On 17 December 2022, Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector (hereinafter, “DORA”) was published in the Official Journal of the European Union, marking the culmination of a legislative trend in the European Union aimed at addressing the challenge of digital operational resilience of financial institutions and fostering security of information and communication technologies (“ICT”).

Consequently, DORA represents a major step in the development of a regulatory framework on digital operational resilience according to which all companies within its scope must ensure that they can withstand, respond to and recover from any type of ICT-related disruption or threat. These requirements, which are uniform across Member States, have the primary objective of preventing and mitigating cyber threats.

The second step in the development of the aforementioned regulatory framework was taken by the European Supervisory Authorities (hereinafter “ESAs”) on 17 January with the publication of a first package of technical standards. This package implements Articles 15, 16(3), 18(3), 28(9) and 28(10) of DORA concerning the management of third-party and ICT risks, the classification of incidents, ICT services provided by third-party providers and the registration of information on third-party providers.

Specifically, the first package included drafts of the following regulatory technical standards (“RTS”) and implementing technical standards (“ITS”):

• Regulatory Technical Standards on the ICT risk management framework and the simplified ICT risk management framework (Articles 15 and 16(3) DORA)

The draft RTS identifies new elements related to ICT risk management, which supplements those established in DORA, with a view to harmonising tools, methods, processes and policies.

The RTS provides a simplified ICT risk management framework by identifying the key elements to be implemented by entities subject to the simplified regime.

• Regulatory Technical Standards on criteria for the classification of ICT incidents (Article 18(3) of DORA)

These RTS provide the approach, criteria and materiality thresholds for the classification of ICT-related incidents as serious, as well as for the consideration of cyber threats as significant.

They also include the criteria to be followed by competent authorities when assessing the materiality of serious ICT-related or payment-related incidents for the competent authorities of other Member States, and the details of the notifications to be made in this respect.

• Regulatory Technical Standards to establish a policy on ICT services that support critical or important functions provided by third-party ICT service providers (Article 28(10) of DORA)

These draft RTS detail the content of the policies that financial institutions should establish regarding the use of third-party ICT service providers that support critical or important functions, including information on governance arrangements, risk management and the internal control framework.

Its purpose is to facilitate financial institutions’ maintenance of operational risk control, information security and business continuity for the duration of contractual relationships with third-party ICT service providers that support critical or important functions.

• Implementing Technical Standards setting out the templates for recording information (Article 28(9) of DORA)

Lastly, these ITS will set out the templates to be maintained and updated by financial institutions subject to DORA for the recording of contractual arrangements with third-party ICT service providers.

In this way, the RTS will guide institutions in the proper documentation of such contracts, distinguishing between those involving ICT services that support essential or important functions and those that do not. This register should be available to competent authorities and ESAs, both for monitoring compliance with DORA and for the designation of critical third-party ICT service providers.

The second package of technical standards under DORA has been under consultation until 4 March. It focuses on the establishment of a harmonised legal framework concerning the reporting of serious ICT-related incidents, digital operational resilience testing, third-party risk management in the ICT domain and the oversight of third-party providers of critical ICT services.

In their public consultation, the ESAs have proposed that this second package be comprised of the following elements:

• RTS and ITS on the reporting of serious ICT-related incidents (Article 20 of DORA): These draft technical standards mainly provide details of the forms, procedures and templates for the notification of such incidents, the content of the incidents and the deadline for their submission.
• Guidelines on aggregate costs and losses arising from serious incidents (Article 11(11) of DORA): These guidelines establish a system for the quantification and reporting of costs and losses arising from major ICT-related incidents.
• RTS on outsourcing of critical or important functions (Article 30(5) of DORA): These RTS seek to develop the elements provided in Article 30(2) of DORA that financial institutions should consider and assess when outsourcing ICT services that support essential or important functions.
• RTS on harmonisation of supervision (Article 41 of DORA): These RTS develop and specify the format and content of the information that ICT service providers must submit to the competent authorities.
• Guidelines on supervisory cooperation between ESAs and competent authorities (Article 32(7) of DORA): These guidelines establish a regulatory framework for cooperation between European supervisory authorities and national competent authorities for the supervision of compliance with DORA.
• RTS on threat-based penetration testing (Article 26(11)(c) of DORA): These RTS establish the scope and method for the performance of the threat-based penetration tests regulated in Article 26(2) of the DORA.

At Pérez-Llorca, we are aware of the scale and complexity of the regulatory framework that is taking shape around the cyber-resilience of financial institutions, as well as the challenge that updating their policies, operating schemes and relationships with third-party providers represents for the institutions affected, in order to ensure compliance with all applicable requirements. Therefore, we have compiled a multidisciplinary team of experts in this sector who can help you get ready for the upcoming entry into force of these obligations.

