Final Report on Guidelines on Periodic Information Submission

30 June 2025 ESMA80-1286971524-1379 ESMA - 201-203 rue de Bercy - CS 80910 - 75589 Paris Cedex 12 - France - Tel. +33 (0) 1 58 36 43 21 - www.esma.europa.eu 2 Final Report Guidelines on the submission of periodic information to ESMA by Benchmark Administrators, Credit Rating Agencies and Market Transparency Infrastructures

3 Table of Contents 1 Executive Summary ....................................................................................................5 2 Overview of the Guidelines on periodic information .....................................................7 3 Feedback statement....................................................................................................9 3.1 General remarks ..................................................................................................9 3.2 Cross sectoral periodic information ....................................................................10 3.2.1 Board and internal governance documents .................................................10 3.2.2 Internal controls documents ........................................................................12 3.2.3 Information technology and security documents..........................................12 3.2.4 Audited accounts documents ......................................................................14 3.3 Sectoral periodic information ..............................................................................14 3.3.1 BMAs periodic information...........................................................................14 3.3.2 CRAs periodic information...........................................................................15 3.3.3 MTIs periodic information ............................................................................16 3.4 Ad-hoc reporting requirements ...........................................................................16 3.4.1 Material Changes to initial conditions of registration....................................16 3.4.2 Cross-sectoral other ad-hoc notifications.....................................................17 3.4.3 Sectoral other ad-hoc notifications ..............................................................18 3.5 Other comments: entry into force, reporting calendars and use of templates......19 4 Annexes ....................................................................................................................20 Annex I - Cost-benefit analysis .....................................................................................21 Annex II – Guidelines....................................................................................................23

1. Scope.................................................................................................................23
2. Legislative References, abbreviations and definitions ........................................24
3. Purpose..............................................................................................................25
4. Compliance and reporting obligations ................................................................25

4 5. Guidelines on Periodic Information.....................................................................26 5.2. Reporting Principles........................................................................................27 5.3. Cross sectoral periodic information.................................................................28 5.4. Sectoral Information – BMAs ..........................................................................33 5.5. Sectoral Information – CRAs...........................................................................35 5.6. Sectoral Information – DRSPs ........................................................................37 5.7. Sectoral Information – SRs .............................................................................38 5.8. Sectoral Information – TRs .............................................................................38 5.9. Ad-Hoc Reporting Requirements ....................................................................40 5.9.2.1. Cross-sectoral notifications......................................................................41 5.9.2.2. BMAs.......................................................................................................42 5.9.2.3. CRAs.......................................................................................................43 5.9.2.4. DRSPs.....................................................................................................44 5.9.2.5. SRs .........................................................................................................44 5.9.2.6. TRs..........................................................................................................44 5.10. Reporting Calendars ...................................................................................45 5.11. Reporting Templates...................................................................................59

5 1 Executive Summary Reasons for publication On 8 July 2024, ESMA published a Consultation Paper (CP) for Guidelines on the periodic information to be submitted by Benchmark Administrators (BMAs), Credit Rating Agencies (CRAs) and Market Transparency Infrastructures (MTIs). Drawing from existing reporting requirements for CRAs and trade repositories (TRs), the CP proposed to harmonise and simplify periodic reporting to ESMA for all the abovementioned entities. The draft guidelines proposed to achieve this through:

• The creation of cross sectoral reporting requirements, to ensure consistency across supervisory mandates 1 , synergies in supervisory assessments, as well as scalability to future mandates.
• The implementation of two reporting calendars for all relevant supervisory mandates, to ensure further proportionality for lower risk entities by moving from annual to bi￾annual reporting.
• The reduction in the information to be provided to ESMA, to simplify reporting and reduce burden on supervised entities. This final report summarises the feedback received to the public consultation and includes the finalised periodic reporting guidelines. In finalising these guidelines, ESMA has striven to eliminate duplication and reduce burden on reporting entities. The finalised guidelines will ensure that ESMA receives the information it needs for its supervisory activities, including risk assessments, while at the same time significantly reducing the need for ad-hoc requests to reporting entities. The finalised guidelines also aim to provide transparency and predictability for current and prospective entities under the relevant supervisory mandates. Contents This final report is split into four main sections. Section 2 explains ESMA’s overarching rationale for updating the guidelines, providing an overview of the main areas of revision and the reasons for any change in approach. Section 3 summarises the feedback received to the Consultation and explains how ESMA has taken this into account in the final report. Annex I includes the updated cost and benefit analysis, and Annex II contains the final Guidelines on the Periodic Information. Next Steps

6 The Guidelines in Annex II will be published on ESMA’s website. They will become effective on 1 January 2026. The entry into force of these Guidelines will repeal and replace the Guidelines on the submission of periodic information to ESMA by CRAs – 2nd Edition, as well as the Guidelines on periodic information and notification of material changes to be submitted to ESMA by TRs. 1 Currently ESMA supervises Benchmarks Administrators, Credit Rating Agencies, Data Reporting Services Providers, Securitisation Repositories and Trade Repositories.

7 2 Overview of the Guidelines on periodic information

1. ESMA receives periodic information from the entities it supervises which are crucial for ESMA’s on-going supervision and risk assessment activities. Where relevant, ESMA intends to ensure a harmonised approach to periodic information reporting. Therefore, ESMA developed one common set of guidelines for the information to be received from the entities it directly supervises under the following mandates: (i) Benchmark Administrators under Regulation (EU) 2016/1011 (BMR)2 (ii) Credit Rating Agencies under Regulation (EC) No 1060/2009 (CRAR)3 (iii) Market Transparency Infrastructures (MTIs), including: • Trade Repositories under Regulation (EU) No 648/2012 (EMIR) 4 and Regulation (EU) 2015/2365 (SFTR)5 • Data Reporting Services Providers (APAs, ARMs and CTPs) 6 under Regulation (EU) No 600/2014 (MiFIR)7 • Securitisation Repositories under Regulation (EU) 2017/2402 (SECR)8
2. As per the charts below, the guidelines include (1) common cross sectoral periodic information to be submitted by all reporting entities; and (2) mandate specific information tailored to address specific supervisory needs. The same approach is taken for ad-hoc notifications. 2 Regulation (EU) 2016/1011 of the European Parliament and of the Council of 8 June 2016 on indices used as benchmarks in financial instruments and financial contracts or to measure the performance of investment funds and amending Directives 2008/48/EC and 2014/17/EU and Regulation (EU) No 596/2014 3 Regulation (EC) No 1060/2009 of the European Parliament and of the Council of 16 September 2009 on credit ratings agencies as amended by Regulation (EU) No 513/2011 of the European Parliament and of the Council of 11 May 2011, Directive 2011/61/EU of the European Parliament and of the Council of 8 June 2011, Regulation (EU) No 462/2013 of the European Parliament and of the Council of 21 May 2013, and Directive 2014/51/EU of the European Parliament and of the Council of 16 April 2014 4 Regulation (EU) No 648/2012 of the European Parliament and of the Council of 4 July 2012 on OTC derivatives, central counterparties and trade repositories 5 Regulation (EU) 2015/2365 of the European Parliament and of the Council of 25 November 2015 on transparency of securities financing transactions and of reuse and amending Regulation (EU) No 648/2012 6 ESMA expects to start supervising CTPs from H2 2025 7 Regulation (EU) No 600/2014 on markets in financial instruments (MiFIR), as amended by Regulation (EU) 2019/2175 (ESAs review) 8 Regulation (EU) 2017/2402 of the European Parliament and of the Council of 12 December 2017 laying down a general framework for securitisation and creating a specific framework for simple, transparent and standardised securitisation, and amending Directives 2009/65/EC, 2009/138/EC and 2011/61/EU and Regulations (EC) No 1060/2009 and (EU) No 648/2012

8 3. The guidelines aim to increase the consistency and usability of the information provided by reporting entities. This is done by providing specific reporting instructions for each reporting aspect as well as standardised reporting templates where possible. 4. The guidelines also aim at reducing the reporting burden where possible. This is achieved by:

9 • Reducing the overall number of items requested (38% reduction in total compared to existing guidelines); • Reducing the number of templates to be submitted (48% reduction in total compared to existing guidelines); • Avoiding double-reporting of periodic information under different items; • Reducing the frequency of reporting during the year; • Avoiding duplication between periodic information and ad-hoc notification; • Reviewing reporting requirements to take into account other regulatory requirements to avoid duplication, where applicable (e.g. Digital Operational Resilience Act (DORA)9 ). 3 Feedback statement 5. This section provides a summary of the responses to the Consultation Paper (CP) on the Guidelines on the submission of periodic information to ESMA by Benchmark Administrators, Credit Rating Agencies and Market Transparency Infrastructures”. In total 19 responses were received to the Consultation with 14 of these provided on a confidential basis. 6. Responses were received largely from market participants (six BMAs, six CRAs, five MTIs), many of which are already supervised by ESMA, as well as from two industry associations. In providing this summary, ESMA explains the changes that have been made in response to the comments provided during the consultation process. Non-confidential responses are publicly accessible on ESMA’s website. 3.1 General remarks 7. The feedback statement follows the order of the questions as they were presented in the CP, which are grouped in the following sections. • Cross sectoral periodic information; • BMAs periodic information; • CRAs periodic information; • MTIs periodic information; 9 https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32022R2554&from=FR

