Final Report on Draft Technical Standards for CSDR Review and Evaluation

20 February 2025 ESMA74-2119945925-2089 Final Report Draft technical standards amending Regulation (EU) 2017/392 and Regulation (EU) 2017/394 under CSDR on review and evaluation

Legislative References CSDR Regulation (EU) No 909/2014 of the European Parliament and of the Council of 23 July 2014 on improving securities settlement in the European Union and on central securities depositories and amending Directives 98/26/EC and 2014/65/EU and Regulation (EU) No 236/2012 (OJ L 257, 28.8.2014, p. 1) CSDR Refit Regulation (EU) No 2023/2845 of the European Parliament and of the Council of 13 December 2023 amending Regulation (EU) No 909/2014 as regards settlement discipline, cross￾border provision of services, supervisory cooperation, provision of banking-type ancillary services and requirements for third-country central securities depositories and amending Regulation (EU) No 236/2012 (OJ L, 2023/2845, 27.12.2023) DORA Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (OJ L 333, 27.12.2022) MiFID II Directive 2014/65/EU of the European Parliament and of the Council of 15 May 2014 on markets in financial instruments and amending Directive 2002/92/EC and Directive 2011/61/EU (recast) (OJ L 173, 12.6.2014) RTS on CSD requirements Commission Delegated Regulation (EU) 2017/392 of 11 November 2016 supplementing Regulation (EU) No 909/2014 of the European Parliament and of the Council with regard to regulatory technical standards on authorisation, supervisory and operational requirements for central securities depositories (OJ L 65, 10.3.2017) ITS on CSD requirements Commission Implementing Regulation (EU) 2017/394 of 11 November 2016 laying down implementing technical standards with regard to standard forms, templates and procedures for authorisation, review and evaluation of central securities depositories, for the cooperation between authorities of the home Member State and the host Member State, for the consultation of authorities involved in the authorisation to provide banking-type ancillary services, for access involving central securities depositories, and with regard to the format of the records to be maintained by central securities depositories in accordance with Regulation (EU) No 909/2014 of the European Parliament and of the Council (OJ L 65, 10.3.2017, p. 145–206) RTS on Settlement Discipline Commission Delegated Regulation (EU) 2018/1229 of 25 May 2018 supplementing Regulation (EU) No 909/2014 of the European Parliament and of the Council with regard to

regulatory technical standards on settlement discipline (OJ L 230, 13.9.2018, p. 1–53) Settlement Finality Directive Directive 98/26/EC of the European Parliament and of the Council of 19 May 1998 on settlement finality in payment and securities settlement systems (OJ L 166, 11.6.1998, p. 45–50)

ESMA - 201-203 rue de Bercy - CS 80910 - 75589 Paris Cedex 12 - France - Tel. +33 (0) 1 58 36 43 21 - www.esma.europa.eu 2 List of acronyms CA Competent Authority CP Consultation Paper CSD Central securities depository DVP Delivery-versus-payment ESMA European Securities and Markets Authority EC European Commission EEA European Economic Area EU European Union FOP Free-of-payment ITS Implementing Technical Standards RAs Relevant authorities, as referred to in Article 12 of CSDR RTS Regulatory Technical Standards SMSG ESMA’s Securities and Markets Stakeholder Group SSS Securities settlement system T2S Target2-Securities

3

4 1 Executive Summary ......................................................................................................6 2 Background and general considerations.......................................................................8 3 Proposed amendments to the RTS on CSD requirements ...........................................8 3.1. Overall approach....................................................................................................8 3.1.1. Proposal in the CP........................................................................................8 3.1.2. Feedback to the consultation......................................................................9 3.1.3. ESMA’s assessment and next steps...........................................................9 3.2. Report on the CSDs’ activities .............................................................................10 3.2.1. Proposal in the CP......................................................................................10 3.2.2. Feedback to the consultation....................................................................10 3.2.3. ESMA’s assessment and next steps.........................................................11 3.3. Periodic Information .............................................................................................12 3.3.1. Proposal in the CP......................................................................................12 3.3.2. Feedback to the consultation....................................................................13 3.3.3. ESMA’s assessment and next steps.........................................................14 3.4. Statistical data......................................................................................................16 3.4.1. Proposal in the CP......................................................................................16 3.4.2. Feedback to the consultation....................................................................17 3.4.3. ESMA’s assessment and next steps.........................................................20 4 Proposed amendments to the ITS on CSD requirements...........................................21 4.1. Main changes.......................................................................................................21 4.2. Frequency of reporting.........................................................................................22 4.2.1. Proposal in the CP......................................................................................22 4.2.2. Feedback to the consultation....................................................................22 4.2.3. ESMA’s assessment and next steps.........................................................22 Annexes .............................................................................................................................23 Annex I: Legislative mandate to develop technical standards ........................................23 Annex II: Cost and benefit analysis ................................................................................24 Annex III: Draft technical standards................................................................................25

5 COMMISSION DELEGATED REGULATION (EU) …/… ...............................................25 COMMISSION IMPLEMENTING REGULATION (EU) …/... ..........................................39

6 1 Executive Summary Reasons for publication Article 22 of CSDR has established a periodic review and evaluation process (the R&E process), according to which competent authorities (CAs) shall review the arrangements, strategies, processes and mechanisms implemented by a CSD with respect to compliance with CSDR and evaluate the risks to which the CSD is, or might be, exposed or which it creates for the smooth functioning of securities markets or stability of the financial markets. CSDR Refit has modified this article and, under Article 22(10) of CSDR, tasked ESMA to develop draft RTS to specify: • the information that the CSD is to provide to its CA for the purposes of the R&E process; • the information that the CA is to supply to the relevant authorities referred to in Article 12 of CSDR1 (RAs), ESMA and, where applicable, the college of supervisors and the competent authority under MiFID II under Article 22(7) of CSDR (i.e. information on the results, including any remedial action or penalties, of the R&E process); and • the information that the CAs of CSDs belonging to groups are to supply one another. ESMA was also mandated to develop draft ITS to determine standard forms, templates and procedures for the provision of information referred to in the RTS. ESMA has sought input on its proposed draft RTS and ITS in a CP to that end. Five respondents provided their feedback. The SMSG was consulted as per Article 37 of the ESMA Regulation and did not provide any advice on this CP. In light of the feedback received, ESMA introduced adaptations and clarifications in the final draft RTS and ITS annexed to this Final report. Content Following general considerations, this Final report recalls ESMA’s proposals, summarises the feedback received and outlines ESMA’s assessment and proposed way forward. The proposed amendments proposed in the CP were made with two angles in mind: (i) the changes required to address the modifications introduced by CSDR Refit to the R&E process; and (ii) the extensive experience gathered by CAs as well as RAs through the conduct of annual R&E processes in the previous years, which has revealed the need to enhance and harmonise the process across the Union.

7 Following the input received through its public consultation, ESMA has maintained its proposal to introduce new reporting requirements, for periodic information ESMA understands is already required by RAs, to ensure the harmonisation of existing reporting requirements across the EU. However, in the interest of burden reduction, ESMA has reconsidered its proposal in terms of new requirements for statistical data. Lastly, ESMA also proposes to include a one-year implementing period for the changes that are likely to require IT developments and adaptation of their processes by CSDs. ESMA suggests developing these draft RTS and ITS as amending regulations to the existing RTS on CSD requirements and ITS on CSD requirements which already covered similar mandates under CSDR. These adaptations are embodied in the final texts of the draft RTS and ITS included in this Final report. Annex I contains the legislative mandate to develop such RTS, Annex II, an analysis of the costs and benefits of the policy options explored and Annex III, the draft RTS and ITS. Next Steps ESMA submits this Final report and the draft technical standards to the EC. In accordance with Articles 10 and 15 of ESMA Regulation, the EC has three months to decide whether to endorse the proposed amendments to the RTS and ITS. 1 Further to Article 12 of CSDR, relevant authorities are: “(a) the authority responsible for the oversight of the securities settlement system operated by the CSD in the Member State whose law applies to that securities settlement system; (b) the central banks in the Union issuing the most relevant currencies in which settlement takes or will take place; (c) where relevant, the central bank in the Union in whose books the cash payments of a securities settlement system operated by the CSD is or will be settled.”

8 2 Background and general considerations

1. Prepared in the aftermath of the financial crisis, CSDR introduced a new, fully-fledged regulatory and supervisory framework for CSDs, including an R&E process. The aim of the R&E process is to focus on ongoing rather than ex-post supervision and to ensure that the CAs have sufficient access to information on a continuous basis.
2. The implementation of this framework has been done through RTS (through Chapter V of the RTS on CSD requirements) and ITS (through Chapter II of the ITS on CSD requirements).
3. After a few years of implementation, it appeared that the annual frequency for the R&E process was burdensome for both, CSDs and the authorities and that discrepancies existed in the way the requirements for the provision of information were implemented in the various jurisdictions, leading to an unlevel playing field. Additionally, the RAs were not satisfied with the rather light requirements for CAs to consult them in the course of this process.
4. CSDR Refit has therefore brought a few changes to the R&E process, in particular relaxing the requirement on annual frequency, strengthening the process for consulting the RAs and extending the range of authorities receiving the results of the R&E processes. It also includes mandates for ESMA to revise the existing RTS and ITS.
5. Considering the interactions between the two sets of requirements, ESMA finds it appropriate to review the RTS and the ITS in parallel. Section 3 presents the assessment and proposed amendments in relation to the existing RTS and Section 4, the assessment and proposed amendments for the existing ITS. 3 Proposed amendments to the RTS on CSD requirements 3.1. Overall approach 3.1.1. Proposal in the CP
6. In the CP, ESMA proposed to review RTS on CSD requirements with two angles in mind: the changes required to address the modifications introduced by CSDR Refit and the extensive experience gathered by CAs as well as RAs through the conduct of annual R&E processes on the CSDs they supervise, since this requirement started to apply in 2018.

9 7. Among the changes introduced by CSDR Refit in the R&E process, and beyond the mere changes in the references, ESMA considered that also the extension of the sharing of the results of the R&E process and the strengthening of the procedure for CAs to consult RAs in the course of the R&E process were relevant for this mandate. 8. These two latter aspects had driven the main changes proposed in the CP in the direction of requiring more information on (i) the cross-border activities of CSDs and on (ii) the risks to be considered by the RAs for the purpose of feeding the overall assessment by the CAs. 3.1.2. Feedback to the consultation 9. Too many new requirements: although respondents welcomed the intention to harmonise the report which may benefit the level-playing field and convergence at supervisory level and generally agreed with the proposed amendments, they all pointed out that the extent of the proposed modifications to the RTS and ITS did not seem to align with the overall objective of the CSDR Refit and of the Commission’s Regulatory Fitness and Performance (REFIT) programme to simplify and clarify the processes. In particular, the 16 new sets of data required under Article 41 of the RTS on CSD Requirements constituted an increase in the amount of information to be provided and in the number of reports to be produced, thus introducing a higher amount and complexity of tasks for CSDs. 10. They therefore recommended to carefully re-design the reporting obligations based on the principle of proportionality, ensuring consistency and avoiding duplications with other reporting workflows while improving the clarity and structure of the text of the regulation. 11. Need for a one-year implementing period. As a consequence to the above-mentioned points, all respondents highlighted that IT developments and adaptations of processes and queries will be necessary, requiring on average a change management period of at least one year from the coming into force of the draft RTS. 3.1.3. ESMA’s assessment and next steps 12. New requirements: in ESMA’s view most of them are not new in practice, as these data points and reports were already bilaterally required by some authorities to CSDs and as they refer to the CSDs' on-going compliance with existing requirements according to which CSDs must take various measures and actions, such as testing, reviewing, and updating of their arrangements. ESMA considers that this on-going compliance should be documented properly. Their introduction in these draft RTS and ITS ensures the harmonisation of reporting requirements across the EU.

