Commission Delegated Regulation (EU) 2025/305 of 31 October 2024 supplementing Regulation (EU) 2023/1114 of the European Parliament and of the Council with regard to regulatory technical standards specifying the information to be included in an application for authorisation as a crypto-asset service provider

THE EUROPEAN COMMISSION,

Having regard to the Treaty on the Functioning of the European Union,

Having regard to Regulation (EU) 2023/1114 of the European Parliament and of the Council of 31 May 2023 on markets in crypto-assets, and amending Regulations (EU) No 1093/2010 and (EU) No 1095/2010 and Directives 2013/36/EU and (EU) 2019/1937 (1), and in particular Article 62(5), third subparagraph, thereof,

Whereas:

(1) To enable competent authorities to assess whether legal persons or other undertakings seeking authorisation as a crypto-asset service provider in accordance with Article 62 of Regulation (EU) 2023/1114 (‘applicants’) meet the applicable requirements laid down in Title V and, where relevant, Title VI of that Regulation, the information to be provided in an application for authorisation as crypto-asset service provider submitted in accordance with Article 62(1) of that Regulation (‘application for authorisation’) should be sufficiently detailed and comprehensive without imposing undue burden.

(2) The application for authorisation should contain data about the identity of the applicant, the governance arrangements and internal control mechanisms, the suitability of the members of the management body and the sufficiently good repute of the shareholders or members with qualifying holdings. In compliance with the principle of data minimisation as expressed in Article 5(1), point (c) of Regulation (EU) 2016/679 of the European Parliament and of the Council (2), such information should be sufficient to enable competent authorities to carry out a comprehensive assessment of applicants, and of their ability to comply with the relevant requirements of Regulation (EU) 2023/1114. Furthermore, that information should be sufficient to enable competent authorities to verify that there are no objective and demonstrable grounds for refusal of the authorisation as referred to in Article 63(10), points (a) to (d), of that Regulation.

(3) To ensure that the competent authorities’ assessment is based on accurate information, applicants should provide copies of their corporate documents, including their legal entity identifier, the articles of association, a copy of their registration in the national register of companies and, where applicants intend to operate a trading platform, the commercial name used.

(4) In accordance with Article 62(2), point (d), of Regulation (EU) 2023/1114 an application for authorisation is to contain a programme of operations. That programme should specify the applicants’ organisational structure, strategy in providing crypto-asset services to their targeted clients and their operational capacity for 3 years following authorisation. When specifying the strategy used to target clients, for transparency reasons the applicants should describe the marketing means that they intend to use, including websites, mobile phone applications, face-to-face meetings, press releases, or any form of physical or electronic means, including social media campaign tools, internet advertisements or banners, retargeting of advertising, agreements with influencers, sponsorships agreements, calls, webinars, any invitation to an event, affiliation campaign, gamification techniques, invitation to fill in a response form or to follow a training course, demo accounts or educational materials.

(5) To enable competent authorities to assess the applicants’ resilience to withstand external financial shocks, including those concerning the value of crypto-assets, applicants should include in their application for authorisation stress scenarios simulating severe but plausible events in its forecast calculations and plans to determine their own funds.

(6) Clients are exposed to potential risks related to the crypto-asset service providers. To enable competent authorities to assess whether applicants meet the prudential requirements set out in Article 67 of Regulation (EU) 2023/1114 to protect clients against such risks, an application for authorisation should contain information specifying the applicant’s prudential safeguards.

(7) To ensure that crypto-asset service providers comply with their obligations laid down in Regulation (EU) 2023/1114, applicants should demonstrate that they have adequate and robust governance arrangements and internal control mechanisms, including arrangements and mechanisms that are essential to the sound and prudent management of crypto-asset service providers.

(8) In the financial services system, time is essential. To avoid outages as they can have major financial, regulatory and reputational consequences for the crypto-asset service providers and crypto-asset markets in general, it is critical to maintain operations or at least essential functions of crypto-asset service providers and to minimise downtime due to unexpected disruptions, including cyberattacks and natural disasters. An application for authorisation should thus contain detailed information on the applicant’s arrangements to ensure continuity and regularity in the provision of crypto-asset services, including a detailed description of its risks and business continuity plans.

