain and periodically test that plan;
(b) with regard to critical or important functions supported by third-party service providers, details on how business continuity is ensured in the event that the quality of the provision of such functions deteriorates to an unacceptable level or fails;
(c) information on how business continuity is ensured in the event of the death of a key person and, where relevant, political risks in the service provider’s jurisdictions.
Article 3
Detection and prevention of money laundering and terrorist financing
For the purposes of Article 60(7), point (b)(i) and (ii), of Regulation (EU) 2023/1114, the notifying entity shall provide the competent authority with information on its internal control mechanisms, policies and procedures to ensure compliance with the provisions of national law transposing Directive (EU) 2015/849 and on the risk assessment framework to manage risks relating to money laundering and terrorist financing, including the following:
(a) the notifying entity’s assessment of the inherent and residual risks of money laundering and terrorist financing associated with its provision of crypto-asset services, including the risks relating to:
(i) the notifying entity’s customer base;
(ii) the services provided;
(iii) the distribution channels used;
(iv) the geographical areas of operation;
(b) the measures that the notifying entity has or will put in place to prevent the identified risks and comply with applicable anti-money laundering and counter-terrorist financing requirements, including the notifying entity’s risk assessment process, the policies and procedures to comply with customer due diligence requirements, and the policies and procedures to detect and report suspicious transactions or activities;
(c) detailed information on how internal control mechanisms, policies and procedures are adequate and proportionate to the scale, nature, inherent risk of money laundering and terrorist financing, including the range of crypto-asset services provided, the complexity of the business model and how the notifying entity ensures its compliance with Directive (EU) 2015/849 and Regulation (EU) 2023/1113 of the European Parliament and of the Council (7);
(d) the identity of the person in charge of ensuring the notifying entity’s compliance with anti-money laundering and counter-terrorist financing requirements, including evidence of that person’s skills and expertise;
(e) arrangements, human and financial resources devoted to ensure, based on annual indications, that staff of the notifying entity is appropriately trained in anti-money laundering and counter-terrorist financing matters and on specific crypto-asset related risks;
(f) a copy of the notifying entity’s anti-money laundering and counter-terrorism policies, procedures and systems;
(g) a summary document outlining changes that have been made to the notifying entity’s anti-money laundering and counter-terrorism procedures and systems as a consequence of the planned crypto-asset services;
(h) the frequency of the assessment of the adequacy and effectiveness of the internal control mechanisms, systems and procedures, including the identity of the person or function responsible for such assessment.
Article 4
ICT systems and related security arrangements
For the purposes of Article 60(7), point (c), of Regulation (EU) 2023/1114, the notifying entity shall provide the competent authority the following information:
(a) technical documentation of the ICT systems, DLT infrastructure relied upon, where relevant, and the security arrangements, including a description of the arrangements and deployed ICT and human resources established to comply with Regulation (EU) 2022/2554 of the European Parliament and of the Council (8) including the following:
(i) a description of how the notifying entity ensures a sound, comprehensive and well-documented ICT risk management framework as part of its overall risk management system, including a detailed description of ICT systems, protocols and tools and of how the notifying entity’s procedures, policies and systems will safeguard the security, integrity, availability, authenticity and confidentiality of data in accordance with Regulations (EU) 2022/2554 and (EU) 2016/679;
(ii) an identification of ICT services supporting critical or important functions, developed or maintained by the notifying entity, as well as those provided by third-party service providers, a description of such contractual arrangements and how those arrangements comply with Article 73 of Regulation (EU) 2023/1114 and Chapter V of Regulation (EU) 2022/2554;
(iii) a description of the notifying entity’s procedures, policies, arrangements and systems for security and incident management;
(b) if available, a description of a cybersecurity audit conducted by a third-party cybersecurity auditor having sufficient experience in accordance with Commission Delegated Regulation establishing technical standards pursuant to Article 26(11) fourth subparagraph of Regulation (EU) 2022/2554 covering ideally the following audits or tests by external independent parties:
(i) organisational cybersecurity, physical security and secure software development lifecycle arrangements;
(ii) vulnerability assessments and network security assessments;
(iii) configuration reviews of ICT assets supporting critical and important functions as defined in Article 3, point (22) of Regulation (EU) 2022/2554;
(iv) penetration tests on the ICT assets supporting critical and important functions as defined in Article 3, point (17) of Regulation (EU) 2022/2554, in accordance with all the following audit test approaches:
(1) black box: the auditor has no information other than the IP addresses and URLs associated with the audited target. This phase is generally preceded by the discovery of information and the identification of the target by querying domain name system (DNS) services, scanning open ports, discovering the presence of filtering equipment;
(2) grey box phase: auditors have the knowledge of a standard user of the information system (legitimate authentication, ‘standard’ workstation). The identifiers can belong to different user profiles in order to test different privilege levels;
(3) white box phase: auditors have as much technical information as possible (architecture, source code, telephone contacts, identifiers, etc.) before starting the analysis and also access to technical contacts related to the target;
(v) where the notifying entity uses and/or develops smart-contracts, a cybersecurity source code review of them;
(c) a description of conducted audits of the ICT systems, if any, including used DLT infrastructure and security arrangements;
(d) a description of the relevant information referred to in points (a) and (b) in non-technical language.