10 13. Deferral: ESMA agrees to defer the application of certain new requirements, by one year in order to facilitate IT adaptations. 3.2. Report on the CSDs’ activities 3.2.1. Proposal in the CP 14. To allow for better comparability among supervisors between the CSDs’ performance, in particular, in the context of the implementation of the new requirements to establish colleges of supervisors for certain CSDs, and since CSDR requires the results of the R&E process to be shared also with the authorities participating in colleges, ESMA suggested in its CP to: • harmonise the minimum information to be provided in the report by the CSDs to their CAs, by including a non-exhaustive list of topics to be addressed in the report, and • include a non-exhaustive list of information items on changes that have been notified as ‘substantial changes’ under Article 16(4) of CSDR, for the purpose of the R&E process. 3.2.2. Feedback to the consultation 15. Duplicative reporting requirements: respondents have flagged two sets of requirements as duplicative: • the information concerning the change in the CSDs’ risk management framework impacting the calculation of capital requirements under Article 47 of CSDR, that seems to be included in the information reporting item related to risk management, capital requirements and recovery plan; • the information concerning services, governance and risk management changes, which seems to be requested as a change during the review period and as a substantive change under Article 16(4) of CSDR. 16. Information on user committee: one respondent suggested removing the requirement to provide information on the user committee’s activity from this article to add it to the existing Article 41(c) of RTS on CSD requirements which already applies to the user committee. 17. Clarifications were asked by various respondents in respect of the following aspects: • the meaning in practice of the requirement that the information should be provided “in a clear, precise and accessible manner”. In particular, respondents would like to

11 obtain clarification as to whether “accessible” applies to the means through which the information is provided or to the information itself, and if a specific communication channel with the CA should be defined; • whether the number of employees should be reported as number of physical employees or as number of full time equivalent (FTEs); • whether the reference to the group structure refers to the CSD or to the group the CSD belongs to; • whether the item on the reporting of the termination of a CSD link covers the termination of a link when the reporting CSD is acting as an “investor CSD”. 18. Substantive changes: respondents welcome the inclusion of a list of information on changes to be notified as substantive changes under Article 16(4) of CSDR, however pointing to some potential duplications (see point 15 above). 3.2.3. ESMA’s assessment and next steps 19. Report structure. ESMA has revised the structure of the report on the CSDs’ activities, which should now count four sections: • an overview of the changes that occurred during the review period in relation to (i) provision of services; (ii) its corporate governance structure, (iii) its risk management framework and (iv) its outsourced activities; • a high-level summary of the user committee activities; • a list of the substantive changes that occurred during this period; • a declaration by a CSD of an overall compliance with the provisions of CSDR during the review period. 20. No duplication. It should be noted that the section on substantive changes should include the full list of substantive changes that have occurred during the review period. Even though the topics covered in the first section of the report are similar, this section should give a broad overview of the CSD’s changes to the CSD risk management framework during the review period, while the section dedicated to substantive changes should look more like a factual list. 21. User committee: ESMA has not moved this requirement as suggested, as CAs deem it important to have a summary of all user committee’s activities upfront, in the report on the CSD’s activities. Point (c) of Article 41 the RTS on CSD Requirements is more specific, as it demands more detailed information about the decisions of the management body following or disregarding recommendations from the user committee. 22. Clarifications: in addition, ESMA has provided a few clarifications in the text of the RTS:

12 • the requirement to provide the information in a “clear precise and accessible manner” has been removed, as the way in which the information should be provided appears to be sufficiently clear from the further specifications provided in the draft ITS; • as to the number of employees, it is suggested to refer to “full-time equivalent” (or FTE), as this term is used by the Eurostat Glossary, and allows for easier comparison between CSDs; • as to the changes relating to the group structure, it has been rephrased to clarify that this refers to the structure of the group to which the CSD belongs; • as to the termination of CSD links, the requirement has been revised by reference to requesting and receiving CSDs. 3.3. Periodic Information 3.3.1. Proposal in the CP 23. CSDR Refit reinforces the necessary consultation of RAs and the CA(s) referred to in Article 67 of MiFID II (authorities consulted if the CSD provides investment services, hereafter ‘MiFID authorities’) within the R&E process. Such procedure ensures that the views of these authorities are part of the final decision on the R&E process. 24. This, coupled with the experience accumulated by both CAs and RAs in the conduct of R&E processes over the past years, led ESMA to suggest in its CP further specifying some existing information items and including in the required information a list of those items already requested under the existing R&E processes. These items relate to the risks that should be managed by CSDs: legal risks, general business risks and operational risks, which should be evaluated by the CA.

13 25. These proposals aimed to address the concerns raised in relation to different understandings and applications of various requirements as well as different readings of background documents, which may impact the consistent application of CSDR and distort the level playing field, as identified through the European Commission survey on the review of CSDR2 . These proposals should also promote a level-playing field across Member States and predictability for CSDs in terms of information to provide. It should also permit to save some time in a process where such information must be transmitted by CAs to RAs “at an early stage” of the process. 3.3.2. Feedback to the consultation 26. New reporting items: respondents noted that Article 41 of the RTS on CSD requirements is extended by 16 new items to be reported by the CSD, which will in their view considerably increase the workload for the CSDs and the regulators. The respondents therefore wondered whether such specific reporting is necessary, given the existing powers and competence of CAs and whether such specification would not go against the objective of the CSDR Refit to have a less burdensome R&E process. They also recommended to further evaluate whether certain information, such as information on business risk, is significant for the RAs, to preserve the smoothness and timeliness of the consultation process. 27. Suggestion to harmonise with T2S: one respondent suggested to further harmonise the report on the CSDs’ operational reliability objectives by referring to the parameters set by the T2S Framework Agreement. 28. Manual interventions: several respondents found that the scope was too broad, and that it was not relevant to cover every manual intervention performed by a CSD. They suggested to specify that manual interventions should be reported only to the extent that this is linked to Article 4 of the RTS on Settlement Discipline, i.e. to a summary of the types of manual interventions performed by a CSD in the automated settlement process according to Article 4 of the RTS on Settlement Discipline. 2 Impact Assessment Report, accompanying the Proposal for a Regulation of the European Parliament And Of The Council amending Regulation (EU) No 909/2014 as regards settlement discipline, cross-border provision of services, supervisory cooperation, provision of banking-type ancillary services and requirements for third-country central securities depositories, 16.3.2022, SWD(2022) 75 final

14 29. Clarification on ‘substantive’: one respondent suggested that the word ‘substantive’ should not be used for changes other than for the ‘substantive changes’ referred to in Article 16(4) of CSDR which entails immediate notification. In respect of changes to resolution plans, it was therefore suggested to substitute “significant” for “substantive” to avoid any confusion in reporting requirements. 30. Changes to CSD links: one respondent deemed the reporting item on the changes to CSD links as too broad as it does not seem relevant to report any operational change occurring to CSDs links. This respondent proposed an amendment specifying that only the significant changes affecting compliance with CSDR requirements applicable to CSD links should be reported. 31. Changes in management of legal risks: one respondent understood that this requirement consisted in reporting about the daily management of the legal risks and, as such, increases the workload significantly and is not a realistic expectation for a company’s daily, business-as-usual activities. They therefore suggested a removal of this paragraph because it would lead to a disproportionate workload on supervisory as well as entity level, and that the difference with the point on CSD’s risk management and control system is unclear. 32. Changes in management of ICT risks (DORA): all respondents asked either for a strict alignment of these requirements with the reporting requirements stemming from DORA or a removal of these requirements in the context of the R&E process. 3.3.3. ESMA’s assessment and next steps 33. New reporting items: ESMA notes that recital (2) of the draft RTS includes a general justification for the addition of such new requirements, notably based on the new Article 22(6) of CSDR, according to which RAs are now formally consulted by the CAs on whether the requirements of this Regulation or other requirements of Union law are met by the CSD as regards the functioning of the securities settlement systems operated by the CSD. As also pointed out in this recital, ESMA understands that the RAs were consulted also in the past during the R&E processes, which allowed both CAs and RAs to gain an extensive experience in conducting many R&E processes, which should be leveraged on in order to make the whole process more efficient and effective.

15 34. It is understood that the aim is to assess in a harmonised manner the ongoing compliance of the CSDs with the respective CSDR provisions. To that end, the draft RTS and ITS require the provision of all the information already requested by the Eurosystem in relation to the functioning of the SSS operated by the CSD. RAs have a legitimate interest to get comprehensive information on the functioning of an SSS and implicitly of the CSD operating that SSS because the design/functioning of an SSS is intertwined with and dependent on the design/functioning of the CSD operating that SSS. 35. Although for most of these items, the general baseline that a good governance of risks is a prerequisite for the smooth provision of core CSD services, which is critical for the smooth functioning of the financial system, a number of new recitals have been developed to provide more specific justifications for their inclusion in the draft RTS and ITS. 36. Suggestion to harmonise with T2S: ESMA proposes to specify this requirement by adding the following clarification at the end of the paragraph: “for this purpose, CSDs that use a common settlement infrastructure may provide extracts of the reports made available under the legal, regulatory and operational framework referred to in Article 30 (5) of [CSDR]”. 37. Manual interventions: ESMA agrees to align this requirement with the one provided in the RTS on Settlement Discipline, which is posterior to this RTS, and, to limit its scope, added “in the automated settlement process according to Article 4 of Regulation (EU) 1229/2018” at the end of the provision. 38. Clarification on ‘substantive’: ESMA agrees with the proposed clarification and replaced “substantive” with “significant”. 39. Changes to CSD links: ESMA agrees that the scope of this requirement is broad and might be disproportionate. However, it notes that a change in the type of link is important information, in respect of which there is no real notification requirement: CSDR only requests notifications for the establishment of new CSD links (which in turn CAs notify to ESMA). It is therefore important that this information is provided through the R&E process. 40. Changes in the management of legal risks: ESMA would like to clarify that this requirement entails no obligation to provide a daily reporting on the management of legal risks. The information expected to be received should be based on the one provided for the purpose of the authorisation process under Article 31 of the RTS on CSD requirements, highlighting the changes that occurred during the review period. ESMA therefore proposes no change to this requirement.

