EU Digital Finance Strategy: Overview

The proposed regulation on digital operational resilience for the financial sector (DOR Regulation) sets out requirements for operational resilience and Information and Communication Technology (ICT) risk management. It seeks to consolidate and upgrade the ICT risk requirements in other separate pieces of EU legislation.

It applies to a large number of EU financial entities, including alternative investment fund managers, MiFID investment firms, UCITS management companies, credit institutions, central securities depositories (CSDs), central counterparties, payment institutions, e-money institutions, crypto-asset service providers and trading venues.

It will also be relevant for entities which provide ICT services to EU financial entities both indirectly through EU financial entities reflecting the requirements applicable to them in their arrangements with their service providers and through provisions directly applicable to "critical" ICT third-party service providers. 

Requirements on financial services entities

The DOR Regulation imposes a number of requirements on financial services entities making use of ICT services including:

• Governance related requirements, including an overarching principle that the management body is responsible for managing ICT risk and specific requirements for setting clear roles and responsibilities for all ICT-related functions; determining the appropriate risk tolerance level, and approving and reviewing ICT audits and ICT third party service provider arrangements. Financial entities other than microenterprises must establish a role to monitor arrangements with ICT third-party service providers or designate a member of senior management as responsible for overseeing risk exposure and documentation in this area.
  
  
• ICT risk management requirements, including requirements to set-up and maintain an ICT risk management framework and systems and tools to minimize the impact of ICT risk; identification on a continuous basis of all sources of ICT risk; segregation of ICT management functions, control functions and audit functions (except for certain micro-enterprises); protection and prevention measures to prevent the loss of data and information leakage; mechanisms to detect anomalous activities such as network performance issues, and a dedicated and comprehensive business continuity policy and disaster recovery plan.
  
  
• ICT-related incident reporting requirements, including a requirement to implement a management process to detect and manage ICT-related incidents; an obligation to classify ICT-related incidents based on specific criteria and an obligation to report promptly ICT-related incidents to the relevant competent authorities.
  
  
• Digital operational resilience testing requirements, including a requirement for a digital operational resilience testing programme with independent testing of critical ICT applications and systems at least annually.
  
  
• ICT third-party risk management requirements, including sound monitoring of ICT third-party risk; third party contracts to contain a complete description of services, service level descriptions with quantitative and qualitative performance targets, reporting obligations, rights of access, co-operation obligations, clear termination rights and dedicated exit strategies, and an annual report to the relevant competent authorities on third-party service arrangements.

Financial entities will also be permitted to set-up arrangements to exchange cyber threat information and intelligence. Any membership of information-sharing arrangements must be notified to the relevant competent authorities.

EU oversight of critical ICT third-party service providers

The DOR Regulation also proposes a mechanism for EU oversight of critical ICT third-party service providers (which includes non-authorised entities).  

The assessment of whether an ICT third-party service provider is considered critical for these purposes will be based on a number of criteria including the systemic impact of a failure to provide the relevant services, the degree of substitutability of the ICT third-party service provider and the number of member states in which the ICT third-party service provider provides services. It is likely that there will be further clarification of the criteria in delegated legislation.

EU oversight would include an assessment of whether the critical ICT third-party service provider has in place effective arrangements to manage ICT risks to financial entities and a right for the overseeing authority to request information from the critical ICT third-party service provider and carry out on-site inspections.

Crucially for UK and other non-EU entities, the DOR Regulation proposes a prohibition on the use of non-EU critical ICT service providers by EU financial services entities.

A copy of the draft DOR Regulation can be found here. 

The regulation on markets in crypto-assets (Markets Regulation) creates a new regime for crypto-asset service providers and issuers at EU level.

The Markets Regulation applies to persons engaged in the issuance of certain crypto-assets or providing services related to crypto-assets in the EU. Crypto-assets for these purposes means “a digital representation of value or rights which may be transferred and stored electronically, using distributed ledger technology or similar technology”. However, the Markets Regulation does not apply to crypto-assets which are MiFID financial instruments, electronic money, deposits, structured deposits or securitisations as these would already be covered by existing financial services legislation. We therefore expect the Markets Regulation to be predominantly relevant in respect of "utility tokens" and certain types of "exchange tokens".

