2025/305

31.3.2025

COMMISSION DELEGATED REGULATION (EU) 2025/305

of 31 October 2024

supplementing Regulation (EU) 2023/1114 of the European Parliament and of the Council with regard to regulatory technical standards specifying the information to be included in an application for authorisation as a crypto-asset service provider

(Text with EEA relevance)

THE EUROPEAN COMMISSION,

Having regard to the Treaty on the Functioning of the European Union,

Having regard to Regulation (EU) 2023/1114 of the European Parliament and of the Council of 31 May 2023 on markets in crypto-assets, and amending Regulations (EU) No 1093/2010 and (EU) No 1095/2010 and Directives 2013/36/EU and (EU) 2019/1937 (1), and in particular Article 62(5), third subparagraph, thereof,

Whereas:

(1) To enable competent authorities to assess whether legal persons or other undertakings seeking authorisation as a crypto-asset service provider in accordance with Article 62 of Regulation (EU) 2023/1114 (‘applicants’) meet the applicable requirements laid down in Title V and, where relevant, Title VI of that Regulation, the information to be provided in an application for authorisation as crypto-asset service provider submitted in accordance with Article 62(1) of that Regulation (‘application for authorisation’) should be sufficiently detailed and comprehensive without imposing undue burden.

(2) The application for authorisation should contain data about the identity of the applicant, the governance arrangements and internal control mechanisms, the suitability of the members of the management body and the sufficiently good repute of the shareholders or members with qualifying holdings. In compliance with the principle of data minimisation as expressed in Article 5(1), point (c) of Regulation (EU) 2016/679 of the European Parliament and of the Council (2), such information should be sufficient to enable competent authorities to carry out a comprehensive assessment of applicants, and of their ability to comply with the relevant requirements of Regulation (EU) 2023/1114. Furthermore, that information should be sufficient to enable competent authorities to verify that there are no objective and demonstrable grounds for refusal of the authorisation as referred to in Article 63(10), points (a) to (d), of that Regulation.

(3) To ensure that the competent authorities’ assessment is based on accurate information, applicants should provide copies of their corporate documents, including their legal entity identifier, the articles of association, a copy of their registration in the national register of companies and, where applicants intend to operate a trading platform, the commercial name used.

(4) In accordance with Article 62(2), point (d), of Regulation (EU) 2023/1114 an application for authorisation is to contain a programme of operations. That programme should specify the applicants’ organisational structure, strategy in providing crypto-asset services to their targeted clients and their operational capacity for 3 years following authorisation. When specifying the strategy used to target clients, for transparency reasons the applicants should describe the marketing means that they intend to use, including websites, mobile phone applications, face-to-face meetings, press releases, or any form of physical or electronic means, including social media campaign tools, internet advertisements or banners, retargeting of advertising, agreements with influencers, sponsorships agreements, calls, webinars, any invitation to an event, affiliation campaign, gamification techniques, invitation to fill in a response form or to follow a training course, demo accounts or educational materials.

(5) To enable competent authorities to assess the applicants’ resilience to withstand external financial shocks, including those concerning the value of crypto-assets, applicants should include in their application for authorisation stress scenarios simulating severe but plausible events in its forecast calculations and plans to determine their own funds.

(6) Clients are exposed to potential risks related to the crypto-asset service providers. To enable competent authorities to assess whether applicants meet the prudential requirements set out in Article 67 of Regulation (EU) 2023/1114 to protect clients against such risks, an application for authorisation should contain information specifying the applicant’s prudential safeguards.

(7) To ensure that crypto-asset service providers comply with their obligations laid down in Regulation (EU) 2023/1114, applicants should demonstrate that they have adequate and robust governance arrangements and internal control mechanisms, including arrangements and mechanisms that are essential to the sound and prudent management of crypto-asset service providers.

(8) In the financial services system, time is essential. To avoid outages as they can have major financial, regulatory and reputational consequences for the crypto-asset service providers and crypto-asset markets in general, it is critical to maintain operations or at least essential functions of crypto-asset service providers and to minimise downtime due to unexpected disruptions, including cyberattacks and natural disasters. An application for authorisation should thus contain detailed information on the applicant’s arrangements to ensure continuity and regularity in the provision of crypto-asset services, including a detailed description of its risks and business continuity plans.

(9) Effective mechanisms, systems and procedures that comply with Directive (EU) 2015/849 of the European Parliament and of the Council (3) and Regulation (EU) 2023/1113 of the European Parliament and of the Council (4) are needed to ensure that applicants appropriately address risks and practices of money laundering and terrorist financing in the provision of crypto-asset services. Thus, applicants should provide in their application for authorisation detailed information on their mechanisms, systems and procedures put in place to prevent risks associated with their business activities in relation to, inter alia, anti-money laundering and counter-terrorist financing.

(10) In accordance with Article 62(2), point (g), of Regulation (EU) 2023/1114, an application for authorisation is to contain proof that the members of the management body are of sufficiently good repute and possess the appropriate knowledge, skills and experience to manage that crypto-asset service provider. In particular, applicants should provide competent authorities with all information about past criminal convictions and with information on pending criminal investigations, civil and administrative cases, penalties, enforcement actions and other adjudicatory proceedings of the members of the management body relating to commercial law, insolvency law, anti-money laundering, counter-terrorist financing, fraud, professional liability. To provide competent authorities with adequate information on the good repute of the members of the management body, applicants should provide the information for those cases directly concerning the member or concerning an organisation of which the member held a position as member of the management body, shareholder or member with qualifying holdings or a key function holder. To ensure that competent authorities receive sufficient information on refusals or withdrawals of, inter alia, registrations, authorisations or memberships related to the applicants’ provision of crypto-asset services, applicants should provide such information about any member of the management body. Furthermore, applicants should provide, for each member of the management body, relevant information to enable competent authorities to assess their professional knowledge, skills and experience in the scope of the position sought and a description of all financial and non-financial interests of the members of the management body that could create potential material conflicts of interest significantly affecting the members’ trustworthiness in the performance of their mandate.

