(1)

To enable competent authorities to assess whether certain financial entities that intend to provide crypto-asset services meet the applicable requirements laid down in Title V and, where relevant, Title VI of Regulation (EU) 2023/1114, the information to be notified by certain financial entities of their intention to provide crypto-asset services should be sufficiently detailed and comprehensive without imposing undue burden.

(2)

In accordance with Article 60(7), point (a) of Regulation (EU) 2023/1114, a notification of the intention to provide crypto-asset services is to contain a programme of operations. In order to provide a full picture of the operations the notifying entity intends to undertake, the programme of operations should comprise a description of the notifying entity’s organisational structure, their strategy in providing crypto-asset services to their targeted clients, and their operational capacity for the 3 years following the date of notification. Regarding the strategy used to target clients, the notifying entity should describe the marketing means that it intends to use, such as websites, mobile phone applications, face-to-face meetings, press releases, or any form of physical or electronic means, including social media campaign tools, internet advertisements or banners, retargeting of advertising, agreements with influencers, sponsorships agreements, calls, webinars, invitations to events, affiliation campaigns, gamification techniques, invitations to fill in a response form or to follow a training course, demo accounts or educational materials.

(3)

To enable competent authorities to assess the notifying entity’s resilience to withstand external financial shocks, including those concerning the value of crypto-assets, the notifying entity should include in their notification stress scenarios simulating severe but plausible events in their forecast accounting plan.

(4)

To avoid outages of operations as they can have major financial, regulatory and reputational consequences for the notifying entity and more generally, crypto-asset markets in general, it is critical to maintain operations or at least essential functions of crypto-asset service providers and to minimise downtime due to unexpected disruptions, including cyberattacks and natural disasters. A notification should therefore contain detailed information on the notifying entity’s arrangements to ensure continuity and regularity in the provision of crypto-asset services, including a detailed description of its risks and business continuity plans.

(5)

Effective mechanisms, systems and procedures that comply with Directive (EU) 2015/849 of the European Parliament and of the Council (2) are needed to ensure that notifying entities appropriately address risks and practices of money laundering and terrorist financing in the provision of crypto-asset services. Notifying entities should therefore provide in their notification detailed information on their mechanisms, systems and procedures put in place to prevent risks associated with their business activities in relation to, inter alia, anti-money laundering and counter-terrorist financing.

(6)

Due to the decentralised and digital nature of crypto-assets, cybersecurity risks for crypto-asset service providers are significant and take many forms. To ensure that the notifiying entity is able to prevent data breaches and financial losses that could be caused by cyberattacks, the information on the notifying entity’s deployed ICT systems and related security arrangements such as identity and geographical location of the providers, description of the outsourced activities or ICT services with their main characteristics, copy of contractual agreements, as referred to in Article 60(7), point (c), of Regulation (EU) 2023/1114, should include the human resources dedicated to addressing cybersecurity risks.

(7)

The segregation of clients’ crypto-assets and funds protects clients from losses of the crypto-asset service provider and from misuse of their crypto-assets and funds. Article 70 of Regulation (EU) 2023/1114 therefore requires crypto-asset service providers to make adequate arrangements to safeguard the ownership rights of clients. That requirement also applies to crypto-asset service providers that do not provide custody and administration services.

(8)

To enable competent authorities to assess the adequacy of the notifying entity’s operating rules for their trading platforms for crypto-assets, the notifying entity should detail specific elements in the description of those rules. In particular, the notifying entity should elaborate on aspects of the operating rules relating to the admission to trading, the trading and the settlement of crypto-assets. As regards the admission to trading of crypto-assets, notifying entities should provide detailed information on the way in which the admitted crypto-assets comply with the notifying entity’s rules, on the types of crypto-assets that the notifying entity will not admit to trading on its trading platform and the reasons for such exclusions, and on the fees for the admission to trading. As regards the trading of crypto-assets, the notifying entity should specify the elements of the operating rules governing the execution and cancelation of orders, orderly trading, transparency and record-keeping. Finally, the notifying entity should include in the description of the operating rules the elements governing the settlement of transactions in crypto-assets on the trading platform, including whether the settlement is initiated by using distributed ledger technology (DLT), the timeframe in which the execution is initiated, the definition of the moment when the settlement is final, all verifications required to ensure the effective settlement of the transaction and any measure to limit settlement failures.

(9)

To allow for competent authorities to assess the adequacy of the notifying entity in providing certain crypto-asset services such as exchange of crypto-assets for funds or other crypto-assets, execution, the provision of advice on crypto-assets or portfolio management of crypto-assets and transfer services, the notifying entity should specify the details of how these crypto-asset services will be provided as well as the arrangements put in place to ensure that the notifying entity complies with the relevant provisions of Regulation (EU) 2023/1114 with regards to the provision of those crypto-asset services.

(10)

Any processing of personal data under this Regulation shall comply with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council (3).

(11)

This Regulation is based on the draft regulatory technical standards submitted to the Commission by the European Securities and Markets Authority (ESMA) and developed in close cooperation with the European Banking Authority.

(12)

ESMA has conducted open public consultations on the draft regulatory technical standards on which this Regulation is based, analysed the potential related costs and benefits and requested the advice of the Securities and Markets Stakeholder Group established in accordance with Article 37 of Regulation (EU) No 1095/2010 of the European Parliament and of the Council (4).

(13)

The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 of the European Parliament and of the Council (5) and delivered formal comments on 21 June 2024,