Article 5
Segregation and safekeeping of clients’ crypto-assets and funds
1. For the purposes of Article 60(7), point (d), of Regulation (EU) 2023/1114, the notifying entity that intends to hold crypto-assets belonging to clients or the means of access to such crypto-assets, or clients’ funds other than e-money tokens, shall provide to the competent authority a detailed description of its procedures for the segregation of clients’ crypto-assets and funds, including the following:
(a) how the notifying entity ensures the following:
(i) clients’ funds are not used for its own account;
(ii) crypto-assets belonging to the clients are not used for its own account;
(iii) the wallets holding clients’ crypto-assets are different from the notifying entity’s own wallets;
(b) a detailed description of the approval system for cryptographic keys and safeguarding of cryptographic keys including multi-signature wallets;
(c) how the notifying entity segregates clients’ crypto-assets, including from other clients’ crypto-assets where wallets containing crypto-assets of more than one client, are kept in omnibus accounts;
(d) a description of the procedure ensuring that clients’ funds other than e-money tokens are deposited with a central bank or a credit institution by the end of the business day following the day on which they were received and are held in an account separately identifiable from any accounts used to hold funds belonging to the notifying entity;
(e) where the notifying entity does not intend to deposit funds with the relevant central bank, which factors the notifying entity takes into account to select the credit institutions with which to deposit clients’ funds, including the notifying entity’s diversification policy, where available, and the frequency of review of the selection of credit institutions with which to deposit clients’ funds;
(f) how the notifying entity ensures that clients are informed in clear, concise and non-technical language about the key aspects of the notifying entity’s systems, policies and procedures to comply with Article 70(1), (2) and (3) of Regulation (EU) 2023/1114.
2. In accordance with Article 70(5) of Regulation (EU) 2023/1114, crypto-asset service providers that are electronic money institutions or credit institutions shall only provide the information set out in paragraph 1 of this Article.
Article 6
Custody and administration policy
For the purposes of Article 60(7), point (e), of Regulation (EU) 2023/1114, the notifying entity shall provide to the competent authority the following information:
(a) a description of the arrangements linked to the type of custody offered to clients, a copy of the notifying entity’s standard agreement for the custody and administration of crypto-assets on behalf of clients pursuant to Article 75(1) of Regulation (EU) 2023/1114 and a copy of the summary of the custody policy made available to clients in accordance with Article 75(3) third subparagraph of that Regulation;
(b) the notifying entity’s custody and administration policy, including a description of identified sources of operational and ICT risks for the safekeeping and control of the crypto-assets or the means of access to the crypto-assets of clients, together with the following:
(i) the policies and procedures, and a description of the arrangements to comply with Article 75(8) of Regulation (EU) 2023/1114;
(ii) the policies and procedures, and a description of the systems and controls, to manage the operational and ICT risks, including where the custody and administration of crypto-assets on behalf of clients is outsourced to a third party;
(iii) the policies and procedures relating to, and a description of, the systems to ensure the exercise of the rights attached to the crypto-assets by the clients;
(iv) the policies and procedures relatig to, and a description of, the systems ensuring the return of crypto-assets or the means of access to the clients;
(c) information on how the crypto-assets and the means of access to the crypto-assets of the clients are identified;
(d) information on arrangements to minimise the risk of loss of crypto-assets or means of access to crypto-assets;
(e) where the crypto-asset service provider has delegated the provision of custody and administration of crypto-assets on behalf of clients to a third-party:
(i) information on the identity of any third-party providing the service of custody and administration of crypto-assets and its status in accordance with Article 59 or Article 60 of Regulation (EU) 2023/1114;
(ii) a description of any functions relating to the custody and administration of crypto-assets delegated by the crypto-asset service provider, the list of any delegates and sub-delegates, as applicable, and any conflict of interest that could arise from such a delegation;
(iii) a description of how the notifying entity intends to supervise the delegations or sub-delegations.