16 41. ICT risks (DORA): ESMA wants to highlight that it is important for RAs to receive information from CAs about the CSD's compliance with DORA, including for the performance of their role under Article 22(6) of CSDR and to ensure compliance with Article 45 of CSDR. Further, within CSDR’s framework of information sharing, Articles 22(6) and (7) of CSDR already establish an obligation on CAs to share information with, among others, RAs for the purposes of the R&E process, regarding the compliance by CSDs with requirements under CSDR or other Union laws, which would also include information regarding compliance with requirements under DORA3 . 42. To avoid any duplication of reporting, ESMA has therefore removed the draft requirements proposed in the CP (for CSDs to provide CAs, in the context of the R&E processes, with reports expected to be provided under DORA), but has specified that the report on the outcome of the R&E process which CAs shall provide to a range of authorities shall also include information about “the result of the most recent evaluation of the CSD’s compliance with [DORA], including any identified compliance gaps and related recommendations or remedial measures”. 3.4. Statistical data 3.4.1. Proposal in the CP 43. CSDR Refit extended the obligation for CAs to share the results of the R&E process, including any remedial actions or penalties, not only to the RAs and where applicable to MiFID authorities, but also to ESMA and where applicable, to the college of supervisors to be established in respect of certain CSDs (when a CSD is considered of substantial importance for the functioning of securities markets and the protection of investors in at least two host Member States). 44. In ESMA’s view, this change justified requiring more information from CSDs regarding cross-border aspects of their activities, to gain a more precise knowledge on the CSDs ecosystems and potential risks associated to such services, which can feed into supervisory convergence at ESMA and discussions at college level. 3 More specifically, under Article 22(7) of CSDR, CAs should “transmit the necessary information to the relevant authorities […] and consult them on whether the requirements of this Regulation or other requirements of Union law are met by the CSD as regards the functioning of the securities settlement systems operated by the CSD” and should also “inform the relevant authorities […] of the results, including any remedial action or penalties, of the review and evaluation”.

17 45. Therefore, ESMA considered it appropriate for CSDs to provide statistical information on: • its users: indicating the jurisdiction of incorporation of its participants, issuers, linked CSDs; • the securities in respect of which they provide services, in particular the law under which they are constituted (indicating the jurisdiction of incorporation of their issuer and the jurisdiction of the law governing the issue, in line with Article 49 of CSDR). 46. In addition, the draft RTS proposed requiring CSDs to provide information on so-called ‘relayed links’. A relayed link is not a CSD link under CSDR. This concept is used only by the Eurosystem, based on information submitted by CSDs in order to check their compliance with the eligibility criteria of their links for use in the Eurosystem credit operations. In this context, a relayed link is defined as “a contractual and technical arrangement that allows issuer and investor CSDs to hold and transfer securities through an account with a third CSD ("middle CSD"), which acts as an intermediary”. 47. The inclusion of a requirement relating to such ‘relayed links’ followed from the work done in the ESMA report on cross-border services under CSDR4 . Here on the basis of the first elements analysed it was noted that “relayed links seem to be an important part of the EEA links landscape and that many CSDs rely on the use of links with ICSDs to access markets (both EEA and worldwide) where the ICSDs has established a link with the local CSD. This may be an explanation for the overall stability of the number of links in place for CSDs in the EEA, both with other EEA CSDs and worldwide”. 3.4.2. Feedback to the consultation 48. Participants: branches. Two respondents argued that while CSDs maintain information on participants related to the entity that, having legal capacity, assumes all obligations deriving from the participation in the system, such does not exist with respect to their participants’ branches. They suggested deleting this requirement. 49. Participants: types. In the draft RTS and ITS submitted to consultation, ESMA proposed a new requirement for CSDs to report the type of their participants. All respondents commented on this requirement: 4 Report on the provision of cross-border services by CSDs and handling of applications under Article 23 of CSDR from 2020 to 2022, 31 January 2024 (ESMA74-2119945925-1568). “For the purpose of the quantitative survey supporting this report, relayed links were defined as two (or more) direct (standard or customised) links of the intermediary CSD with each of the other involved CSDs. Based on this definition, 7 CSDs (…) reported 56 relayed links. It is however difficult to draw a conclusive assessment of the reported relayed links and related settlement activity, due to likely discrepancies in reporting from respondents on a practice not defined in CSDR. The extent to which EEA CSDs are acting as intermediary CSD in relayed links and to which settlement is happening through relayed links was in all likelihood underreported and has therefore not been included in this report.” (p. 18)

18 • A response noted that the information on such participants is already present in various registers maintained by ESMA or the CAs, and suggested not asking the CSDs to make significant technical developments in order to provide it again and in another format; • Another response asked why the proposed list was not aligned with the Settlement Finality Directive, highlighting that, as such, this would be a new classification that would need to be collected from all participants and built into CSD reference data systems. For this respondent it means a considerable effort for operational teams regarding data gathering and IT system development; • For another respondent this might lead to divergent interpretations when compared to the classification currently applied by CSDs (e.g. public authorities and publicly guaranteed undertakings); therefore, this should be clarified, taking into account existing categorisations, that participants can have multiple licences and fall within multiple categories; • Finally, another respondent considered that for third-country participants, “other” is not accurate enough. For them, it should refer to the actual regulatory status of the third country entity rather than trying to match with a very limited list without being sure that from a local law perspective there is an equivalence or similarity with the listed status. 50. As the benefits of this additional data are questionable, several respondents disagree with ESMA’s proposal on the basis of a lack of proportionality and ask for the removal of the new requirements. 51. Registered name: one respondent suggested that the term “registered name” used in various fields should be clarified. 52. Value of securities: one respondent asked for a clarification of what is meant by ‘negative’ value in relation to the total nominal/market value of the securities, as the total nominal/market value of a security could not be negative. 53. Underlying transactions of FOP settlement instructions: this proposal received some pushback from several respondents, arguing that it should be either clarified (with examples) or removed, based on the following: • CSDs usually do not collect information regarding the type of the underlying transaction of a FOP settlement instruction, and even in the case where this information could be in one of the fields of the settlement instruction, due to the characteristics of the field, the information may not be harmonised and reliable; • as regards the proposed category of underlying transactions, it is not clear how a FOP settlement instruction could result from a ‘transaction in commercial bank

19 money and foreign currencies’ since FOP instructions are defined as a delivery of securities which is not linked to a corresponding transfer of funds; • it is not clear why FOPs would represent (more) risk and how the CSD could/should mitigate this risk, as the use of DVP or FOP is solely decided by the CSD participants and thus CSDs cannot judge whether using FOP is “reasonable” or not. 54. Penalties: one respondent suggested removing this requirement as they find it unclear in respect of the following: • the ‘amount’ it refers to (the penalty paid per participant or to the total amount charged by the CSD to all participants); • the period for which it should be provided (they assume that the requirement refers to the amounts paid on an annual basis); • the ‘number’ it refers to: value is to be provided, considering that all penalty reports are already available in the report provided under the RTS on Settlement Discipline. 55. Requirements not applicable to all CSDs: one respondent highlighted that the reporting requirements do not consider the cases where CSDs do not provide ‘securities borrowing and lending operations’, ‘guarantees and commitment related to securities borrowing and lending operations’ or ‘treasury activities involving foreign exchange and transferable securities related to managing participants’. The respondent therefore suggested adding “where applicable” (or similar) to the wording. 56. Settlement through CSD links: some respondents highlighted that the requested data about the linked CSD (country of incorporation, LEI, registered name, type of link) is already available to authorities in public registers (in particular in the CSD register ESMA publishes under Article 21 of CSDR5 ). 57. In this respect, one respondent found the proposed sub-paragraph (“in case a CSD link qualifies both as an interoperable link as well as another type of link, for the purpose of (ii), such link should be exclusively considered as an interoperable link”) was unclear and proposed to delete it. 58. This respondent further wondered why the references to requesting and receiving CSDs have been removed, as they were helpful in giving the persons that elaborate the report a practical idea in which sense to consider the CSD link, i.e. when the CSD has another CSD as a participant (in its capacity as receiving CSD) and when the CSD has transactions as a participant locally with another CSD (in its capacity as requesting CSD). 5 See ESMA website on CSDs

20 59. Settlement through relayed links. This new item received strong pushback from all respondents, on various grounds: • this data should not be considered as relevant to assess the cross-border activity of a CSD; • this data is already included in the information reported under letter (l) of Table 3 related to “direct links”; • it should not create any duplicate with the Eurosystem self-assessment. Part of the feedback proposed to align this requirement with the terminology used by the Eurosystem to avoid divergent interpretations, and the subsequent risk of creating additional requirements; • the definition proposed in the draft CP is not clear, while the concept used by the Eurosystem is actually very simple and clear (there are three or more SSS linked by direct links); • IT developments and adaptations will be necessary to include the additional information in the reporting workflows, which will require on average a change management period of one year from the coming into force of the new RTS; • CSDs can only provide the information which they see in their systems (due to omnibus accounts): CSDs in a relayed link might not be aware of its existence, as contractual arrangements exist only in certain cases; • it is not clear which CSD(s) should report; this reporting would duplicate reporting of settlement made through standard links. 3.4.3. ESMA’s assessment and next steps 60. Participants’ branches: For proportionality purposes ESMA has removed the proposed requirement. 61. Participants’ types: ESMA has decided to remove this requirement as well, as sufficient information on participants (corporate name, LEI, country of incorporation) is already provided for supervisory purposes and no other reporting requirement is based on this breakdown. 62. Clarification on registered name: ESMA has substituted “registered name” with “corporate name”, to align it with the rest of the RTS on CSD requirements. 63. Value of securities. ESMA has removed the reference to negative values.

21 64. Underlying transactions of FOP settlement instructions: ESMA decided to remove this proposal and not include this new requirement in the draft RTS and ITS based on the absence of identified risk. ESMA notes that this information can however be requested on a bilateral basis by a CA to a CSD as it might be interesting to better understand the underlying reason of the FOP transactions. 65. Penalties: The reporting available to CAs and RAs on cash penalties under the RTS on Settlement Discipline (cf. Annex 1, Table 1, items 39 and 40) does not include information on the number (total number of penalties imposed) and amount (total value of penalties imposed) of penalties per CSD participant. ESMA therefore considers it important to keep this requirement here. 66. Settlement through CSD links: ESMA would like to clarify that this requirement is not about data on the CSD link itself but about the volume and value of instructions settled through each CSD link, split per linked CSD, type of link, etc for the purpose of the cross￾border activity report. No change has thus been made to this requirement, which has been applied since 2018 without having raised any issue so far. 67. Reporting of settlement through relayed links: ESMA has re-examined the requirements proposed in the CP and decided to remove it from the draft RTS and ITS as it seemed to introduce a lot of complexity in the reporting under the R&E process. 68. This does however not prevent CAs from requiring targeted information on its relayed links to the CSD they supervise, in order to get better knowledge of the interactions existing between the EEA CSDs and thus better knowledge of CSD cross-border activity. 69. Requirements not applicable to all CSDs: ESMA agrees with the suggestion made by the responses to the consultation and has included “where applicable” in these two points. 4 Proposed amendments to the ITS on CSD requirements 4.1. Main changes 70. Most of the proposed amendments relate to the templates for the provision of periodical and statistical information and directly reflect the proposed amendments to RTS on CSD requirements. ESMA therefore modified the draft accordingly following the revision of the amendments proposed to this regulation.

