TITLE III CENTRAL SECURITIES DEPOSITORIES

CHAPTER II Requirements for CSDs

Section 4 Prudential requirements

Article 45 Operational risks

1

A CSD shall identify sources of operational risk, both internal and external, and minimise their impact through the deployment of appropriate IT tools, controls and procedures, including for all the securities settlement systems it operates.

2

A CSD shall maintain appropriate IT tools that ensure a high degree of security and operational reliability, and have adequate capacity. IT tools shall adequately deal with the complexity, variety and type of services and activities performed so as to ensure high standards of security, and the integrity and confidentiality of the information maintained.

3

For services that it provides as well as for each securities settlement system that it operates, a CSD shall establish, implement and maintain an adequate business continuity policy and disaster recovery plan to ensure the preservation of its services, the timely recovery of operations and the fulfilment of the CSD’s obligations in the case of events that pose a significant risk of disrupting operations.

4

The plan referred to in paragraph 3 shall provide for the recovery of all transactions and participants’ positions at the time of disruption to allow the participants of a CSD to continue to operate with certainty and to complete settlement on the scheduled date, including by ensuring that critical IT systems can promptly resume operations from the time of disruption. It shall include the setting-up of a second processing site with sufficient resources, capabilities and functionalities and appropriate staffing arrangements.

5

The CSD shall plan and carry out a programme of tests of the arrangements referred to in paragraphs 1 to 4.

6

A CSD shall identify, monitor and manage the risks that key participants in the securities settlement systems it operates, as well as service and utility providers, and other CSDs or other market infrastructures might pose to its operations. It shall, upon request, provide competent and relevant authorities with information on any such risk identified.

It shall also inform the competent authority and relevant authorities without delay of any operational incidents resulting from such risks.

7

ESMA shall, in close cooperation with the members of the ESCB, develop draft regulatory technical standards to specify the operational risks referred to in paragraphs 1 and 6 and the methods to test, to address or to minimise those risks, including the business continuity policies and disaster recovery plans referred to in paragraphs 3 and 4 and the methods of assessment thereof.

ESMA shall submit those draft regulatory technical standards to the Commission by 18 June 2015.

Power is delegated to the Commission to adopt the regulatory technical standards referred to in the first subparagraph in accordance with Articles 10 to 14 of Regulation (EU) No 1095/2010.