(11) In respect of the requirement of good repute of shareholders and members directly or indirectly holding qualifying holdings in applicant, the application for authorisation should contain all information about their past convictions and pending criminal investigations, civil and administrative cases and other adjudicatory proceedings, and relevant information relating to the certainty and legitimate origin of the funds used to set-up applicants and finance their business so to enable the assessment of any attempt or suspicion of money laundering or terrorist financing.

(12) Due to the decentralised and digital nature of crypto-assets, cybersecurity risks for crypto-asset service providers are significant and take many forms. To ensure that applicants are able to prevent data breaches and financial losses that may be caused by cyberattacks, the information on the applicants’ deployed ICT systems and related security arrangements, as referred to in Article 62(2), point (j), of Regulation (EU) 2023/1114, should include the human resources dedicated to addressing cybersecurity risks.

(13) The segregation of clients’ crypto-assets and funds protects clients from losses of the crypto-asset service provider and from misuse of their crypto-assets and funds. Article 70 of Regulation (EU) 2023/1114 therefore requires crypto-asset service providers to make adequate arrangements to safeguard the ownership rights of clients. That requirement also applies to crypto-asset service providers that do not provide custody and administration services. It is therefore important that the application for authorisation includes information on the segregation of clients’ crypto-assets.

(14) To enable competent authorities to assess the adequacy of applicants’ operating rules of trading platforms for crypto-assets, applicant should detail specific elements in the description of those rules. In particular, applicants should elaborate on aspects of the operating rules relating to the admission to trading, the trading and the settlement of crypto-assets. As regards the admission to trading of crypto-assets, applicants should provide detailed information on rules governing the admission of crypto-assets to trading, the way in which the admitted crypto-assets comply with the applicants’ rules, the types of crypto-assets that applicants will not admit to their trading platform and the reasons for such exclusions, and fees for the admission to trading. As regards the trading of crypto-assets, applicants should specify the elements of the operating rules governing the execution and cancelation of orders orderly trading, transparency and record-keeping. Finally, applicants should include in the description of the operating rules the elements governing the settlement of transactions of crypto-assets concluded on the trading platform, including whether the settlement is initiated in the Distributed Ledger Technology (DLT), the timeframe in which the execution is initiated, the definition of the moment when the settlement is final, all verifications required to ensure the effective settlement of the transaction, and any measure to limit settlement failures.

(15) This Regulation is based on the draft regulatory technical standards submitted to the Commission by the European Securities and Markets Authority and developed in close cooperation with the European Banking Authority.

(16) The European Securities and Markets Authority has conducted open public consultations on the draft regulatory technical standards on which this Regulation is based, analysed the potential related costs and benefits and requested the advice of the Securities and Markets Stakeholder Group established in accordance with Article 37 of Regulation (EU) No 1095/2010 of the European Parliament and of the Council (5).

(17) The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 of the European Parliament and of the Council (6) and delivered formal comments on 21 June 2024,

HAS ADOPTED THIS REGULATION:

Article 1

General information

Legal persons or other undertakings seeking authorisation as a crypto-asset service provider in accordance with Article 62 of Regulation (EU) 2023/1114 (‘applicants’) shall include in their application for authorisation all the following information:

(a) the legal name, telephone number and email address of the applicant;

(b) any commercial or trading name used or to be used by the applicant;

(d) the full name, function, email address and telephone number of the designated contact point or person;

(e) the legal form of the applicant as referred to in Article 62(2), point (b) of Regulation (EU) 2023/1114, including information on whether the applicant is a legal person or other undertaking, and, where available, national identification number of the applicant, and evidence of its registration with the national register of companies;

(f) date and Member State of the applicant’s incorporation or foundation;

(g) where applicable, the instruments of constitution, the articles of association as referred to in Article 62(2), point (c), of Regulation (EU) 2023/1114 and by-laws;

(h) the address of the head office and, where different, of the registered office of the applicant;

(i) information on where the branches will operate, if any, and their legal entity identifiers (LEI), where available;

(j) the domain name of each website operated by the applicant and the social media accounts of that applicant;

(k) where the applicant is not a legal person, documentation to assess whether:

(i) the level of protection of third parties interests and the rights of the holders of crypto-assets, including in case of insolvency, is equivalent to protection afforded by legal persons;

(ii) the applicant is subject to equivalent prudential supervision appropriate to its legal form;

(l) where the applicant intends to operate a trading platform for crypto-assets:

(i) the physical address, telephone number and email address of the trading platform for crypto-assets;

(ii) any commercial name of the trading platform for crypto-assets.

Article 2

Programme of operations

1. For the purposes of Article 62(2), point (d), of Regulation (EU) 2023/1114, applicants shall provide to the competent authority the programme of operations for 3 years following the authorisation, including all the following information:

(a) where the applicant belongs to a group as defined in Article 2, point 11, of Directive 2013/34/EU of the European Parliament and of the Council (7), an explanation of how the activities of the applicant fit within the group strategy and interact with the activities of the other entities of that group, including an overview of the current and planned organisation and structure of that group;

(b) an explanation of how the activities of the entities affiliated with the applicant, including where there are regulated entities in the group, is expected to impact the activities of the applicant;

(c) a list of crypto-asset services that the applicant intends to provide and the types of crypto-assets to which the crypto-asset services relate;

(d) other planned activities, regulated in accordance with Union or national law or unregulated, including any services, other than crypto-asset services, that the applicant intends to provide;

(e) whether the applicant intends to offer crypto-assets to the public or seeks admission to trading of crypto-assets and if so, what type of crypto-assets;

(f) a list of jurisdictions, both in the Union and in third countries, in which the applicant plans to provide crypto-asset services, including information on the targeted number of clients by geographical area;

(g) types of prospective clients targeted by the applicant’s crypto-asset services;