22 71. The amendments included in the draft ITS also extend the deadline to share the results of the R&E process from three days to ten days, to allow for smoother processes in light of the experience gathered during past R&E processes. No comment was received on this part from the respondents to the public consultation therefore no modification has been made. 72. Finally, among these information items, ESMA considers that it is important to closely monitor the CSDs’ progress in addressing the outstanding findings and recommendations, from previous R&E processes, if there are any, as their prolonged existence might jeopardise the risks or even give rise to regulatory arbitrage. CSDs should thus inform their CAs about measures taken to address these outstanding findings and overall supervision. 73. The only comments received through the public consultation specifically on this draft ITS concerned the frequency of reporting. 4.2. Frequency of reporting 4.2.1. Proposal in the CP 74. Beyond the above-mentioned modifications, ESMA suggested making explicit the possibility for CAs to request certain information items on a more frequent basis to satisfy their supervisory needs, having regard to the type of information and to the size, systemic importance, risk profile, nature, scale and complexity of the activities of the CSD concerned. 4.2.2. Feedback to the consultation 75. One respondent wondered whether such specification was necessary, given the existing powers and competence of the CAs and whether such specification would not prejudice the objective to have a less burdensome R&E process envisaged in CSDR. 4.2.3. ESMA’s assessment and next steps 76. ESMA kept this possibility explicit in the draft ITS. This reference clarifies that CAs can indeed request information on a more frequent basis, if they deem it relevant for their supervisory needs (e.g. certain statistical data which are available to CSDs on a monthly or yearly basis). ESMA considers that this possibility is particularly relevant when CAs choose to conduct R&E processes only every three years.

23 Annexes Annex I: Legislative mandate to develop technical standards Regulation (EU) No 909/2014 of the European Parliament and of the Council of 23 July 2014 on improving securities settlement in the European Union and on central securities depositories and amending Directives 98/26/EC and 2014/65/EU and Regulation (EU) No 236/2012 Article 22 Review and evaluation (…) 10. ESMA shall, in close cooperation with the members of the ESCB, develop draft regulatory technical standards to specify the following: (a) the information that the CSD is to provide to the competent authority for the purposes of the review and evaluation referred to in paragraph 1; (b) the information that the competent authority is to supply in accordance with paragraph 7; (c) the information that the competent authorities referred to in paragraph 8 are to supply one another. ESMA shall submit those draft regulatory technical standards to the Commission by 17 January 2025. Power is delegated to the Commission to adopt the regulatory technical standards referred to in the first subparagraph in accordance with in Articles 10 to 14 of Regulation (EU) No 1095/2010. 11. ESMA shall, in close cooperation with the members of the ESCB, develop draft implementing technical standards to determine standard forms, templates and procedures for the provision of information referred to in the first subparagraph of paragraph 10. ESMA shall submit those draft implementing technical standards to the Commission by 17 January 2025. Power is conferred on the Commission to adopt the implementing technical standards referred to in the first subparagraph in accordance with Article 15 of Regulation (EU) No 1095/2010.

24 Annex II: Cost and benefit analysis Defer the application of new reporting requirements by one year Policy Objective Provide CAs with the information items newly required in these draft RTS and ITS as soon as possible. Option 1 No deferral. Option 2 Defer by one year the application of all new reporting requirements. Option 3 Defer by one year the application only of the new reporting requirements which entail changes to the CSDs’ ICT systems. Preferred Option Option 3 Benefits Qualitative description Quantitative description The third option was chosen since it allows CAs receiving all of the new reporting items that do not necessitate an update of the CSDs’ ICT systems as soon as possible, while giving the CSDs some time to adapt their systems for the reporting of these new statistical data points. NA Cost to regulator:

• One-off
• On￾going No cost identified. NA Compliance cost: − IT − Training − Staff For CSDs, the cost of adapting their ICT systems to the reporting of these new statistical data items (one-off cost) and their maintenance. NA Other costs None identified. NA Innovation￾related aspects Innovation-related aspects are not of direct relevance to the provision of new pieces of information by CSDs for the purpose of the R&E process. ESG-related aspects ESG-related aspects are not of direct relevance to the provision of new pieces of information by CSDs for the purpose of the R&E process. Proportionality￾related aspects The identified benefits outweigh the one-off costs for the CSDs; hence no proportionality related aspects are of direct relevance to the provision of new pieces of information by CSDs for the purpose of the R&E process.

25 Annex III: Draft technical standards COMMISSION DELEGATED REGULATION (EU) …/… of XXX amending the regulatory technical standards laid down in Commission Delegated Regulation (EU) 2017/392 of 11 November 2016 supplementing Regulation (EU) No 909/2014 of the European Parliament and of the Council with regard to regulatory technical standards on authorisation, supervisory and operational requirements for central securities depositories (Text with EEA relevance) THE EUROPEAN COMMISSION, Having regard to the Treaty on the Functioning of the European Union, Having regard to Regulation (EU) No 909/2014 of the European Parliament and of the Council of 23 July 2014 on improving securities settlement in the European Union and on central securities depositories and amending Directives 98/26/EC and 2014/65/EU and Regulation (EU) No 236/20126 , and in particular Article 22(10) thereof, Whereas: (1) The amendments introduced to Regulation (EU) No 909/2014 by Regulation (EU) 2023/2845 of the European Parliament and of the Council7 require amending certain provisions of Commission Delegated Regulation (EU) 2017/3928 accordingly. (2) Considering the strengthening of the role of relevant authorities and, where applicable, of the authorities referred to in Article 67 of Directive 2014/65/EU, in the review and evaluation process operated by Regulation (EU) No 909/2014the competent authorities should transmit to these authorities the information necessary to fulfil their role, which has been extended beyond the functioning of the securities settlement systems operated by the central securities depository (CSD) to compliance with CSDR and other 6 OJ L 257, 28.8.2014, p. 1–72. 7 Regulation (EU) 2023/2845 of the European Parliament and of the Council of 13 December 2023 amending Regulation (EU) No 909/2014 as regards settlement discipline, cross-border provision of services, supervisory cooperation, provision of banking-type ancillary services and requirements for third-country central securities depositories and amending Regulation (EU) No 236/2012 (OJ L, 2023/2845, 27.12.2023). 8 Commission Delegated Regulation (EU) 2017/392 of 11 November 2016 supplementing Regulation (EU) No 909/2014 of the European Parliament and of the Council with regard to regulatory technical standards on authorisation, supervisory and operational requirements for central securities depositories (OJ L 65, 10.3.2017)

26 requirements of Union law as regards the functioning of the securities settlement systems. (3) The recent amendments to Regulation (EU) No 909/2014, along with the supervisory experience gained since its implementation, justify the reporting by CSDs to competent authorities of new information items. This enhancement should also make the reporting requirement more predictable, reducing the administrative burden for both CSDs and authorities by minimizing 'ad hoc' information requests. (4) In order to ensure minimum harmonisation and comparability for authorities and foster supervisory convergence, it is appropriate to require a summary of the key changes occurred since the last review on a number of parameters intrinsically related to the ongoing supervision of the CSD in the form of a report addressing a minimum list of topics. In light of the new minimum frequency for review and evaluation, this report should cover the core elements of the structure and functioning of the CSD from a supervisory perspective. These elements include the group structure, management and shareholders, their activities or services or the termination of services and links. Additionally, the summary must be compared with other information to determine if supervisory action is needed, such as the results of business continuity and disaster recovery tests or details about past operational incidents. (5) In particular, a number of information items on the changes in the CSDs’ risk management framework, in terms of legal risks, general business risks and operational risks have been included in the set of periodic information to be provided to the competent authorities for the review and evaluation. (6) Considering the new requirement introduced in Regulation (EU) 909/2014 for competent authorities to inform the European Securities and Markets Authority (ESMA) and, as applicable, colleges of supervisors of the results of the review and evaluation process, the review and evaluation conducted by competent authorities should also relate to the services provided by CSDs on a cross-border basis, in other Member States and in third countries. Therefore, this Regulation mandates that CSDs provide competent authorities with statistical data on their cross-border activities, including the jurisdictions of their participants or issuers and the governing law of the securities for which they provide core services. This information will enable authorities to thoroughly understand the operational, legal, and liquidity risks associated with the cross-border provision of services by CSDs. (7) To ensure that a CSD is properly identifying, rating, and managing its legal risk exposure, the CSDs should provide information regarding any changes to their legal management framework in the course of the review period.

27 (8) To ensure that a CSD complies at all times with the conditions for authorisation, the CSD’s progress in addressing the outstanding findings and recommendations, where there are such, should be closely monitored. CSDs should inform their competent authorities about measures taken to address these outstanding findings and recommendations, as part of the review and evaluation process. In particular, CSDs should periodically report changes regarding the variation on the risk rating of the CSD occurred during the review period. (9) Outsourced activities or services may have a direct impact on the management of securities settlement systems. As a consequence, CSDs should periodically provide information on major changes occurred in them during the review period to ensure that the outsourcing contract adequately provides for oversight and proper control of the outsourced functions by the CSD as the CSD remains liable for any issues that arise in relation to the outsourced activity or service. (10) A new requirement was introduced in Regulation (EU) No 909/2014 in relation to CSDs operating securities settlement systems applying deferred net settlement. Given that deferred net settlement entails credit and liquidity risks, it is necessary that CSDs provide periodic information as regards the way in which those credit and liquidity risks are managed. (11) A CSD is required to periodically review its operational objectives to incorporate new technological and business developments. Accordingly, it should provide competent authorities with information about the outcome of such review in the course of the periodic review and evaluation process. In particular, the processes and activities that contribute to the delivery of the services that the CSD provides and the IT systems that support them may be revised in light of the periodic business impact analysis, after material incidents or due to significant operational changes. Such revisions should be periodically reported in line with their relevance for the functioning of the securities settlement systems. (12) Operational risk is one of the main risks that CSDs face on an ongoing basis. As a consequence, CSDs should provide competent authorities with adequate information about the operational risks faced during the review period and the procedures followed to mitigate those exposures and losses. Additionally, it is necessary that CSDs periodically report the outcome of the CSD’s tests and reviews on their operational arrangements, policies and procedures with users. (13) CSDs are required to promote early settlement on the intended settlement date, by means of cash penalties, settlement fails reporting and eventually, mandatory buy-in therefore, competent authorities need to monitor any changes that CSDs implement in this area during the review period.

28 (14) To ensure that CSDs have the capacity to take timely action in case of default of one or more of its participants, the relevant rules and procedures should be periodically tested and reviewed. CSDs should report the outcome of such testing and review to competent authorities to allow the identification of the risks to which CSDs might be exposed. (15) Similarly, CSDs should periodically review the business continuity policy and the disaster recovery plan, addressing all their critical operations. CSDs should provide competent authorities with the result of the periodic reviews taking place during the period covered by the review and evaluation. This information shall not only ensure that such periodic reviews have been undertaken but will also enable competent authorities to monitor whether their results have been adequately addressed. (16) CSDs may use measures or tools to condition the delivery of securities to the payment of the cash leg operated outside its system for free-of-payment settlement instructions. Given their systemic relevance for the securities settlement system, competent authorities should receive information about their implementation during the period under review. (17) This Regulation specifies further the requirements for CSDs to report relevant information, which might lead to structural changes for CSDs. As a consequence, the application of some of the requirements of this Regulation should be deferred by one year to provide CSDs with enough time to undertake the necessary changes. (18) Delegated Regulation (EU) 2017/392 should therefore be amended accordingly. (19) This Regulation is based on the draft regulatory technical standards submitted to the Commission by ESMA. (20) ESMA has conducted open public consultations on the draft regulatory technical standards on which this Regulation is based, analysed the potential related costs and benefits and requested the advice of the Securities and Markets Stakeholder Group established in accordance with Article 37 of Regulation (EU) No 1095/2010 of the European Parliament and of the Council9 , 9 Regulation (EU) No 1095/2010 of the European Parliament and of the Council of 24 November 2010 establishing a European Supervisory Authority (European Securities and Markets Authority), amending Decision No 716/2009/EC and repealing Commission Decision 2009/77/EC (OJ L 331, 15.12.2010).