The Markets Regulation also does not apply to certain intra-group services and has a more limited application to credit institutions and MiFID investment firms.

There are five main areas covered by the Markets Regulation:

• Offerings of crypto-assets
• Issuers of asset-referenced tokens
• Issuers of e-money tokens
• Provision of crypto-asset services
• Market abuse

Offerings of crypto-assets

The Markets Regulation permits issuers of crypto-assets (other than asset-referenced tokens and e-money tokens – see below) to offer these to the public or seek admission to trading on a trading platform provided that they comply with certain obligations.  

These include that the issuer is a legal entity and has drawn up a crypto-asset white paper which includes certain detailed specified information (such as a description of the issuer and the applicable risks) and which is notified to the competent authorities. Exemptions to drawing up a white paper apply to certain offerings of crypto-assets including where offered to fewer than 150 people per member state and offerings targeting qualified investors under the Prospectus Regulation.

The Markets Regulation also introduces requirements for marketing communications, including that the information is fair, clear and not misleading.

Issuers of asset-referenced tokens

Issuers of asset-referenced tokens must be authorised to offer asset-referenced tokens to the public or to seek admission of the asset-referenced tokens to trading on a trading platform. They must also be an EU legal entity.

An asset-referenced token is “a type of crypto-asset that purports to maintain a stable value by referring to the value of several fiat currencies that are legal tender, one or several commodities or one or several crypto-assets, or a combination of such assets”. This is likely to include the majority of stablecoins.

The requirement for authorisation does not apply to credit institutions, certain small-scale asset-referenced tokens and for asset-referenced tokens that are exclusively marketed to, and held by, qualified investors under the Prospectus Regulation.

The Markets Regulation imposes a specific regime for issuers of asset-referenced tokens including prudential, governance and conduct of business requirements. These include a requirement to hold own funds requirements of at least the higher of €350,000 or 2% of reserve assets and rules on holding a reserve of assets backing the asset-referenced tokens. Conduct of business requirements include obligations to act honestly, fairly and professionally, comply with rules on conflicts of interest, provide ongoing information, establish a complaint handling procedure and comply with rules on marketing communications.

A "change in control" regime for the acquisition of issuers of asset-referenced tokens will also apply.

A crypto-asset white paper is required in order to issue asset-referenced tokens. This must include certain detailed information and be approved by the relevant competent authority. The approval of the white paper is valid for the whole of the EU.

Additional obligations apply to issuers of "significant" asset-referenced tokens, such as a remuneration policy, higher own funds requirements and a liquidity management policy.

Issuers of e-money tokens

Issuers of e-money tokens must be authorised credit institutions or electronic money institutions in order to offer e-money tokens to the public in the EU or to be admitted to trading on a crypto-asset trading platform. An e-money token is “a type of crypto-asset the main purpose of which is to be used as a means of exchange and that purports to maintain a stable value by referring to the value of a fiat currency that is legal tender”. This is likely to include many so-called "exchange tokens".

The requirement for authorisation does not apply to e-money tokens that are exclusively marketed to, and held by, qualified investors under the Prospectus Regulation or if the outstanding amount does not exceed EUR 5 million (or equivalent) over a 12-month period.

E-money tokens are deemed electronic money for the purpose of the E-Money Directive and issuers of e-money tokens must generally comply with a number of provisions in the E-Money Directive.

In addition, further obligations specific to e-money tokens apply, including rules on marketing communications. In addition, an issuance of e-money tokens requires a crypto-asset white paper with certain specified information including a description of the issuer and the project and information on risks. The white paper must be notified to the relevant competent authority.

Additional obligations also apply to issuers of "significant" e-money tokens.

Crypto-asset service providers

Crypto-asset service providers must be authorised EU legal entities to provide crypto-asset services to third parties on a professional basis as an occupation or business. Authorised crypto-asset service providers may benefit from a "passporting" regime permitting them to provide services both through a branch or on a cross-border services basis.

