Article 4
Business continuity plans
1. When implementing the business continuity policy referred to in Article 68(7) of Regulation (EU) 2023/1114, crypto-asset service providers shall establish business continuity plans. The business continuity plans shall set out the procedures necessary to protect and, where necessary, re-establish:
(a) the confidentiality, integrity, and availability of client data;
(b) the availability of the business functions, supporting processes and information assets of the crypto-asset service providers.
2. The business continuity plans shall contain the following:
(a) a range of possible adverse scenarios relating to the operation of critical or important functions, including the unavailability of business functions, staff, workspace, external suppliers, data centres, or loss or alteration of critical data and documents;
(b) the procedures and policies to be followed in case of a disruptive incident, including:
(c) the procedures and policies for relocating the business functions used to provide crypto-asset services to a back-up site;
(d) back-up of critical business data, including up-to-date information of the necessary contacts to ensure communication inside the crypto-asset service provider, between the crypto-asset service provider and its clients;
(e) procedures for timely communications with clients and other external stakeholders, including competent authorities.
3. In the event of a disruption involving a permissionless distributed ledger used by the crypto asset service provider in the provision of its services, the communications referred to in paragraph 2, point (e) shall include the following information:
(a) when the services are expected to be resumed;
(b) the reasons and the impact of the disruptive incident;
(c) any risks concerning clients’ funds and crypto-assets held on their behalf;
(d) measures that the crypto-asset service intends to take in response to the disruption of a permissionless distributed ledger.
Where that information is not readily available to the crypto-asset service provider, the crypto-asset service provider shall communicate updates as regards the information in the first subparagraph to clients and stakeholders, including competent authorities, on a best effort basis.
4. The business continuity plans shall contain procedures to address any disruptions of outsourced critical or important functions, including where those critical or important functions become unavailable.