29 HAS ADOPTED THIS REGULATION: Article 1 Amendments to Delegated Regulation (EU) 2017/392 Delegated Regulation (EU) 2017/392 is amended as follows: (1) Article 40 is amended as follows: (a) paragraph 2 is replaced by the following: “For the purposes of the review and evaluation referred to in Article 22(1) of Regulation (EU) No 909/2014, a CSD shall provide to its competent authority the following: (a) the information referred to in Articles 41 and 42; (b) a report on the CSD's activities for the relevant review period and the substantive changes referred to in Article 16(4) of Regulation (EU) No 909/2014 notified during the review period, and all related documents. The report shall include information pertaining to the following aspects, relevant to the review period: (i) changes in the provision of the CSD core and ancillary services, referred to in the Annex to Regulation (EU) No 909/2014, in its home Member State, and as applicable in other Member States and in third countries; (ii) changes in the CSD’s corporate governance and organisational structure including in the number of employees; (iii) changes made to the risk management framework in respect of legal, business, operational and other direct or indirect risks referred to in Article 42 of Regulation (EU) 909/2014, demonstrating the CSD’s ongoing evaluation of the changing landscape of risks it faces through a classification of the main risks; (iv) a summary of the user committee activities referred to in Article 28 of Regulation (EU) No 909/2014, including the number of meetings, advice and opinions delivered, indicating their topics and identifying those that have not been followed by the CSD’s management body, if any;

30 (v) the main changes in the evolution of the outsourcing by the CSD of services and activities under Article 30 of Regulation (EU) 909/2014; (vi) details on substantive changes referred to in Article 16(4) of Regulation (EU) No 909/2014, shall cover, without being limited to, any of the following events if notified during the review period: — change in the CSD’s group structure, senior management, management body and shareholders pursuant to Article 27 of Regulation (EU) 909/2014; — changes to an existing activity or service other than in the context of Article 19(1) of Regulation (EU) 909/2014, where the description of services referred to in points (l) to (p) of Article 4(2) of this Regulation would need to be amended; — termination of a CSD service; — termination of a CSD link; — change in the CSD’s risk management framework impacting the calculation of capital requirements under Article 47 of Regulation (EU) 909/2014; (c) any additional information requested by the competent authority that is necessary for assessing the compliance of the CSD and its activities with Regulation (EU) No 909/2014 during the review period or to evaluate the risks to which the CSD is, or might be, exposed or which it creates for the smooth functioning of securities markets or stability of the financial markets.” (2) Article 41 is replaced by the following: “Article 41 Periodic information relevant for each review and evaluation For each review period, the CSD shall provide the competent authority with the following: (a) a complete set of the latest audited financial statements of the CSD, including those consolidated at group level; (b) a summarised version of the most recent interim financial statements of the CSD; (c) any decisions of the management body following the advice of the user committee, as well as any decisions where the management body has decided not to follow the advice of the user committee;

31 (d) information on any pending civil, administrative or any other judicial or extrajudicial proceedings involving the CSD, in particular in relation to matters concerning tax and insolvency, or matters that may cause financial or reputational costs for the CSD; (e) information on any pending civil, administrative or any other judicial or extrajudicial, proceedings involving a member of the management body or a member of the senior management that may have a negative impact on the CSD; (f) any final decisions resulting from the proceedings referred to in points (d) and (e); (g) a copy of the results of business continuity and disaster recovery tests or similar exercises performed during the review period as referred to in Article 79 of this Regulation and of audit reviews referred to in Article 76(1), point (b) of this Regulation; (h) a report on the operational incidents that occurred during the review period and affected the smooth provision of any core services, information on the classification of these incidents, the measures taken to address them and the results thereof as referred to in Article 71(4) of this Regulation; (i) a report on whether the CSD’s established operational reliability objectives including operational performance objectives and committed service-level targets for its services and securities settlement systems referred to in Article 70(3) of this Regulation, are met. This report shall include information on the CSD’s actions to regularly monitor, assess, and report on these objectives, as referred to in paragraphs 5 and 6 of Article 70 of this Regulation, and an assessment of the system’s availability during the review period, measured on a daily basis as the percentage of time the system is operational and functioning according to the agreed parameters; (j) a summary of the types of manual intervention performed by the CSD in the automated settlement process according to Article 4 of Regulation (EU) no. 2018/1229; (k) information required to assess the plans for recovery and orderly wind-down and in particular concerning any significant changes to its plans for recovery and orderly wind-down and, as applicable, any significant change to its resolution plan, as referred to in Article 22a of Regulation (EU) No 909/2014, that occurred during the review period;

32 (l) information on any formal complaints received by the CSD during the review period including information on the following elements: (i) the nature of the complaint; (ii) how the complaint was handled, including the outcome of the complaint; (iii) the date when the treatment of the complaint ended; (m)information concerning the cases where the CSD denied access to its services to any existing or potential participant, any issuer, another CSD or another market infrastructure in accordance with Articles 33(3), 49(3), 52(2) and 53(3) of Regulation (EU) No 909/2014; (n) a report on the significant changes affecting any CSD links established by the CSD that have an impact on the requirements referred to in Chapter XII of this Regulation, including changes in the type of CSD link and to the mechanisms and procedures used for the settlement in those CSD links; (o) information concerning all cases of identified conflicts of interests that materialised during the review period, including the description of how they were managed; (p) information concerning internal controls and audits performed by the CSD during the review period, including information on the audit of CSD’s operational risk￾management framework and systems as referred to in Article 45 of Regulation (EU) No 909/2014 and in paragraphs (1) and (2) of Article 73 of this Regulation as well as regular and independent audits of the CSD as referred to in Article 26(6) of Regulation (EU) No 909/2014 and in Articles 51 and 52(1) of this Regulation; (q) information concerning any identified infringement of Regulation (EU) No 909/2014, including those identified through the reporting channel referred to in Article 26(5) of Regulation (EU) No 909/2014; (r) detailed information concerning any disciplinary actions taken by the CSD during the review period, including any cases of suspension of participants in accordance with Article 7(7) of Regulation (EU) No 909/2014 with a specification of the period of suspension and the reason for suspension; (s) the general business strategy of the CSD and a detailed business plan for the services provided by the CSD covering at least the next review period; (t) information on changes that occurred during the review period to the CSD’s management of legal risk as referred to in Article 43 of Regulation (EU) No 909/2014 and Article 31 of this Regulation;

33 (u) information on changes that occurred during the review period to the CSD’s risk￾management and control systems as well as to the IT tools put in place by the CSD to manage business risk referred to in Article 32(1) of this Regulation; (v) where the CSD has obtained a risk rating from a third party as referred to in Article 32(2) of this Regulation, information on any variation in the risk rating that the CSD obtained from a third party during the review period, including any relevant information supporting that risk rating; (w) information on changes that occurred during the review period to the CSD’s management of services or activities outsourced to a third party as referred to in Article 30 of Regulation (EU) No 909/2014, including staff sharing pursuant to Article 49 of this Regulation, and to the methods used to monitor the service level of the outsourced services and activities referred to in point (b) of Article 33(2) of this Regulation; (x) a report on changes that occurred during the review period in the measurement, monitoring and management of the credit and liquidity risks arising from the use of deferred net settlement as referred to in Article 47a(2) of Regulation (EU) No 909/2014; (y) information on the CSD’s actions taken during the review period to review its operational objectives to incorporate new technological and business developments as referred to in Article 70(7) of this Regulation; (z) information on the CSD’s assessment of the operational risks that the CSD faced during the review period, including the operational risks faced from key participants, by providing the regular reporting to the senior management of operational risk exposures and losses experienced from operational risks, and on the procedures followed to mitigate those exposures and losses, as referred to in Article 45 of Regulation (EU) No 909/2014 and in Articles 66(2), 67(4) and 71(2) of this Regulation; (aa) information on the outcome of the CSD’s tests and reviews of its operational arrangements, policies and procedures with users, as referred to in Article 73(4) of this Regulation, that occurred during the review period; (ba) information on updates of the CSD’s business impact analysis and risk analysis during the review period, stemming from either its annual review or any ad hoc review following a material incident or significant operational changes and

34 taking into account all relevant developments, including market and IT developments as referred to in Article 45 of Regulation (EU) No 909/2014 and in Article 77(3) of this Regulation; (ca) information on developments occurred in relation to the CSD’s measures to prevent and address settlement fails as referred to in Articles 6(3) and (4) and 7(1) and (2) of Regulation (EU) No 909/2014 and in Articles 4 to 15 of Regulation (EU) No 1229/2018; (da) information on the outcome of the CSD’s testing of its participant default rules and procedures as referred to in Article 41(3) of Regulation (EU) No 909/2014 that occurred during the review period; (ea) information on review or update of the CSD’s business continuity policy and disaster recovery plan referred to under Article 80 of this Regulation that occurred during the review period; (fa) information on the measures or tools the CSD used during the review period to condition the delivery of securities to the payment of the cash leg operated outside its system for free-of-payment (FOP) settlement instructions, if any; (ga) information on the progress that the CSD achieved in addressing the outstanding findings and recommendations formulated in the authorisation or in previous reviews and evaluations of the CSD in accordance with Article 22(9) of Regulation (EU) No 909/2014; For the purpose of point (i), CSDs that use a common settlement infrastructure may provide extracts of the reports made available under the legal, regulatory and operational framework referred to in Article 30(5) of Regulation (EU) No 909/2014 to replace relevant parts of the report referred to in point (i).”. (3) Article 42 is amended as follows: (a) The first subparagraph of paragraph (1) is replaced by the following: “For each review period, the CSD shall provide the competent authority with the following statistical data per each calendar year, or per other period as determined by the competent authority,” (b) point (a) is replaced the following: “(a) a list of the participants of each securities settlement system operated by the CSD, specifying all of the following:

35 (i) their country of incorporation; (ii) their LEI code, and (iii) their corporate name. (c) point (b) is replaced by the following: “(b) a list of issuers to whom the CSD provides the service referred to in point (1) of Section A of the Annex to Regulation (EU) No 909/2014, specifying all of the following: (i) their country of incorporation, (ii) their LEI code and (iii) their corporate name;” (d) a new point (ba) is inserted: “(ba) a list of securities issues recorded in securities accounts centrally maintained in each securities settlement system operated by the CSD, specifying all of the following: (i) the ISIN code of the securities, (ii) the country of incorporation of the issuer, (iii) the country of the governing corporate or similar law under which the securities are issued; (iv) the LEI code of the issuer; (v) the corporate name of the issuer;” (e) a new point (bb) is inserted: “(bb) a list of securities issues recorded in securities accounts not centrally maintained in each securities settlement system operated by the CSD, specifying all of the following: (i) the ISIN code of the securities; (ii) the country of incorporation of the issuer; (iii) the LEI code of the issuer; (iv) the corporate name of the issuer;” (f) in point (d), points (ii) and (iii) are replaced by the following: “(ii) by country of incorporation of the participant to which the services are provided; (iii) by country of incorporation of their issuer; (iv) by country of the governing corporate or similar law under which they are issued;”