(h) a description of the means of access to the applicant’s crypto-asset services by clients, including all of the following:

(i) the domain names for each website or other ICT-based application through which the crypto-asset services will be provided by the applicant and information on the languages in which the website or other ICT-based application will be available, the types of crypto-asset services that will be accessed through that website or other ICT-based application and, where applicable, from which Member States the website or other ICT-based application will be accessible;

(ii) the name of any ICT-based application available to clients to access the crypto-asset services, the languages in which that ICT-based application is available and the crypto-asset services which can be accessed through that ICT-based application;

(i) the planned marketing and promotional activities and arrangements for the crypto-asset services, including:

(i) all means of marketing to be used for each of the services;

(ii) the intended means of identification of the applicant;

(iii) information on the relevant category of clients targeted;

(iv) types of crypto-assets;

(v) languages that will be used for the marketing and promotional activities;

(j) a detailed description of the human, financial and ICT resources allocated to the intended crypto-asset services, and their geographical location;

(k) the applicant’s outsourcing policy and a detailed description of the applicant’s planned outsourcing arrangements, including intra-group arrangements, and the way that the applicant will comply with Article 73 of Regulation (EU) 2023/1114;

(l) the list of entities that will provide outsourced services, their geographical location and the relevant services outsourced;

(m) a forecast accounting plan including stress scenarios at an individual and, where applicable, consolidated group and sub-consolidated level in accordance with Directive 2013/34/EU;

(n) any exchange of crypto-assets for funds and other crypto-asset activities that the applicant intends to undertake, including through any decentralised finance applications with which the applicant intends to interact on its own account.

For the purposes of point (b), the explanation shall include a list of and information on the entities affiliated with the applicant, including where there are regulated entities, the services provided by those entities, including regulated services, activities and types of clients, and the domain names of each website operated by such entities.

For the purposes of point (k), the applicant shall include information on the functions or person responsible for outsourcing, human and ICT resources allocated to the control of the outsourced functions, services or activities of the related arrangements and on the risk assessment related to the outsourcing.

For the purposes of point (m), the financial forecast shall consider any intra-group loans granted or to be granted by and to the applicant.

2. Where applicants intend to provide the service of reception and transmission of orders for crypto-assets on behalf of clients, they shall provide to competent authorities a copy of the procedures and a description of the arrangements ensuring compliance with Article 80 of Regulation (EU) 2023/1114.

3. Where applicants intend to provide the service of placing of crypto-assets, they shall provide to competent authorities a copy of the procedures to identify, prevent, manage and disclose conflicts of interests and a description of the arrangements in place to comply with Article 79 of Regulation (EU) 2023/1114 and the Commission Delegated Regulation establishing technical standards adopted pursuant to Article 72(5) of Regulation (EU) 2023/1114.

Article 3

Prudential requirements

For the purposes of Article 62(2), point (e), of Regulation (EU) 2023/1114, applicants shall provide to the competent authority all the following information:

(a) a description of the applicant’s prudential safeguards set out in Article 67 of Regulation (EU) 2023/1114, consisting of:

(i) the amount of the prudential safeguards at the time of the application for authorisation and the description of the assumptions used for calculation of that amount;

(ii) the amount of the prudential safeguards covered by own funds referred to in Article 67(4), point (a), of Regulation (EU) 2023/1114, where applicable;

(iii) the amount of the applicant’s prudential safeguards covered by an insurance policy referred to in Article 67(4), point (b), of Regulation (EU) 2023/1114, where applicable;

(b) forecast calculations and plans to determine own funds, including:

(i) forecast calculation of the applicant’s prudential safeguards for the first 3 business years following the authorisation;

(ii) planning assumptions including stress scenarios for the forecast referred to in point (i) and explanations of the figures;

(iii) expected number and type of clients, volume of orders and transactions and volume of crypto assets under custody;

(c) for undertakings or other legal persons that are already active, where available, the financial statements of the last 3 years approved, where audited, by external auditor;

(d) a description of the applicant’s prudential safeguards planning and monitoring procedures in accordance with Article 67(1) of Regulation (EU) 2023/1114;

(e) proof that the applicant meets the prudential safeguards set out in Article 67 of Regulation (EU) 2023/1114, including:

(i) in relation to own funds referred to in Article 67(4), point (a), of Regulation (EU) 2023/1114:

(1) documentation specifying how the applicant has calculated the amount of prudential safeguards in accordance with Article 67 of Regulation (EU) 2023/1114;

(2) for undertakings or other legal persons that are already active and whose financial statements are not audited, a certification by the national supervisor of the amount of own funds of the applicant;

(3) for undertakings in the process of being incorporated, a statement issued by a credit institution certifying that the funds are deposited in the applicant’s account;

(ii) in relation to the insurance policy or comparable guarantee referred to in Article 67(4), point (b) of Regulation (EU) 2023/1114:

(1) the legal name, the date and Member State of incorporation or foundation, the address of the head office and, where different, of the registered office and contact details of the undertaking authorised to provide the insurance policy or comparable guarantee;

(2) a copy of any of the following:

— the subscribed insurance policy incorporating all the elements necessary to comply with Article 67(5) and (6) of Regulation (EU) 2023/1114, where available,

— the insurance agreement incorporating all the elements necessary to comply with Article 67(5) and (6) of Regulation (EU) 2023/1114 signed by an undertaking authorised to provide insurance in accordance with Union or national law.

