(Draft) Commission Delegated Regulation (EU) …/… of 12 June 2025 supplementing Regulation (EU) No 600/2014 of the European Parliament and of the Council with regard to regulatory technical standards on the authorisation and organisational requirements for approved publication arrangements and approved reporting mechanisms, and on the authorisation requirements for consolidated tape providers, and repealing Delegated Regulation (EU) 2017/571
Markets in Financial Instruments Regulation (MiFIR): supplementary provisions on authorisation and organisational requirements for approved publication arrangements and approved reporting mechanisms
Draft Commission delegated regulation sent to the European Parliament and the Council for scrutiny on 12.6.2025
Background
(from the Commission regulation)
(1) Article 2(1), point (36a), of Regulation (EU) No 600/2014 defines data reporting services providers (DRSPs) as approved publication arrangements (APAs), approved reporting mechanisms (ARMs), and consolidated tape providers (CTPs). Although those types of entities are engaged in different data reporting activities, Regulation (EU) No 600/2014 and Commission Delegated Regulation (EU) 2017/571 provided for a similar authorisation procedure. Regulation (EU) 2024/791 of the European Parliament and of the Council amended Regulation (EU) No 600/2014 to introduce a distinction between the authorisation procedure for APAs and ARMs, on the one hand, and the authorisation procedure for CTPs, on the other hand. Regulation (EU) 2024/791 also amended organisational requirements for CTPs. Moreover, as of 2025, DRSPs are required to comply with Regulation (EU) 2022/2554 of the European Parliament and of the Council. To reflect those changes, Delegated Regulation (EU) 2017/571 should be repealed and replaced by a new Regulation.
(2) To enable the European Securities and Markets Authority (ESMA), or, where relevant, the national competent authority, to assess whether the APA or ARM has sufficient human resources and oversight over its business, the organisational structure referred to in Article 27d(1) of Regulation (EU) No 600/2014 should identify who is responsible for the different activities of that APA or ARM. To identify areas which may affect the independence of the APA or ARM and give rise to a conflict of interest, the organisational structure should not only cover the scope of the data reporting services performed by the APA or ARM, but also cover any other services that the APA or ARM provides. To enable competent authorities to assess whether the policies, procedures and corporate governance structure ensure the independence of the APA or ARM and the avoidance of conflicts of interest, an applicant seeking authorisation as an APA or ARM should also provide information on the composition, functioning and independence of its governing bodies.
(3) Conflicts of interest can arise between APAs or ARMs, on the one hand, and clients using their services to meet their regulatory obligations and other entities purchasing data from APAs or ARMs, on the other hand. Those conflicts may arise in particular where the APA or ARM is engaged in other activities, including acting as a market operator, investment firm or trade repository. A conflict of interest that is left unaddressed could incentivise APAs or ARMs to delay publication or submission of data or to trade on the basis of the confidential information they have received. APAs and ARMs should therefore operate and maintain effective administrative arrangements to identify, prevent and manage existing and potential conflicts of interest, including by preparing an inventory of conflicts of interest and by implementing policies and procedures that are appropriate to manage those conflicts and, where necessary, by separating business functions and personnel to limit the flow of sensitive information between different business areas.
(4) To ensure that all members of the management body of an APA or ARM are of sufficiently good repute, have sufficient knowledge, skills and experience and commit sufficient time to perform their duties, as is required by Article 27f of Regulation (EU) No 600/2014, APAs and ARMs should be able to demonstrate that they have a robust process for appointing and evaluating the performance of members of the management body and that clear reporting lines and regular reporting to the management body are in place.
(5) The internal control’s environment of APAs and ARMs is an essential part of their organisational structure as referred to in Article 27d(1) of Regulation (EU) No 600/2014. To enable ESMA, or, where relevant, the national competent authority to assess whether APAs and ARMs have put in place all the necessary arrangements to meet their obligations at the time of initial authorisation, applicant APAs and ARMs should submit to their competent authority information on their internal control’s environment, including information regarding their internal control, compliance, risk management and internal audit functions.
(6) APAs and ARMs fall under the scope of Regulation (EU) 2022/2554 and are therefore subject to the digital operational resilience requirements included therein. An applicant APA or ARM should therefore demonstrate to ESMA or, where relevant, to the national competent authority, compliance with all applicable obligations under that Regulation. An applicant APA or ARM should demonstrate compliance in particular with the obligations in the areas of information and communication technology (ICT) risk-management, ICT third-party risk management, business continuity and back-up facilities, testing and capacity, security and incident reporting.
