(fra kommisjonsforordningen)

(1) In accordance with the general objectives of Regulation (EU) 2024/3005, in particular to enhance transparency and reliability regarding the operations of ESG rating providers, it is appropriate that this Regulation ensures that the information to be submitted to the European Securities and Markets Authority (ESMA) for the purposes of the authorisation and recognition processes of ESG rating providers is sufficient for enabling ESMA to make relevant informed decisions. (2) The regulatory technical standards to be adopted on the basis of the empowerments laid down in Article 6(3), third subparagraph, and Article 12(9), third subparagraph of Regulation (EU) 2024/3005 should be bundled into a single Commission Delegated Regulation to ensure that all provisions specifying authorisation, registration and recognition of ESG rating providers are consolidated into one Regulation. (3) Information submitted to ESMA may contain information on the identity of the contact person, of the senior management or of the legal representative of an applicant ESG rating provider, as well as of analysts, employees and other persons directly involved in ESG rating activities. Such information includes personal data. In compliance with the principle of data minimisation enshrined in Article 4(1), point (c), of Regulation (EU) 2018/1725 of the European Parliament and of the Council2 , only personal data that is necessary to enable ESMA to assess the compliance of the application for authorisation as an ESG rating provider or for recognition of an ESG rating provider with the requirements laid down in Regulation(EU) 2024/3005 should be requested. 

(4) This Regulation respects the fundamental rights and observes the principles recognised by the Charter of Fundamental Rights of the European Union, and notably the right to protection of personal data. The processing of personal data for the purposes of this Regulation should be carried out in accordance with Union law on the protection of personal data. In that regard, any processing of personal data performed by ESMA in application of this Regulation should be carried out in accordance with Regulation (EU) 2018/1725. 

(5) Personal data, in particular the proof of the absence of criminal records for each member of senior management of a ESG rating provider relating to money laundering, terrorist financing, provision of financial services or data services, acts of fraud or embezzlement, should be retained by that ESG rating provider and ESMA for no longer than five years after the concerned senior management has ceased to perform its function. 

(6) To ensure that ESMA is able to assess compliance by ESG rating providers with the relevant framework, including the measures and safeguards to be implemented by ESG rating providers in relation to the separation of business and activities, ESG rating providers that wish to apply for authorisation to provide benchmarks in accordance with Article 16(3) of Regulation (EU) 2024/3005 at the time they apply for authorisation to operate in the Union in accordance with Article 6(1) of that Regulation should provide ESMA with additional information in that regard., 

(7) Members of senior management of ESG rating providers exercise significant influence over the operations of such rating providers. It is therefore necessary to require that ESG rating providers include in their application for authorisation proof of the good repute of such members and an official certificate or equivalent evidence from each member of senior management as regards the absence of convictions for certain criminal offences. The official certificate should be sufficiently recent to provide an up-to-date level of assurance and should cover a sufficiently long period of time. 

(8) Point (g) of Annex I to Regulation (EU) 2024/3005 requires that applications for authorisation should contain the number of rating analysts, employees and other persons working for the applicant who are directly involved in ESG rating activities, and their level of experience and training. In order to further specify that requirement and taking into account various types of assessment, that information should also cover the analysts and staff working to develop and review the ESG rating methodology and who implement and maintain the systems, resources and procedures necessary for ESG rating providers to comply with their obligations under Regulation (EU) 2024/3005. To streamline the application process, the information provided should be at the level of the team or group of persons performing the activities. 

(9) Article 16 of Regulation (EU) 2024/3005 prohibits ESG rating providers to engage in certain activities, or requires ESG rating providers to separate such activities from their ESG rating activities t. To verify whether the applicant has taken the necessary steps to ensure that the other activities or services it provides do not unduly interfere with or compromise the integrity of its ESG rating activities, applicants should provide an adequate level of information on the measures put in place in accordance with Article 16(2) and (3) of Regulation (EU) 2024/3005. 

(10) To safeguard security and enhance data management and usability in light of increased digitalisation, any information submitted to ESMA in an application should be machine- readable, structured to be easily identified, recognised and extracted by a software application, and provided in a durable medium. 

(11) To assist ESMA in identifying the documents that an applicant has submitted as part of the application for authorisation and registration, a unique reference number should be provided to each document. 

(12) For assurance and accountability purposes, an application for authorisation or registration submitted to ESMA should include a letter signed by a member of the senior management of the applicant, attesting that the submitted information is accurate and complete to the best of that member’s knowledge. 

(13) Since this Regulation supplements Regulation (EU) 2024/3005, which applies from 2 July 2026, it is appropriate to align the dates of application of the two Regulations. 

(14) The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 and delivered an opinion on 5 May 2026. 

(15) This Regulation is based on the draft regulatory technical standards submitted to the Commission by ESMA. (16) ESMA has conducted open public consultations on the draft regulatory technical standards on which this Regulation is based, analysed the potential related costs and benefits and requested the advice of the Securities and Markets Stakeholder Group established in accordance with Article 37 of Regulation (EU) 1095/2010 of the European Parliament and of the Council3 ,