Article 4

Information about governance arrangements and internal control mechanisms and conflict of interests

1. For the purposes of Article 62(2), points (f) and (i), of Regulation (EU) 2023/1114 applicants shall provide to the competent authority the following information on their governance arrangements and internal control mechanisms:

(a) a detailed description of the organisational structure of the applicant, where relevant encompassing the group, including the indication of the distribution of the tasks and powers and the relevant reporting lines and the internal control arrangements implemented, together with an organisational chart;

(b) the personal details of the heads of internal functions (management, supervisory and internal control functions), including their location and a curriculum vitae, stating relevant education, professional training and professional experience and a description of the knowledge, skills and experience necessary for the discharge of the responsibilities allocated to those heads of internal functions;

(c) the policies and procedures that are sufficiently effective to ensure compliance with Regulation (EU) 2023/1114 in accordance with Article 68(4) of that Regulation and a detailed description of the arrangements ensuring that relevant staff are aware of the procedures to be followed for the proper discharge of their responsibilities, including a detailed description of the procedures for the applicant’s staff to report potential or actual infringements of Regulation (EU) 2023/1114 in accordance with Article 116 of that Regulation;

(d) a detailed description of the arrangements for keeping records of the business and internal organisation of the applicant in accordance with Article 68(9) of Regulation (EU) 2023/1114, including the applicant’s record keeping arrangements in accordance with Commission Delegated Regulation establishing technical standards adopted pursuant to Article 68(10)(b) of Regulation (EU) 2023/1114;

(e) the arrangements enabling the management body to assess and periodically review the effectiveness of the policy arrangements and procedures put in place to comply with Title V, Chapters 2 and 3, of Regulation (EU) 2023/1114 in accordance with Article 68(6) of that Regulation, including all the following:

(i) identification of the internal control functions in charge of monitoring those policy arrangements and procedures, together with the scope of their responsibility and reporting lines to the management body of the applicant;

(ii) indication of the periodicity of internal control functions reporting to the management body of the applicant on the effectiveness of those policy arrangements and procedures;

(iii) explanation specifying:

(1) how the applicant ensures that the internal control functions operate independently and separately from the functions they control;

(2) whether the internal control functions have access to the necessary resources and information;

(3) whether those internal control functions can report directly to the management body of the applicant both at least once a year and on an ad hoc basis, including where they detect a significant risk of failure for the applicant to comply with its obligations under Regulation (EU) 2023/1114;

(iv) a description of the ICT systems, safeguards and controls put in place to monitor the activities of the applicant and to comply with Title V, Chapters 2 and 3, of Regulation (EU) 2023/1114, including back-up systems, and ICT systems and risk controls, where not provided in accordance with Article 9 of this Regulation;

(f) where relevant, a description of the arrangements put in place to prevent and detect market abuse in accordance with Article 92 of Regulation (EU) 2023/1114;

(g) whether the applicant has appointed or will appoint external auditors and, if that is the case, their name and contact details, where available;

(h) the accounting policies and procedures by which the applicant will record and report its financial information, including the start and end dates of the applied accounting year.

2. In accordance with Article 72 of Regulation (EU) 2023/1114 to idenitfy, prevent, manage and diclose conflicts of interest, applicants shall provide to the competent authority all the following information on the management of conflicts of interests:

(a) a copy of the applicant’s conflicts of interest policy, together with a description of how that policy:

(i) ensures that the applicant identifies, prevents and manages conflicts of interests in accordance with Article 72(1) of Regulation (EU) 2023/1114 and discloses conflicts of interest in accordance with Article 72(2) of that Regulation;

(ii) is commensurate to the scale, nature and range of crypto-asset services that the applicant intends to provide and of the other activities of the group to which the applicant belongs;

(iii) ensures that the remuneration policies, procedures and arrangements do not create conflicts of interest;

(b) how the applicant’s conflicts of interest policy ensures compliance with Commission Delegated Regulation establishing technical standards adopted pursuant to Article 72(5) of Regulation (EU) 2023/1114, including information on the systems and arrangements put in place by the applicant to:

(i) monitor, assess, review the effectiveness of its conflicts of interests policy and remedy any deficiencies;

(ii) record cases of conflicts of interests, including the identification, assessment, remedy and the fact whether the case was disclosed to the client.

Article 5

Business continuity plan

1. For the purposes of Article 62(2), point (i), of Regulation (EU) 2023/1114 applicants shall submit to the competent authority a detailed description of the business continuity plan, including the steps to be taken to ensure continuity and regularity in the provision of the applicant’s crypto-asset services.

2. The description referred to in paragraph 1 shall include the following:

(a) details proving that the business continuity plan is appropriate and that arrangements are set up to maintain and periodically test that plan;

(b) with regard to critical or important functions supported by third-party service providers, information on how business continuity is ensured where the quality of the provision of such functions deteriorates to an unacceptable level or fails;

(c) information on how business continuity is ensured in the event of the death of a key person and, where relevant, political risks in the service provider’s jurisdiction.

Article 6

Detection and prevention of money laundering and terrorist financing

For the purposes of Article 62(2), point (i), of Regulation (EU) 2023/1114, applicants shall provide the competent authority with information on their internal control mechanisms, policies and procedures to comply with the provisions of national law transposing Directive (EU) 2015/849 and the risk assessment framework to manage risks relating to money laundering and terrorist financing, including all of the following:

(a) the applicant’s assessment of the inherent and residual risks of money laundering and terrorist financing associated with its business, including the risks relating to:

(i) the applicant’s customer base;

(ii) services provided;

(iii) distribution channels used;

(iv) geographical areas of operation;

(b) the measures that the applicant has or will put in place to prevent the identified risks and comply with applicable anti-money laundering and counter-terrorist financing requirements, including the applicant’s risk assessment process, the policies and procedures to comply with customer due diligence requirements, and the policies and procedures to detect and report suspicious transactions or activities;

(c) detailed information on how those internal control mechanisms, policies and procedures are adequate and proportionate to the scale, nature, inherent risk of money laundering and terrorist financing, range of crypto-asset services provided, complexity of the business model and how those mechanisms, policies and procedures ensure compliance with Directive (EU) 2015/849 and Regulation (EU) 2023/1113;

(d) the identity of the person in charge of ensuring compliance with anti-money laundering and counter-terrorist financing requirements, and evidence of that person’s knowledge, skills and experience;

(e) arrangements, human and financial resources ensuring that the staff of the applicant is appropriately trained in anti-money laundering and counter-terrorist financing matters (annual indications) and on specific crypto-asset related risks;

(f) a copy of the applicant’s anti-money laundering and counter-terrorism policies, procedures and systems;

(g) the frequency of the assessment of the adequacy and effectiveness of those internal control mechanisms, policies and procedures, and the person or function responsible for such assessment.