To find out how we can help you, please click on the following link

On 27 February, the Spanish Council of Ministers authorised the referral to the Spanish Parliament of the Draft Law on Customer Services, the purpose of which is to standardise the regulation and quality standards required of the customer services of large companies and those providing certain basic services of general interest.

On 12 February, the Ministry of Economy, Commerce and Business launched a public consultation on Draft Law XX/20XX of XX of XXXX amending the criteria for determining the size of companies or groups in corporate reporting in order to transpose the European Commission Delegated Directive (EU) 2023/2775 of 17 October 2023 amending Directive 2013/34/EU of the European Parliament and of the Council as regards the adjustments of the size criteria for micro, small, medium-sized and large undertakings or groups.

The main objective is to adjust the criteria for determining the size of a company or group of companies in order to take into account the impact of inflation, in line with the provisions of the Delegated Directive (EU) 2023/2775. Specifically:

• Consideration of an entity as a micro undertaking: the amount of the balance sheet total is raised from EUR350,000 to EUR450,000 and the net turnover is raised from EUR700,000 to EUR900,000.
• Consideration of an entity or group as small: the balance sheet total is raised from EUR4 million to EUR5 million and the net turnover is raised from EUR8 million to EUR10 million.
• Consideration of an entity or group as medium or large: the balance sheet total is raised from EUR20 million to EUR25 million and the net turnover is raised from EUR40 million to EUR50 million.

On 27 February, the CNMV published its Annual Activity Plan, in which it sets out the Commission’s objectives and strategic priorities for 2024.

In general terms, the CNMV will focus its efforts on: (i) strengthening the framework for the protection of retail investors with a focus on products and services that promote ESG, complex products and those with a long-term impact; (ii) fostering growth and the transition to a sustainable economy by focusing on identifying and investigating possible greenwashing practices; and (iii) monitoring the influence of financial and technological innovation on the securities markets, with the entry into force of the MiCA and DORA Regulations being particularly relevant, as well as the opportunities and challenges presented by the use of artificial intelligence in the financial sector.

On 2 February, the CNMV announced that it will adopt the ESMA Guidelines, of 23 October 2023, (the “Guidelines”) on notifications under Regulation (EU) No 648/2012 of the European Parliament and the Council of 4 July 2012 on OTC derivatives, central counterparties and trade repositories (“EMIR”). With this statement, the CNMV confirms that it will monitor the implementation of the Guidelines by entities subject to the obligations to report transactions with derivatives to trade repositories.

These Guidelines seek to complete and clarify the information on derivatives transactions available to competent authorities for assessing systemic risk and the concentration of exposures in the EU over-the-counter (OTC) derivatives market under the amendments to the derivatives reporting regime introduced by the technical standards published as part of the EMIR review (Commission Delegated Regulation No 2022/1855 of 10 June 2022 and Commission Implementing Regulation No 2022/1860 of 10 June 2022).

On 1 February, the Bank of Spain published Circular 1/2024, of 26 January, in the Official State Gazette (BOE). The purpose of this Circular is to establish the confidential information that banks, credit cooperatives, credit financial institutions (“establecimientos financieros de crédito”), payment services providers and electronic money institutions must submit to the Bank of Spain regarding acquisitions, increases and reductions in their capital holdings.

On 26 February, the Council of the European Union adopted, at first reading, the Directive amending Directive 2011/61/EU (“AIFMD”) and Directive 2009/65/EC (“UCITSD”) as regards delegation arrangements, liquidity risk management, supervisory reporting, provision of depositary and custodial services and loan origination by alternative investment funds (the “Proposal”), which had previously been approved by the European Parliament on 7 February.

The main developments are as follows:

Authorisation requirements: The business of management companies of undertakings for collective investment in transferable securities (“SGIIC”) and alternative investment fund managers (“AIFM”) must be conducted by at least two natural persons who are employed on a full-time basis, or are executive members or members of the management body, who are full-time employees, and who are domiciled within the European Union.

Delegation of functions: While the delegation framework remains largely unchanged, new disclosure obligations are introduced for managers delegating portfolio or risk management functions. Additionally, minimum substance requirements for managers are now introduced.

In addition, AIFMs and SGIICs are prohibited from delegating their functions and services to the extent that they become shell entities, and powers are granted to the Commission to define the conditions and criteria for assessing when an entity will be considered a shell entity.

Conflicts of interest and white labelling: The Directive provides for the existence of “host managers”, which are AIFMs or SGIICs that manage or intend to manage an alternative investment fund (“AIF”) or an undertaking for collective investment in transferable securities (“UCITS”) on the initiative of a third party. In this regard, their use is not prohibited, but they are required to provide information to the national competent authority (“NCA”) on the measures taken to prevent, manage and control potential conflicts of interest.

