Commission Delegated Regulation (EU) 2025/303 of 31 October 2024 supplementing Regulation (EU) 2023/1114 of the European Parliament and of the Council with regard to regulatory technical standards specifying the information to be included by certain financial entities in the notification of their intention to provide crypto-asset services
THE EUROPEAN COMMISSION,
Having regard to the Treaty on the Functioning of the European Union,
Having regard to Regulation (EU) 2023/1114 of the European Parliament and of the Council of 31 May 2023 on markets in crypto-assets, and amending Regulations (EU) No 1093/2010 and (EU) No 1095/2010 and Directives 2013/36/EU and (EU) 2019/1937 (1), and in particular Article 60(13), third subparagraph, thereof,
Whereas:
(1) To enable competent authorities to assess whether certain financial entities that intend to provide crypto-asset services meet the applicable requirements laid down in Title V and, where relevant, Title VI of Regulation (EU) 2023/1114, the information to be notified by certain financial entities of their intention to provide crypto-asset services should be sufficiently detailed and comprehensive without imposing undue burden.
(2) In accordance with Article 60(7), point (a) of Regulation (EU) 2023/1114, a notification of the intention to provide crypto-asset services is to contain a programme of operations. In order to provide a full picture of the operations the notifying entity intends to undertake, the programme of operations should comprise a description of the notifying entity’s organisational structure, their strategy in providing crypto-asset services to their targeted clients, and their operational capacity for the 3 years following the date of notification. Regarding the strategy used to target clients, the notifying entity should describe the marketing means that it intends to use, such as websites, mobile phone applications, face-to-face meetings, press releases, or any form of physical or electronic means, including social media campaign tools, internet advertisements or banners, retargeting of advertising, agreements with influencers, sponsorships agreements, calls, webinars, invitations to events, affiliation campaigns, gamification techniques, invitations to fill in a response form or to follow a training course, demo accounts or educational materials.
(3) To enable competent authorities to assess the notifying entity’s resilience to withstand external financial shocks, including those concerning the value of crypto-assets, the notifying entity should include in their notification stress scenarios simulating severe but plausible events in their forecast accounting plan.
(4) To avoid outages of operations as they can have major financial, regulatory and reputational consequences for the notifying entity and more generally, crypto-asset markets in general, it is critical to maintain operations or at least essential functions of crypto-asset service providers and to minimise downtime due to unexpected disruptions, including cyberattacks and natural disasters. A notification should therefore contain detailed information on the notifying entity’s arrangements to ensure continuity and regularity in the provision of crypto-asset services, including a detailed description of its risks and business continuity plans.
(5) Effective mechanisms, systems and procedures that comply with Directive (EU) 2015/849 of the European Parliament and of the Council (2) are needed to ensure that notifying entities appropriately address risks and practices of money laundering and terrorist financing in the provision of crypto-asset services. Notifying entities should therefore provide in their notification detailed information on their mechanisms, systems and procedures put in place to prevent risks associated with their business activities in relation to, inter alia, anti-money laundering and counter-terrorist financing.
(6) Due to the decentralised and digital nature of crypto-assets, cybersecurity risks for crypto-asset service providers are significant and take many forms. To ensure that the notifying entity is able to prevent data breaches and financial losses that could be caused by cyberattacks, the information on the notifying entity’s deployed ICT systems and related security arrangements such as identity and geographical location of the providers, description of the outsourced activities or ICT services with their main characteristics, copy of contractual agreements, as referred to in Article 60(7), point (c), of Regulation (EU) 2023/1114, should include the human resources dedicated to addressing cybersecurity risks.
(7) The segregation of clients’ crypto-assets and funds protects clients from losses of the crypto-asset service provider and from misuse of their crypto-assets and funds. Article 70 of Regulation (EU) 2023/1114 therefore requires crypto-asset service providers to make adequate arrangements to safeguard the ownership rights of clients. That requirement also applies to crypto-asset service providers that do not provide custody and administration services.
(8) To enable competent authorities to assess the adequacy of the notifying entity’s operating rules for their trading platforms for crypto-assets, the notifying entity should detail specific elements in the description of those rules. In particular, the notifying entity should elaborate on aspects of the operating rules relating to the admission to trading, the trading and the settlement of crypto-assets. As regards the admission to trading of crypto-assets, notifying entities should provide detailed information on the way in which the admitted crypto-assets comply with the notifying entity’s rules, on the types of crypto-assets that the notifying entity will not admit to trading on its trading platform and the reasons for such exclusions, and on the fees for the admission to trading. As regards the trading of crypto-assets, the notifying entity should specify the elements of the operating rules governing the execution and cancelation of orders, orderly trading, transparency and record-keeping. Finally, the notifying entity should include in the description of the operating rules the elements governing the settlement of transactions in crypto-assets on the trading platform, including whether the settlement is initiated by using distributed ledger technology (DLT), the timeframe in which the execution is initiated, the definition of the moment when the settlement is final, all verifications required to ensure the effective settlement of the transaction and any measure to limit settlement failures.
