Chapter IX – Transitional and final provisions (Art. 58-64)
Art. 58 DORA - Review clause
Art. 59 DORA - Amendments to Regulation (EC) No 1060/2009
Art. 60 DORA - Amendments to Regulation (EU) No 648/2012
Regulation (EU) No 648/2012 is amended as follows:
- Article 26 is amended as follows:
- paragraph 3 is replaced by the following:
‘3. A CCP shall maintain and operate an organisational structure that ensures continuity
and orderly functioning in the performance of its services and activities. It shall employ appropriate and
proportionate systems, resources and procedures, including ICT systems managed in accordance with Regulation (EU)
2022/2554 of the European Parliament and of the Council (*2).
(*2) Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14
December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No
1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (OJ L 333, 27.12.2022, p.
1).’;”
-
- paragraph 6 is deleted;
- Article 34 is amended as follows:
- paragraph 1 is replaced by the following:
‘1. A CCP shall establish, implement and maintain an adequate business continuity policy
and disaster recovery plan, which shall include ICT business continuity policy and ICT response and recovery plans
put in place and implemented in accordance with Regulation (EU) 2022/2554, aiming to ensure the preservation of its
functions, the timely recovery of operations and the fulfilment of the CCP’s obligations.’;
-
- in paragraph 3, the first subparagraph is replaced by the following:
‘3. In order to ensure consistent application of this Article, ESMA shall, after
consulting the members of the ESCB, develop draft regulatory technical standards specifying the minimum content and
requirements of the business continuity policy and of the disaster recovery plan, excluding ICT business continuity
policy and disaster recovery plans.’;
- in Article 56(3), the first subparagraph is replaced by the following:
‘3. In order to ensure consistent application of this Article, ESMA shall develop draft
regulatory technical standards specifying the details, other than for requirements related to ICT risk management,
of the application for registration referred to in paragraph 1.’;
- in Article 79, paragraphs 1 and 2 are replaced by the following:
‘1. A trade repository shall identify sources of operational risk and minimise them also
through the development of appropriate systems, controls and procedures, including ICT systems managed in accordance
with Regulation (EU) 2022/2554.
2. A trade repository shall establish, implement and maintain an adequate business
continuity policy and disaster recovery plan including ICT business continuity policy and ICT response and recovery
plans established in accordance with Regulation (EU) 2022/2554, aiming to ensure the maintenance of its functions,
the timely recovery of operations and the fulfilment of the trade repository’s obligations.’;
- in Article 80, paragraph 1 is deleted.
- in Annex I, Section II is amended as follows:
- points (a) and (b) are replaced by the following:
‘(a) a trade repository infringes Article 79(1) by not identifying sources of
operational risk or by not minimising those risks through the development of appropriate systems, controls and
procedures including ICT systems managed in accordance with Regulation (EU) 2022/2554;
(b) a trade repository infringes Article 79(2) by not establishing, implementing or
maintaining an adequate business continuity policy and disaster recovery plan established in accordance with
Regulation (EU) 2022/2554, aiming to ensure the maintenance of its functions, the timely recovery of operations and
the fulfilment of the trade repository’s obligations;’;
-
- point (c) is deleted.
- Annex III is amended as follows:
- Section II is amended as follows:
- point (c) is replaced by the following:
‘(c) a Tier 2 CCP infringes Article 26(3) by not maintaining or operating an
organisational structure that ensures continuity and orderly functioning in the performance of its services and
activities or by not employing appropriate and proportionate systems, resources or procedures including ICT systems
managed in accordance with Regulation (EU) 2022/2554;’; - point (f) is deleted.
- point (c) is replaced by the following:
- in Section III, point (a) is replaced by the following:
‘(a) a Tier 2 CCP infringes Article 34(1) by not establishing, implementing or
maintaining an adequate business continuity policy and response and recovery plan set up in accordance with
Regulation (EU) 2022/2554, aiming to ensure the preservation of its functions, the timely recovery of operations and
the fulfilment of the CCP’s obligations, which at least allows for the recovery of all transactions at the time of
disruption to allow the CCP to continue to operate with certainty and to complete settlement on the scheduled
date;’.
- Section II is amended as follows:
- 103
Recital 103
Consequently, the scope of the relevant articles related to operational risk, upon which empowerments laid down in Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014, and (EU) 2016/1011 had mandated the adoption of delegated and implementing acts, should be narrowed down with a view to carry over into this Regulation all provisions covering the digital operational resilience aspects which today are part of those Regulations.