Article 7
Operating rules of the trading platform and market abuse detection
1. For the purposes of Article 60(7), point (f), of Regulation (EU) 2023/1114, the notifying entity that intends to operate a trading platform for crypto-assets shall provide to the competent authority the following information:
(a) the rules on the admission of crypto-assets to trading;
(b) the approval process for admitting crypto-assets to trading, including the customer due diligence carried out in accordance with Directive (EU) 2015/849;
(c) the list of any categories of crypto-assets that will not be admitted to trading and the reasons for such exclusion;
(d) the policies, procedures and fees for the admission to trading, together with a description, where relevant, of membership, rebates and the related conditions;
(e) the rules governing order execution, including any cancellation procedures for executed orders and for disclosing such information to market participants;
(f) the methods put in place to assess the suitability of crypto-assets in accordance with Article 76(2) of Regulation (EU) 2023/1114;
(g) the systems, procedures and arrangements put in place to comply with Article 76(7) of Regulation (EU) 2023/1114;
(h) the manner of making public any bid and ask prices, the depth of trading interests at those prices that are advertised for crypto-assets through their trading platform and price, volume and time of transactions executed in respect of crypto-assets traded on their trading platform, in accordance with Article 76(9) and (10) of Regulation (EU) 2023/1114;
(i) the fee structures and a justification on how those structures comply with Article 76(13) of Regulation (EU) 2023/1114;
(j) the systems, procedures and arrangements put in place to keep data relating to all orders at the disposal of the competent authority or the mechanism to ensure that the competent authority has access to the order book and any other trading system;
(k) with regards to the settlement of transactions:
(i) whether the final settlement of transactions is initiated on the distributed ledger or outside the distributed ledger;
(ii) the timeframe within which the final settlement of crypto-asset transactions is initiated;
(iii) the way to verify the availability of funds and crypto-assets;
(iv) the way to confirm the relevant details of transactions;
(v) the measures foreseen to limit settlement fails;
(vi) the moment at which settlement is final and the moment at which final settlement is initiated following the execution of the transaction;
(l) the procedures and systems put in place to detect and prevent market abuse, including information on the communications to the competent authority of possible market abuse cases.
2. Notifying entities intending to operate a trading platform for crypto-assets shall provide to the competent authority a copy of the operating rules of the trading platform and of any procedures to detect and prevent market abuse.
Article 8
Exchange of crypto-assets for funds or other crypto-assets
For the purposes of Article 60(7), point (g), of Regulation (EU) 2023/1114, the notifying entity that intends to exchange crypto-assets for funds or other crypto-assets shall provide to the competent authority the following information:
(a) a description of the commercial policy established in accordance with Article 77(1) of Regulation (EU) 2023/1114;
(b) the method for determining the price of the crypto-assets that the notifying entity proposes to exchange for funds or other crypto-assets in accordance with Article 77(2) of Regulation (EU) 2023/1114, including how the volume and market volatility of crypto-assets impact the pricing mechanism.
Article 9
Execution policy
For the purposes of Article 60(7), point (h), of Regulation (EU) 2023/1114, the notifying entity that intends to execute orders for crypto-assets on behalf of clients shall provide to the competent authority its execution policy, including the following information:
(a) the arrangements ensuring that the client has provided consent on the execution policy prior to the execution of the order;
(b) a list of the trading platforms for crypto-assets on which the notifying entity will rely for the execution of orders and the criteria for the assessment of execution venues included in the execution policy in accordance with Article 78(6) of Regulation (EU) 2023/1114;
(c) which trading platforms the notifying entity intends to use for each type of crypto-assets and confirmation that the notifying entity will not receive any form of remuneration, discount or non-monetary benefit in return for routing orders received to a particular trading platform for crypto-assets;
(d) how the execution takes into accout price, costs, speed, likelihood of execution and settlement, size, nature, conditions of custody of the crypto-assets or any other relevant factors that are considered as part of all necessary steps to obtain the best possible result for the client;
(e) where applicable, the arrangements for informing clients that the notifying entity will execute orders outside a trading platform and how the notifying entity will obtain the prior express consent of its client before executing such orders;
(f) how the client is being warned that any specific instructions from a client may prevent the notifying entity from taking the necessary steps, in line with the arrangements that the notifying entity has established and implemented in its execution policy, to obtain the best possible result for the execution of those orders in respect of the elements covered by those instructions;
(g) the selection process for trading venues, execution strategies employed, the arrangements used to analyse the quality of execution obtained and how the notifying entity monitors and verifies that the best possible results were obtained for clients;
(h) the arrangements to prevent the misuse of any information relating to clients’ orders by the employees of the notifying entity;
(i) the arrangements and procedures for how the notifying entity will disclose to clients information on its order execution policy and notify them of any material changes to their order execution policy;
(j) the arrangements to demonstrate compliance with Article 78 of Regulation (EU) 2023/1114 to the competent authority, upon the request of that competent authority.