10 • Ad-hoc reporting requirements. 8. In addition to question-specific feedback, ESMA collected more general comments in relation to other aspects of these Guidelines, notably on the entry into force, use of calendar and reporting templates. ESMA provides its response in a dedicated section. 9. Finally, ESMA notes that the items’ numbering has been updated to accommodate the introduction of an additional item for “material changes”, as mentioned in section 3.4.1. 3.2 Cross sectoral periodic information 3.2.1 Board and internal governance documents 10. Most respondents generally agreed with the proposed approach regarding the content and the frequency of the reporting of the board and internal governance documents. 11. One respondent argued that the 31 January deadline for this set of documents is too early in the year and proposed the end of the first quarter instead. 12. Regarding the board documentation, several respondents indicated that the minutes of the most recent meeting may not be available at the time of the submission. 13. One respondent argued that, considering ESMA’s parallel consultation on governance arrangements that proposes reporting of pre-board meetings, reporting of Board minutes should represent a sufficient and practical way to capture relevant discussions and updates. 14. Few respondents mentioned that board documents could contain commercially sensitive or irrelevant information which may not serve the purpose of ESMA’s supervision. 15. Certain respondents pointed out that the frequency and consistency of reporting of board documents must be proportionate to the size and complexity of the entities. 16. Concerning the date, location and agenda of board meetings, multiple respondents flagged that there could be challenges in providing those details in advance for the full year. Some respondents mentioned that extraordinary meetings may be held. Additionally, some questions were raised about the purpose of this requirement. 17. Regarding the organisational charts, few respondents asked about the format of the submission, as the table indicates some prescription in this respect. Also, there were questions on the definition of “all staff” and “group level” for the organisational charts, especially in situations where the supervised entity belongs to a wider group, not necessarily providing regulated services. 18. Few respondents argued that information on conflicts of interest should be reported only for “actual” ones, rather than “potential and actual” ones. Also, some respondents

11 suggested eliminating the “one month” expectation for the resolution of internal investigations, in favour of more flexibility. Finally, one respondent inquired whether other similar disclosures may replace the submission of the relevant template. 19. ESMA response: As regards the requests for clarifications around the frequency and content of reporting of board documents, ESMA amended the proposed Guidelines to specify that the reporting entities should provide any relevant document covering the period since the last submission. This should address all cases for which the number of board meetings within the period is uncertain. Concerning the content of board documents, ESMA does not mandate any specific structure nor level of detail, which should be inherently proportionate to the size and complexity of the entity. 20. Concerning the questions on board minutes, the minimum one-month buffer embedded in the calendar submission date should allow reporting entities sufficient time to approve the minutes before reporting, which is ESMA’s expectation. In case minutes are not available, they will be provided with the next calendar submission. 21. In response to the comment on reporting pre-board meetings, ESMA would like to highlight that there is no expectation to report pre-board meetings but rather have any discussion and decision taken in those meetings duly recorded and agreed in the next board meeting. 22. On the comment on commercially sensitive information, ESMA would like to highlight that as a supervisory authority such information can contribute to an effective and efficient risk￾based supervision. For example, potential ongoing concern issues could be detected from reporting financial information. ESMA supervisory activities are also bound by strict confidentiality and data protection policies. 23. Regarding the communication of date and location of board meetings, ESMA decided to remove this item from the guidelines, in light of the significant uncertainties raised by respondents around the accuracy of this information at early stage. ESMA may request this information on an ad-hoc basis where needed. 24. With respect to the comments on the organisational charts, ESMA introduced some clarification on the definition of “all staff” and “group” for the required functions, adding that the submission should include employees that “are entirely or partially involved in the activities of the supervised entity”. Also, ESMA intends to clarify that the table provided in the guidelines is designed only for illustrative purposes, as no defined format is prescribed for this submission. 25. Concerning the reporting of actual and potential conflicts, ESMA uses this wording to catch the specificities of the various regulatory requirements under different mandates. In this respect, reporting entities should consider “potential” conflicts as those situations that may lead to a conflict of interest and are managed by the entity, i.e. for which mitigation has already been implemented, e.g. through disclosures, business separation, etc. Regarding

12 the timeline of internal investigations, ESMA deems it useful to disclose its supervisory expectation, with the objective to support entities in designing their processes. 3.2.2 Internal controls documents 26. Several respondents agreed with the proposed approach regarding the content and frequency of reporting internal controls documents. Among entities already subject to existing guidelines, there is overall support for the removal of compliance and audit reports, acknowledging that it will reduce the administrative burden and streamline the reporting process. Few respondents mentioned that the compliance and audit work plans may already be included in the submission of board documents, and as such the board packs are sufficient, and that where needed, ESMA may ask for additional information. 27. One respondent requested more clarity on the content of the Compliance work plan while another respondent stated that the deadline for annual submission, set on 31 January, is too strict. 28. Few respondents disagreed with the proposed approach, arguing that the frequency of reporting is too high and may impose an unnecessary burden on smaller entities. 29. ESMA response: ESMA notes the support from entities already subject to existing guidelines, in particular for the removal of the compliance and audit reports. ESMA has maintained this approach in the final guidelines. 30. Regarding the potential duplication of work plans being included also in the board documents, ESMA considered the feedback provided and agreed to amend the requirements in the guidelines, by allowing reporting entities to refer to another item where the information is reported under several items. For example, in case the Compliance work program is included in the Board documents, reporting entities can indicate this in their reporting. This approach should ensure a further reduction in burden for reporting entities. 31. In terms of reporting frequency and proportionality aspects, ESMA considers that requiring that information to be submitted every two years for lower risk entities ensures proportionality while providing ESMA with the information required for supervisory purposes. 3.2.3 Information technology and security documents 32. Most of the respondents welcomed ESMA’s efforts to align periodic reporting with reporting obligations under DORA and are supportive of providing the requested information. 33. Several respondents noted that it is crucial to keep in mind that not all entities covered by the guidelines are also in scope of DORA – notably third-country benchmarks administrators – and urged for a tailored approach for these entities.

13 34. Few respondents also asked ESMA to clarify reporting requirements for the period between the entry into application of DORA and that of the guidelines. 35. One respondent highlighted the potential risk that a DORA-driven approach to periodic reporting not only overlaps with the risk reporting from DORA regulation but also lacks visibility on other types of risks to which ESMA may also direct his attention. 36. Few respondents suggested that ICT documents can already be provided as part of the board documentation submitted to ESMA and requested to check for double reporting and overlap. 37. One respondent made a comment that they normally do not perform both reviews (penetration testing and security assessment) in the same year for a given application. Given that the required frequency for this item is annual, they suggested providing the results of either a penetration test or of the security assessment, but not both, since frequency is not annual (but every two years) for each application. 38. One respondent questioned the value of providing an independent annual audit of the ICT business continuity plans when no weaknesses have been identified. 39. Another respondent agreed to submitting the corresponding ICT reports but questioned the idea of submitting summaries, as this results in an additional burden. 40. One respondent requested moving the ICT risk profile requirement from periodic to ad hoc reporting in case any material changes to the reported documents are undertaken. The same respondent suggested introducing flexible reporting deadlines for digital operational resilience tests and relevant ICT audits, as testing planning can vary from one entity to another. 41. ESMA response: In response to questions related to the information to be submitted by entities not under the scope of DORA, ESMA stresses that information on ICT and Information Security is paramount to supervisory activities. Information in these areas has been revised with flexibility and proportionality in mind and to allow a harmonised approach of information gathered across all mandates. For this purpose, the guidelines are designed to ensure that non-DORA entities also submit information even if they are not subject to DORA requirements. 42. Regarding the applicability of provisions before the entry into force of these Guidelines, ESMA can request ad-hoc information where needed in accordance with DORA provisions. 43. Regarding the potential duplication of information being included as part of other reporting items, as mentioned above a general provision has been added to allow cross-referencing of information when this is already reported under a different item. 44. ESMA also acknowledges that some testing and/or reviews might not be conducted on an annual basis. In this respect, in case no additional information is available year-on-year,

14 ESMA expects reporting entities to provide a rationale for the non-reporting. Finally, ESMA would like to retain the ICT risk profile requirement as a periodic reporting item. 3.2.4 Audited accounts documents 45. Respondents largely agreed with the proposed approach for audited accounts. The effort required to comply with the proposed reporting appeared generally reasonable and in line with the existing practice of most entities. 46. A point of disagreement related to the date of submission, as several respondents pointed out that it would be challenging to report the information in the first quarter of the year. 47. ESMA response: ESMA welcomes the broad agreement on this item, as audited accounts are generally required by the sectoral regulation related to the calculation of supervisory fees. Regarding the date, ESMA considered the feedback of several respondents and amended the reporting date to 30 September for all mandates. 48. In addition, ESMA clarified that “audited accounts” shall be submitted, rather than financial statements. Based on supervisory experience, ESMA also provides some additional clarifications in a footnote, addressing exceptional circumstances that were observed in the past years. Notably, ESMA addresses certain situations related to the lack of audited accounts and the need to provide additional information on revenues breakdown, in line with sectoral regulatory provisions for the determination of supervisory fees. 3.3 Sectoral periodic information 3.3.1 BMAs periodic information 49. Respondents partially agreed with the proposed approach regarding the content and the frequency of the reporting of the BMAs periodic information documents. 50. Few respondents argued that there will be a duplication of the information reported to the NCAs and questioned the need to require BMAs to report to ESMA in addition to NCAs. 51. One respondent argued that the proposed requirement for BMAs to submit information on FTE allocation through a standardised template represents a practically inapplicable one￾size-fits-all approach. The same respondent argues that the requirement to report on revenues and costs is not expressly mentioned in the regulation. 52. Few respondents mentioned that ESMA should also clarify that for third-country BMAs, the cost/revenue figures requested only pertain to those benchmarks provided into the EU. One respondent stressed that such figures are likely to be difficult to establish for the EU alone, where benchmarks are used both within and outside the EU.

