Source: OJ L, 2025/299, 13.2.2025Current language: EN
- Markets in crypto-assets
Crypto-asset service provider
- RTS on continuity and regularity
Article 4 Business continuity plans
When implementing the business continuity policy referred to in Article 68(7) of Regulation (EU) 2023/1114, crypto-asset service providers shall establish business continuity plans. The business continuity plans shall set out the procedures necessary to protect and, where necessary, re-establish:
the confidentiality, integrity, and availability of client data;
the availability of the business functions, supporting processes and information assets of the crypto-asset service providers.
The business continuity plans shall contain the following:
a range of possible adverse scenarios relating to the operation of critical or important functions, including the unavailability of business functions, staff, workspace, external suppliers, data centres, or loss or alteration of critical data and documents;
the procedures and policies to be followed in case of a disruptive incident, including:
the measures that are necessary to recover critical or important functions;
the deadlines by which those critical or important functions are to be recovered;
recovery point objectives;
the maximum time to resume services;
the procedures and policies for relocating the business functions used to provide crypto-asset services to a back-up site;
back-up of critical business data, including up-to-date information of the necessary contacts to ensure communication inside the crypto-asset service provider, between the crypto-asset service provider and its clients;
procedures for timely communications with clients and other external stakeholders, including competent authorities.
In the event of a disruption involving a permissionless distributed ledger used by the crypto asset service provider in the provision of its services, the communications referred to in paragraph 2, point (e) shall include the following information:
when the services are expected to be resumed;
the reasons and the impact of the disruptive incident;
any risks concerning clients’ funds and crypto-assets held on their behalf;
measures that the crypto-asset service intends to take in response to the disruption of a permissionless distributed ledger.
Where that information is not readily available to the crypto-asset service provider, the crypto-asset service provider shall communicate updates as regards the information in the first subparagraph to clients and stakeholders, including competent authorities, on a best effort basis.
The business continuity plans shall contain procedures to address any disruptions of outsourced critical or important functions, including where those critical or important functions become unavailable.
Relevant recitals
Recital 2 Communicating permissionless distributed ledger disruptions
In providing their services, crypto-asset service providers may use a distributed ledger over which they have no control, including a permissionless distributed ledger. In that case, they may not be capable of ensuring the regularity and continuity of their services when disruptions are caused by problems that are inherent to the operation of such distributed ledgers. To mitigate market volatility that may have an adverse impact on clients affected by such disruptions, crypto-asset service providers should include in their business continuity policy measures for timely communication with clients and other external stakeholders. Such communication should include essential and timely information for clients on such disruptions, including ongoing status updates, until the disruption is resolved and services are resumed. Where information on the status of the permissionless distributed ledger responsible for a service disruption is not readily available to the crypto-asset service provider, that crypto-asset service provider should communicate updates to clients and other stakeholders, including competent authorities, on a best effort basis to ensure that clients and stakeholders have as comprehensive information as possible on such disruptions.
Springlex and this text is meant purely as a documentation tool and has no legal effect. No liability is assumed for its content. The authentic version of this act is the one published in the Official Journal of the European Union.
- providing custody and administration of crypto-assets on behalf of clients;
- operation of a trading platform for crypto-assets;
- exchange of crypto-assets for funds;
- exchange of crypto-assets for other crypto-assets;
- execution of orders for crypto-assets on behalf of clients;
- placing of crypto-assets;
- reception and transmission of orders for crypto-assets on behalf of clients;
- providing advice on crypto-assets;
- providing portfolio management on crypto-assets;
- providing transfer services for crypto-assets on behalf of clients;
- designated by each Member State in accordance with Article 93 concerning offerors, persons seeking admission to trading of crypto-assets other than asset-referenced tokens and e-money tokens, issuers of asset-referenced tokens, or crypto-asset service providers;
- designated by each Member State for the application of Directive 2009/110/EC concerning issuers of e-money tokens;