BAKGRUNN (fra kommisjonsforordningen)

(1) Articles 11 and 12 of Regulation (EU) 2022/2554 of the European Parliament and of the Council3 provide for requirements relating to response and recovery, backup policies and procedures, restoration and recovery procedures and methods concerning the ICT systems of financial entities, including crypto-asset services providers. Commission Delegated Regulation (EU) 2024/1774 further specifies components of the ICT business continuity policy, the testing of ICT business continuity plans, the components of the ICT response and recovery plans of financial entities, including crypto-asset service providers. This Regulation complements those provisions of Regulation (EU) 2022/2554 and of Commission Delegated Regulation (EU) 2024/1774 with respect to continuity and regularity in the performance of the cryptoasset services. 

(2) In providing their services, crypto-asset service providers may use a distributed ledger over which they have no control, including a permissionless distributed ledger. In that case, they may not be capable of ensuring the regularity and continuity of their services when disruptions are caused by problems that are inherent to the operation of such distributed ledgers. To mitigate market volatility that may have an adverse impact on clients affected by such disruptions, crypto-asset service providers should include in their business continuity policy measures for timely communication with clients and other external stakeholders. Such communication should include essential and timely information for clients on such disruptions, including ongoing status updates, until the disruption is resolved and services are resumed. Where information on the status of the permissionless distributed ledger responsible for a service disruption is not readily available to the crypto-asset service provider, that crypto-asset service provider should communicate updates to clients and other stakeholders, including competent authorities, on a best effort basis to ensure that clients and stakeholders have as comprehensive information as possible on such disruptions. 

(3) To avoid disproportionate administrative burden for small and medium-enterprises and start-ups, crypto-asset service providers should consider in their business continuity policy the scale, nature, and range of the services they provide. That means that crypto-asset service providers should determine their specific business continuity requirements on the basis of a robust self-assessment, based on a number of criteria that would enable them to implement a business continuity policy that is commensurate with the market impact of their services. The self-assessment should also take into account other circumstances beyond those listed in the Annex that may have an impact on the crypto-asset service provider. 

(4) This Regulation is based on the draft regulatory technical standards submitted to the Commission by the European Securities and Markets Authority. 

(5) The European Securities and Markets Authority has conducted open public consultations on the draft regulatory technical standards on which this Regulation is based, analysed the potential related costs and benefits and requested the advice of the Securities and Markets Stakeholder Group established in accordance with Article 37 of Regulation (EU) No 1095/2010 of the European Parliament and of the Council