15 53. One respondent suggested to simplify the level of detail and frequency of reporting for smaller entities based on a proportionality approach. 54. ESMA response: 55. ESMA acknowledges the concerns regarding the content and frequency of the information to be provided. At the same time, ESMA stresses that this information is not reported to any other competent authority since the guidelines are addressed only to BMAs under ESMA’s supervision. 56. As regards resourcing and FTEs reporting, in light of the outlined complexity of providing the information through a standardised reporting and in order to limit burden on BMAs, ESMA has deleted the standardised templates for the items relating to the resourcing. However, some minimal aggregated information on FTE will still need to be included in a dedicated template as this is used for ESMA risk assessment and to determine whether the supervised entity is calendar A or B. Further, as part of the ongoing supervisory dialogue, ESMA will adapt its approach and consider proportionality in relation to the size of the entity and the group structure. 57. The BMR requires BMAs to report revenues in the EU for fees calculation purposes. Regarding other financial information like overall revenues and costs, while this information is useful to assess the financial soundness of the entity and ESMA will be able to base such assessment on the fees reporting of revenues, therefore in order to reduce burden on BMAs ESMA has deleted the reporting of revenues and costs in the final guidelines. 58. Finally, for those BMAs who do not produce individual accounts, there is no expectation for submit audited accounts to ESMA. 3.3.2 CRAs periodic information 59. Respondents mostly agreed with the proposed approach to CRA-specific periodic information, highlighting that they prefer the underlying templates to be kept unchanged, in order to minimise the reporting disruption compared to the current guidelines. 60. While there was no disagreement by any respondents, one respondent pointed out that the deadline for the submission of item 20 (attestation of internal controls) should be maintained at 30 April as in the current guidelines. This is because the deadline is meant to be aligned the same provisions in other jurisdictions. 61. ESMA response: ESMA takes note of the support by respondents in maintaining the existing items and largely using the same templates to avoid additional effort. Concerning submission of the attestation on internal controls, ESMA has considered the feedback received and has reinstated the reporting deadline to 30 April, in line with current practice.

16 3.3.3 MTIs periodic information 62. Respondents mostly agreed with the proposed approach to MTI-specific periodic information, highlighting that the templates should not require supervised entities to provide more information than required pursuant to the relevant sectoral regulations and limit it at a supervised entity rather than group level. 63. Few respondents asked to align the frequency of reporting between the different MTI mandates. 64. Some respondents asked to update certain fields of the reporting templates and consider less frequent reporting. 65. One respondent advocated for the deletion of the reporting item related to Staff Numbers & Other Indicators. 66. ESMA response: ESMA notes the general agreement with MTI-specific items and agrees to keep the requested information at entity level. ESMA has also aligned the frequency of reporting between the MTI mandates in the final guidelines. To the possible extent ESMA will also consider proposed updates to the templates in use but intends to keep a separate Staff Numbers template as the item helps understand resource allocation at supervised entities. 3.4 Ad-hoc reporting requirements 3.4.1 Material Changes to initial conditions of registration 67. Respondents largely agreed with the proposed approach, recognising that it does not entail significant changes when compared to the guidelines currently in place for certain reporting entities. 68. Few respondents pointed to the fact that, compared to the previous version, the Guidelines no longer include a non-exhaustive list of the material changes, as well as the accompanying short description. Also, respondents noticed that the reporting calendars no longer include a dedicated numbering system of notifications of material changes. 69. Two respondents raised a question on the materiality assessment needed to determine the need to report a change, as well as potential duplication of reporting for certain material changes, for example in the ICT area. 70. ESMA response: Having considered various options around the addition of non￾exhaustive lists of possible material changes to the initial condition of registration, ESMA opted for a principle-based approach in this area, requiring supervised entities to notify in accordance with their respective regulatory framework. Based on supervisory experience, the pre-determined categorisation of possible material changes has shown some limitation

17 for aspects that were not explicitly covered. Hence, ESMA expects entities to submit notification of material changes without any numbering system, which should also reduce the reporting burden. 71. Regarding the comments on materiality assessments, ESMA kept unchanged the definition provided in the existing Guidelines, which considers material changes “to be any change that may affect the reporting entity’s initial conditions of registration or its compliance with the requirements of the sectoral Regulation”. To support entities’ efforts in assessing what is reportable, ESMA kept a non-exhaustive list in the reporting calendar (section 5.10), including reference to the relevant legislation. In terms of potential duplication, ESMA acknowledges that this could happen, however material changes are deemed to be reported as soon as possible, as opposed to periodic information, hence the different timing could justify some rare overlap, e.g. in the ICT area. In terms of numbering, ESMA amended the guidelines to specify that all material changes should be reported under item 36. ESMA intends to take a principle-based approach, and it expects supervised entities to have processes in place to determine what should be notified to ESMA. 3.4.2 Cross-sectoral other ad-hoc notifications 72. Respondents largely agreed with the proposed approach, recognising that it does not entail significant changes when compared to the notifications currently in place. 73. Some of the respondents welcomed ESMA’s efforts to align ICT and Information security incident notifications with reporting obligations under DORA and urged aligning the timelines with the relevant provisions in DORA. 74. Few respondents asked for incident reporting clarification in the transition period between the entry into application of the provisions of DORA and the new Guidelines. 75. Several respondents noted that it is crucial to keep in mind that not all entities covered by the guidelines are also in scope of DORA – notably third-country benchmarks administrators and urged for a tailored incident reporting approach for entities outside of DORA requirements. 76. Several respondents raised a question on the scope and materiality threshold needed to determine the need to report litigations, internal complaints submitted to the Compliance Department and potential and actual cases of non-compliance with the relevant sectoral regulation. These respondents asked to clarify what constitutes a potential case of non￾compliance and argued that reporting of “potential” breaches and legal actions is broad and ambiguous, making the reporting exercise an excessive administrative burden. 77. Same respondents noted that submission of information regarding any existing, new or potential legal actions must be limited to those cases that may adversely impact the continuity or quality of the product or service provided and/or materially impact the financial position of a reporting entity.

18 78. One respondent also noted that only litigations against the supervised entity that may adversely impact the continuity of the supervised entity should be reported as opposed to other group entities. 79. One respondent agreed with the content of the requested information but noted that litigations and Internal Complaints submitted to the Compliance Department are either part of the quarterly Board Pack or the annual compliance report. 80. Related to the previous point, one respondent suggested waving reporting requirements in those cases where information requested by ESMA has already been provided under a different item. 81. ESMA response: For entities not under the scope of DORA, ESMA amended the guidelines to allow the possibility of reporting of information about major ICT and information security incidents using any preferred mean of communication. In all cases, it is important for ESMA to receive this information in a timely and complete manner. 82. Regarding reporting of potential litigations, ESMA amended the guidelines to clarify that this should be limited to those cases that may adversely impact the continuity or quality of the product or service provided and/or materially impact the financial position of a reporting entity. ESMA expects reporting entities to have a process in place to determine which litigations should be reportable. 83. As regards reporting potential internal complaints and breaches or cases of non￾compliance, ESMA acknowledges that there could be specificities related to the sectoral legislation which require an assessment by the reporting entities to identify reportable items. ESMA expects that cases of non-compliance to be submitted in line with the relevant regulatory provisions include “possible” or “potential” cases that are to be further investigated or verified. The guidelines provide descriptions that are aimed at supporting the identification process. 3.4.3 Sectoral other ad-hoc notifications 84. Among BMAs, several respondents disagree with the use of a standardised template for error reporting, as the provision is already envisaged by the Regulation. 85. One respondent also requested clarifications on the scope of this ad-hoc notification, notably on the reportable errors in input data, while another is concerned about the lack of a materiality threshold, which could lead to a high number of notifications. 86. ESMA response: ESMA acknowledges the feedback received regarding the standardisation of reporting through templates. While the use of templates is meant to reduce the possibility of follow-up questions by ESMA and allows ESMA to set clear expectations in terms of content, in order to limit the burden on BMAs ESMA is deleting from this final report the reference to standardised templates relating to ad-hoc

19 notifications. BMAs may provide the required information without setting a specific format. ESMA stresses the importance of receiving this information in a timely and complete manner. Finally, regarding a materiality assessment, ESMA expects reporting entities to have a process in place to determine whether an error is sufficiently material to be reported, in line with the relevant provisions of the BMR. 87. CRAs generally agreed with the proposed approach, which is overall unchanged compared to the existing Guidelines. 88. ESMA response: ESMA welcomes the broad to support to keep the existing items unchanged. 89. MTIs generally agreed with the proposed approach, which is largely consistent with the existing requirements. One respondent noted that the templates should not require supervised entities to provide more information than required pursuant to the relevant sectoral regulations and limit it at a supervised entity rather than group level. Another respondent suggested certain amendments to the reporting templates for a cessation of business and portability requests. 90. ESMA response: ESMA notes the general agreement with MTI-specific items and agrees to keep requested information at entity level. To the possible extent ESMA will also consider proposed updates to the templates in use. 3.5 Other comments: entry into force, reporting calendars and use of templates 91. Some respondents enquired about the expected date for the submission of the first batch of periodic information, as well as about the applicability of notification reporting. 92. ESMA response: ESMA expects all supervised entities to adhere to these Guidelines by 1 January 2026. In practice, the first batch of periodic information should be submitted to ESMA by 31 January 2026, while ad-hoc notifications (if any) should be reported starting on 1 January of the same year. ESMA will communicate in due course to each entity the applicable calendar. Until then, entities that are already subject to existing Guidelines on periodic information should continue to apply them, with the only exception of ICT incidents for entities subject to DORA, which are replaced by DORA requirements. 93. Few respondents commented on the content and frequency of reporting, as defined in the reporting calendars, mentioning that sufficient proportionality should be applied in conjunction with the relative size of entities. 94. ESMA response: as explained in the Consultation, the Guidelines have been designed to ensure the necessary proportionality in terms of requirements, on top of burden reduction when compared to previous versions applicable to CRAs and TRs. The reporting calendar represents an important aspect to ensure proportionality, since the calendar allocation

20 decision is tailored to the market footprint and regulatory specificities of each entity. In terms of content and granularity of reporting, ESMA will ensure that supervisory expectations will also align to the principle of proportionality and will engage with entities through its regular supervisory dialogue to address any concerns in this area. 95. Regarding the use of reporting templates, several respondents requested to keep them unchanged to the extent possible, in order to minimise the adaptation burden. 96. ESMA response: ESMA took this comment into account and has kept the templates largely unchanged. ESMA will publish the templates together with the final report. ESMA remains available to discuss the structure and content of templates if needed, including before the entry into application of the guidelines. 4 Annexes