Article 10
Provision of advice on crypto-assets or portfolio management of crypto-assets
For the purposes of Article 60(7), point (i), of Regulation (EU) 2023/1114, the notifying entity that intends to provide advice on crypto-assets or portfolio management of crypto-assets shall provide to the competent authority the following information:
(a) a detailed description of the arrangements put in place by the notifying entity to ensure compliance with Article 81(7) of Regulation (EU) 2023/1114, including the following:
(i) the mechanisms to control, assess and maintain effectively the knowledge and expertise of the natural persons providing advice on crypto-assets or managing portfolios of crypto-assets;
(ii) the arrangements ensuring that natural persons involved in the provision of advice or portfolio management are aware of, understand and apply the notifying entity’s internal policies and procedures established to comply with Regulation (EU) 2023/1114, in particular with Article 81(1) of that Regulation and with Directive (EU) 2015/849;
(iii) the amount of human and financial resources planned to be devoted on a yearly basis by the notifying entity to the professional development and training of the staff providing advice on crypto-assets or managing portfolios of crypto-assets;
(b) the mechanisms to control, assess and maintain that the natural persons giving advice on behalf of the notifying entity have the necessary knowledge and expertise, according to the critera for such assessment used in national legislation, to assess the suitability as referred to in Article 81(1) of Regulation (EU) 2023/1114.
Article 11
Transfer services
For the purposes of Article 60(7), point (k), of Regulation (EU) 2023/1114, the notifying entity that intends to provide transfer services for crypto-assets on behalf of clients shall provide to the competent authority the following information:
(a) details on the types of crypto-assets for which the notifying entity intends to provide transfer services;
(b) a detailed description of the arrangements put in place by the notifying entity to comply with Article 82 of Regulation (EU) 2023/1114, including detailed information on the notifying entity’s arrangements and deployed ICT and human resources to address risks promptly, efficiently and thoroughly during the provision of transfer services for crypto-assets on behalf of clients, taking into account potential operational failures and cybersecurity risks;
(c) where available, a description of the notifying entity’s insurance policy, including on the insurance’s coverage of detriment to client’s crypto-assets that may result from cyber security risks;
(d) arrangements to ensure that clients are adequately informed about the arrangements referred to in point (b).
Article 12
Entry into force
This Regulation shall enter into force on the twentieth day following that of its publication in the
Official Journal of the European Union
.
This Regulation shall be binding in its entirety and directly applicable in all Member States.
Done at Brussels, 31 October 2024.
For the Commission
The President
Ursula VON DER LEYEN
(1)
OJ L 150, 9.6.2023, p. 40
, ELI:
http://data.europa.eu/eli/reg/2023/1114/oj
.
(2) Directive (EU) 2015/849 of the European Parliament and of the Council of 20 May 2015 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, amending Regulation (EU) No 648/2012 of the European Parliament and of the Council, and repealing Directive 2005/60/EC of the European Parliament and of the Council and Commission Directive 2006/70/EC (
OJ L 141, 5.6.2015, p. 73
, ELI:
http://data.europa.eu/eli/dir/2015/849/oj
).
(3) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (
OJ L 119, 4.5.2016, p. 1
, ELI:
http://data.europa.eu/eli/reg/2016/679/oj
).
(4) Regulation (EU) No 1095/2010 of the European Parliament and of the Council of 24 November 2010 establishing a European Supervisory Authority (European Securities and Markets Authority), amending Decision No 716/2009/EC and repealing Commission Decision 2009/77/EC (
OJ L 331, 15.12.2010, p. 84
, ELI:
http://data.europa.eu/eli/reg/2010/1095/oj
).
(5) Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (
OJ L 295, 21.11.2018, p. 39
, ELI
http://data.europa.eu/eli/reg/2018/1725/oj
).
(6) Directive 2013/34/EU of the European Parliament and of the Council of 26 June 2013 on the annual financial statements, consolidated financial statements and related reports of certain types of undertakings, amending Directive 2006/43/EC of the European Parliament and of the Council and repealing Council Directives 78/660/EEC and 83/349/EEC (
OJ L 182, 29.6.2013, p. 19
, ELI:
http://data.europa.eu/eli/dir/2013/34/oj
).
(7) Regulation (EU) 2023/1113 of the European Parliament and of the Council of 31 May 2023 on information accompanying transfers of funds and certain crypto-assets and amending Directive (EU) 2015/849 (
OJ L 150, 9.6.2023, p. 1
, ELI:
http://data.europa.eu/eli/reg/2023/1113/oj
).
(8) Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (
OJ L 333, 27.12.2022, p. 1
, ELI:
http://data.europa.eu/eli/reg/2022/2554/oj
).
ELI: http://data.europa.eu/eli/reg_del/2025/303/oj
ISSN 1977-0677 (electronic edition)