(Draft) Commission Delegated Regulation (EU) .../… of 12 September 2025 supplementing Regulation (EU) 2023/2631 of the European Parliament and of the Council with regard to regulatory technical standards specifying the conditions for the registration of external reviewers, the criteria for assessing the sound and prudent management of external reviewers, the appropriateness of the knowledge, experience and training of the external reviewers' employees, and the conditions under which external reviewers may outsource their assessment activities
European Green Bond Standard: conditions for the registration of external reviewers, etc.
Draft Commission Delegated Regulation sent to the European Parliament and the Council for clearance on 12.9.2025
Background
(from the Commission Regulation)
(1) The good repute of the senior management and the members of the board of an external reviewer is of paramount importance to ensure that the external reviewer meets its regulatory obligations. An assessment of good repute should be based on information on the prior activities of those persons, including information on potential relevant criminal convictions, past misconduct, gross negligence, mismanagement of conflicts of interest or impairments to independence and objectivity, and information on their honesty, integrity and reputation.
(2) Given that the senior management and the members of the board are accountable for the external reviewer’s activities, they should have sufficient skills, professional qualifications and experience. An assessment of whether those skills, professional qualifications and experience are sufficient should take into account the curriculum vitae of all members of the senior management and of the board, including up-to-date information on education, training, and employment history. The assessment should also take into account the overall composition and diversity of the senior management and of the board and the collective skills, professional qualifications and experience of their members, as relevant to the activities of the external reviewer and the risks to which that external reviewer is exposed.
(3) To safeguard the continuity and regularity of external reviews, an external reviewer should employ an appropriate number of analysts, employees and persons who are directly involved in assessment activities. In that regard, information on the staffing arrangements of an external reviewer for analysts, employees and persons directly involved in assessment activities should be taken into account. That information should include the number of permanent and temporary contracts, likely future assessment activities, and the reasons why the external reviewer considers the analytical resources to be sufficient.
(4) To ensure the quality of external reviews, analysts, employees and other persons directly involved in assessment activities should have adequate levels of knowledge, experience, and training. The assessment should take into account the education, training, and employment history of those persons. Furthermore, external reviewers should put in place training and development plans for all employees directly involved in assessment activities.
(5) To ensure that decision-making structures provide for the sound and prudent management of the external reviewer, external reviewers should have corporate governance arrangements that specify the organisation, scope, purpose and functioning of their governance bodies, such as the board, supervisory body and relevant committees.
(6) Maintaining a transparent and effective organisational structure is also a key component of sound and prudent management. To ensure transparency and effectiveness of their organisational structure, external reviewers should have clear reporting lines, responsibilities, and communication channels that encourage accountability and decision-making. For the same reason, external reviewers should implement and properly document appropriate policies and procedures as regards their governance structures, internal controls, business continuity, information processing systems, recordkeeping, administration, and accounting.
(7) Given the importance of the internal control functions to the sound and prudent management of an external reviewer, external reviewers should put in place an internal control framework that ensures that the persons responsible for performing that function are appropriately empowered and that there is a clear segregation from the business lines they are overseeing.
(8) To ensure sound and prudent management of compliance with their obligations under Regulation (EU) 2023/2361, external reviewers should ensure that the policies and procedures needed to comply with that Regulation are approved by their board.
(9) The conflicts of interest management framework of an external reviewer should contain a comprehensive conflicts of interest policy approved by the board, and an inventory of conflicts of interests. The conflicts of interest policy should contain risk management procedures and controls to identify, eliminate, or manage and disclose in a transparent manner actual or potential conflicts of interest. That policy should also identify which conflicts of interest the external reviewer considers are to be managed or disclosed in a transparent manner and which conflicts of interest are to be eliminated. In addition, that policy should provide for appropriate oversight and management of situations where professional judgement or decision-making may be compromised.
(10) External reviewers should assess whether third-party service providers have the capacity to perform assessment activities reliably and professionally. In that regard, external reviewers should consider whether the expertise and availability of the third-party service provider are appropriate to the outsourced activities. For that purpose, external reviewers should take into account key elements relating to the third-party service provider and the outsourcing arrangement, such as its business model, the qualifications of its staff, the control framework, the use of automation and technology in the outsourced assessment activities, and its regulatory compliance.
(11) External reviewers should ensure that the outsourcing of assessment activities does not materially impair the quality of their internal control. In that regard, external reviewers should evaluate the extent of their reliance on the third-party service provider and should monitor and control activities that address the risks arising from the outsourcing, in particular with regard to third countries. External reviewers should apply internal controls to ensure that adequate arrangements are in place in relation to the quality of service provided by the third-party service provider. External reviewers should put in place adequate practices in relation to documentation and recordkeeping by third-party service providers. That should ensure that an external reviewer and the European Securities and Markets Authority (ESMA) have access to all necessary information and that the outsourcing of assessment activities does not impair ESMA’s ability to supervise the external reviewer’s compliance with Regulation (EU) 2023/2631.
(12) To ensure a sufficient degree of oversight over outsourced activities, external reviewers should carry out regular assessments.
(13) The regulatory technical standards to be adopted on the basis of the empowerments laid down in Article 23(6), third subparagraph, Article 27(2), third subparagraph, Article 28(3), third subparagraph and Article 33(7), third subparagraph of Regulation (EU) 2023/2631 should be bundled into a single Commission Delegated Regulation to ensure that all provisions specifying registration of external reviewers are consolidated into one Regulation.
(14) Information submitted to ESMA may contain information on the identity of the senior management and members of the board of an applicant external reviewer, as well as analysts, employees and other persons directly involved in assessment activities on their suitability. Such information includes personal data. In compliance with the principle of data minimisation enshrined in Article 4(1), point (c), of Regulation (EU) 2018/1725, only personal data that is necessary to enable ESMA to assess the ability of the senior management, members of the board of an applicant external reviewer, as well as analysts, employees and other persons directly involved in assessment activities, to comply with the requirements laid down in Regulation (EU) 2023/2631 should be requested.
(15) This Regulation respects the fundamental rights and observes the principles recognised by the Charter of Fundamental Rights of the European Union, and notably the right to protection of personal data. The processing of personal data for the purposes of this Regulation should be carried out in accordance with Union law on the protection of personal data. In that regard, any processing of personal data performed by ESMA in application of this Regulation should be carried out in accordance with Regulation (EU) 2018/1725 of the European Parliament and of the Council. Any processing of personal data performed by entities applying for external reviewer within application of this Regulation should be carried out in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council and national requirements on the protection of natural persons with regard to the processing of personal data.
(16) To enable ESMA to conduct the assessment for the purposes of the registration and the ongoing supervision, while ensuring appropriate safeguards, personal data relating to the good repute of senior management and members of the board of an external reviewer should be kept by external reviewers and ESMA for no longer than five years after that member has ceased to perform its function or, in the event of the withdrawal of the registration of the external reviewer concerned.
(17) The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 of the European Parliament and of the Council and delivered an opinion on 7 July 2025.
(18) This Regulation is based on the draft regulatory technical standards submitted to the Commission by ESMA.
(19) ESMA has conducted open public consultations on the draft regulatory technical standards on which this Regulation is based, analysed the potential related costs and benefits and requested the advice of the Securities and Markets Stakeholder Group established in accordance with Article 37 of Regulation (EU) No 1095/2010 of the European Parliament and of the Council,