Crypto-asset services include custody and administration of crypto-assets, operating a crypto-trading platform, and placing, receiving and transmitting orders for, and advising on, crypto-assets.

A number of organisational rules also apply to crypto-assets service providers including prudential requirements, rules on the management body, risks assessment requirements and rules on outsourcing. They must also meet certain conduct of business requirements such as acting honestly, fairly and professionally, complying with rules on conflicts of interest and establishing a complaint handling procedure. Specific additional requirements will also apply depending on the services being provided.

There will also be a "change in control" regime for the acquisition of crypto-assets service providers.

Market abuse

The Markets Regulation also includes provisions to prevent market abuse involving crypto-assets admitted to trading on a trading platform for crypto-assets (or for which a request for admission to trading on such a platform has been made).

These include prohibitions on insider dealing, the unlawful disclosure of inside information and market manipulation.

Issuers with crypto-assets admitted to trading are also required to make disclosures of inside information.

A copy of the draft Markets Regulation can be found here. 

The proposed regulation on a pilot regime for market infrastructures based on distributed ledger technology (Market Infrastructures Regulation) sets out uniform requirements for operating distributed ledger technology (DLT) market infrastructure. It is a pilot regime and will be in place for up to five years subject to review and extension. We do not yet know if a similar regime is contemplated for the UK.

The Market Infrastructures Regulation applies to market participants i.e. investment firms, market operators or CSDs in respect of:

• DLT MTFs i.e. multilateral trading facilities (MTFs) which only admit to trading DLT transferable securities (i.e. transferable securities issued, recorded and transferred using a DLT); and
  
  
• DLT securities settlement systems i.e. securities settlement systems operated by CSDs which settle transactions in DLT transferable securities against payment.

A market participant already authorised as a MIFID investment firm or an operator of a regulated market may seek specific permission from the relevant competent authority to operate a DLT MTF. A market participant already authorised as a CSD may seek specific permission to operate a DLT securities settlement system. Any permission granted will last for up to six years.

The requirements for a DLT MTF are generally those applicable to an MTF under the Markets in Financial Instruments Directive (MiFID II) and the Markets in Financial Instruments Regulation and the requirements for a DLT securities settlement system are generally those applicable to a CSD under the Central Securities Depositaries Regulation (unless the DLT MTF or DLT securities settlement system benefits from an exemption under the Market Infrastructures Regulation and complies with certain additional obligations).

Additional requirements also apply under the Market Infrastructures Regulation to address DLT specific risks, including requirements to:

• provide information on how the activities are carried on and how these differ from a traditional MTF or CSD;
  
  
• ensure that overall IT and cyber arrangements related to the use of DLT are adequate; and
  
  
• have, where relevant, adequate arrangements for the safekeeping of clients’ funds and/or DLT transferable securities.

There are also notification requirements to the relevant competent authority and ESMA, for example, for proposed material changes to business plans, fraud or other serious malpractice, technical or operational difficulties and risks to investor protection, market integrity or financial stability.

Certain other restrictions apply to the activities of DLT MTFs and DLT securities settlement systems. In particular, they may only admit to trading or record:

• DLT transferable securities in the form of shares where the issuer’s market capitalisation is less than EUR 200 million; and
  
  
• DLT transferable securities in the form of bonds with an issuance size of less than EUR 500 million.

In addition, the total market value of DLT transferable securities recorded by a DLT securities settlement system or a DLT MTF must not exceed EUR 2.5 billion. DLT MTFs and DLT securities settlement systems must also not admit to trading or record sovereign bonds.

A copy of the draft Market Infrastructures Regulation can be found here.

The directive to incorporate digital risks in existing directives amends a number of directives, including the Alternative Investment Fund Managers Directive (AIFMD), the UCITS Directive and MiFID II, to reflect the provisions of the DOR Regulation (see above).

A copy of the draft directive can be found here.

If you would like further information or assistance in understanding the proposals and their potential impact, please speak to your usual Travers Smith contact or any of the partners or senior counsel below.