Source: OJ L, 2025/1125, 15.9.2025Current language: EN
- Markets in crypto-assets
ART/EMT issuer
- RTS on ART issuer authorisation
Article 5 Information on the internal control framework
Summary What does Article 5 of the RTS on ART issuer authorisation say?
This is a notably detailed article that sets out the operational resilience and internal control requirements that applicant issuers of asset-referenced tokens must document as part of their authorisation application.
Building on the governance and organisational requirements covered in Article 4, this article goes deeper into the practical frameworks that must be in place, covering internal controls, ICT systems, business continuity, DLT governance, and anti-money laundering arrangements with any associated crypto-asset service providers.
The breadth of coverage reflects the regulator's intent to ensure applicants can demonstrate genuine operational readiness, not just structural compliance.
Important points:
- Include a full internal control framework in your application, covering compliance, risk management, internal audit, and segregation of duties, along with a risk appetite statement and risk tolerance measures.
- Demonstrate compliance with DORA (Regulation (EU) 2022/2554) by documenting ICT systems, security policies, a business continuity plan, and, where a proprietary DLT is used, a technical and security audit report on its functioning.
- Where cooperation arrangements with crypto-asset service providers are envisaged, include a description of their anti-money laundering and counter-terrorist financing controls, along with a forward-looking assessment of their continued compliance over the three-year business plan horizon.
Springlex's summary of the article, a reading aid, not a substitute for the legal text.
The application for authorisation shall contain a comprehensive description of the applicant issuer’s internal control framework, including all of the following:
a comprehensive description of the internal compliance function as part of the internal control mechanism according to Article 34(10) of Regulation (EU) 2023/1114 having sufficient authority, stature, resources and direct access to the management body;
a comprehensive description of the risk management framework, and of the risk management function where it is established, or where in accordance with proportionality in terms of size, complexity and risk profile, it is entrusted to a third-party provider, of the related third-party arrangements in accordance with Article 4(2);
a comprehensive description of the risk management systems and controls, explaining the applicant issuer’s strategy for identifying, assessing, monitoring, mitigating and reporting all risks the applicant issuer is or might be exposed to, including risks to the holders of an asset-referenced token, market, liquidity, concentration, operational, ICT, reputational, legal, conduct, compliance, ESG, money laundering and terrorism financing and strategic risks;
a comprehensive description of the internal audit function as part of the internal control mechanism according to Article 34(10) of Regulation (EU) 2023/1114 where that is established, or, where in accordance with proportionality in terms of size, complexity and risk profile of the activities of the issuer applicant, that mechanism has been entrusted to a third party provider, a comprehensive description of the arrangements with the third-party that shall include all of the elements referred to in Article 4(2), points (a) to (g) of this Regulation, as well as the name and contact details of the external auditor appointed;
an explanation of the governance arrangements implemented to ensure the separation and adequate segregation of duties of the business lines and units from the internal control functions as part of the internal control mechanism according to Article 34(10) of Regulation (EU) 2023/1114, and an explanation of the arrangements implemented to ensure the independence of the internal control functions, including through their direct access to the management body in its management and in its supervisory function.
For the purposes of point (c), the description shall also include the applicant issuer’s risk appetite statement and its risk tolerance, including the envisaged procedures and measures to manage the identified risks within the risk appetite.
The application for authorisation shall contain a description of the arrangements and assigned ICT and human resources to ensure that the applicant issuer complies with Regulation (EU) 2022/2554, including all of the following information in relation to the applicant issuer’s ICT systems, protocols and tools:
a detailed technical documentation including a description of the ICT risk management framework in accordance with Article 6(1) of Regulation (EU) 2022/2554, demonstrating the applicant issuer’s ability to address ICT risk rapidly, efficiently and comprehensively and to ensure a high level of digital operational resilience;
details showing that the applicant issuer maintains updated ICT systems, protocols and tools that are appropriate, reliable, equipped with sufficient capacity to accurately process the data necessary for the performance of activities and the timely provision of services, and technologically resilient in accordance with Article 7 of Regulation (EU) 2022/2254;
a detailed description of the security policy demonstrating that the applicant issuer’s systems and procedures are capable to protect the availability, authenticity, integrity and confidentiality of data, information assets and ICT assets, including those of their customers in accordance with Article 9(4) of Regulation (EU) 2022/2554;
a comprehensive description of the ICT process and systems showing the ability to provide the applicant issuer with reliable information and data to support data reporting requirements.