21 Annex I - Cost-benefit analysis 97. This section provides a qualitative assessment of the costs and benefits that may arise from the application of these guidelines. 98. The guidelines aim at harmonising and simplifying the reporting of the information periodically submitted to ESMA across all reporting entities. These guidelines alleviate the burden on reporting entities already subject to the existing ones, in particular small and medium-sized companies. These guidelines should contribute to the development of a more effective and efficient supervision by ESMA through the standardisation of information submitted and by aligning the information submitted to ESMA more closely to what it considers the key risks in the different sectors. Benefits These guidelines specifying the periodic information that reporting entities should provide to ESMA are mainly to the benefit of supervised entities, ESMA as a direct supervisor and ultimately to the user of services provided. In line with the European Commission 2024 work programme10 which puts a strong focus on simplifying rules for citizens and businesses across the European Union, ESMA is taking this opportunity to streamline the reporting obligations in order to reduce the administrative burdens. The existing Guidelines in place for Credit Rating Agencies (since 2015) and Trade Repositories (since 2018) demonstrated the effectiveness of this approach in terms of transmission of information, predictability of requests and ultimately on supervisory dialogue. It also supported supervised entities in improving their practices to align with industry standards. Reporting entities that already comply with existing Guidelines or for which periodic information is already established with ESMA will incur fewer overall costs when implementing these guidelines. This is because ESMA is ensuring that the existing reporting templates remain largely unchanged. For instance, ESMA is no longer requesting reporting entities to provide internal audit reports on a periodic basis. This is because a summary of this information is usually available in the board packs. Therefore, the information included in the board packs is sufficient and where needed ESMA may ask additional information. Similarly, in case an item is already reported under a different item, reporting entities can provide a simple reference to indicate the location of the information. 10 Delivering for today and preparing for tomorrow (europa.eu)

22 At the same time, ESMA believes that the application of these guidelines will improve the clarity, relevance and comparability of information provided to ESMA. This will help ESMA to develop a more accurate view of the different entities under its supervision as well as identifying those posing higher risks to its regulatory objectives. Costs As previously highlighted these guidelines aim at (i) streamlining the current reporting of periodic information to ESMA and (ii) establishing consistent reporting requirements for reporting entities within the newly established mandates. This is ensured by reducing the administrative burden on those entities through requesting only the strictly needed information for example by avoiding duplicate information. Potential costs arising from these guidelines will be borne by reporting entities. Initial costs could be higher for entities and industries not yet subject to ESMA’s supervision; however, such costs should be considered in light of predictability of information that is in all cases needed for ESMA to carry out its supervisory duties, and which would otherwise be demanded through ad￾hoc requests. ESMA notes that most of the entities in scope of these guidelines are currently supervised by ESMA and therefore will benefit from a cost reduction, in light of the simplification and reduction of several requirements. Some reporting entities may face initial costs in establishing procedures for the new reporting items and for which the supervised entity is not already under an explicit instruction to produce. These costs are linked, for example to the establishment of the different templates to provide the periodic information for those items that include a standardised template. For the remaining items, reporting entities can provide the information in the format most suitable for them. ESMA believes that the overall costs associated with the implementation of the guidelines will be balanced out by ensuring that ESMA gets timely and comprehensive information and by the expected decrease in ESMA’s ad-hoc requests for information. Additionally, the guidelines have been designed in a way to minimise the administrative burden on smaller reporting entities that pose less risk, in accordance with the principle of proportionality. These reporting entities will be categorised as calendar B and will have to provide the necessary information on a less frequent basis or upon demand.

23 Annex II – Guidelines Guidelines on the submission of periodic information to ESMA by Benchmark Administrators, Credit Rating Agencies and Market Transparency Infrastructures

1. Scope Who?
2. These guidelines apply to third country Benchmark Administrators (BMAs) recognised in the EU, to EU administrators of critical benchmarks authorised under the BMR, Credit Rating Agencies (CRAs) registered in the EU, Data Reporting Services Providers (DRSPs) registered in the EU and supervised by ESMA, Securitisation Repositories (SRs) registered in the EU and Trade Repositories (TRs) registered in the EU (together “reporting entities”). These guidelines do not apply to certified CRAs. What?
3. These guidelines are based on Article 16 of Regulation (EU) No 1095/2010, Articles 8(7a) 8a(3), 8(6aa), 14(3), 21(5) of Regulation (EC) No 1060/2009, Articles 6(5), 7(4), 14(1), 14(2), 24(3), 26(2) and 34(2) of Regulation (EU) 2016/1011, Article 55(4) of Regulation (EU) No 648/2012; Articles 27c(3) of Regulation (EU) No 600/2014; Article 10(4) of Regulation (EU) 2017/2402; Article 5(4) of Regulation (EU) 2015/2365.
4. The final texts will be published on ESMA’s website together with all relevant templates and reporting calendars. In addition, and with a view to improving their visibility and integration within reporting entities’ internal processes, ESMA will also publish the reporting calendars and the templates as standalone items that can be downloaded from the ESMA’s website.
5. These guidelines will repeal and replace the Guidelines on the submission of periodic information to ESMA by Credit Rating Agencies – 2nd Edition, published by ESMA on 7 April 2021 (ESMA33-9-295) and the Guidelines on periodic information and notification of material changes to be submitted to ESMA by Trade Repositories published by ESMA on 23 March 2021 (ESMA74-362-249). When?
6. These guidelines will apply from 01/01/2026.

24 2. Legislative References, abbreviations and definitions Legislative references BMR Regulation (EU) 2016/1011 of the European Parliament and of the Council of 8 June 2016 on indices used as benchmarks in financial instruments and financial contracts or to measure the performance of investment funds and amending Directives 2008/48/EC and 2014/17/EU and Regulation (EU) No 596/2014 CRA Regulation Regulation (EC) No 1060/2009 of the European Parliament and of the Council of 16 September 2009 on credit ratings agencies EMIR Regulation (EU) No 648/2012 of the European Parliament and of the Council of 4 July 2012 on OTC derivatives, central counterparties and trade repositories ESMA Regulation Regulation (EU) No 1095/2010 of the European Parliament and of the Council of 24 November 2010 establishing a European Supervisory Authority (European Securities and Markets Authority), amending Decision No 716/2009/EC and repealing Commission Decision 2009/77/EC MiFIR Regulation (EU) No 600/2014 on markets in financial instruments Securitisation Regulation Regulation (EU) 2017/2402 of the European Parliament and of the Council of 12 December 2017 laying down a general framework for securitisation and creating a specific framework for simple, transparent and standardised securitisation, and amending Directives 2009/65/EC, 2009/138/EC and 2011/61/EU and Regulations (EC) No 1060/2009 and (EU) No 648/2012 SFTR Regulation (EU) 2015/2365 of the European Parliament and of the Council of 25 November 2015 on transparency of securities financing transactions and of reuse and amending Regulation (EU) No 648/2012

25 Abbreviations BMA Benchmark Administrator CP Consultation Paper DRSP Data Reporting Services Provider ESMA European Securities and Markets Authority EU European Union CRA Credit Rating Agency registered with ESMA FTE Full Time Equivalent INED Independent Non-Executive Director RTS Regulatory Technical Standards SR Securitisation Repository TR Trade Repository 3. Purpose 6. The objectives of these guidelines are to establish consistent, efficient and effective supervisory practices within ESMA and to ensure common, uniform and consistent application of Union law. In particular, the guidelines set out the information that should be submitted by BMAs, CRAs, DRSPs, SRs and TRs to support ESMA’s ongoing supervisory activities. The guidelines also clarify the format and frequency of the different categories of information which ESMA expects to receive in its role as supervisor. 4. Compliance and reporting obligations 7. In accordance with Article 16(3) of the ESMA Regulation, financial market participants must make every effort to comply with these guidelines.

26 5. Guidelines on Periodic Information 8. These guidelines are split into eight parts: Section 5.1 – Reporting assignment. This section describes how reporting entities are assigned different reporting calendars by ESMA for the purpose of these guidelines. Section 5.2 – Reporting principles. This section explains the different reporting periods and submission deadlines that apply to the different reporting calendars. Section 5.3 – Cross sectoral periodic information. This section explains the information that should be reported by all reporting entities to ESMA. Section 5.4 – Sectoral periodic information. This section explains the information that should be reported by reporting entities to ESMA in accordance with sector-specific regulatory requirements. Section 5.5 – Ad-hoc reporting requirements. This section explains the information that should be reported by reporting entities when certain events materialise, in accordance with relevant regulatory requirements. Section 5.6 – Reporting for the purpose of supervisory fees. This section explains the information that should be reported by reporting entities in accordance with the relevant delegated acts on supervisory fees. Section 5.7 – Reporting calendars. This section includes the reporting calendars by sectoral requirements for the categories “Calendar A” and “Calendar B”. Section 5.8 – Reporting templates. This section includes the reporting templates to be used by reporting entities. 5.1. Reporting Assignment 9. ESMA applies a risk-based approach to supervision which has two key pillars: i) assessment of the importance of a firm relative to other reporting entities, and ii) assessment of key risk areas within each firm. The basis for ESMA’s risk assessment is the information available to ESMA. This information can come from a wide variety of sources i.e., (periodic) information reported by reporting entities, information communicated to ESMA by NCAs, supervisory activities or requests for information, information from market participants and third country regulators and information obtained through ESMA’s own market intelligence.