36 (g) in point (f), the following point (iv) is added: “(iv) by country of the governing corporate or similar law under which they are issued;” (h) in point (h), the following point (iiia) is added: “(iiia) by country of the governing corporate or similar law under which the financial instruments are issued;” (i) point (i) is replaced by the following: “(i) the number and value of buy-in transactions referred to in Article 7a of Regulation (EU) No 909/2014;”; (j) point (l) is replaced by the following: “(l) the total number and value of settlement instructions settled via each CSD link, specifying: (i) the linked CSD (its country of incorporation, its LEI and its corporate name) and, if the CSD operates several of them, the linked securities settlement system; (ii) the type of link, as follows: — standard, as per Article 2(1), point (30), of Regulation (EU) No 909/2014; — customised, as per Article 2(1), point (31), of Regulation (EU) No 909/2014 per participant; — indirect, as per Article 2(1), point (32), of Regulation (EU) No 909/2014; — interoperable, as per Article 2(1), point (33), of Regulation (EU) No 909/2014; (iii) whether the CSD is the requesting CSD or the receiving CSD; for this purpose, the receiving CSD shall be considered the CSD providing the service referred to in of Section A, point (1), of the Annex to Regulation (EU) No 909/2014; (k) new paragraphs 2a and 2b are inserted:

37 “2a. The nominal value referred to in paragraph 1 shall be set to zero for securities denominated in units and recorded as such in the securities settlement systems, where the nominal value is not available. 2b. The information provided by the CSD under paragraph 1, points (a) to (f) shall reflect the situation at the end of the calendar year or of the period referred to in paragraph 1, as applicable.” (4) Article 44 is replaced by the following: “For each review period, the competent authority shall supply the relevant authorities, ESMA and, where applicable, the college referred to in Article 24a of Regulation (EU) 909/2014 and the authority referred to in Article 67 of Directive 2014/65/EU, with the following: (a) a report on the evaluation by the competent authority of the compliance of the arrangements, strategies, processes and mechanisms implemented by the CSD with Regulation (EU) 909/2024, including the plans referred to in Article 22a of Regulation (EU) 909/2014 and of the risks to which the CSD is or might be exposed or which it creates for the smooth functioning of securities markets or stability of the financial markets; (b) any envisaged or final remedial actions or penalties against the CSD as a result of the review and evaluation. The report referred to in point (a) shall include information about the result of the most recent evaluation of the CSD’s compliance with Regulation (EU) 2022/2554, including any identified compliance gaps and related recommendations or remedial measures, and, where applicable, about the result of the evaluation on issues relating to any outsourcing or extension of activities and services under Article 19 of Regulation (EU) 909/2014, on the provision of cross-border services by the CSD, and on issues relating to any potential breach of Regulation (EU) 909/2014 arising from the provision of services in a host Member States as referred to in Article 24(5) of that Regulation.” (5) In Article 45(2), point (a) is replaced by the following: “(a) a report on the evaluation by the competent authority of the risks to which the CSD is or might be exposed or which it creates for the smooth functioning of securities markets or stability of the financial markets;”.

38 Article 2 Entry into force and application This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union. However, points (b) to (h) and point (j) of point 3 of Article 1 shall apply from [a date that is one year after the entry into force of this Regulation]. This Regulation shall be binding in its entirety and directly applicable in all Member States. Done at Brussels, For the Commission The President

39 COMMISSION IMPLEMENTING REGULATION (EU) …/... of XXX amending Implementing Regulation (EU) 2017/394 of 11 November 2016 laying down implementing technical standards with regard to standard forms, templates and procedures for authorisation, review and evaluation of central securities depositories, for the cooperation between authorities of the home Member State and the host Member State, for the consultation of authorities involved in the authorisation to provide banking-type ancillary services, for access involving central securities depositories, and with regard to the format of the records to be maintained by central securities depositories in accordance with Regulation (EU) No 909/2014 of the European Parliament and of the Council (Text with EEA relevance) THE EUROPEAN COMMISSION, Having regard to the Treaty on the Functioning of the European Union, Having regard to Regulation (EU) No 909/2014 of the European Parliament and of the Council of 23 July 2014 on improving securities settlement in the European Union and on central securities depositories and amending Directives 98/26/EC and 2014/65/EU and Regulation (EU) No 236/2012 10, and in particular Article 22(11) thereof, Whereas: (1) Considering the requirement introduced in Regulation (EU) No 909/2014 on competent authorities to conduct review and evaluation processes at least every three years, the competent authorities may need some or all of the information required for the purpose of the review and evaluation to be provided more frequently to ensure they have sufficient information on a continuous basis to perform their on-going supervision. Competent authorities should therefore be able to require certain information to be provided on a more frequent basis than the one established for conducting the review and evaluation process to satisfy their supervisory needs. (2) Considering that a CSD shall comply at all times with the conditions for authorisation, it is extremely important to closely monitor the CSD’s progress in addressing the 10 OJ L 257, 28.8.2014, p. 1–72.

40 outstanding findings and recommendations, if there are any. These findings and recommendations indicate certain weaknesses of the CSD and their prolonged existence might jeopardise the risks or even create a regulatory arbitrage. CSDs should thus inform their competent authorities about measures taken to address these outstanding findings and recommendations at least annually, even if the frequency of the review and evaluation is lower. (3) After several years of implementation of the review and evaluation process, it is considered appropriate to increase the delay for the competent authority to transmit the results of the review and evaluation to various other authorities from three to ten working days to allow for smoother processes, in particular as the review and evaluation process now involve more authorities. (4) To reflect the amendments made to Articles 40, 41 and 42 of Delegated Regulation (EU) 2017/39211 and to enhance the efficiency of the review and evaluation process, Tables 1 to 3 of Annex II should be modified accordingly. (6) Implementing Regulation (EU) 2017/394 should therefore be amended accordingly. (7) This Regulation is based on the draft implementing technical standards submitted to the Commission by the European Securities and Markets Authority (ESMA). (8) ESMA has conducted open public consultations on the draft implementing technical standards on which this Regulation is based, analysed the potential related costs and benefits and requested the advice of the Securities and Markets Stakeholder Group established in accordance with Article 37 of Regulation (EU) No 1095/2010 of the European Parliament and of the Council12 , HAVE ADOPTED THIS REGULATION: Article 1 Amendments to Implementing Regulation (EU) 2017/394 Implementing Regulation (EU) 2017/394 is amended as follows: 11 Commission Delegated Regulation (EU) 2017/392 of 11 November 2016 supplementing Regulation (EU) No 909/2014 of the European Parliament and of the Council with regard to regulatory technical standards on authorisation, supervisory and operational requirements for central securities depositories (OJ L 65, 10.3.2017, p. 48–115). 12 Regulation (EU) No 1095/2010 of the European Parliament and of the Council of 24 November 2010 establishing a European Supervisory Authority (European Securities and Markets Authority), amending Decision No 716/2009/EC and repealing Commission Decision 2009/77/EC (OJ L 331, 15.12.2010, p. 84–119.

41 (1) Article 3 is replaced by the following: “Article 3 Procedure for the provision of information

1. The competent authority shall communicate to the CSD, and to the relevant authorities, ESMA and, where applicable, the college referred to in Article 24a of this Regulation and the authority referred to in Article 67 of Directive 2014/65/EU, the following information: (a) the frequency and the depth of the review and evaluation as referred to in Article 22(1) of Regulation (EU) No 909/2014; (b) the commencement and end dates of the review period referred to in Article 40 of Delegated Regulation (EU) 2017/392; (c) the language in which all information shall be submitted. The competent authority may request the CSD to submit the same information in a language customary in the sphere of international finance; (d) the frequency of delivery of any or all of the information referred to in Article 40 of Delegated Regulation (EU) 2017/392 for the purpose of the review and evaluation. The competent authority shall communicate to the CSD, to the relevant authorities, ESMA and, where applicable, the college referred to in Article 24a of this Regulation and the authority referred to in Article 67 of Directive 2014/65/EU, any changes to the information referred to in the first subparagraph, including the request for a more frequent submission of specific information, without undue delay.
2. Unless otherwise communicated under paragraph 1, point (d), of this Article, the CSD shall provide the information referred to in Article 40(2) of Delegated Regulation (EU) 2017/392 within two months following the end of the review period.” (2) Article 4 is replaced as follows: “Article 4 Provision of information under Article 22(7) of Regulation (EU) No 909/2014

42

1. Upon completion of the review and evaluation, the competent authority shall communicate within ten working days to the relevant authorities, ESMA and, where applicable, the college referred to in Article 24a of this Regulation and the authority referred to in Article 67 of Directive 2014/65/EU, its results as specified in Article 44 of Delegated Regulation (EU) 2017/392.
2. Where the review and evaluation gives rise to remedial action or a penalty, the competent authority shall inform the authorities referred to in paragraph 1 within ten working days after that measure is taken.” (3) Article 5, paragraph 4, is replaced by the following: “4. Within 10 working days from the completion of the review and evaluation referred to in Article 22(1) of Regulation (EU) No 909/2014, as notified by the competent authority to the competent authorities included in the list referred to in paragraph 1, the competent authority shall communicate to the competent authorities included in the list referred to in paragraph 1 its results as specified under Article 45(2) of Delegated Regulation (EU) 2017/392.” (4) Annex II is replaced by the text in the Annex to this Regulation. Article 2 Entry into force and application This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union. This Regulation shall be binding in its entirety and directly applicable in all Member States. Done at Brussels, For the Commission The President

43 ANNEX “ANNEX II Templates for submission of information for the review and evaluation (Article 22(11) of Regulation (EU) No 909/2014) Table 1 General information to be provided by a CSD No Type of information Format 1 Date of submission of information ISO 8601 date in the UTC format YYYY-MM-DD 2 Date of the last review and evaluation ISO 8601 date in the UTC format YYYY-MM-DD 3 Corporate name of the CSD Free text 4 Identification of the CSD ISO 17442 Legal Entity Identifier (LEI) 20 alphanumerical character code that is included in the LEI data as published by the Global LEI Foundation. The LEI must be duly renewed in accordance with the terms of any of the accredited Local Operating Units of the Global Legal Entity Identifier System. 5 Legal address of the CSD Free text 6 Securities settlement system(s) operated by the CSD Free text 7 Contact details of the person responsible of the review and evaluation process (name, function, phone number, email address) Free text 8 Contact details of the person(s) responsible for the CSD's internal control and compliance function (name, function, phone number, email address) Free text 9 List of all documents provided by the CSD with unique reference numbers Free text 10 Report on the CSD's activities for the relevant review period and the substantive changes referred to in Article 16(4) of the Regulation (EU) No 909/2014, made during the review period and all related documents; the report shall include: (a) an overview of the changes that occurred during the review period in relation to the following: (i) the provision of the CSD core and ancillary services, as per the Annex to Regulation (EU) No 909/2014, in its home Member State, and as applicable in other Member States and in third countries; Separate document