(9) To allow for competent authorities to assess the adequacy of the notifying entity in providing certain crypto-asset services such as exchange of crypto-assets for funds or other crypto-assets, execution, the provision of advice on crypto-assets or portfolio management of crypto-assets and transfer services, the notifying entity should specify the details of how these crypto-asset services will be provided as well as the arrangements put in place to ensure that the notifying entity complies with the relevant provisions of Regulation (EU) 2023/1114 with regards to the provision of those crypto-asset services.
(10) Any processing of personal data under this Regulation shall comply with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council (3).
(11) This Regulation is based on the draft regulatory technical standards submitted to the Commission by the European Securities and Markets Authority (ESMA) and developed in close cooperation with the European Banking Authority.
(12) ESMA has conducted open public consultations on the draft regulatory technical standards on which this Regulation is based, analysed the potential related costs and benefits and requested the advice of the Securities and Markets Stakeholder Group established in accordance with Article 37 of Regulation (EU) No 1095/2010 of the European Parliament and of the Council (4).
(13) The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 of the European Parliament and of the Council (5) and delivered formal comments on 21 June 2024,
HAS ADOPTED THIS REGULATION:
Article 1
Programme of operations
For the purposes of Article 60(7), point (a), of Regulation (EU) 2023/1114, the notifying entity shall provide to the competent authority the programme of operations for the 3 years following the date of notification, including the following information:
(a) where the notifying entity belongs to a group as defined in Article 2, point (11), of Directive 2013/34/EU of the European Parliament and of the Council (6), an explanation of how the activities of the notifying entity fit within that group strategy and interact with the activities of the other entities of that group, including an overview of the current and planned organisation and structure of that group;
(b) an explanation of how the activities of the entities affiliated with the notifying entity, including where there are regulated entities in the group, is expected to impact the activities of the notifying entity, including a list of and information on the entities affiliated with the notifying entity, and where there are regulated entities, the services provided by these entities and the domain names of each website operated by such entities;
(c) a list of crypto-asset services that the notifying entity intends to provide and the types of crypto-assets to which the crypto-asset services will relate;
(d) other planned activities, regulated in accordance with Union or national law or unregulated, including any other services than crypto-asset services, that the notifying entity intends to provide;
(e) whether the notifying entity intends to offer crypto-assets to the public or seeks admission to trading of crypto-assets and if so, what type of crypto-assets;
(f) a list of jurisdictions, both in the Union and in third countries, in which the notifying entity plans to provide crypto-asset services, including information on the targeted number of clients by geographical area;
(g) types of prospective clients targeted by the notifying entity’s crypto-asset services;
(j) a detailed description of the human, financial and ICT resources allocated to the intended crypto-asset services, and their geographical location;
(k) the notifying entity’s outsourcing policy and how it was adapted to crypto-asset services as well as a detailed description of the notifying entity’s planned outsourcing arrangements, including intra-group arrangements, and the way that the notifying entity will comply with Article 73 of Regulation (EU) 2023/1114, including information on the function or person responsible for outsourcing, the human and ICT resources allocated to the control of the outsourced functions, services or activities of the related arrangements and on the risk assessment related to the outsourcing;
(l) the list of entities that will provide outsourced services for the provision of crypto-asset services, their geographical location and the relevant services outsourced;
(m) a forecast accounting plan including stress scenarios at an individual and, where applicable, at a consolidated group and sub-consolidated level in accordance with Directive 2013/34/EU, taking into consideration any intra-group loans granted or to be granted by and to the notifying entity;
(n) any exchange of crypto-assets for funds and other crypto-asset activities that the notifying entity intends to undertake, including through any decentralised finance applications with which the notifying entity intends to interact on its own account.
Where the notifying entity intends to provide the service of reception and transmission of orders for crypto-assets on behalf of clients, it shall provide to the competent authority a copy of the procedures and a description of the arrangements ensuring compliance with Article 80 of Regulation (EU) 2023/1114.
Where the notifying entity intends to provide the service of placing of crypto-assets, it shall provide to the competent authority a copy of procedures to identify, prevent, manage and disclose conflicts of interests and a description of the arrangements in place to comply with Article 79 of Regulation (EU) 2023/1114 and Commission Delegated Regulation establishing technical standards adopted pursuant to Article 72(5) of Regulation (EU) 2023/1114.