27 10. For the purposes of these guidelines each supervised entity will be assigned to a reporting calendar based on ESMA’s internal supervisory assessment. There will be two reporting calendars “Calendar A” and “Calendar B”. Reporting entities will be informed of the applicable reporting calendar via formal correspondence. Unless a change is communicated by ESMA, reporting entities should assume no change to their reporting calendar. 5.2. Reporting Principles 5.2.1. Reporting Periods and Submission Deadlines 11. Reporting entities should submit to ESMA information on a quarterly, semi-annual, annual, bi-annual or ad-hoc basis according to one of two calendars. The reporting periods and applicable deadlines for each category of entity are set out in Table 1. For scheduled reporting, reporting entities should submit the information within one month following the end of the reporting period concerned (submission deadline). For ad-hoc reporting, reporting entities should submit the information as soon as possible. 5.2.2. General Reporting Principles 12. Documents should be provided in an unlocked machine-readable format11 . Table 1 REPORTING FREQUENCIES AND SUBMISSION DEADLINES Reporting calendar Reporting Frequency Reporting Period Submission Deadline(s) following the end of the Reporting Period Calendar A Annual 1 July to 30 June or 1 January to 31 December 31 July or 31 May12 31 January13 11 Information shall only be considered machine readable where all of the following conditions are met: (a) it is in an electronic format designed to be directly and automatically read by a computer. The electronic format shall be specified by free, non￾proprietary and open standards. Electronic format shall include the type of files or messages, the rules to identify them, and the name and data type of the fields they contain; (b) it is stored in an IT architecture that enables automatic access; (c) it is robust enough to ensure continuity and regularity in the performance of the services provided and ensures adequate access in terms of speed; (d) it can be accessed, read, used and copied by computer software that is free of charge and publicly available. 12 The Template for Costs and Revenues should be reported on the basis of the previous financial year up by 31st May. 13 Depending on the item some annual reporting items under Calendar A should be provided by 31 Jan. These are typically those reporting items arising from the entity’s own internal control reporting structures, which are prepared on a calendar year cycle and

28 Calendar A Semi-Annual 1 January to 30 June 1 July to 31 December 31 July 31 January Calendar A Quarterly 31 March, 30 June, 30 Sept, 31 Dec 30 April, 31 July, 31 October, 31 Jan Calendar B Biennial 1 July to 30 June of the second following year Or 1 July to 31 December of the following year 31 July 31 January Calendar B Annual 1 July to 30 June Or 1 January to 31 December 31 July or 31st May14 31 January Calendar B Quarterly 31 March, 30 June, 30 Sept, 31 Dec 30 April, 31 July, 31 October, 31 Jan 13. Should any of the requested information be provided under multiple items, reporting entities may indicate so and provide a clear reference to the item that contains the requested information, instead of submitting the related document(s) multiple times. 14. Concerning file transmission, each document under each reporting item and each reporting template should be transmitted according to the instructions referred to in Annex II. 5.2.3. Scheduled Reporting 15. Reporting of each item under this heading should occur in accordance with the Scheduled Reporting Calendars provided in section 5.10 of these guidelines. 5.3.Cross sectoral periodic information 5.3.1. Board Documents and Internal Governance Item 1. Board Documents for which a 31 July reporting date would be unsuitable. Should these documents change between their submission in January and 31 July of that year, the updated document should be notified to ESMA by 31 July 14 The Template for Costs and Revenues should be reported on the basis of the previous financial year up by 31st May.

29 16. For reporting under this item, reporting entities should submit the following, covering the period starting from the previous submission: • The minutes of their most recent board and/or management body and/or oversight function meetings, as applicable; • A copy of documents sent to the management body, supervisory board and oversight function members in advance of the respective board meetings, as well as additional documents discussed in the meeting (for instance, reports made by Compliance, Internal Audit, Risk, external audit, other functions such as internal review reports function for CRAs, oversight function reports for BMAs, information security and risk function, etc.), minutes of the Board meetings. Item 2. Organisational Charts 17. Reporting entities should submit their internal organisation charts to ESMA. The information included in the charts should include the information set out in the table below. Category Examples of Function(s) Coverage Scope Management Board or management body members (including INEDs for CRAs, oversight function for BMR) All Staff Supervised entity Executive Committee Members All Staff Supervised entity Senior Management All Staff Supervised entity Business / Operations Analytical or Operations management Last Manager Supervised entity Analytical or Operations support management (data management) Last Manager Supervised entity Methodology / criteria / model development, where applicable All Staff Supervised entity Methodology / criteria / model review / validation, where applicable All Staff Supervised entity Control Functions Compliance (all teams) All Staff Group

30 Risk management All Staff Group Information Security All Staff Group Internal Audit All Staff Group Other Internal Control Functions All Staff Group Support Functions Information Technology Last Manager Supervised entity Human Resources Last Manager Supervised entity Finance Last Manager Supervised entity Commercial staff and business relationship managers Last Manager Supervised entity Legal Last Manager Supervised entity 18. With regards to the section “Functions” each position in the organisational charts should include at least the following information: i) Name ii) Role iii) Location (country) iv) Seniority (managerial/non-managerial role, according the supervised entity￾specific grades) v) Reporting line with Function and Name (If an employee reports outside the EU, please provide the global reporting line) 19. With regards to the section “Coverage”: i) “Last manager” means that the organisational chart should include the full hierarchy down to the last managerial position (i.e. staff with no managerial duties could not be reported);

31 ii) “All Staff” means that the organisational chart should include all employees allocated to a function, which are entirely or partially involved in the activities of the supervised entity. 20. With regards to the section “Scope”: i) “Group” means that the organisational chart should include staff at Group level, in case these are entirely or partially involved in the activities of the supervised entity. ii) “Supervised entity” means that the organisational chart should include only staff from the supervised entity. Item 3. New and Potential Conflicts of Interest 21. Reporting entities should submit according to the specific template on Conflicts of Interest any changes during the reporting period to the existing or potential conflicts of interest that were notified to ESMA during the supervised entity’s registration process. 22. The template should include the following information: i) A description of each actual or potential conflict of interest. Reporting entities should report all potential conflicts arising from the operation of the entity, including those arising from monitoring activities performed by internal control functions, and internal complaints; ii) The description should explain the circumstances surrounding the actual or potential conflict of interests, how it was identified and what impact it had; iii) A statement of the reasons why the actual or potential conflict of interests has arisen, identifying the root cause; iv) A statement of the actions undertaken to address the actual or potential conflict of interest and to prevent the recurrence of similar instances in future; v) An explanation of whether an internal investigation has been opened in relation to the actual or potential conflict of interest and whether the investigation is still ongoing at the date of reporting or has been completed. ESMA expects an internal investigation to have been completed within one month of the date the potential case of non-compliance was identified. 5.3.2. Internal Controls Item 4. Compliance Work Plan

32 23. Reporting entities should submit a copy of their Compliance Work Plan to ESMA. Item 5. Internal Audit Work Plan 24. Where a supervised entity has established an Internal Audit function or commissioned internal audits from an external party, the supervised entity should submit a copy of its annual Internal Audit work plan. This document should be reported on an individual basis, in addition to where it may have been included as part of any Board Pack. Item 6. Internal Control Monitoring: Assessments 25. Reporting entities should submit the template on [IC_CM & IA Overview] to provide information regarding their assessments of the adequacy and effectiveness of their systems, internal control mechanisms and arrangements established to ensure compliance with the relevant regulatory requirements. 26. The template should be completed with respect of internal control assessments that were completed during the reporting period, either at the request of ESMA or the internal control functions (e.g. compliance, risk management, internal control, internal audit, information security), as well as any remedial actions that were implemented following an assessment. 4.1.1 Information Technology and Information Security15 Item 7. ICT Risk Management Framework 27. Reporting entities should provide complete and updated information on their ICT risk management framework. The framework should provide an overview of the measures that reporting entities have put in place to implement their ICT and information security objectives, address ICT risk, detect and mitigate ICT-related incidents, and ensure high level of digital operational resilience. Item 8. ICT risk profile 28. Reporting entities should provide complete and updated information on their ICT risk profile (or outcome of the annual ICT risk assessment). The ICT risk profile should include information on the risk appetite, tolerance levels for ICT risk, and key risk metrics. Entities should provide information on the planned/ongoing ICT risk mitigation activities for all significant risks that fall outside the tolerance levels. Item 9. Review or audit report of the ICT risk management framework 15 For reporting entities subject to DORA, the requirements of this section shall be fulfilled by providing the documentation required by the relevant articles of the DORA regulation and of the related delegated regulation.

33 29. Reporting entities should submit an annual or periodic review of the ICT risk management framework or report it as part of the audit report . The reports should include information on the improvements suggested to ICT risk management framework as a result of the review/audit. Item 10. Summary of findings from annual tests of ICT business continuity plans and the ICT response and recovery plans 30. Reporting entities should submit a summary of the results of the ICT business continuity tests and ICT response and recovery tests (Disaster Recovery). The information should contain a summary of the findings from the tests as well as information on remediation actions or plans. ESMA also requests to provide the outcome of the review, or to report it as part of regular and independent audits of the ICT business continuity plans and the ICT response and recovery plans. Item 11. Summary of findings from the digital operational resilience tests (including any relevant ICT audits) 31. Reporting entities should provide a summary of findings and remediation actions stemming from: • digital operational resilience testing, and • any relevant ICT audits. 5.3.3. Audited Accounts Item 12. Audited accounts 32. Reporting entities should report to ESMA their audited accounts16. If the financial year does not correspond to the calendar year, the reporting entities should submit the breakdown of revenues and expenses certified by an independent auditor by the 30 September deadline. 5.4.Sectoral Information – BMAs 5.4.1. Methodology Item 13. Resourcing: Operations and Benchmarks 16 Audited accounts should include all information relevant for the purpose of the calculation of supervisory fees, including breakdown of revenues from core and ancillary services, in accordance with the relevant sectoral regulatory framework. In case the reporting entity is not subject to audit obligations for its accounts, an equivalent statement certifying the required information for the calculation of supervisory fees could be provided.