Costs: The Proposal aims to increase investor protection by enhancing the transparency of costs. Thus, in what appears to be a first step within the Retail Investment Strategy to implement a framework regarding possible undue costs charged to retail investors, the Proposal introduces an obligation for the AIFM to disclose the details of costs and expenses incurred by the AIFM in relation to the operation of the AIF, which are subsequently allocated directly or indirectly to the AIF. In addition, the AIFM will be required to disclose annually to its investors all fees, charges and expenses incurred directly or indirectly by investors.

Misleading fund names: the Proposal obliges AIFs and UCITS marketed to retail investors to include in their key information documents the name of the vehicle and to ensure that the name of the vehicle is accurate, fair and clear and does not convey a misleading or confusing message to attract investors.

Extension of activities permitted to management companies: Asset managers will be able to engage in credit servicing and benchmark administration, and will no longer be required to always apply for a discretionary portfolio management authorisation in order to obtain a licence to provide investment advice, custody services and reception and transmission of orders, but will be able to access these licences on a stand-alone basis.

Lending regime: The Proposal amends the AIFMD to establish a standardised framework of requirements for AIFs that grant loans and AIFMs that manage them.

Liquidity management: The Proposal establishes a list of liquidity management instruments permitted for AIFMs managing open-ended AIFs and for SGIICs, in Annexes II and IV, respectively, so that their use must be aligned with the investment strategy and redemption policy of the relevant funds.

Cross-border appointment of depositaries: NCAs may allow AIFMs to appoint depositaries from Member States other than the AIF’s home Member State, subject to certain conditions.

Reporting obligations: A new expanded framework of reporting obligations to home NCAs has been introduced, aimed at achieving a higher level of harmonisation of reporting processes, which will be further developed by the European Commission and ESMA to set the level of standardisation, content and frequency.

Next Steps

After adoption by the Council of the European Union, the Proposal will be published in the Official Journal of the European Union and will enter into force 20 days later. It will have to be transposed into national law and will start to apply 24 months after its entry into force. In other words, the rule is expected to apply in the spring of 2026.

On 7 February, Commission Delegated Regulation (EU) 2024/450 of 26 October 2023 supplementing Regulation (EU) 2021/23 of the European Parliament and of the Council with regard to regulatory technical standards specifying the minimum elements to be included in a business reorganisation plan and the criteria to be fulfilled for its approval by the resolution authority, was published in the OJEU.

On 29 January, Commission Delegated Regulation (EU) 2024/397 was published in the OJEU. This Regulation establishes how credit institutions in the European Union must calculate the losses under a future shock scenario in order to determine more reliably the own funds requirement for market risk.

On 20 February, as part of the review of the MiFID II Directive and the MiFIR Regulation, the Council adopted the Parliament and Council Regulation amending the MiFIR Regulation, which will be directly applicable 20 days after its publication in the OJEU, and a Parliament and Council Directive amending the MiFID II Directive, which Member States will have to transpose into national law within 18 months of its publication.

On 26 February the Council of the European Union adopted the Proposal for a Regulation of the European Parliament and of the Council amending Regulations (EU) No 260/2012 and (EU) No 2021/1230 and Directives 98/26/EC and (EU) 2015/2366 as regards instant credit transfers in euros. It aims to make instant payments in euros possible for all citizens and businesses holding a bank account in the EU as well as in Iceland, Norway and Liechtenstein. The Proposal now awaits publication in the OJEU, after which it will enter into force after 20 days.

On 7 February, the Council of the European Union published a statement announcing that a provisional political agreement had been reached with the European Parliament on a review of Regulation (EU) No 648/2012 of the European Parliament and the Council of 4 July 2012 on OTC derivatives, central counterparties and trade repositories (“EMIR”), which refers to the EU securities clearing system.

The proposed EMIR review seeks to streamline and shorten procedures, improve consistency between rules, strengthen the supervision of central counterparties and require market participants of substantial systemic importance, who are subject to a clearing obligation, to have an operationally active account at an EU central counterparty.

On 13 February, ESMA issued a public statement with the aim of promoting coordinated action by National Competent Authorities in relation to compliance by investment firms with the provisions of Article 27(6) of MiFID II regarding the reporting of information on the trading venues they use and the quality of execution on those venues.

Under the reviewed MiFID II Directive and the MiFIR Regulation, the European Parliament agreed to the removal of the reporting obligations under Article 27(6) of MiFID II. However, in this communication, ESMA has clarified that, notwithstanding the removal of the obligation, this will continue to apply to investment firms during the financial year 2024, until the transposition of the MiFID II Amending Directive into national law.