(7) APAs and ARMs should monitor that the data they are publishing or submitting are accurate and complete. They should also ensure that they have mechanisms for detecting errors or omissions caused by the clients or themselves. For ARMs, that can include reconciliations of a sample population of data submitted to the ARM by an investment firm or generated by the ARM on the investment firm's behalf with the corresponding data provided by the competent authority. The frequency and extent of such reconciliations should be proportionate to the volume of data handled by the ARM and the extent to which it is generating transaction reports from clients' data or passing on transaction reports completed by clients. To ensure timely reporting that is free of errors and omissions, ARMs should continuously monitor the performance of their systems.
(8) An ARM that causes an error or omission should correct such error or omission without delay. That ARM should also notify ESMA or, where relevant, the national competent authority and any competent authority to which it submits reports of such error or omission and of its correction. To enable a client to align its internal records with the information which the ARM has submitted to the competent authority on the client's behalf, an ARM should also notify its clients of the details of the error or omission and provide them with an updated transaction report.
(9) APAs should be able to delete and amend information received from an investment firm submitting the trade report where that investment firm is experiencing technical difficulties and cannot delete or amend the information itself. However, because APAs cannot be certain whether a perceived error or omission is indeed incorrect, as they were not a party to the executed trade, APAs should not be responsible for correcting information contained in published reports where the error or omission is attributable to the investment firm submitting the trade report.
(10) To facilitate reliable communication between APAs and investment firms submitting the trade reports, particularly in relation to cancellations of and amendments to specific transactions, APAs should include in the confirmation messages to such investment firms the transaction identification code that has been assigned by the APA concerned when making the information public.
(11) To comply with their reporting obligation under Regulation (EU) No 600/2014, ARMs should ensure the smooth flow of information to and from a competent authority. ARMs should therefore be able to demonstrate that they can comply with the technical specifications set out by a competent authority regarding the interface between those ARMs and the competent authority.
(12) To ensure efficient dissemination of information by APAs and an easy access and use of such information by market participants, that information should be published in a machine-readable format through robust channels allowing for automatic access to that information. Websites may not always offer an architecture that is robust and scalable enough and may not always allow for easy automatic access to data. Those technological constraints may, however, be overcome in the future. A particular technology should therefore not be prescribed. Instead, criteria should be set out that the chosen technology needs to meet.
(13) To enable ESMA to assess whether an applicant for authorisation as a CTP has put in place, at the time of the application for authorisation, all the necessary arrangements to fulfil the criteria laid down in Article 27da(2) of Regulation (EU) No 600/2014, such applicant should, in its application for authorisation, provide a programme of operations, an organisational chart and an ownership chart. To enable ESMA to assess whether an applicant for authorisation as a CTP has sufficient human resources and oversight over its business, the organisational chart should identify who is responsible for the different activities. Furthermore, to enable ESMA to identify areas which may affect the independence of a CTP and give rise to a conflict of interest, the organisational chart should not only cover the scope of the consolidated tape service, but also include any other services that the applicant CTP intends to provide. Finally, to enable ESMA to assess whether the policies, procedures and corporate governance structure ensure both the independence of the CTP and the avoidance of conflicts of interest, an applicant for authorisation as a CTP should also provide information on the composition, functioning and independence of its governing bodies and on its internal control environment.
(14) To ensure that all members of the management body of a CTP are persons who are of sufficiently good repute and possess sufficient knowledge, skills and experience, an applicant for authorisation as a CTP should be able to demonstrate that it has a robust process for appointing and evaluating the performance of members of the management body, and that clear reporting lines and regular reporting to the management body are in place.
(15) Conflicts of interest can arise between the CTP, on the one hand, and data contributors or data users, on the other hand. Those conflicts may arise in particular where the CTP is engaged in other activities, including acting as a market operator, investment firm, or trade repository. As part of its corporate governance, an applicant for authorisation as a CTP should prove to ESMA that it has established frameworks that are appropriate to identify, prevent, and manage existing and potential conflicts of interest, including by preparing an inventory of conflicts of interest and implementing policies and procedures that are appropriate to manage those conflicts and, where necessary, by separating business functions and personnel to limit the flow of sensitive information between different business areas of the CTP.
(16) The outsourcing of activities, in particular of critical and important functions, may constitute a material change of the conditions for the authorisation of a CTP. To ensure that the outsourcing of activities does not impair the ability of the CTP to meet its obligations under Regulation (EU) No 600/2014 or lead to conflicts of interest, a CTP should be able to demonstrate sufficient oversight and control over those activities.
(17) CTPs fall under the scope of Regulation (EU) 2022/2554 and are therefore subject to the digital operational resilience requirements laid down in that Regulation. In their application for authorisation, applicants for authorisation as a CTP should therefore provide assurance of their compliance with the applicable requirements laid down in that Regulation.
(18) An applicant for authorisation as a CTP should prove that its systems are able to ingest data from trading venues and APAs and to consolidate and publish that information without disruptions. It should also demonstrate its ability to consolidate and publish data in line with the requirements set out in Commission Delegated Regulation (EU) xx/xx [PO: please insert reference to Commission Delegated Regulation (EU) xx/xx supplementing Regulation (EU) No 600/2014 of the European Parliament and of the Council with regard to regulatory technical standards specifying the input and output data of consolidated tapes, the synchronisation of business clocks and the revenue redistribution by the CTP for shares and ETFs, and repealing Delegated Regulation (EU) 2017/574 - C(2025) 3102].
(19) To demonstrate the reasonable level of fees that an applicant for authorisation as a CTP intends to charge to its clients, that applicant should provide ESMA with the market data policy, including a detailed explanation of licensing models and the envisaged fee schedule pursuant to Article 17 of Commission Delegated Regulation (EU) xx/xx [PO: please insert reference to Commission Delegated Regulation (EU) xx/xx supplementing Regulation (EU) No 600/2014 of the European Parliament and of the Council with regard to regulatory technical standards on the obligation to make market data available to the public on a reasonable commercial basis - C(2025) 3103]. An applicant for authorisation as a CTP for bonds should disclose any arrangements for any revenue redistribution to data contributors as referred to in Article 27h, point (5), of Regulation (EU) No 600/2014.
(20) To enable ESMA to understand the energy consumption generated by the activities related to data collecting, processing and storing, an applicant for authorisation as a CTP should provide the expected power utilisation effectiveness (PUE) ratio as defined by international standards.
(21) To enable ESMA to determine if their combined resources are essential for the operation of the consolidated tape, the joint applicants referred to in Article 27da(2), point (n), of Regulation (EU) No 600/2014 should prove the necessity in terms of technical and logistical capacity for each applicant to jointly operate the CT.
(22) Information submitted to the competent authorities should contain information on the identity of the members of the management body of a DRSP and on their suitability. Such information includes personal data. In compliance with the principle of data minimisation enshrined in Article 5(1), point (c), of Regulation (EU) 2016/679, only personal data that is necessary to enable the competent authority to assess the ability of the members of the management body of a DRSP to comply with the requirements laid down in Regulation (EU) No 600/2014 should be requested. The processing of personal data for the purposes of this Regulation should be carried out in accordance with Union law on the protection of personal data. In that regard, any processing of personal data performed by national competent authorities in application of this Regulation should be carried out in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council and national requirements on the protection of natural persons with regard to the processing of personal data. Any processing of personal data performed by ESMA in application of this Regulation should be carried out in accordance with Regulation (EU) 2018/1725 of the European Parliament and of the Council. To enable competent authorities to conduct the assessment for the purposes of the initial authorisation and the ongoing supervision, while ensuring appropriate safeguards, personal data relating to the good repute of a member of the management body should be kept by DRSPs and competent authorities for no longer than five years after that member has ceased to perform its function.
(23) This Regulation is based on the draft regulatory technical standards submitted by ESMA to the Commission.
(24) ESMA has conducted open public consultations on the draft regulatory technical standards on which this Regulation is based, analysed the potential related costs and benefits and requested the opinion of the Securities and Markets Stakeholder Group established by Article 37 of Regulation (EU) No 1095/2010 of the European Parliament and of the Council.
(25) The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 of the European Parliament and of the Council and delivered formal comments on 17 March 2025.
(26) The regulatory technical standards to be adopted on the basis of the empowerments laid down in Articles 27d(4), 27db(7), 27g(6) and (8), and 27i(5) of Regulation (EU) No 600/2014 should be bundled into a single Commission Delegated Regulation to ensure that all provisions specifying authorisation conditions for DRSPs are consolidated into one Regulation,