34 33. BMAs should indicate per business line or asset class the number of FTEs directly involved in the provision of the benchmarks in addition to the number of benchmarks as well as an estimate of the use of these benchmarks in the EU for which they are responsible. Item 14. Resourcing: Methodologies 34. BMAs should indicate the number of staff assigned to the review, validation and development of the methodologies of the BMA as well as the implementation of these methodologies. This should be completed at the group level of the BMA. 5.4.2. External audit Item 15. External audit reports 35. Where a BMA conducts external audits on compliance with the BMR or with IOSCO Principles for financial benchmarks, such BMA should submit to ESMA copies of any reports or assessments conducted by the external audit or third parties during the reporting period or when requested by ESMA related to the benchmark’s activities. 5.4.3. FTE & Headcount Item 16. BMR Staff Numbers & Other Indicators 36. BMAs should submit the Template on [ BMR Staff Numbers and Other Indicators] providing information on total Full Time Employees (FTE) at supervised entity and group level, providing a breakdown of staff numbers according to the following areas: i) Operations ii) Information Technology iii)Information Security iv) Compliance v) Internal Audit vi) Risk Management

35 5.5.Sectoral Information – CRAs 5.5.1. Ratings and methodologies Item 17. Resourcing: Analysts and Credit Ratings 37. CRAs should submit the relevant template [Resource planning AF] in which they should indicate per business line the number of analysts employed by the CRA in addition to the number of credit ratings for which they are responsible. This should be completed at the level of the EU group of CRAs. Item 18. Resourcing: Methodologies and Models 38. CRAs should submit the relevant template [Resource planning IRF] in which they should indicate the number of staff assigned to the review or validation of the methodologies and models of the CRA. This should be completed at the group level of the CRA. Item 19. Objective Reasons for endorsement 39. CRAs should submit the relevant template [Objective reasons] in which they should provide a description of the objective reasons for the elaboration of any credit rating on EU entities or instruments by the CRA outside of the EU17 . 5.5.2. Internal Controls Item 20. Attestation on Internal Controls 40. Where a CRA’s governing body attests on the effectiveness of its internal control environment and, without prejudice to confidentiality obligations laid down in other relevant legislative acts, CRAs should submit a copy of the attestation. 5.5.3. Financials, FTE & Headcount Item 21. Staff Numbers & Other Indicators 17 ESMA determines the location of an entity or instrument for the purposes of this item in accordance with the RTS on the European Rating Platform. As outlined in footnote 16 of ESMA’s November 2017 Guidelines on the application of the CRA endorsement regime “For the purposes of these Guidelines, the country of an entity or financial instrument follows Articles 4-6, as well as Field 10 of Table 1 of Part 2 of Annex I of the Commission delegated Regulation 2015/2 of 30 September 2014 with regard to regulatory technical standards for the presentation of the information that CRAs make available to ESMA.

36 41. CRAs should submit the relevant template [Staff Numbers and Other Indicators] providing information on total FTE at EU and group level, providing a breakdown of staff numbers according to the following areas: i) Analytical ii) Information Technology iii) Information Security iv) Compliance v) Internal Audit vi)Risk Management 42. CRAs should submit Template 11 [Staff Numbers and Other Indicators] providing information on the number of IT rating applications in use and the on-going IT projects across the following areas: i) Rating Process ii) Methodology Development, validation and review iii) Commercial and Business Development Process Item 22. Revenues and Costs 43. CRAs should submit the relevant template [Financials], to provide a breakdown of the costs and revenues generated from credit ratings and other products or services (including ancillary services) for the preceding calendar year. For other products or services, CRAs should include a brief description of each type of product or service reported. Costs and revenues should be determined according to the same accounting principles used in preparation of the CRA’s financial statements. 44. For credit ratings, CRAs should report annual revenues broken down by following types of credit ratings: Corporate Non Financials; Corporate Financials; Corporate Insurance; Sovereign / Public Finance; Structured Finance; Covered Bonds. For other products or services, CRAs should report annual revenues broken down by each type of product or service offered. 45. For credit ratings, CRAs should report annual costs per type of credit rating, broken down by operating and non-operating costs. Operating Costs should be further disaggregated between compensation costs (e.g. payroll expenses) and other operating costs. For other products or services, CRAs should report annual costs per product, or service broken down

37 by operating and non-operating costs in the same manner. Non-operating costs may include interest and tax charges. 5.6.Sectoral Information – DRSPs 5.6.1. Data reporting Item 23. Participants overview 46. DRSPs should submit the statistics and DRSP participants’ profile, in accordance with the designated template. The information to be submitted through the template includes, among others: Number, home country and typology of investment firms to which, or on behalf of which, the DRSP provides services, split between ARM and APA. Item 24. Regulatory access status 47. DRSPs (ARMs only) should submit the template listing established connections between ARMs and NCAs. Item 25. Data volume 48. DRSPs should report, among others, the statistics on data volumes. The information to be submitted through the template includes quarterly data referring to outbound and inbound data flows. 5.6.2. FTE & Headcount Item 26. DRSP Staff Numbers & Other Indicators 49. DRSPs should submit the template providing information on total FTEs at supervised entity, providing a breakdown of staff numbers according to the following areas: i) Operations ii) Information Technology iii) Information Security iv) Compliance v) Internal Audit vi) Risk Management

38 5.7.Sectoral Information – SRs 5.7.1. Data reporting Item 27. Participants overview 50. SRs should submit the statistics and SR participants’ profile, in accordance with the designated template. The information to be submitted through the template includes, among others: Number, home country and typology of investment firms to which, or on behalf of which, the SR provides services. Item 28. Regulatory access status 51. SRs should submit the list of regulatory authorities that have requested and those that have established access to the SR, including through TRACE, in accordance with the designated template. 5.7.2. FTE & Headcount Item 29. SR Staff Numbers & Other Indicators 52. SRs should submit the Template providing information on total FTEs at supervised entity, providing a breakdown of staff numbers according to the following areas: i) Operations ii) Information Technology iii) Information Security iv) Compliance v) Internal Audit vi) Risk Management 5.8.Sectoral Information – TRs 5.8.1. Data reporting Item 30. Participants overview

39 53. TRs should submit the statistics and TR participants’ profile, in accordance with the designated template. The information to be submitted through the template includes, among others: the Regulation under which they report, country, whether they are direct or indirect reporting entities, and their share. Item 31. Regulatory access status 54. TRs should submit the list of regulatory authorities that have requested and those that have established access to the TR, including through TRACE, in accordance with the designated template. Item 32. Data volume 55. TRs should report the statistics on (i) the total number of trades and reports received from the start of reporting for each Regulation and (ii) the number of derivatives and SFTs per each jurisdiction, entities participating in the reporting and Data Quality Category (for EMIR), in accordance with the designated template. Item 33. Reconciliation statistics 56. TRs should provide ESMA with the statistics on reconciliation of derivatives and SFTs in accordance with the designated templates. 5.8.2. FTE & Headcount Item 34. TR Staff Numbers & Other Indicators 57. TRs should submit the Template providing information on total FTEs at supervised entity, providing a breakdown of staff numbers according to the following areas: i) Operations ii) Information Technology iii) Information Security iv) Compliance v) Internal Audit vi) Risk Management

40 5.9.Ad-Hoc Reporting Requirements 58. Reporting under this heading should be conducted as soon as possible in accordance with the reporting calendar in Section 5.10. in particular, ESMA should be notified of any issue without undue delay, taking into account the urgency and significance of the matter. The initial notification should be followed up with a more substantial notification within one month in the event further information becomes available. 5.9.1. Notifications of material changes to the conditions for initial registration Item 35. Material changes to the conditions of initial registration 59. ESMA considers a “material change” to be any change that may affect the reporting entities initial conditions of registration, notably its compliance with the requirements of the sectoral Regulation. In this regard, reporting entities should notify ESMA as soon as possible of any material changes to the conditions of its initial registration, including but not limited to the following matters referred in Section 5.7 [reporting calendars] for each mandate and based on the information to be provided in a registration application required by each sectoral regulation18 . Item 36. Change to Membership of Supervisory / Administrative Board 60. Reporting entities should use the relevant template on Board Members Details in order to notify ESMA of any changes to the membership of its Supervisory or Administrative Board. In the event of a new member, reporting entities should also submit an updated version of the template19 . 18 For BMR, please refer to the Commission Delegated Regulation (EU) 2018/1645 of 13 July 2018 on the form and content of the application for recognition as well as Commission Delegated Regulation (EU) 2018/1646 on the information to be provided in an application for authorisation and in an application for registration. These Delegated Regulations are subject to review as suggested by ESMA in the relevant final reports. For CRAs, please refer to the Commission Delegated Regulation (EU) No 449/2012 of 21 March 2012 supplementing Regulation (EC) No 1060/2009 of the European Parliament and of the Council with regard to regulatory technical standards on information for registration and certification of credit rating agencies. For TRs, in this respect, Article 55(4) of EMIR and Article 5(4) of SFTR require registered TRs to ‘comply at all times with the conditions for registration’, and to, ‘without undue delay, notify ESMA of any material changes to the conditions for registration’. For DRSPs, please refer to Article 1 of Commission Delegated Regulation (EU) 2017/571 of 2 June 2016 supplementing Directive 2014/65/EU of the European Parliament and of the Council with regard to regulatory technical standards on the authorisation, organisational requirements and the publication of transactions for data reporting services providers, requiring data reporting services provider to promptly inform the competent authority of its home Member State of any material change to the information provided at the time of the authorisation and thereafter. For SRs, please refer to Article 10 of Regulation (EU) 2017/2402 of the European Parliament and of the Council of 12 December 2017 laying down a general framework for securitisation, requiring registered securitisation repository to comply at all times with the conditions for registration. A securitisation repository shall, without undue delay, notify ESMA of any material changes to the conditions for registration. 19 Any notification under this item is without prejudice to CRA’s requirements under Article 15 ‘Fitness and Appropriateness’ of Commission Delegated Regulation (EU) 449/2012, supplementing Regulation (EC) No 1060/2009.

41 5.9.2. Other Ad-Hoc Notifications 5.9.2.1. Cross-sectoral notifications Item 37. ICT and Information security incidents notifications 61. Reporting entities should complete the relevant templates. For reporting entities subject to DORA, the notification of major ICT and Information security incidents shall be fulfilled by providing such information according to the corresponding template under DORA. Reporting entities not subject to DORA, notwithstanding the option to use voluntarily the DORA templates, shall provide information on major ICT and information security incidents using the preferred means of communication. Item 38. Potential and actual cases of non-compliance with the relevant sectoral regulation 62. For reporting under this item, reporting entities should complete the relevant template on Actual or Potential Breach to provide information regarding possible cases that may result in non-compliance with any of the initial conditions for registration, including: • A description of each case which may result in a possible non-compliance with the initial conditions for registration including cases resulting from activities performed by any control function; • A statement of the reasons why such case has arisen; • A statement of the actions undertaken by the supervised entity following the identification of the case concerned; • A statement of whether an internal investigation has been opened in relation to the case concerned and of whether such investigation is ongoing or closed; and where closed, furnish a copy of any consequent report made in respect of the investigation. 63. This notification should be provided in accordance with Section 5.3.3 of these guidelines. Item 39. Litigation 64. Reporting entities should submit to ESMA information on any existing, new or potential legal actions that have been or that the supervised entity is aware may be taken against the group, and which may adversely impact the continuity or quality of the product or service provided and/or materially impact the financial position of a supervised entity.