(9) Effective mechanisms, systems and procedures that comply with Directive (EU) 2015/849 of the European Parliament and of the Council (3) and Regulation (EU) 2023/1113 of the European Parliament and of the Council (4) are needed to ensure that applicants appropriately address risks and practices of money laundering and terrorist financing in the provision of crypto-asset services. Thus, applicants should provide in their application for authorisation detailed information on their mechanisms, systems and procedures put in place to prevent risks associated with their business activities in relation to, inter alia, anti-money laundering and counter-terrorist financing.

(10) In accordance with Article 62(2), point (g), of Regulation (EU) 2023/1114, an application for authorisation is to contain proof that the members of the management body are of sufficiently good repute and possess the appropriate knowledge, skills and experience to manage that crypto-asset service provider. In particular, applicants should provide competent authorities with all information about past criminal convictions and with information on pending criminal investigations, civil and administrative cases, penalties, enforcement actions and other adjudicatory proceedings of the members of the management body relating to commercial law, insolvency law, anti-money laundering, counter-terrorist financing, fraud, professional liability. To provide competent authorities with adequate information on the good repute of the members of the management body, applicants should provide the information for those cases directly concerning the member or concerning an organisation of which the member held a position as member of the management body, shareholder or member with qualifying holdings or a key function holder. To ensure that competent authorities receive sufficient information on refusals or withdrawals of, inter alia, registrations, authorisations or memberships related to the applicants’ provision of crypto-asset services, applicants should provide such information about any member of the management body. Furthermore, applicants should provide, for each member of the management body, relevant information to enable competent authorities to assess their professional knowledge, skills and experience in the scope of the position sought and a description of all financial and non-financial interests of the members of the management body that could create potential material conflicts of interest significantly affecting the members’ trustworthiness in the performance of their mandate.

(11) In respect of the requirement of good repute of shareholders and members directly or indirectly holding qualifying holdings in applicant, the application for authorisation should contain all information about their past convictions and pending criminal investigations, civil and administrative cases and other adjudicatory proceedings, and relevant information relating to the certainty and legitimate origin of the funds used to set-up applicants and finance their business so to enable the assessment of any attempt or suspicion of money laundering or terrorist financing.

(12) Due to the decentralised and digital nature of crypto-assets, cybersecurity risks for crypto-asset service providers are significant and take many forms. To ensure that applicants are able to prevent data breaches and financial losses that may be caused by cyberattacks, the information on the applicants’ deployed ICT systems and related security arrangements, as referred to in Article 62(2), point (j), of Regulation (EU) 2023/1114, should include the human resources dedicated to addressing cybersecurity risks.

(13) The segregation of clients’ crypto-assets and funds protects clients from losses of the crypto-asset service provider and from misuse of their crypto-assets and funds. Article 70 of Regulation (EU) 2023/1114 therefore requires crypto-asset service providers to make adequate arrangements to safeguard the ownership rights of clients. That requirement also applies to crypto-asset service providers that do not provide custody and administration services. It is therefore important that the application for authorisation includes information on the segregation of clients’ crypto-assets.

(14) To enable competent authorities to assess the adequacy of applicants’ operating rules of trading platforms for crypto-assets, applicant should detail specific elements in the description of those rules. In particular, applicants should elaborate on aspects of the operating rules relating to the admission to trading, the trading and the settlement of crypto-assets. As regards the admission to trading of crypto-assets, applicants should provide detailed information on rules governing the admission of crypto-assets to trading, the way in which the admitted crypto-assets comply with the applicants’ rules, the types of crypto-assets that applicants will not admit to their trading platform and the reasons for such exclusions, and fees for the admission to trading. As regards the trading of crypto-assets, applicants should specify the elements of the operating rules governing the execution and cancelation of orders orderly trading, transparency and record-keeping. Finally, applicants should include in the description of the operating rules the elements governing the settlement of transactions of crypto-assets concluded on the trading platform, including whether the settlement is initiated in the Distributed Ledger Technology (DLT), the timeframe in which the execution is initiated, the definition of the moment when the settlement is final, all verifications required to ensure the effective settlement of the transaction, and any measure to limit settlement failures.

(15) This Regulation is based on the draft regulatory technical standards submitted to the Commission by the European Securities and Markets Authority and developed in close cooperation with the European Banking Authority.

(16) The European Securities and Markets Authority has conducted open public consultations on the draft regulatory technical standards on which this Regulation is based, analysed the potential related costs and benefits and requested the advice of the Securities and Markets Stakeholder Group established in accordance with Article 37 of Regulation (EU) No 1095/2010 of the European Parliament and of the Council (5).

(17) The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 of the European Parliament and of the Council (6) and delivered formal comments on 21 June 2024,

HAS ADOPTED THIS REGULATION:

Article 1

General information

Legal persons or other undertakings seeking authorisation as a crypto-asset service provider in accordance with Article 62 of Regulation (EU) 2023/1114 (‘applicants’) shall include in their application for authorisation all the following information:

(a) the legal name, telephone number and email address of the applicant;

(b) any commercial or trading name used or to be used by the applicant;

(c) the legal entity identifier (LEI) of the applicant;

(d) the full name, function, email address and telephone number of the designated contact point or person;

(e) the legal form of the applicant as referred to in Article 62(2), point (b) of Regulation (EU) 2023/1114, including information on whether the applicant is a legal person or other undertaking, and, where available, national identification number of the applicant, and evidence of its registration with the national register of companies;

(f) date and Member State of the applicant’s incorporation or foundation;

(g) where applicable, the instruments of constitution, the articles of association as referred to in Article 62(2), point (c), of Regulation (EU) 2023/1114 and by-laws;

(h) the address of the head office and, where different, of the registered office of the applicant;

(i) information on where the branches will operate, if any, and their legal entity identifiers (LEI), where available;

(j) the domain name of each website operated by the applicant and the social media accounts of that applicant;

Article 2

Programme of operations

(a) where the applicant belongs to a group as defined in Article 2, point 11, of Directive 2013/34/EU of the European Parliament and of the Council (7), an explanation of how the activities of the applicant fit within the group strategy and interact with the activities of the other entities of that group, including an overview of the current and planned organisation and structure of that group;

(b) an explanation of how the activities of the entities affiliated with the applicant, including where there are regulated entities in the group, is expected to impact the activities of the applicant;

(c) a list of crypto-asset services that the applicant intends to provide and the types of crypto-assets to which the crypto-asset services relate;

(d) other planned activities, regulated in accordance with Union or national law or unregulated, including any services, other than crypto-asset services, that the applicant intends to provide;

(e) whether the applicant intends to offer crypto-assets to the public or seeks admission to trading of crypto-assets and if so, what type of crypto-assets;

(f) a list of jurisdictions, both in the Union and in third countries, in which the applicant plans to provide crypto-asset services, including information on the targeted number of clients by geographical area;

(g) types of prospective clients targeted by the applicant’s crypto-asset services;

(j) a detailed description of the human, financial and ICT resources allocated to the intended crypto-asset services, and their geographical location;

(k) the applicant’s outsourcing policy and a detailed description of the applicant’s planned outsourcing arrangements, including intra-group arrangements, and the way that the applicant will comply with Article 73 of Regulation (EU) 2023/1114;

(l) the list of entities that will provide outsourced services, their geographical location and the relevant services outsourced;

(m) a forecast accounting plan including stress scenarios at an individual and, where applicable, consolidated group and sub-consolidated level in accordance with Directive 2013/34/EU;

(n) any exchange of crypto-assets for funds and other crypto-asset activities that the applicant intends to undertake, including through any decentralised finance applications with which the applicant intends to interact on its own account.

For the purposes of point (b), the explanation shall include a list of and information on the entities affiliated with the applicant, including where there are regulated entities, the services provided by those entities, including regulated services, activities and types of clients, and the domain names of each website operated by such entities.

For the purposes of point (k), the applicant shall include information on the functions or person responsible for outsourcing, human and ICT resources allocated to the control of the outsourced functions, services or activities of the related arrangements and on the risk assessment related to the outsourcing.

For the purposes of point (m), the financial forecast shall consider any intra-group loans granted or to be granted by and to the applicant.

Article 3

Prudential requirements

For the purposes of Article 62(2), point (e), of Regulation (EU) 2023/1114, applicants shall provide to the competent authority all the following information:

(c) for undertakings or other legal persons that are already active, where available, the financial statements of the last 3 years approved, where audited, by external auditor;

(d) a description of the applicant’s prudential safeguards planning and monitoring procedures in accordance with Article 67(1) of Regulation (EU) 2023/1114;

Article 4

Information about governance arrangements and internal control mechanisms and conflict of interests

(a) a detailed description of the organisational structure of the applicant, where relevant encompassing the group, including the indication of the distribution of the tasks and powers and the relevant reporting lines and the internal control arrangements implemented, together with an organisational chart;