The application for authorisation shall contain a description of the business continuity plan and policy ensuring the applicant issuer’s ability to operate on an ongoing basis and to limit losses in the event of severe business disruption. For that purpose, the business continuity plan shall include:
the mapping of the essential data and functions;
an overview of available back-up and recovery systems;
a description of the availability of key staff in business continuity situations in accordance with Article 34(8) of Regulation (EU) 2023/1114 and Article 11(1) of Regulation (EU) 2022/2554.
Where asset-referenced tokens are issued, stored and transferred using a proprietary DLT or similar technology operated by the applicant issuer or by a third party acting on its behalf, the application for authorisation shall demonstrate the functioning of the DLT or similar technology covering all the following:
the description of the applicant issuer’s legal title towards the DLT or similar technology, whether it is right of property or other contractual relationships providing control of the distributed ledger technology or of the similar technology to the applicant issuer, irrespective of the circumstance that the DLT is operated by a different undertaking;
the name and contact details of the operator or operators of the DLT, if different from the applicant issuer;
the applicant issuer’s or third-party operator’s plan on risk identification, monitoring, assessment, mitigation, and prevention, also having regard to the potential spill-over to other crypto-assets issued, transferred or stored on that DLT and the related crypto-asset service providers, and the plan on the regular technological maintenance and update of the DLT or of similar technology;
a technical and security audit report on the consistency of the DLT functioning with quality standards in use in the market, and on the appropriateness and adequacy of the plans referred to in point (c);
in case the proprietary DLT is permissioned, a detailed description of the transparency mechanisms.
Where cooperation arrangements between the applicant issuer and specific crypto-assets service providers are envisaged, the application for authorisation shall contain a detailed description of the crypto-asset service provider’s current internal control mechanisms and procedures ensuring compliance with the obligations in relation to the prevention of money laundering and terrorist financing under Directive (EU) 2015/849 and, where applicable, Regulation (EU) 2023/1113. Such detailed description shall include a forward-looking assessment of the continuous compliance with such obligation for the three-year time horizon of the applicant issuer’s business plan. Such description and forward-looking assessment prepared by the specific crypto-asset service provider may be exchanged by the competent authority with the competent authorities for anti-money laundering and counter-terrorist financing, financial intelligence units or other public bodies, in accordance with Article 20(2), second subparagraph, of Regulation (EU) 2023/1114.
Springlex and this text is meant purely as a documentation tool and has no legal effect. No liability is assumed for its content. The authentic version of this act is the one published in the Official Journal of the European Union.
Definition
placing of crypto-assets
Definition
applicant issuer
Definition
official currency
Definition
distributed ledger
Definition
reception and transmission of orders for crypto-assets on behalf of clients
Definition
exchange of crypto-assets for funds
Definition
consensus mechanism
Definition
operation of a trading platform for crypto-assets
Definition
e-money token
Definition
crypto-asset service
- providing custody and administration of crypto-assets on behalf of clients;
- operation of a trading platform for crypto-assets;
- exchange of crypto-assets for funds;
- exchange of crypto-assets for other crypto-assets;
- execution of orders for crypto-assets on behalf of clients;
- placing of crypto-assets;
- reception and transmission of orders for crypto-assets on behalf of clients;
- providing advice on crypto-assets;
- providing portfolio management on crypto-assets;
- providing transfer services for crypto-assets on behalf of clients;
Definition
offer to the public
Definition
providing advice on crypto-assets
Definition
offeror
Definition
execution of orders for crypto-assets on behalf of clients
Definition
DLT
Definition
management body
Definition
crypto-asset service provider
Definition
crypto-asset
Definition
DLT network node
Definition
funds
Definition
client
Definition
asset-referenced token
Definition
issuer
Definition
exchange of crypto-assets for other crypto-assets
Definition
electronic money token
Definition
providing custody and administration of crypto-assets on behalf of clients
Definition
providing transfer services for crypto-assets on behalf of clients
Definition
distributed ledger technology
Definition
competent authority
- designated by each Member State in accordance with Article 93 concerning offerors, persons seeking admission to trading of crypto-assets other than asset-referenced tokens and e-money tokens, issuers of asset-referenced tokens, or crypto-asset service providers;
- designated by each Member State for the application of Directive 2009/110/EC concerning issuers of e-money tokens;