42 65. ESMA expects to receive a brief description of, and updated information on pending and current court proceedings, arbitration proceedings and any form of binding dispute resolution proceedings., and which may adversely impact the continuity or quality of the product or service provided and/or materially impact the financial position of a supervised entity. This description should include a summary of the proceedings and of the potential outcome of the proceedings in terms of liability. Item 40. Internal Complaints submitted to the Compliance Department 66. Following the receipt of a complaint within the scope of the relevant sectoral Regulation by its Compliance Department, reporting entities should complete the relevant template on Internal Complaints to notify ESMA of the following information: i) A description of the content of the complaint; ii) The follow-up actions undertaken by the supervised entity; iii) Information on whether an internal investigation was opened as a consequence, including whether the investigation is ongoing or closed at the date of reporting; where the investigation has been closed, a copy of any consequent report made in respect of the investigation. 5.9.2.2. BMAs Item 41. Identification of errors in input data or determination of benchmarks 67. BMAs should provide information regarding errors in the input data and the determination of the benchmarks. Item 42. Notification of New / Material change to existing Methodology 68. BMAs should provide ESMA with information following the publication of any new methodology, or change to an existing methodology. This information should be submitted after the completion of any consultation conducted in respect of Article 13(1)(c) of the BMR. Item 43. External complaints submitted to the administrator 69. Following the receipt of a complaint made by external parties about the administrator's determination process, for instance on benchmark representativeness, on proposed changes to the benchmark methodology or application of the methodology, or any other decision related to the benchmark determination process. BMAs should notify ESMA of the following information: i) A description of the content of the complaint;

43 ii) The follow-up actions undertaken by the BMA; iii) Information on whether an internal investigation was opened as a consequence, including whether the investigation is ongoing or closed at the date of reporting; where the investigation has been closed, a copy of any consequent report made in respect of the investigation. 5.9.2.3. CRAs Item 44. Identification of errors in methodologies/model processes 70. CRAs should complete Template 17 [Error] to provide information regarding errors in the CRAs’ methodologies or models, in accordance with ESMA’s Q&A on the identification of errors in methodologies or models 20 . Item 45. Sovereign Rating Calendar 71. CRAs should submit to ESMA the calendar for sovereign rating actions for the forthcoming year that is published on the CRA’s website. In cases where a CRA deviates from the calendar and the CRA publishes an amended calendar on their website, the CRA should provide this updated calendar to ESMA with a detailed explanation of the reasons for the deviation. Item 46. Notification of New / Change to existing Methodology 72. CRAs should complete Template 19 [Methodologies] in order to provide ESMA with information following the publication of any new methodology or change to an existing methodology or underlying model. This template should be submitted after the completion of any consultation conducted in respect of Article 8(5a) of the CRA Regulation and is without prejudice to CRA’s ongoing obligations under Article 14(3) of the CRA Regulation. Item 47. Endorsed Credit Ratings 73. CRAs should notify ESMA of the results of any internal review that was conducted by the CRA in accordance with Guideline 4.2 Line 17 of ESMA’s guidelines on the application of the endorsement regime. Such a notification should include an update on the appropriate steps taken by the CRA. 20 Questions and Answers on the CRA Regulation (Question 8)

44 5.9.2.4. DRSPs Item 48. Cessation of business 74. The DRSPs should provide ESMA with a wind-down plan in the context of a withdrawal of registration foreseen under Article 27e(1) MiFIR using the designated template and in accordance with the relevant timeline indicated in the template. 5.9.2.5. SRs Item 49. Cessation of business 75. The SRs should provide ESMA with a wind-down plan in the context of a withdrawal of registration foreseen under Article 15(1) of Securitisation Regulation using the designated template and in accordance with the relevant timeline indicated in the template. 5.9.2.6. TRs Item 50. Notification of a portability request 76. TRs should notify ESMA upon receipt of a portability request from a TR participant, in accordance with the designated template. Item 51. Cessation of business 77. The TRs should provide ESMA with a wind-down plan, in accordance with Article 79(3) EMIR and Article 5(2) SFTR in the context of a withdrawal of registration foreseen under Article 71(1) EMIR or Article 73(1)(d) EMIR and under Article 9(1) or Article 10(1) SFTR using the designated template and in accordance with the relevant timeline indicated in the template.

45 5.10. Reporting Calendars 5.10.1. BMAs Scheduled Returns under Calendar A Return Name Return Frequency Reporting Deadline Template Available Item Board Documents and Internal Governance 1 Board documents Quarterly 31 Jan, 30 April, 31 July, 31 Oct No 2 Organisational Charts Annual 31 January No 3 New and Potential Conflicts of Interest Annual 31 January Yes Internal Controls 4 Compliance Work Plan Annual 31 January No 5 Internal Audit Work Plan Annual 31 January No 6 Internal Control Monitoring Assessments Annual 31 January Yes Information Technology Reporting 7 ICT Risk Management Framework Annual 31 January No 8 ICT Risk profile Annual 31 January No 9 Review or audit report of the ICT risk management framework Annual 31 January No 10 Summary of the findings of BCP testing activities Annual 31 January No 11 Summary of the findings of digital operational resilience testing activities Annual 31 January No Audited accounts 12 Audited accounts Annual 30 September No Benchmarks and Methodologies 13 Resourcing: Operations and benchmarks Annual 31 January No 14 Resourcing: Methodologies Annual 31 January No External audit 15 External audit reports Biennial 31 January No Staff Numbers & Other Indicators 16 Financials, FTE & Headcount Annual 31 January Yes

46 Scheduled Returns under Calendar B Return Name Return Frequency Reporting Deadline Template Available Item Board Documents and Internal Governance 1 Board documents Annual 31 January No 2 Organisational Charts Annual 31 January No 3 New and Potential Conflicts of Interest Annual 31 January Yes Internal Controls 4 Compliance Work Plan Biennial 31 January No 5 Internal Audit Work Plan Biennial 31 January No 6 Internal Control Monitoring Assessments Biennial 31 January Yes Information Technology Reporting 7 ICT Risk Management Framework Biennial 31 January No 8 ICT Risk profile Upon Demand No 9 Review or audit report of the ICT risk management framework Upon Demand No 10 Summary of the findings of BCP testing activities Upon Demand No 11 Summary of the findings of digital operational resilience testing activities Upon Demand No Audited accounts 12 Audited accounts Annual 30 September No Benchmarks and Methodologies 13 Resourcing: Operations and benchmarks Annual 31 January No 14 Resourcing: Methodologies Annual 31 January No External audit 15 External audit report Upon Demand No Staff Numbers & Other Indicators 16 Financials, FTE & Headcount Annual 31 January Yes

47 Ad-Hoc Reporting Requirements Applicable Calendar A and Calendar B Item Return Name RTS on authorisation RTS on recognition Return Frequency Template Available Notification of Material Changes to Conditions of Registration 35 Continuing Right to Exemptions NA Annex Section B.9(i) As soon as possible No 35 Outsourcing Arrangements Annex I.7 Annex Section A.6 As soon as possible No 35 Legal Form Annex I.1(c) Annex Section A.1(c) As soon as possible No 35 Business Structure Annex I.2(a) Annex Section A.3(a) As soon as possible No 35 Type of Business Activities Annex I.5(a) Annex Section B.9(e) /9(f) /9(g) As soon as possible No 35 Ownership Structure Annex I.1(i) Annex Section A.1(g) As soon as possible No 35 Control framework and oversight function Annex I.4(a)(iii) and 4(a)(iv) Annex Section A.5(a)(iii) and 5(a)(iv) As soon as possible No 35 Change to Procedures used to provide and review benchmarks Annex I.5(d), 5(e) and 6(b)(ii) Annex Section B.9(j), 9(k) and 10(b)(ii) As soon as possible No 35 IT Processes and Information Processing Systems Annex I.4(a)(i)Annex Section A.5(a)(i) As soon as possible No 36 Change to Membership of Supervisory / Administrative Board Annex 1.2 (a) Annex Section A.3 (a) As soon as possible Yes Other Notifications – Non-Material Changes 37 IT and Information security incidents notification As soon as possible Yes 38 Potential and actual cases of non￾compliance with the relevant sectoral regulation As soon as possible Yes 39 Litigations As soon as possible No 40 Internal Complaints Submitted to the Compliance Department As soon as Possible Yes 41 Identification of errors in methodologies process As soon as possible No 42 Notification of New/Change to Methodology As soon as possible No 43 External complaints submitted to the administrator As soon as possible No

48 5.10.2. CRAs Scheduled Returns under Calendar A Return Name Return Frequency Reporting Deadline Template Available Item Board Documents and Internal Governance 1 Board documents Quarterly 31 Jan, 30 April, 31 July, 31 Oct No 2 Organisational Charts Annual 31 January No 3 New and Potential Conflicts of Interest Annual 31 January Yes Internal Controls 4 Compliance Work Plan Annual 31 January No 5 Internal Audit Work Plan Annual 31 January No 6 Internal Control Monitoring Assessments Annual 31 January Yes 20 Attestation on Internal Controls Annual 30 April No Information Technology Reporting 7 ICT Risk Management Framework Annual 31 January No 8 ICT Risk profile Annual 31 January No 9 Review or audit report of the ICT risk management framework Annual 31 January No 10 Summary of the findings of BCP testing activities Annual 31 January No 11 Summary of the findings of digital operational resilience testing activities Annual 31 January No Audited Accounts 12 Audited accounts Annual 30 September No Ratings and Methodologies 17 Resourcing: Analysts Annual 31 January Yes 18 Resourcing: Methodologies & Models Annual 31 January Yes 19 Objective Reasons Annual 31 January Yes Staff Numbers & Other Indicators 21 Staff Numbers and Other Indicators Annual 31 January Yes 22 Revenues and Costs Annual 30 September Yes