Article 7

Identity and proof of good repute, knowledge, skills and experience, and of sufficient time commitment of the members of the management body

1. For the purposes of Article 62(2), point (g), of Regulation (EU) 2023/1114, applicants shall provide the competent authority with all the following information for each member of the management body:

(a) the full name and, where different, name at birth;

(b) the place and date of birth, address and contact details of the current place of residence and of any other place of residence in the past 10 years, nationality or nationalities, national identification number and copy of an official identity document or equivalent;

(c) details of the position held or to be held by the member of the management body, including whether the position is executive or non-executive, the start date or planned start date and, where applicable, the duration of mandate, and a description of the member’s key duties and responsibilities;

(d) a curriculum vitae stating relevant education, professional training and professional experience with the name and nature of all organisations for which the member has worked and the nature and duration of the functions performed for positions held in the previous 10 years, in particular highlighting any activities within the scope of the position sought, including professional experience relevant to financial services, crypto-assets, or other digital assets, DLT, information technology, cybersecurity, or digital innovation;

(e) documentation relating to the member’s reputation and experience, in particular a list of reference persons including contact information and letters of recommendation;

(f) member’s history, namely all the following:

(i) absence of a criminal record;

(ii) information on pending criminal proceedings or investigations or penalties (relating to commercial law, financial services law, money laundering, and terrorist financing, fraud or professional liability), information on enforcement proceedings or sanctions, information on relevant civil and administrative cases and disciplinary actions, including disqualification as a company director, bankruptcy, insolvency and similar procedures;

(iii) information on any refusal, withdrawal, revocation or termination of registration, authorisation, membership or licence to carry out a trade, business or profession, or any expulsion by a regulatory or government body, professional body or association;

(iv) information on dismissal from a position of trust, fiduciary relationship, or similar situation of trust or relationship;

(v) information on whether any authority has assessed the reputation of the individual, including the identity of that authority, the date of the assessment and information about the outcome of that assessment;

(g) a description of any financial and non-financial interests or relationships of the member and close relatives of that member to other members of the management body and key function holders in the same institution, the parent institution, subsidiaries and shareholders; that could create potential conflicts of interest.

(h) where a material conflict of interest is identified, a statement of how that conflict will be mitigated or remedied, including a reference to the outline of the conflicts of interest policy;

(i) information on the time that will be devoted to the performance of the member’s functions within the applicant, including all of the following:

(i) the estimated minimum time, per year and per month, that the member will devote to the performance of his or her functions within the applicant;

(ii) a list of the other executive and non-executive directorships that the member holds, referring to commercial and non-commercial activities or set up for the sole purposes of managing the economic interests of the member concerned;

(iii) information on the size and complexity of the companies or organisations where the directorships referred to in point (ii) are held, including total assets, based on the last available annual accounts whether or not the company is listed and the number of employees of those companies or organisations;

(iv) a list of any additional responsibilities associated with the directorships referred to in point (ii), including chairing a committee;

(v) the estimated time in days per year dedicated to each of the other directorships referred to in point (ii) and the number of meetings per year dedicated to each mandate.

For the purposes of point (d), applicant shall include details on all delegated powers and internal decision-making powers held and the areas of operations under control.

For the purposes of points (f)(i) and (ii), applicants shall provide the information through an official certificate, where available from the relevant Member State or third country, or through another equivalent document, where such certificate does not exist. Official records, certificates and documents shall have been issued within 3 months before the submission of application for authorisation. For ongoing investigations, the information may be provided through a declaration of honour.

For the purposes of point (f)(iv), the applicant shall not be required to submit the information about the previous assessment where the competent authority already has such information.

For the purposes of point (g), the description shall include any financial interests, including crypto assets, other digital assets, loans, shareholdings, guarantees or security interests, whether granted or received, commercial relationships, legal proceedings and whether the person was a politically exposed person as defined in Article 3, point (9), of Directive (EU) 2015/849 over the past 2 years.

2. An applicant seeking authorisation as a crypto-asset service provider in accordance with Article 62 of Regulation (EU) 2023/1114 shall provide to the competent authority the results of any suitability assessment of each member of the management body performed by the applicant, and the results of the assessment of the collective suitability of the management body, including the suitability assessment report or documents on the outcome of the suitability assessment.

Article 8

Information relating to shareholders or members with qualifying holdings

For the purposes of Article 62(2), point (h), of Regulation (EU) 2023/1114, applicants shall provide to the competent authority all the following information:

(a) a detailed organigram of the holding structure of the applicant, including the breakdown of its capital and voting rights and the names of the shareholders or members with qualifying holdings;

(b) for each shareholder or member having a direct or indirect qualifying holding in the applicant, the information and documents set out in Articles 1 to 4 of Commission Delegated Regulation (EU) 2025/414 (8) as applicable;

(c) the identity of each member of the management body that will direct the business of the applicant and will be appointed by, or following a nomination from, such shareholder or member with qualifying holdings;

(d) for each shareholder or member having a direct or indirect qualifying holding in the applicant, information on the number and type of shares or other holdings subscribed, their nominal value, any premium paid or to be paid, any security interests or encumbrances, including the identity of the secured parties;

(e) information referred to in Article 6, points (b), (d) and (e), and Article 8 of Commission Delegated Regulation (EU) 2025/414.