On 2 February, ESMA updated the following Q&A documents:

Q&A on credit rating agencies, which is amended in relation to the discontinuation of credit ratings.

Q&A on the European Market Infrastructure Regulation (EMIR), which is amended regarding:

• Reporting of information on Exchange-Traded Derivatives (ETD).
• Update of client codes.
• Reporting under the STM/CTM model.
• Reporting of client information falling within the scope of Article 1(4)(a) and (b).
• Transfer of information by trade repositories.
• Access by authorities to information on derivatives with affiliates.

Q&A on the Markets in Crypto-Assets Regulation (MiCA), which is amended concerning:

• The application of the transitional period to crypto-asset service providers (CASPs) established before (and after) 30 December 2024.
• Passporting rights for entities benefitting from the transitional period.
• Prohibition of monetary and non-monetary benefits.
• Provision of crypto-asset services by credit institutions.

Q&A on the Markets in Financial Instruments Regulation (MiFIR), which is amended regarding the reporting of information regarding operations.

On 1 February, the ESAs published a report analysing the direct provision of financial services in the EU, by so-called Big Tech, or the subsidiaries of Big Tech companies.

The report identifies the types of financial services currently provided by Big Tech in the EU. These services are mainly related to payments, e-money and insurance, and the report highlights inherent opportunities, risks, and regulatory and supervisory challenges that this phenomenon brings.

On 6 February, ESMA released a statement aimed at informing people who publish investment information on social media (whether these are “financial influencers”, technical experts or people interested in the world of investment) of the elements that they should consider in order to avoid infringing securities markets regulations.

On 1 February, ESMA published an article analysing whether investment funds which claim to contribute to achieving the United Nations Sustainable Development Goals (“SDGs”) are delivering on their commitments to investors, or whether, on the contrary, their activity is no different from investment vehicles that do not make such claim.

The article concludes that most SDG-aligned funds, firstly, do not clearly describe how their investment strategy aligns with and contributes to the SDGs, and, secondly, do not appear to show greater alignment with the SDGs than funds that do make such a claim.

On 29 January, ESMA published two consultation papers seeking input from market participants regarding the application of the reverse solicitation exemption under the MiCA Regulation and the consideration of crypto-assets as financial instruments.

In relation to the first consultation paper, ESMA is seeking the views of market participants in relation to the proposed guidance relating to the conditions for the application of the reverse solicitation exemption under the MiCA Regulation. This exemption should be understood as very narrowly framed and must be regarded as the exception, being only applicable on those occasions where the client requests the services of a non-domestic entity at the sole initiative of the clients.

Regarding the second consultation paper, the proposed guidelines aim to provide NCAs and market participants with conditions and criteria to determine whether a crypto-asset can be classified as a financial instrument and, therefore, whether the requirements under MiFID II should apply.

On 30 January, ESMA published a report on the EU alternative investment funds (“AIFs”) market and an article on the risks posed by leveraged AIFs in the EU. Throughout these documents, ESMA highlights the risk posed by real estate funds in the current environment of declining transaction volumes and a general fall in prices, especially in jurisdictions where such funds hold a significant portion of the real estate market.

On 11 January, the EBA published a draft on the implementation of the amending technical standards that supplement the information on the alternative standardised approach (“ASA”). It includes further details on instruments and positions within the scope of the ASA, as well as detailed information on the instruments and positions in the scope of the alternative internal model approach (AIMA).

With the exception of the information on reclassifications, these requirements shall apply from 31 March 2025.

On 16 January, the EBA issued a press release regarding the extension of its Guidelines on money laundering and terrorism financing risk factors (ML/TF) to crypto-asset service providers. In doing so, the EBA established the main ML/TF risk factors that crypto-asset service providers need to consider when providing their services, as well as the mitigating measures that may apply.

On 16 January, the EBA released a report on specific aspects of the net stable funding ratio (NSFR) framework, which evaluates the materiality of a number of items (derivative contracts, securities financing transactions and unsecured transactions with a residual maturity of less than six months) and provides an assessment of the impact of the possible changes to the current prudential treatment.

In its analysis, the EBA concluded that these items are not necessarily material in terms of their contribution to the total required stable funding and therefore, changes to the current legislation are not necessary.

On 23 January, the European Parliament published the Final Report on the draft delegated act amending Commission Delegated Regulation (EU) 2022/1288 of 6 April 2022, aimed at reviewing certain aspects of the Delegated Regulation, focusing, among other topics, on the disclosure of principal adverse impacts (PAI) of investment decisions on sustainability factors and of financial products’ decarbonisation targets.