44 (ii) the CSD’s corporate governance and organisational structure including in the number of employees expressed in number of full-time equivalents; (iii) the risk management framework and the results from risk assessment(s) carried out by the CSD in respect of legal, business, operational and other direct or indirect risks referred to in Article 42 of Regulation (EU) 909/2014, demonstrating ongoing evaluation of the changing landscape of risks it faces; (iv) the outsourcing by the CSD of services and activities under Article 30 of Regulation (EU) 909/2014; (b) a high-level summary of the user committee activities referred to in Article 28 of Regulation (EU) No 909/2014, during the review period, including the number of meetings, advice and opinions delivered, indicating their topics and identifying those that have not been followed by the CSD’s management body, if any; (c) the list of substantive changes referred to in Article 16(4) of Regulation (EU) No 909/2014 that were made during the review period, including, without being limited to, any of the following events: —changes in the structure of the group to which the CSD belongs, senior management, management body and shareholders pursuant to Article 27 of Regulation (EU) 909/2014; —extension of an existing activity or service other than the context of Article 19(1) of Regulation (EU) 909/2014, where the description of services referred to in points (l) to (p) of Article 4(2) would need to be amended; —termination of a CSD service; —termination of a CSD link, irrespective of whether the CSD is the requesting or the receiving CSD; —change in the CSD’s risk management framework impacting the calculation of capital requirements under Article 47 of Regulation (EU) 909/2014; (d) a declaration of overall compliance with the provisions of Regulation (EU) No 909/2014 during the review period. Table 2 Periodic information relevant for each review and evaluation

45 No Type of information The unique reference number of the document in which the information is included a A complete set of the latest audited financial statements of the CSD, including those consolidated at group level b A summarised version of the most recent interim financial statements of the CSD c Any decisions of the management body following the advice of the user committee, as well as any decisions where the management body has decided not to follow the advice of the user committee d Information on any pending civil, administrative or any other judicial or extrajudicial proceedings involving the CSD, in particular in relation to matters concerning tax and insolvency, or matters that may cause financial or reputational costs for the CSD e Information on any pending civil, administrative or any other judicial or extrajudicial, proceedings involving a member of the management body or a member of the senior management that may have a negative impact on the CSD f Any final decisions resulting from the proceedings referred to in point (d) and (e) g A copy of the results of business continuity stress tests or similar exercises performed during the review period as referred to in Article 79 and of audit reviews referred to in Article 76(1), point (b) h A report on the operational incidents that occurred during the review period and affected the smooth provision of any core services, information on the classification of these incidents, the measures taken to address them and the results thereof as referred to in Article 71(4) of this Regulation i A report on whether the CSD’s established operational reliability objectives, including operational performance objectives and committed service-level targets for its services and securities settlement systems, as referred to in Article 70(3) of this Regulation, are met, including information on the CSD’s actions to regularly monitor, assess, and report them as referred to in paragraphs 5 and 6 of Article 70 of this Regulation, and an assessment of the system’s availability during the review period, measured on a daily basis as the percentage of time the system is operational and functioning according to the agreed parameters; for this purpose, CSDs that use a common settlement infrastructure may provide extracts of the reports made available under the legal, regulatory and

46 operational framework referred to in Article 30 (5) of Regulation (EU) No. 909/2014 j A summary of the types of manual intervention performed by the CSD in the automated settlement process according to Article 4 of Regulation (EU) no. 2018 /1229 k Information required to assess the plans for recovery and orderly wind -down and in particular concerning any significant changes to its plans for recovery and orderly wind -down and, as applicable, any significant change to its resolution plan, as referred to in Article 22a of Regulation (EU) No 909/2014, that occurred during the review period l Information on any formal complaints received by the CSD during the review period including information on: (i) the nature of the complaint; (ii) how the complaint was handled, including the outcome of the complaint; and (iii) the date when the treatment of the complaint ended. m Information concerning the cases where the CSD denied access to its services to any existing or potential participant, any issuer, another CSD or another market infrastructure n A report on the significant changes affecting any CSD links established by the CSD that have an impact on the requirements referred to in Chapter XII of Regulation (EU) no 392/2017, including changes in the type of CSD link and to the mechanisms and procedures used for settlement in those CSD links o Information concerning all cases of identified conflicts of interest that occurred during the review period, including the description of how they were managed p Information concerning internal controls and audits performed by the CSD during the review period , including information on the audit of CSD’s operational risk

management framework and systems as referred to in Article 45 of Regulation (EU) No 909/2014 and in paragraphs (1) and (2) of Article 73 of this Regulation as well as regular and independent audits of the CSD as referred to in Article 26(6) of Regulation (EU) No 909/2014 and in Articles 51 and 52(1) of this Regulation q Information concerning any identified infringements of Regulation (EU) No 909/2014, including those identified through the reporting channel referred to in Article 26(5) of Regulation (EU) No 909/2014 r Detailed information concerning any disciplinary actions taken by the CSD during the review period, including any cases of suspension of participants in accordance with Article 7( 7) of Regulation (EU) No 909/2014 with a specification of the period of suspension and the reason for suspension

47 s The general business strategy of the CSD and a detailed business plan for the services provided by the CSD covering at least the next review period t Information on changes that occurred during the review period to the CSD’s management of legal risk as referred to in Article 43 of Regulation (EU) No 909/2014 and Article 31 of this Regulation u Information on changes to the CSD’s risk management and control systems as well as to the IT tools put in place by the CSD to manage business risk referred to in Article 32(1) of this Regulation, that occurred during the review period v Where the CSD has obtained a risk rating from a third party as referred to in Article 32(2), information on any variation in the risk rating that the CSD obtained from a third party during the review period, including any relevant information supporting that risk rating w Information on changes that occurred during the review period to the CSD’s management of services or activities outsourced to a third party as referred to in Article 30 of Regulation (EU) No 909/2014, including staff sharing pursuant to Article 49 of this Regulation, and to the methods used to monitor the service level of the outsourced services and activities referred to in Article 33(2) of the same regulation x A report on changes that occurred during the review period in the measurement, monitoring and management of the credit and liquidity risks arising from the use of deferred net settlement as referred to in Article 47a(2) of Regulation (EU) No 909/2014 y Information on the CSD’s actions taken during the review period to review its operational objectives to incorporate new technological and business developments as referred to in Article 45 of Regulation (EU) No 909/2014 and in Article 70(7) of this Regulation z Information on CSD’s assessment of the operational risk that the CSD faced during the review period, on an ongoing basis by providing the regular reporting to the senior management of operational risk exposures and losses experienced from operational risks, and procedures followed during the reviewed period to mitigate those exposures and losses (including the operational risks that the CSD faces from key participants) as referred to in Article 45 of Regulation (EU) No 909/2014 and in Articles 66(2), 67(4) and 71(2) of this Regulation aa Information on the outcome of the CSD’s tests and reviews of its operational arrangements, policies and procedures with users, referred to in Article 73(4) of this Regulation, that occurred during the review period

48 ba Information on updates of the CSD’s business impact analysis and risk analysis during the review period, stemming from either its annual review or any ad hoc review following a material incident or significant operational changes and taking into account all relevant developments, including market and IT developments as referred to in Article 45 of Regulation (EU) No 909/2014 and in Article 77(3) of this Regulation ca Information on developments occurred in relation to the CSD’s measures to prevent and address settlement fails as referred to in Articles 6(3) and (4) and 7(1) and (2) of Regulation (EU) No 909/2014 and in Articles 4 to 15 of Regulation (EU) No 1229/2018 da Information on the outcome of the CSD’s testing of its participant default rules and procedures as referred to in Article 41(3) of Regulation (EU) No 909/2014, that occurred during the review period ea Information on review or update of the CSD’s business continuity policy and disaster recovery plan referred to under Article 80 that occurred during the review period fa Information on the measures or tools the CSD used during the review period to condition the delivery of securities to the payment of the cash leg operated outside its system for free-of-payment (FOP) settlement instructions, if any ga information on the progress that the CSD achieved in addressing the outstanding findings and recommendations formulated in the authorisation or in previous reviews and evaluations of the CSD in accordance with Article 22(9) of Regulation (EU) No 909/2014 Table 3 Statistical data No Type of data Format a List of participants of each securities settlement system operated by the CSD, specifying:

• their country of incorporation
• their LEI code
• their corporate name For each participant:
• ISO 3166 2-character country code
• ISO 17442 Legal Entity Identifier (LEI) 20 alphanumerical character code that is included in the LEI data as published by the Global LEI Foundation. The LEI must be duly renewed in accordance with the terms of any of the accredited Local Operating Units of the Global Legal Entity Identifier System.
• Corporate name

49 b List of issuers to whom the CSD provides the service referred to in point (1) of Section A of the Annex to Regulation (EU) No 909/2014, specifying:

• their country of incorporation, - their LEI code
• their corporate name For each issuer:
• ISO 3166 2-character country code
• ISO 17442 Legal Entity Identifier (LEI) 20 alphanumerical character code that is included in the LEI data as published by the Global LEI Foundation. The LEI must be duly renewed in accordance with the terms of any of the accredited Local Operating Units of the Global Legal Entity Identifier System.
• Corporate name ba List of securities issues recorded in securities account centrally maintained in each SSS operated by the CSD, specifying:
• the ISIN code of the securities,
• the country of incorporation of the issuer,
• the country of the governing corporate or similar law under which the securities are issued
• the LEI code of the issuer and
• the corporate name of the issuer For each security issue:
• ISO 6166 ISIN 12-character alphanumerical code
• ISO 3166 2-character country code of the issuer
• ISO 3166 2-character country code of the governing law of the securities
• ISO 17442 Legal Entity Identifier (LEI) 20 alphanumerical character code of the issuer
• Corporate name of the issuer bb List of securities issues recorded in securities accounts not centrally maintained in each securities settlement system operated by the CSD, specifying:
• the ISIN code of the securities,
• the country of incorporation of the issuer,
• the LEI code of the issuer and
• the corporate name of the issuer For each security issue:
• ISO 6166 ISIN 12-character alphanumerical code
• ISO 3166 2-character country code of the issuer
• ISO 17442 Legal Entity Identifier (LEI) 20 alphanumerical character code of the issuer
• Corporate name of the issuer c Total market value and nominal value of the securities recorded in securities accounts centrally and non-centrally maintained in each securities settlement system operated by the CSD Nominal value of securities: up to 25 numeric characters including up to 5 decimal places. If the value has more than five digits after the decimal, reporting counterparties shall round half-up. The decimal mark is not counted as a numeric character. If populated, it shall be represented by a dot. Market value of securities: up to 25 numeric characters including up to 5 decimal places. If the value has more than five digits after the decimal, reporting counterparties shall round half-up. The decimal mark is not counted as a numeric character. If populated, it shall be represented by a dot. d Nominal and market value of the securities referred to in point 3 divided as follows: For each type of financial instruments:

