(fra kommisjonsforordningen)

(1) Regulation (EU) No 1227/2011 provides that market participants are to disclose information and submit inside information reports through inside information platforms (‘IIPs’) and report the data through registered reporting mechanisms (‘RRMs’). The Commission is to set out rules which will replace the current registration procedure for IIPs and RRMs established by the European Union Agency for the Cooperation of Energy Regulators (‘the Agency’). 

(2) Since many obligations set out in Regulation (EU) No 1227/2011 are common to both IIPs and RRMs, it is appropriate to lay down the detailed rules supplementing that Regulation in a single act. This will ensure consistency and legal certainty while avoiding repetition. 

(3) In order to specify the means by which IIPs are to fulfil the obligation to make public the inside information and submit inside information reports to the Agency, and RRMs are to report data records to the Agency, which pursuant to Article 4a(1) and Article 9a(1) of Regulation (EU) No 1227/2011 requires them to be authorised by the Agency, it is necessary to set out rules on the authorisation process specifying the information to be provided to the Agency as part of an application for authorisation as IIPs or RRMs. 

(4) Clear and comprehensive definitions should apply to both IIPs and RRMs. However, given the differences in the scope of the reporting obligations for IIPs and RRMs, it is necessary to apply different definitions of the term ‘client’ for each type of reporting entity. This will enable IIPs and RRMs to understand and comply with their respective obligations vis-à-vis their respective clients in an unambiguous manner. 

(5) To enable the Agency to assess whether the applicants for an authorisation as IIPs or RRMs comply with the authorisation requirements, they should submit to the Agency information necessary to identify them and prove, inter alia, their establishment within the Union. They should also submit documents proving that they have the necessary organisational requirements in place to provide IIP or RRM services. To demonstrate compliance with Article 4a(3) of Regulation (EU) No 1227/2011, which provides that IIPs are to have adequate policies and arrangements in place to disclose the inside information as close to real time as technically possible, IIPs should provide to the Agency information about the time needed by the IIP to disclose on their platform the information received from their IIP clients and successfully validated by their data validation system. To ensure that the Agency receives accurate, complete and timely data records and inside information reports that meet regulatory standards, as part of the authorisation process, applicants should undergo a testing phase to demonstrate their ability to comply with the reporting requirements set out in in Regulation (EU) No 1227/2011 and further detailed in this Regulation. 

(6) To ensure legal certainty and reduce the administrative burden on IIPs and RRMs that were already registered by the Agency, those IIPs and RRMs should not be required to resubmit documents that are already available to the Agency. Therefore, the authorisation process should contain specific provisions for them. Those IIPs and RRMs should be eligible for a simplified authorisation process, insofar as the Agency confirms to the relevant IIPs and RRMs that it has already received, during the registration process, all the information required for authorisation. However, the Agency should maintain the right to request the resubmission of documentation already provided during the registration process, if it is necessary to ensure compatibility with its IT systems, particularly in cases where technical updates are required. 

(7) To ensure a timely and efficient authorisation process, the Agency should adopt a decision on an authorisation as an IIP or RRM within three months from receiving a complete application. Prior to the commencement of the three-month assessment period, the Agency should have performed an initial assessment regarding completeness of the application. If the Agency deems that it needs more time for adopting an authorisation decision, the Agency should, prior to the expiry of the threemonth period, inform the applicant of the additional time it needs to adopt the decision. For legal certainty, if no decision is adopted within the additional time period, the Agency should be deemed to have adopted a positive decision. 

(8) In order to ensure that the applicants that submit authorisation applications have genuine intentions to perform IIP and RRM services, as well as to avoid unnecessary delays and administrative burden on the Agency, applicants who remain inactive for more than three months should be considered to have withdrawn their application, unless they inform the Agency that they still wish to be authorised. 

(9) To allow applicants and authorised IIPs and RRMs to enforce their rights linked to decisions adopted by the Agency under this Regulation, any of the Agency’s decisions referred to in this Regulation, including decisions rejecting an application for authorisation, should be subject to the legal remedies available pursuant to Articles 28 and 29 of Regulation (EU) 2019/942 of the European Parliament and of the Council. 

(10) To ensure the accuracy and completeness of the information disclosed and inside information reports submitted by IIPs to the Agency, as well as of the data records reported by RRMs to the Agency, the Agency should provide guidance, inter alia, on the validation principles and processes set out in this Regulation by providing technical specifications for the verification of data. That guidance should aim to ensure that the Agency receives high quality data, thereby enabling effective market monitoring. Compliance with data validation principles and processes is a key requirement to ensure that the data reported to the Agency is meaningful, coherent, and ready to be processed, thereby enabling the Agency to perform its monitoring role in an efficient manner. 

(11) IIPs and RRMs should have in place sound information security systems that ensure the secure provision of disclosing and reporting services, prevent data breaches and security incidents, and guarantee continuity of services through back-up facilities. To ensure the security and resilience of network and information systems, IIPs and RRMs should implement appropriate and proportionate technical, operational, and organisational measures to manage risks and prevent or minimise the impact of incidents on recipients of their services. Those measures should be state-of-the-art and, where applicable, comply with relevant European and international standards. 

(12) To ensure that the requirements of this Regulation are effectively implemented and complied with throughout the entire period during which IIPs and RRMs provide their services, IIPs and RRMs should be subject to regular supervision by the Agency. For that purpose, the Agency should have the right to request clarifications and information from authorised entities in case of potential non-compliance. 

(13) RRMs are to submit an annual report to the Agency, in accordance with Article 9a(2) of Regulation (EU) No 1227/2011. To ensure the least possible administrative and reporting burden on RRMs, the content of that report should be limited to the minimum necessary, while ensuring that it contains useful information for the Agency in carrying out its supervisory powers. 

(14) The withdrawal of authorisations of IIPs and RRMs should be possible on the initiative of either the Agency, based on the grounds set out in Regulation (EU) No 1227/2011, or on request of the IIP or RRM itself. If the IIP or RRM requests to have their authorisations withdrawn, an expedited procedure should apply. To ensure that an authorisation is withdrawn in a swift and efficient way, the Agency should also be able to apply the expedited procedure in cases where, after the initiation of the withdrawal procedure by the Agency, the IIP or RRM concerned expresses its willingness to have its authorisation withdrawn. 

(15) To ensure a fair and impartial decision-making process, the Agency’s decision on granting or withdrawing an authorisation should be based on a thorough examination of the relevant facts and should be well-reasoned. The Agency’s decision to withdraw an authorisation should only be based on findings on which the IIP or RRM has had the opportunity to express its views. 

(16) To enable IIPs and RRMs to take all necessary actions to comply with the requirements introduced by this Regulation, the application of the provisions detailing the authorisations process, the organisational requirements, the supervision and reporting and the withdrawal and substitution processes should be deferred.

(17) The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 of the European Parliament and of the Council12 . (18) Any processing of personal data performed by IIPs and RRMs under this Regulation should be carried out in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council13. Any processing of personal data performed by the Agency under this Regulation should be carried out in accordance with Regulation (EU) 2018/1725. Following the withdrawal of an IIP or RRM, the personal data previously collected should be retained by the Agency for ten years, as indicated in the Agency’s retention policy and in line with Regulation (EU) 2018/1725,