Article 9

ICT systems and related security arrangements

For the purposes of Article 62(2), point (j), of Regulation (EU) 2023/1114, applicants shall provide to the competent authority the following information:

(a) technical documentation of the ICT systems, DLT infrastructure relied upon, where relevant, and the security arrangements, including a description of the arrangements and deployed ICT and human resources established to comply with Regulation (EU) 2022/2554 of the European Parliament and of the Council (9)as follows:

(i) a description of how the applicant ensures a sound, comprehensive and well-documented ICT risk management framework as part of its overall risk management system, including a detailed description of ICT systems, protocols and tools and of how the applicant’s procedures, policies and systems to safeguard the security, integrity, availability, authenticity and confidentiality of data comply with Regulations (EU) 2022/2554 and (EU) 2016/679;

(ii) an identification of ICT services supporting critical or important functions, developed or maintained by the applicant, and ICT services supporting critical or important functions provided by third-party service providers, a description of such contractual arrangements (identity and geographical location of the providers, description of the outsourced activities or ICT services with their main characteristics, copy of contractual agreements) and how those arrangements comply with Article 73 of Regulation (EU) 2023/1114 and Chapter V of Regulation (EU) 2022/2554;

(iii) a description of the applicant’s procedures, policies, arrangements and systems for security and incident management;

(b) if available, a description of a cybersecurity audit conducted by a third-party cybersecurity auditor having sufficient experience in accordance with Commission Delegated Regulation establishing technical standards adopted pursuant to Article 26(11) fourth subparagraph of Regulation (EU) 2022/2554 covering ideally the following audits or tests:

(i) organisational cybersecurity, physical security and secure software development lifecycle arrangements;

(ii) vulnerability assessments and scans and, network security assessments;

(iii) configuration reviews of ICT assets supporting critical and important functions as defined in Article 3, point (22) of Regulation (EU) 2022/2554;

(iv) penetration tests on the ICT assets supporting critical and important functions as defined in Article 3, point (17) of Regulation (EU) 2022/2554, in accordance with all the following audit test approaches:

(1) black box: the auditor has no information other than the IP addresses and URLs associated with the audited target. This phase is generally preceded by the discovery of information and the identification of the target by querying domain name system (DNS) services, scanning open ports, discovering the presence of filtering equipment, etc.;

(2) grey box phase: auditors have the knowledge of a standard user of the information system (legitimate authentication, ‘standard’ workstation, etc.). The identifiers can belong to different user profiles in order to test different privilege levels;

(3) white box phase: auditors have as much technical information as possible (architecture, source code, telephone contacts, identifiers, etc.) before starting the analysis and also access to technical contacts related to the target;

(v) where the applicant uses and/or develops smart-contracts, a cybersecurity source code review of them;

(c) a description of conducted audits of the ICT systems, if any, including used DLT infrastructure and security arrangements;

(d) a description of the relevant information referred to in points (a) and (b) in non-technical language.

Article 10

Segregation and safekeeping of clients’ crypto-assets and funds

1. For the purposes of Article 62(2), point (k), of Regulation (EU) 2023/1114, applicants that intend to hold crypto-assets belonging to clients or the means of access to such crypto-assets, or clients’ funds, other than e-money tokens, shall provide to the competent authority a detailed description of their procedures for the segregation of clients’ crypto assets and funds, including all of the following:

(a) how the applicant ensures that:

(i) clients’ funds are not used for its own account;

(ii) crypto-assets belonging to the clients are not used for its own account;

(iii) the wallets holding clients’ crypto-assets are different from the applicant’s own wallets;

(b) a detailed description of the approval system for cryptographic keys and safeguarding of cryptographic keys, including multi-signature wallets;

(c) how the applicant segregates clients’ crypto-assets, including from other clients’ crypto-assets where wallets contain crypto-assets of more than one client (omnibus accounts);

(d) a description of the procedure ensuring that clients’ funds, other than e-money tokens, are deposited with a central bank or a credit institution by the end of the business day following the day on which those funds were received and held in an account separately identifiable from any accounts used to hold funds belonging to the applicant;

(e) where the applicant does not intend to deposit funds with the relevant central bank, which factors the applicant takes into account to select the credit institutions with which to deposit clients’ funds, including the applicant’s diversification policy, where available, and the frequency of review of the selection of credit institutions with which to deposit clients’ funds;

(f) how the applicant ensures that clients are informed in clear, concise and non-technical language about the key aspects of the applicant’s systems, policies and procedures to comply with Article 70(1), (2) and (3) of Regulation (EU) 2023/1114.

2. In accordance with Article 70(5) of Regulation (EU) 2023/1114, crypto-asset service providers that are electronic money institutions or payment institutions shall only provide the information referred to in paragraph 1 of this Article in relation to the segregation of clients’ crypto-assets.

Article 11

Complaints-handling procedures

For the purposes of Article 62(2), point (l), of Regulation (EU) 2023/1114, applicants shall provide to the competent authority a detailed description of their complaints-handling procedures, including all the following:

(a) information on the human and technical resources allocated to complaints handling;

(b) information on the person in charge of the resources dedicated to the management of complaints, together with a curriculum vitae stating relevant education, professional training and professional experience justifying the knowledge, skills, and experience for the discharge of the responsibilities allocated to that person;

(c) how the applicant ensures compliance with Commission Delegated Regulation establishing technical standards adopted pursuant to Article 71(5) of Regulation (EU) 2023/1114;

(d) how the applicant will inform clients or potential clients of the possibility to file a complaint free of charge, where that information is available on the applicant’s website, or on any other relevant digital device that may be used by clients to access the crypto-asset services and the content of the information provided;

(e) the applicant’s record-keeping arrangements in relation to complaints;

(f) the timeline provided in the complaints-handling procedures of the applicant to investigate, respond and, where appropriate, take measures in response to complaints received;

(g) how the applicant will inform clients or potential clients of the available remedies;

(h) the procedural key steps of the applicant in deciding on a complaint and how the applicant will communicate that decision to the client or potential client that filed the complaint.