Article 2
Business continuity plan
For the purposes of Article 60(7), point (b) (iii), of Regulation (EU) 2023/1114, the notifying entity shall submit to the competent authority a detailed description of its business continuity plan, including the steps to be taken to ensure continuity and regularity in the provision of its crypto-asset services.
The description referred to in paragraph 1 shall include the following:
(a) details showing that the established business continuity plan is appropriate and that arrangements are set up to maintain and periodically test that plan;
(b) with regard to critical or important functions supported by third-party service providers, details on how business continuity is ensured in the event that the quality of the provision of such functions deteriorates to an unacceptable level or fails;
(c) information on how business continuity is ensured in the event of the death of a key person and, where relevant, political risks in the service provider’s jurisdictions.
Article 3
Detection and prevention of money laundering and terrorist financing
For the purposes of Article 60(7), point (b)(i) and (ii), of Regulation (EU) 2023/1114, the notifying entity shall provide the competent authority with information on its internal control mechanisms, policies and procedures to ensure compliance with the provisions of national law transposing Directive (EU) 2015/849 and on the risk assessment framework to manage risks relating to money laundering and terrorist financing, including the following:
(b) the measures that the notifying entity has or will put in place to prevent the identified risks and comply with applicable anti-money laundering and counter-terrorist financing requirements, including the notifying entity’s risk assessment process, the policies and procedures to comply with customer due diligence requirements, and the policies and procedures to detect and report suspicious transactions or activities;
(c) detailed information on how internal control mechanisms, policies and procedures are adequate and proportionate to the scale, nature, inherent risk of money laundering and terrorist financing, including the range of crypto-asset services provided, the complexity of the business model and how the notifying entity ensures its compliance with Directive (EU) 2015/849 and Regulation (EU) 2023/1113 of the European Parliament and of the Council (7);
(d) the identity of the person in charge of ensuring the notifying entity’s compliance with anti-money laundering and counter-terrorist financing requirements, including evidence of that person’s skills and expertise;
(e) arrangements, human and financial resources devoted to ensure, based on annual indications, that staff of the notifying entity is appropriately trained in anti-money laundering and counter-terrorist financing matters and on specific crypto-asset related risks;
(f) a copy of the notifying entity’s anti-money laundering and counter-terrorism policies, procedures and systems;
(g) a summary document outlining changes that have been made to the notifying entity’s anti-money laundering and counter-terrorism procedures and systems as a consequence of the planned crypto-asset services;
(h) the frequency of the assessment of the adequacy and effectiveness of the internal control mechanisms, systems and procedures, including the identity of the person or function responsible for such assessment.
Article 4
ICT systems and related security arrangements
For the purposes of Article 60(7), point (c), of Regulation (EU) 2023/1114, the notifying entity shall provide the competent authority the following information:
(c) a description of conducted audits of the ICT systems, if any, including used DLT infrastructure and security arrangements;
(d) a description of the relevant information referred to in points (a) and (b) in non-technical language.
Article 5
Segregation and safekeeping of clients’ crypto-assets and funds
For the purposes of Article 60(7), point (d), of Regulation (EU) 2023/1114, the notifying entity that intends to hold crypto-assets belonging to clients or the means of access to such crypto-assets, or clients’ funds other than e-money tokens, shall provide to the competent authority a detailed description of its procedures for the segregation of clients’ crypto-assets and funds, including the following:
(b) a detailed description of the approval system for cryptographic keys and safeguarding of cryptographic keys including multi-signature wallets;
(c) how the notifying entity segregates clients’ crypto-assets, including from other clients’ crypto-assets where wallets containing crypto-assets of more than one client, are kept in omnibus accounts;
(d) a description of the procedure ensuring that clients’ funds other than e-money tokens are deposited with a central bank or a credit institution by the end of the business day following the day on which they were received and are held in an account separately identifiable from any accounts used to hold funds belonging to the notifying entity;
(e) where the notifying entity does not intend to deposit funds with the relevant central bank, which factors the notifying entity takes into account to select the credit institutions with which to deposit clients’ funds, including the notifying entity’s diversification policy, where available, and the frequency of review of the selection of credit institutions with which to deposit clients’ funds;
(f) how the notifying entity ensures that clients are informed in clear, concise and non-technical language about the key aspects of the notifying entity’s systems, policies and procedures to comply with Article 70(1), (2) and (3) of Regulation (EU) 2023/1114.
In accordance with Article 70(5) of Regulation (EU) 2023/1114, crypto-asset service providers that are electronic money institutions or credit institutions shall only provide the information set out in paragraph 1 of this Article.
Article 6
Custody and administration policy
For the purposes of Article 60(7), point (e), of Regulation (EU) 2023/1114, the notifying entity shall provide to the competent authority the following information: