Commission Delegated Regulation (EU) 2025/1125 of 5 June 2025 supplementing Regulation (EU) 2023/1114 of the European Parliament and of the Council with regard to regulatory technical standards specifying the information in an application for authorisation to offer asset-referenced tokens to the public or to seek their admission to trading

THE EUROPEAN COMMISSION,

Having regard to the Treaty on the Functioning of the European Union,

Having regard to Regulation (EU) 2023/1114 of the European Parliament and of the Council of 31 May 2023 on markets in crypto-assets, and amending Regulations (EU) No 1093/2010 and (EU) No 1095/2010 and Directives 2013/36/EU and (EU) 2019/1937 (1), and in particular Article 18(6), third subparagraph thereof,

Whereas:

(1) To enable competent authorities to assess whether legal persons or other undertakings that intend to offer to the public or seek the admission to trading of asset-referenced tokens (‘applicant issuers’) meet the requirements laid down in Title III of Regulation (EU) 2023/1114 and do not fall in any of the grounds justifying the refusal of authorisation, the information to be provided in an application for authorisation to offer to the public or to seek admission to trading of an asset-referenced token submitted in accordance with Article 18(1) of that Regulation should be sufficiently detailed and comprehensive.

(2) The applicant issuer should submit information that is true, accurate, complete and up-to-date. For that purpose, the applicant issuer should inform the competent authorities of any changes or updates, occurring after the submission of the application, and before the public offer or admission to trading of the asset-referenced token, that relate to the information provided in the application, and that could be relevant for the assessment of the application. Competent authorities should also be able to enquire whether any changes or updates have occurred before the public offer or admission to trading of the asset-referenced token.

(3) The application for authorisation should contain information on the applicant issuer, including the identity thereof and information on the suitability of the members of the management body and the sufficiently good repute of the shareholders or members, whether direct or indirect, with qualifying holdings.

(4) The information contained in the application for authorisation would include personal data. In compliance with the principle of data minimisation, enshrined in Article 5(1), point (c), of Regulation (EU) 2016/679 of the European Parliament and of the Council (2), only the personal data necessary to enable the competent authority to carry out a comprehensive assessment of the applicant issuer, the assessment of the members of its management body, its ability to comply with the prudential requirements of Regulation (EU) 2023/1114, and that the applicant issuer does not fall into any ground of refusal of the authorisation set out in Article 21(2), points (a) to (e), of Regulation (EU) 2023/1114 should be requested.

(5) To provide competent authorities with a comprehensive overview of the applicant issuers’ current and planned operations and related organisation, the applicant issuers should include in their application for authorisation a programme of operations.

(6) Issuers of an asset-referenced token that are not crypto-asset service providers or other obliged entities are not subject to Directive (EU) 2015/849 of the European Parliament and of the Council (3) or to Regulation (EU) 2023/1113 of the European Parliament and of the Council (4). However, it is crucial that the applicant issuer’s business model is structured in a manner that does not expose the applicant issuer or the financial sector to risks of money laundering and terrorist financing, since that constitutes a ground of refusal of the authorisation. Accordingly, the applicant issuer should provide an overall risk assessment containing adequate information to enable the competent authority’s assessment of the applicant issuer’s business model’s exposure and sensitivity in relation to money laundering and terrorist financing risks. The overall risk assessment should include information on the mechanisms and arrangements related to the issuance, redemption and distribution of an asset-referenced token and the envisaged involvement of crypto-asset service providers in such mechanisms. Where the applicant issuer’s business model would involve arrangements with crypto-asset service providers, the application for authorisation should include a forward-looking description prepared by such crypto-asset service provider of their internal controls and continuous compliance with the relevant anti-money laundering and counter terrorism financing Union rules.

(7) Effective internal control frameworks, including risk management and information and information and communication technology (ICT) systems and risk management are crucial to the sound and prudent management of the activities of the applicant issuer and of the reserve assets to prevent, monitor and mitigate operational and other types of risks. Applicant issuers should therefore provide adequate documentation on their internal control framework and ICT risk management framework demonstrating that they comply with Regulation (EU) 2022/2554 of the European Parliament and of the Council (5).

(8) Reserves of assets are crucial to ensure the effectiveness of the stabilisation mechanism underpinning the asset-referenced token and the redemption rights of token holders at all times including in case of stress. Together with the application for authorisation, applicant issuers should therefore submit clear and detailed policies on the composition, constitution, segregation, custody and investment management of such reserves of assets.

(9) Applicant issuers should provide the competent authority with all necessary and sufficient information enabling the competent authority to carry out a comprehensive assessment of the members of the management body with a view to ensure that they meet the suitability requirements and do not fall in any of the grounds of refusal of the authorisation set out in Article 21(2), points (a) and (b), of Regulation (EU) 2023/1114. For that purpose, the application for authorisation should contain the information relevant to the assessment of reputation including sufficient information that allows to verify that the members of the management body have not been convicted of offences relating to money laundering or terrorist financing or of any other offences that would affect their good repute, to assess their professional experience, knowledge and skills in the areas relevant to financial services, crypto-assets, other digital assets, distributed ledger technology (DLT), digital innovation, information technology (IT), cybersecurity or management and information enable to assess the adequacy of their time commitment. To ensure coherence and coordination among different financial supervisors’ decisions that information should also include any prior assessments provided by competent authorities.

(10) In respect of shareholders and members directly or indirectly holding qualifying holdings in the applicant issuer, the application for authorisation should contain all information enabling the competent authority to carry out a comprehensive assessment of the sufficiently good repute of such shareholders or members and that they do not fall within the ground of refusal of the authorisation set out in Article 21(2), point (c), of Regulation (EU) 2023/1114. For that purpose, the application for authorisation should contain the information necessary and sufficient enabling competent authorities to verify that those shareholders or members have not been convicted of offences relating to money laundering or terrorist financing or of any other offences that would affect their good repute and to establish the certainty and legitimate origin of the funds or other assets used to set-up the applicant issuer and finance the business of that applicant issuer.

(11) This Regulation is based on the draft regulatory technical standards submitted to the Commission by the European Banking Authority, developed in close cooperation with the European Securities and Market Authority and with the European Central Bank.

(12) The European Banking Authority has conducted open public consultations on the draft regulatory technical standards on which this Regulation is based, analysed the potential related costs and benefits and requested the advice of the Banking Stakeholder Group established in accordance with Article 37 of Regulation (EU) No 1093/2010 of the European Parliament and of the Council (6).

(13) The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 of the European Parliament and of the Council (7) and delivered an opinion on 17 July 2024,

HAS ADOPTED THIS REGULATION:

Article 1

Information about the identity of the applicant issuer

For the purposes of Article 18(2), points (a), (b) and (c), of Regulation (EU) 2023/1114, an application for authorisation shall contain all of the following information about the identity of the applicant issuer:

(a) the applicant issuer’s current full legal name, trading name, logo, website addresses of all communication and marketing channels, including social media accounts and, where applicable, any intended changes to those names, accounts or addresses;

(b) the applicant issuer’s validated, issued and duly renewed ISO 17442 legal entity identifier released in accordance with the terms of any of the accredited Local Operating Units of the Global Legal Entity Identifier System;

(c) the applicant issuer’s legal form;

(d) the date and Member State of the applicant issuer’s incorporation or formation;

(e) the Member State and addresses of the applicant issuer’s registered office and, where different, of its head office, and of its principal place of business;

(f) where the applicant issuer is registered in a central register, commercial register, companies register or similar public register different from the register referred to in the second subparagraph, the name of that register and the registration number of the applicant issuer or an equivalent means of identification in that register and a copy of the registration certificate;

(g) the applicant issuer’s instruments of constitution or statute, and the articles of association;

(h) where the applicant issuer is an undertaking that is not a legal person, a documentation assessing that the level of protection of third party interests, including the rights of the holders of an asset-referenced token, is equivalent to that afforded by legal persons and that the applicant issuer is subject to equivalent prudential supervision appropriate to its legal form;

(i) the date of the accounting year end for the applicant issuer;

(j) the full name and contact details, including the phone number and email address, of the person within the applicant issuer to contact regarding the application for authorisation;

(k) the full name and contact details, including the phone number and email address, of the principal professional adviser, if any, used to prepare the application for authorisation.

For the purposes of points (c) to (g), as regards legal persons under the scope of Directive (EU) 2017/1132 of the European Parliament and of the Council (8), the information referred to in those points shall match the information contained in the national business register referred to in Article 16 of that Directive.

Article 2

Programme of operations: information on the business model, strategy and risk profile

For the purposes of point (a)(i)(4), where, upon being granted authorisation, the applicant issuer intends to appoint by consent and in writing other entities to carry out the offer to the public or the admission to trading of the asset-referenced token, the application for authorisation shall include policies and procedures clarifying, inter alia, that the responsibility for the compliance with Title III of Regulation (EU) 2023/1114 will remain with the issuer of an asset-referenced token that has been granted authorisation and that such other entities will be subject to the conduct and marketing requirements laid down in Article 16(1), second subparagraph, of that Regulation.

Article 3

Programme of operations: financial information on the business plan

(b) an explanation linking the elements of the programme of operations set out in Article 3(2) with the forecasts referred to in point (a) of this paragraph;

(c) planning assumptions for the forecasts referred to in point (a), including the expected number of token holders, the expected number and value of transactions per day and the expected average number and average aggregate value of transactions per day for the business plan time horizon, profitability drivers, and explanations of the quantitative information set out in that business plan;

(d) calculations of the applicant issuer’s own funds requirements pursuant to Article 35(1) of Regulation (EU) 2023/1114 covering the three-year business plan time horizon;

(f) forecast calculations of the amount and composition of the reserve of assets and their adequacy to ensure the permanent exercise of the redemption rights throughout the business plan time horizon.

(b) an outline of any indebtedness incurred or expected to be incurred by the applicant issuer prior to the offer to the public or the admission to trading of the asset-referenced token, including, where applicable, the name of the lenders, the maturities and terms of such indebtedness, the use of the proceeds and, where the lender is not a supervised financial institution, information on the origin of the funds borrowed or expected to be borrowed;

(c) an outline of any security interests, guarantees or indemnities granted or expected to be granted by the applicant issuer prior to the offer to the public or the admission to trading of the asset-referenced tokens;

(d) where available, information about the credit rating of the applicant issuer and, where applicable, the overall rating of any group it be a part of;

(e) where the applicant issuer has been set-up for less than three years, for the years not covered by financial statements, an updated summary dated as close as possible to the date of application for authorisation, of the applicant issuer’s financial situation and for the shareholders or members with qualifying holdings the financial statements of the previous three years in case of legal persons or their tax declaration in case of natural persons.

Article 4

Information about the internal governance arrangements and the structural organisation

(a) the organisational chart laying down the operational structure in terms of business lines and units and related allocation of staff, the interactions between the applicant issuer’s various functions, the indication of clear and effective reporting lines and allocation of responsibilities reflecting the applicant issuer’s business activities;

(b) the terms of reference of the management body, with a mapping of the roles, duties and reporting lines of each member;

(c) a detailed and comprehensive description of the foreseen number and profile of human resources, including seniority, skills, expertise of those, and technical resources, including specific features and functions, up-to-datedness, innovative character with an explanation of the adequacy of human and technical resources to implement the business plan;

(d) detailed description of the procedures and arrangements to ensure the accurate and timely reporting of data relating to the asset-referenced token;

(e) a description of the code of conduct laying down the applicant issuer’s ethical and professional corporate values and the risk culture;