Article 12

Custody and administration policy

For the purposes of Article 62(2), point (m), of Regulation (EU) 2023/1114, applicants that intend to provide custody and administration of crypto-assets on behalf of clients shall provide to the competent authority all of the following information:

(a) a description of the arrangements linked to the type of custody offered to clients, a copy of the applicant’s standard agreement for the custody and administration of crypto-assets on behalf of clients pursuant to Article 75(1) of Regulation (EU) 2023/1114and a copy of the summary of the custody policy made available to clients in accordance with Article 75(3) of Regulation (EU) 2023/1114;

(b) the applicant’s custody and administration policy, including a description of identified sources of operational and ICT risks for the safekeeping and control of the crypto-assets or the means of access to the crypto-assets of clients, together with a description of:

(i) the policies and procedures and a description of the arrangements to comply with Article 75(8) of Regulation (EU) 2023/1114;

(ii) the policies and procedures, and a description of the systems and controls to manage operational and ICT risks, including where the custody and administration of crypto-assets on behalf of clients is outsourced to a third party;

(iii) the policies and procedures relating to, and a description of, the systems ensuring the exercise of the rights attached to the crypto-assets by the clients;

(iv) the procedures and a description of the systems ensuring the return of crypto-assets or the means of access to the clients;

(d) information on arrangements to minimise the risk of loss of crypto-assets or of means of access to crypto-assets;

(e) where the crypto-asset service provider has delegated the provision of custody and administration of crypto-assets on behalf of clients to a third-party:

(i) information on the identity of any third-party providing the custody and administration of crypto-assets and its status in accordance with Article 59 or Article 60 of Regulation (EU) 2023/1114;

(ii) a description of any functions relating to the custody and administration of crypto-assets delegated by the crypto-asset service provider, the list of any delegates and sub-delegates, as applicable, and any conflicts of interest that could arise from such a delegation;

(iii) a description of how the applicant intends to supervise the delegations or sub-delegations.

Article 13

Operating rules of the trading platform and market abuse detection

1. For the purposes of Article 62(2), point (n), of Regulation (EU) 2023/1114, applicants that intend to operate a trading platform for crypto-assets shall provide to the competent authority all of the following information:

(a) the rules on the admission of crypto-assets to trading;

(b) the approval process for admitting crypto-assets to trading, including the customer due diligence carried out in accordance with Directive (EU) 2015/849;

(d) the policies, procedures and fees for the admission to trading, together with a description, where relevant, of membership, rebates and the related conditions;

(e) the rules governing order execution, including any cancellation procedures for executed orders and for disclosing such information to market participants;

(f) the policies, procedures and methods put in place to assess the suitability of crypto-assets in accordance with Article 76(2) of Regulation (EU) 2023/1114;

(g) the systems, procedures and arrangement put in place to comply with Article 76(7), of Regulation (EU) 2023/1114;

(h) the manner of making public any bid and ask prices, the depth of trading interests at those prices that are advertised for crypto-assets through their trading platforms and price, volume and time of transactions executed in respect of crypto-assets traded on their trading platform, in accordance with Article 76(9) and (10) of Regulation (EU) 2023/1114;

(i) the fee structures and a justification of how those fee structures comply with Article 76(13) of Regulation (EU) 2023/1114;

(j) the systems, procedures and arrangements put in place to keep data relating to all orders at the disposal of the competent authority or the mechanism to ensure that the competent authority has access to the order book and any other trading system;

(k) with regards to the settlement of transactions:

(i) whether the final settlement of transactions is initiated on the distributed ledger or outside the distributed ledger;

(ii) the timeframe within which the final settlement of crypto-asset transactions is initiated;

(iii) the way to verify the availability of funds and crypto-assets;

(iv) the way to confirm the relevant details of transactions;

(v) the measures foreseen to limit settlement fails;

(vi) the moment at which settlement is final and the moment at which final settlement is initiated following the execution of the transaction;

(l) the policies, procedures and systems put in place to detect and prevent market abuse, including information on the communications to the competent authority of possible market abuse cases.

2. Applicants that intend to operate a trading platform for crypto-assets shall provide to the competent authority a copy of the operating rules of the trading platform and of any procedures and systems to detect and prevent market abuse.

Article 14

Exchange of crypto-assets for funds or other crypto-assets

For the purposes of Article 62(2), point (o), of Regulation (EU) 2023/1114, applicants that intend to exchange crypto-assets for funds or other crypto-assets shall provide to the competent authority all of the following information:

(a) a description of the commercial policy established in accordance with Article 77(1) of Regulation (EU) 2023/1114;

(b) a description of the method for determining the price of the crypto-assets that the applicant proposes to exchange for funds or other crypto-assets in accordance with Article 77(2) of Regulation (EU) 2023/1114, including how the volume and market volatility of crypto-assets impact the pricing mechanism.

Article 15

Execution policy

For the purposes of Article 62(2), point (p), of Regulation (EU) 2023/1114, applicants that intend to execute orders for crypto-assets on behalf of clients shall provide to the competent authority their execution policy, including all of the following:

(a) the arrangements ensuring that the client has provided consent on the execution policy prior to the execution of the order;

(b) a list of the trading platforms for crypto-assets on which the applicant will rely for the execution of orders and the criteria for the assessment of execution venues included in the execution policy in accordance with Article 78(6) of Regulation (EU) 2023/1114;

(c) which trading platforms the applicant intends to use for each type of crypto-assets and confirmation that the applicant will not receive any form of remuneration, discount or non-monetary benefit in return for routing orders received to a particular trading platform for crypto-assets;

(d) how the execution takes into account price, costs, speed, likelihood of execution and settlement, size, nature, conditions of custody of the crypto-assets or any other relevant factors that are considered as part of all necessary steps to obtain the best possible result for the client;

(e) where applicable, the arrangements for informing clients that the applicant will execute orders outside a trading platform and how the applicant will obtain the prior express consent of its clients before executing such orders;

(f) how the client is warned that any specific instructions from a client may prevent the applicant from taking the necessary steps, in line with the arrangements that the applicant has established and implemented in its execution policy, to obtain the best possible result for the execution of those orders in respect of the elements covered by those instructions;

(g) the selection process for trading venues, execution strategies employed, the arrangements used to analyse the quality of execution obtained and how the applicant monitors and verifies that the best possible results were obtained for clients;

(h) the arrangements to prevent the misuse of any information relating to clients’ orders by the employees of the applicant;

(i) the arrangements and procedures for how the applicant will disclose to clients information on its order execution policy and notify them of any material changes to their order execution policy;

(j) the arrangements to demonstrate compliance with Article 78 of Regulation (EU) 2023/1114 to the competent authority, upon the request of that competent authority.

