2025-09-17
Finansinspektionen amended its regulations governing trading venues to align business plan requirements with the EU Digital Operational Resilience Act (DORA). The revisions mandate that undertakings detail their IT security controls, contingency planning, and procedures for reporting serious ICT-related incidents to competent authorities. Additionally, the updated rules require descriptions of compliance with pre- and post-trade information obligations under the Markets in Financial Instruments Regulation.
Finansinspektionen’s Regulatory Code
Publisher: Acting Chief Legal Counsel Sophie Degenne, Finansinspektionen, Sweden, www.fi.se
ISSN 1102-7460
This translation is furnished solely for information purposes. Only the printed version of the regulation in Swedish applies for the application of the law.

FFFS 2024:23
Published on 27 December 2024

Regulations amending Finansinspektionen’s regulations (FFFS 2007:17) governing operations on trading venues;
decided on 18 December 2024.

Finansinspektionen prescribes pursuant to Chapter 6, section 1, points 3, 4 and 7 of the Securities Market Ordinance (2007:572) in respect of Finansinspektionen’s regulations (FFFS 2007:17) regarding operations on trading venues in part that Chapter 1a, sections 20, 21 and 28 shall have the following wording, and in part that a new section, Chapter 1a, section 21a, and a new heading immediately preceding Chapter 1a, section 21a shall be inserted with the following wording.

Chapter 1a

Section 20
The business plan shall state how the undertaking’s IT activities will be organised, controlled and followed up. A general description of the IT system’s functions and areas of use shall be included.

The undertaking shall also account in its business plan for how it will control and follow up its work related to IT security. It shall specify in particular how the undertaking will follow the provisions set out in Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011, referred to as the DORA Regulation in these regulations. The undertaking shall also describe if and how it applies established standards and frameworks as well as current and planned independent audits of the IT operations and the security work.

Furthermore, the undertaking shall ensure that the business plan contains an overview of the current contingency and continuity plans and, where applicable, information about when these plans were most recently updated and tested.

Section 21
The business plan shall include a reference to any guidelines for the handling of events of material significance established by the undertaking in accordance with Finansinspektionen’s general guidelines (FFFS 2024:22) regarding reporting of events of material significance.

ICT-related incidents

Section 21a
The business plan shall contain a description of such arrangements, plans, procedures and mechanisms the undertaking has established to ensure that information about serious ICT-related incidents and significant cyber threats is transferred to a competent authority pursuant to Article 19 of the DORA Regulation.

Section 28
The business plan shall contain a description of how the undertaking fulfils the rules on pre- and post-trade information in Articles 3, 6, 8, 8a, 8b and 10 of Regulation (EU) No 600/2014 of the European Parliament and of the Council of 15 May 2014 on markets in financial instruments and amending Regulation (EU) No 648/2012. If the undertaking is also applying for authorisation to operate a trading facility, the description shall include how the undertaking fulfils the same rules for the trading facility.

These regulations shall enter into force on 17 January 2025.

DANIEL BARR
Agneta Blomquist