Art. 59 Amendments to Regulation (EC) No 1060/2009 | DORA regulation | DORA

This article is an amending provision, meaning it does not introduce standalone rules but instead integrates DORA's requirements into the existing Credit Rating Agencies Regulation (Regulation (EC) No 1060/2009).

It does two things: it updates the organisational requirements for credit rating agencies to explicitly include ICT system management in line with DORA, and it updates the list of infringements to reflect that failure to comply with those ICT requirements constitutes a breach.

Important points:

Credit rating agencies must manage ICT systems in accordance with DORA, alongside their existing administrative, control, and risk assessment obligations.
Failure to meet these ICT management requirements is explicitly classified as an infringement under the Credit Rating Agencies Regulation.
This article connects DORA to the Credit Rating Agencies Regulation, ensuring that credit rating agencies fall within DORA's broader ICT compliance framework.

Regulation (EC) No 1060/2009 is amended as follows:

in Annex I, Section A, point 4, the first subparagraph is replaced by the following:
‘A credit rating agency shall have sound administrative and accounting procedures, internal control mechanisms, effective procedures for risk assessment, and effective control and safeguard arrangements for managing ICT systems in accordance with Regulation (EU) 2022/2554 of the European Parliament and of the Council(⁴⁰).
in Annex III, point 12 is replaced by the following:
‘The credit rating agency infringes Article 6(2), in conjunction with point 4 of Section A of Annex I, by not having sound administrative or accounting procedures, internal control mechanisms, effective procedures for risk assessment, or effective control or safeguard arrangements for managing ICT systems in accordance with Regulation (EU) 2022/2554; or by not implementing or maintaining decision-making procedures or organisational structures as required by that point.’.