Article 16

Provision of advice on crypto-assets or portfolio management of crypto-assets

For the purposes of Article 62(2), point (q), of Regulation (EU) 2023/1114, applicants that intend to provide advice on crypto-assets or portfolio management of crypto-assets shall provide to the competent authority all of the following information:

(a) a detailed description of the arrangements put in place by the applicant to comply with Article 81(7) of Regulation (EU) 2023/1114, including the following:

(i) the mechanisms to control, assess and maintain effectively the knowledge and expertise of the natural persons giving advice on crypto-assets or managing portfolios of crypto-assets;

(ii) the arrangements ensuring that natural persons involved in the provision of advice or portfolio management are aware of, understand and apply the applicant’s internal policies and procedures established to comply with Regulation (EU) 2023/1114, in particular with Article 81(1) of that Regulation and with Directive (EU) 2015/849;

(iii) the amount of human and financial resources planned to be devoted on a yearly basis by the applicant to the professional development and training of the staff giving advice on crypto-assets or managing portfolio of crypto-assets;

(b) the mechanisms to control, assess and maintain effectively the knowledge and competence of the natural persons giving advice on behalf of the applicant have the necessary knowledge and competence, according to the criteria for such assessment used in national legislation, so as to conduct the suitability assessment referred to in Article 81(1) of Regulation (EU) 2023/1114.

Article 17

Transfer services

For the purposes of Article 62(2), point (r), of Regulation (EU) 2023/1114, applicants that intend to provide transfer services for crypto-assets on behalf of clients shall provide to the competent authority all of the following information:

(a) details on the types of crypto-assets for which the applicant intends to provide transfer services;

(b) a detailed description of the arrangements put in place by the applicant to comply with Article 82 of Regulation (EU) 2023/1114, including detailed information on the applicant’s arrangements and deployed ICT and human resources to address risks promptly, efficiently and thoroughly during the provision of transfer services for crypto-assets on behalf of clients, taking into account potential operational failures and cybersecurity risks;

(c) where available, a description of the applicant’s insurance policy, including on the insurance’s coverage of detriment to client’s crypto-assets that may result from cyber security risks;

(d) arrangements to ensure that clients are adequately informed about the policies, procedures and arrangements referred to in point (b).

Article 18

Entry into force

This Regulation shall enter into force on the twentieth day following that of its publication in the

Official Journal of the European Union

This Regulation shall be binding in its entirety and directly applicable in all Member States.

Done at Brussels, 31 October 2024.

For the Commission

The President

Ursula VON DER LEYEN

(1)

OJ L 150, 9.6.2023, p. 40

, ELI:

http://data.europa.eu/eli/reg/2023/1114/oj

(2) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (

OJ L 119, 4.5.2016, p. 1

, ELI:

http://data.europa.eu/eli/reg/2016/679/oj

(3) Directive (EU) 2015/849 of the European Parliament and of the Council of 20 May 2015 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, amending Regulation (EU) No 648/2012 of the European Parliament and of the Council, and repealing Directive 2005/60/EC of the European Parliament and of the Council and Commission Directive 2006/70/EC (

OJ L 141, 5.6.2015, p. 73

, ELI

http://data.europa.eu/eli/dir/2015/849/oj

(4) Regulation (EU) 2023/1113 of the European Parliament and of the Council of 31 May 2023 on information accompanying transfers of funds and certain crypto-assets and amending Directive (EU) 2015/849 (

OJ L 150, 9.6.2023, p. 1

, ELI:

http://data.europa.eu/eli/reg/2023/1113/oj

(5) Regulation (EU) No 1095/2010 of the European Parliament and of the Council of 24 November 2010 establishing a European Supervisory Authority (European Securities and Markets Authority), amending Decision No 716/2009/EC and repealing Commission Decision 2009/77/EC (

OJ L 331, 15.12.2010, p. 84

, ELI

http://data.europa.eu/eli/reg/2010/1095/oj

(6) Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (

OJ L 295, 21.11.2018, p. 39

, ELI

http://data.europa.eu/eli/reg/2018/1725/oj

(7) Directive 2013/34/EU of the European Parliament and of the Council of 26 June 2013 on the annual financial statements, consolidated financial statements and related reports of certain types of undertakings, amending Directive 2006/43/EC of the European Parliament and of the Council and repealing Council Directives 78/660/EEC and 83/349/EEC (

OJ L 182, 29.6.2013, p. 19

, ELI:

http://data.europa.eu/eli/dir/2013/34/oj

(8) Commission Delegated Regulation (EU) 2025/414 of 18 December 2024 supplementing Regulation (EU) 2023/1114 of the European Parliament and of the Council with regard to regulatory technical standards specifying the detailed content of information necessary to carry out the assessment of a proposed acquisition of a qualifying holding in a crypto-asset service provider (

OJ L, 2025/414, 31.3.2025, ELI: http://data.europa.eu/eli/reg_del/2025/414/oj

(9) Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (

OJ L 333, 27.12.2022, p. 1

, ELI:

http://data.europa.eu/eli/reg/2022/2554/oj

ELI: http://data.europa.eu/eli/reg_del/2025/305/oj

ISSN 1977-0677 (electronic edition)