50 (i) by type of financial instruments, as follows: (a) transferable securities referred to in point (a) of Article 4(1)(44) of Directive 2014/65/EU; (b) sovereign debt referred to in Article 4(1)(61) of Directive 2014/65/EU; (c) transferable securities referred to in point (b) of Article 4(1)(44) of Directive 2014/65/EU, other than those mentioned under point (b); (d) transferable securities referred to in point (c) of Article 4(1)(44) of Directive 2014/65/EU; (e) exchange-traded funds (ETFs) referred to in Article 4(1)(46) of Directive 2014/65/EU; (f) units in collective investment undertakings, other than ETFs; (g) money-market instruments, other than those mentioned under point (b); (h) emission allowances; (i) other financial instruments. (ii) by country of incorporation of the participant to which the services are provided; (iii) by country of incorporation of their issuer (iv) by country of the governing corporate or similar law under which they are issued a) SHRS (or more granular codes as provided by the CSD) — transferable securities referred to in point (a) of Article 4(1)(44) of Directive 2014/65/EU b) SOVR (or more granular codes as provided by the CSD) — sovereign debt referred to in Article 4(1)(61) of Directive 2014/65/EU; c) DEBT (or more granular codes as provided by the CSD) — transferable securities referred to in point (b) of Article 4(1)(44) of Directive 2014/65/EU, other than those mentioned under point (b); d) SECU (or more granular codes as provided by the CSD) — transferable securities referred to in point (c) of Article 4(1)(44) of Directive 2014/65/EU; e) ETFS (or more granular codes as provided by the CSD) — exchange-traded funds (ETFs); f) UCIT (or more granular codes as provided by the CSD) — units in collective investment undertakings, other than ETFs; g) MMKT (or more granular codes as provided by the CSD) — money-market instruments, other than those mentioned under point (b); h) EMAL (or more granular codes as provided by the CSD) — emission allowances; i) OTHR (or more granular codes as provided by the CSD) — others by country of incorporation of the participant (ISO 3166 2 character country code)/country of incorporation of the issuer (ISO 3166 2 character country code)/country of governing law (ISO 3166 2-character country code): Nominal value of securities: up to 25 numeric characters including up to 5 decimal places. If the value has more than five digits after the decimal, reporting counterparties shall round half-up. The decimal mark is not counted as a numeric character. If populated, it shall be represented by a dot. Market value of securities: up to 25 numeric characters including up to 5 decimal places. If the value has more than five digits after the decimal, reporting

51 counterparties shall round half-up. The decimal mark is not counted as a numeric character. If populated, it shall be represented by a dot. e Nominal and market value of the securities initially recorded in each securities settlement system operated by the CSD Nominal value of securities: up to 25 numeric characters including up to 5 decimal places. If the value has more than five digits after the decimal, reporting counterparties shall round half-up. The decimal mark is not counted as a numeric character. If populated, it shall be represented by a dot. Market value of securities: up to 25 numeric characters including up to 5 decimal places. If the value has more than five digits after the decimal, reporting counterparties shall round half-up. The decimal mark is not counted as a numeric character. If populated, it shall be represented by a dot. f Nominal and market value of the securities referred to in point (e) above, divided as follows: (i) by types of financial instruments; (ii) by country of incorporation of the participant; (iii) by country of incorporation of the issuer. (iv) by country of the governing corporate or similar law under which they are issued. For each type of financial instruments (as referred to in point (4)/country of incorporation of the participant (ISO 3166 2-character country code)/country of incorporation of the issuer (ISO 3166 2- character country code)/law (ISO 3166 2- character country code)/country of governing law (ISO 3166 2-character country code): Nominal value of securities: up to 25 numeric characters including up to 5 decimal places. If the value has more than five digits after the decimal, reporting counterparties shall round half-up. The decimal mark is not counted as a numeric character. If populated, it shall be represented by a dot. Market value of securities: up to 25 numeric characters including up to 5 decimal places. If the value has more than five digits after the decimal, reporting counterparties shall round half-up. The decimal mark is not counted as a numeric character. If populated, it shall be represented by a dot. g Total number and value of the settlement instructions against payment plus the total number and market value of the FOP settlement instructions or, if not available, Number of settlement instructions settled in each securities settlement system operated by the CSD:

52 the nominal value of the FOP settlement instructions settled in each securities settlement system operated by the CSD up to 20 numerical characters reported as whole numbers without decimals. Value of settlement instructions settled in each securities settlement system operated by the CSD: up to 25 numeric characters including up to 5 decimal places. If the value has more than five digits after the decimal, reporting counterparties shall round half-up. The decimal mark is not counted as a numeric character. If populated, it shall be represented by a dot. h Total number and value of the settlement instructions referred to in point g divided as follows: (i) by types of financial instruments referred to in point d; (ii) by country of the incorporation of the participant; (iii) by country of incorporation of the issuer; (iiia) by country of the governing corporate or similar law under which the financial instruments are issued (iv) by settlement currency; (v) by type of settlement instructions, as follows: (a) FOP settlement instructions that consist of deliver free of payment (DFP) and receive free of payment (RFP) settlement instructions; (b) delivery versus payment (DVP) and receive versus payment (RVP) settlement instructions; (c) delivery with payment (DWP) and receive with payment (RWP) settlement instructions; (d) payment free of delivery (PFOD) settlement instructions. (vi) for settlement instructions that have a cash leg, by whether cash settlement is performed in accordance with Article 40(1) of Regulation (EU) No 909/2014 in accordance with Article 40(2) of Regulation (EU) No 909/2014 For each type of financial instruments (as referred to in point (4)/country of incorporation of the participant (ISO 3166 2 character country code)/country of incorporation of the issuer (ISO 3166 2 character country code)/country of governing law (ISO 3166 2-character country code)/settlement currency (ISO 4217 Currency Code, 3 alphabetical digits)/type of settlement instruction (DVP/RVP/DFP/RFP/DWP/RWP/PFOD)/se ttlement in central bank money (CBM)/commercial bank money (COM)/law under which financial instruments are constituted (ISO 3166 2 character country code): Number of settlement instructions settled in each securities settlement system operated by the CSD: up to 20 numerical characters reported as whole numbers without decimals. Value of settlement instructions settled in each securities settlement system operated by the CSD: up to 25 numeric characters including up to 5 decimal places. If the value has more than five digits after the decimal, reporting counterparties shall round half-up. The decimal mark is not counted as a numeric character. If populated, it shall be represented by a dot.

53 (vii) by law under which the financial instruments are constituted i Number and value of buy-in transactions referred to in Article 7a of Regulation (EU) No 909/2014 Number of buy-in transactions: up to 20 numerical characters reported as whole numbers without decimals. Value of buy-in transactions: up to 25 numeric characters including up to 5 decimal places. If the value has more than five digits after the decimal, reporting counterparties shall round half-up. The decimal mark is not counted as a numeric character. If populated, it shall be represented by a dot. j Number and amount of penalties referred to in Article 7(2) of Regulation (EU) No 909/2014 per CSD participant For each CSD participant: Number of penalties: up to 20 numerical characters reported as whole numbers without decimals. Amount of penalties: up to 25 numeric characters including up to 5 decimal places. If the value has more than five digits after the decimal, reporting counterparties shall round half-up. The decimal mark is not counted as a numeric character. If populated, it shall be represented by a dot. k Where applicable, the total value of securities borrowing and lending operations processed by the CSD acting as an agent and as principal, as the case may be, divided per type of financial instruments referred to in point d For each type of financial instruments (as referred to in point (d)), the value of securities borrowing and lending operations processed by: a) CSD acting as an agent: up to 25 numeric characters including up to 5 decimal places. If the value has more than five digits after the decimal, reporting counterparties shall round half-up. The decimal mark is not counted as a numeric character. If populated, it shall be represented by a dot. The negative symbol, if populated, is not counted as a numeric character. b) CSD acting as principal: up to 25 numeric characters including up to 5 decimal places. If the value has more than five digits after the decimal, reporting counterparties shall round half-up. The decimal mark is not counted as a numeric character. If populated, it shall be represented by a

54 dot. The negative symbol, if populated, is not counted as a numeric character. l The total number and value of settlement instructions settled via each CSD link, specifying: (i) the linked CSD (its country of incorporation, its LEI and its corporate name) and, if the CSD operates several of them, the linked securities settlement system; (ii) the type of link, as follows: —standard, as per Article 7(32(1)(30) of Regulation (EU) No 909/2014; —customised, as per Article 7(2(1)(31) of Regulation (EU) No 909/2014 per participant; —indirect, as per Article 2(1)(32) of Regulation (EU) No 909/2014; —interoperable, as per Article 2(1)(33) of Regulation (EU) No 909/2014; (iii) whether the CSD is the requesting CSD or the receiving CSD; for this purpose, the receiving CSD shall be considered the CSD providing the service referred to in point (1) of Section A of the Annex to Regulation (EU) No 909/2014; For each link identified through the linked CSD (for each CSD: country of incorporation of the linked CSD (ISO 3166 2-character country code)/ISO 17442 Legal Entity Identifier (LEI) 20 alphanumerical character code/corporate name) and type of link (standard/customised/indirect /interoperable): a) Requesting CSD perspective: Number of settlement instructions settled via such CSD link: Up to 20 numerical characters reported as whole numbers without decimals. Value of settlement instructions settled via such CSD link: up to 25 numeric characters including up to 5 decimal places. If the value has more than five digits after the decimal, reporting counterparties shall round half-up. The decimal mark is not counted as a numeric character. If populated, it shall be represented by a dot. b)Receiving CSD perspective: Number of settlement instructions settled via such CSD link: Up to 20 numerical characters reported as whole numbers without decimals. Value of settlement instructions settled via such CSD link: up to 25 numeric characters including up to 5 decimal places. If the value has more than five digits after the decimal, reporting counterparties shall round half-up. The decimal mark is not counted as a numeric character. If populated, it shall be represented by a dot. m Where applicable, the value of the CSD’s guarantees and commitments related to securities borrowing and lending operations Up to 25 numeric characters including up to 5 decimal places. If the value has more than five digits after the decimal, reporting counterparties shall round half-up. The decimal mark is not counted as a numeric character. If populated, it shall be represented by a dot. The negative symbol,

55 if populated, is not counted as a numeric character. n Where Applicable, the value of the CSD’s treasury activities involving foreign exchange and transferable securities related to managing participants' long balances including categories of institutions whose long balances are managed by the CSD Up to 25 numeric characters including up to 5 decimal places. If the value has more than five digits after the decimal, reporting counterparties shall round half-up. The decimal mark is not counted as a numeric character. If populated, it shall be represented by a dot. The negative symbol, if populated, is not counted as a numeric character. o Number of reconciliation problems encountered according to undue creation or deletion of securities in the issue maintained by the CSD that met Article 65(2) of Delegated Regulation (EU) 2017/392 Up to 20 numerical characters reported as whole numbers without decimals. p Mean, median, and mode for the length of time taken to remedy the error identified according to Article 65(2) of Delegated Regulation (EU) 2017/392 Mean: Up to 20 numerical characters including decimals (specifying the length of time using ISO 20022 codes (DASD / HOUR / MNUT)). Median: Up to 20 numerical characters including decimals (specifying the length of time using ISO 20022 codes (DASD / HOUR / MNUT)). Mode: Up to 20 numerical characters including decimals (specifying the length of time using ISO 20022 codes (DASD / HOUR / MNUT)).