49 Scheduled Returns under Calendar B Return Name Return Frequency Reporting Deadline Template Available Item Board Documents and Internal Governance 1 Board documents Annual 31 January No 2 Organisational Charts Annual 31 January No 3 New and Potential Conflicts of Interest Annual 31 January Yes Internal Controls 4 Compliance Work Plan Biennial 31 January No 5 Internal Audit Work Plan Biennial 31 January No 6 Internal Control Monitoring Assessments Biennial 31 January Yes 20 Attestation on Internal Controls Upon Demand NA No Information Technology Reporting 7 ICT Risk Management Framework Biennial 31 January No 8 ICT Risk profile Upon Demand NA No 9 Review or audit report of the ICT risk management framework Upon Demand NA No 10 Summary of the findings of BCP testing activities Upon Demand NA No 11 Summary of the findings of digital operational resilience testing activities Upon Demand NA No Audited Accounts 12 Audited accounts Annual 30 September No Ratings and Methodologies 17 Resourcing: Analysts Annual 31 January Yes 18 Resourcing: Methodologies & Models Annual 31 January Yes 19 Objective Reasons Annual 31 January Yes Staff Numbers & Other Indicators 21 Staff Numbers and Other Indicators Annual 31 January Yes 22 Revenues and Costs Annual 30 September Yes

50 Ad-Hoc Reporting Requirements Applicable Calendar A and Calendar B Item Return Name RTS on registration Return Frequency Template Available Notification of Material Changes to Conditions of Registration 35 Opening and Closing of Branches Art. 9 As soon as possible No 35 Use of Endorsement Art. 24 As soon as possible No 35 Continuing Right to Exemptions Art. 2 As soon as possible No 35 Outsourcing Arrangements Art. 25 As soon as possible No 35 Legal Form Art. 7 As soon as possible No 35 Business Structure Art. 7 As soon as possible No 35 Type of Business Activities Art. 7 As soon as possible No 35 Ownership Structure Art. 8 As soon as possible No 35 Compliance Function and Review Function Art. 23 As soon as possible No 35 Change to Procedures used to issue and review credit ratings Art. 16 As soon as possible No 35 Financial Resources Art. 13 As soon as possible No 35 IT Processes and Information Processing Systems Art. 11 As soon as possible No 36 Change to Membership of Supervisory / Administrative Board Art. 7 As soon as possible Yes Other Ad-Hoc Notifications 37 IT and Information security incidents notifications As soon as possible Yes 38 Potential and actual cases of non-compliance with the relevant sectoral regulation As soon as possible Yes 39 Litigations As soon as possible No 40 Internal Complaints Submitted to the Compliance Department As soon as Possible Yes 44 Identification of errors in methodologies/ model process As soon as possible Yes 45 Sovereign Rating Calendar As soon as possible No 46 Notification of New/Change to Methodology As soon as possible Yes 47 Outcome of Endorsement Review As soon as Possible No

51 5.10.3. DRSPs Scheduled Returns under Calendar A Return Name Return Frequency Reporting Deadline Template Available Item Board Documents and Internal Governance 1 Board documents Quarterly 31 Jan, 30 April, 31 July, 31 Oct No 2 Organisational Charts Annual 31 January No 3 New and Potential Conflicts of Interest Annual 31 January No Internal Controls 4 Compliance Work Plan Annual 31 January No 5 Internal Audit Work Plan Annual 31 January No 6 Internal Control Monitoring Assessments Annual 31 January Yes Information Technology Reporting 7 ICT Risk Management Framework Annual 31 January No 8 ICT Risk profile Annual 31 January No 9 Review or audit report of the ICT risk management framework Annual 31 January No 10 Summary of the findings of BCP testing activities Annual 31 January No 11 Summary of the findings of digital operational resilience testing activities Annual 31 January No Financial Reporting 12 Audited accounts Annual 30 September No Data Reporting 23 Participants Overview Semi-Annual 31 January, 31 July Yes 24 Regulatory access status Annual 31 January Yes 25 Data volume Quarterly 31 Jan, 30 April, 31 July, 31 Oct Yes Staff Numbers & Other Indicators 26 Staff Numbers and Other Indicators Annual 31 January Yes

52 Scheduled Returns under Calendar B Return Name Return Frequency Reporting Deadline Template Available Item Board Documents and Internal Governance 1 Board documents Annual 31 January No 2 Organisational Charts Annual 31 January No 3 New and Potential Conflicts of Interest Annual 31 January No Internal Controls 4 Compliance Work Plan Biennial 31 January No 5 Internal Audit Work Plan Biennial 31 January No 6 Internal Control Monitoring Assessments Biennial 31 January Yes Information Technology Reporting 7 ICT Risk Management Framework Biennial 31 January No 8 ICT Risk profile Upon Demand No 9 Review or audit report of the ICT risk management framework Upon Demand No 10 Summary of the findings of BCP testing activities Upon Demand No 11 Summary of the findings of digital operational resilience testing activities Upon Demand No Financial Reporting 12 Audited accounts Annual 30 September No Data Reporting 23 Participants Overview Annual 31 January Yes 24 Regulatory access status Annual 31 January Yes 25 Data volume Quarterly 31 Jan, 30 April, 31 July, 31 Oct Yes Staff Numbers & Other Indicators 26 Staff Numbers and Other Indicators Annual 31 January Yes

53 Ad-Hoc Reporting Requirements Applicable Calendar A and Calendar B Item Return Name Return Frequency Template Available Notification of Material Changes to Conditions of Registration 35 Key Staff As soon as possible Yes 35 Change to ownership structure As soon as possible Yes 35 Launch of new services (including ancillary or any other services) As soon as possible Yes 35 Change in the fee structure/ Pricing policy As soon as possible No 35 Establishment of subsidiaries and branches, reorganisation or restructuring of the DRSP activities or change to name, address, statutory documentation or legal status As soon as possible No 35 Copies of regulator templates As soon as possible No 35 Copies of DRSP participant contract templates As soon as possible No 35 Material changes in the outsourcing arrangements relative to core DRSP functions As soon as possible No 35 Any other material changes to the conditions of registration As soon as possible No 36 Membership of the supervisory/administrative board As soon as possible Yes Other Notifications – Non-Material Changes 37 IT and Information security incidents notifications As soon as possible Yes 38 Potential and actual cases of non-compliance with the relevant sectoral regulation As soon as possible Yes 39 Litigations As soon as possible No 40 Internal Complaints submitted to the Compliance Department As soon as possible Yes 48 Cessation of business As soon as possible Yes

54 5.10.4. SRs Scheduled Returns under Calendar A Return Name Return Frequency Reporting Deadline Template Available Item Board Documents and Internal Governance 1 Board documents Quarterly 31 Jan, 30 April, 31 July, 31 Oct No 2 Organisational Charts Annual 31 January No 3 New and Potential Conflicts of Interest Annual 31 January No Internal Controls 4 Compliance Work Plan Annual 31 January No 5 Internal Audit Work Plan Annual 31 January No 6 Internal Control Monitoring Assessments Annual 31 January Yes Information Technology Reporting 7 ICT Risk Management Framework Annual 31 January No 8 ICT Risk profile Annual 31 January No 9 Review or audit report of the ICT risk management framework Annual 31 January No 10 Summary of the findings of BCP testing activities Annual 31 January No 11 Summary of the findings of digital operational resilience testing activities Annual 31 January No Financial Reporting 12 Audited accounts Annual 30 September No Data Reporting 27 Participants Overview Semi-Annual 31 January, 31 July Yes 28 Regulatory access status Annual 31 January Yes Staff Numbers & Other Indicators 29 Staff Numbers and Other Indicators Annual 31 January Yes

55 Scheduled Returns under Calendar B Return Name Return Frequency Reporting Deadline Template Available Item Board Documents and Internal Governance 1 Board documents Annual 31 January No 2 Organisational Charts Annual 31 January No 3 New and Potential Conflicts of Interest Annual 31 January No Internal Controls 4 Compliance Work Plan Biennial 31 January No 5 Internal Audit Work Plan Biennial 31 January No 6 Internal Control Monitoring Assessments Biennial 31 January Yes Information Technology Reporting 7 ICT Risk Management Framework Biennial 31 January No 8 ICT Risk profile Upon Demand No 9 Review or audit report of the ICT risk management framework Upon Demand No 10 Summary of the findings of BCP testing activities Upon Demand No 11 Summary of the findings of digital operational resilience testing activities Upon Demand No Financial Reporting 12 Audited accounts Annual 30 September No Data Reporting 27 Participants Overview Annual 31 January Yes 28 Regulatory access status Annual 31 January Yes Staff Numbers & Other Indicators 29 Staff Numbers and Other Indicators Annual 31 January Yes

56 Ad-Hoc Reporting Requirements Applicable Calendar A and Calendar B Item Return Name Return Frequency Template Available Notification of Material Changes to Conditions of Registration 35 Key Staff As soon as possible Yes 35 Change to ownership structure As soon as possible Yes 35 Launch of new services (including ancillary or any other services) As soon as possible Yes 35 Change in the fee structure/ Pricing policy As soon as possible No 35 Establishment of subsidiaries and branches, reorganisation or restructuring of the SR activities or change to name, address, statutory documentation or legal status As soon as possible No 35 Material changes in the outsourcing arrangements relative to core SR functions As soon as possible No 35 Any other material changes to the conditions of registration As soon as possible No 36 Membership of the supervisory/administrative board As soon as possible Yes 40 Other Notifications – Non-Material Changes 37 IT and Information security incidents notifications As soon as possible Yes 38 Potential and actual cases of non-compliance with the relevant sectoral regulation As soon as possible Yes 39 Litigations As soon as possible No 40 Internal Complaints submitted to the Compliance Department As soon as possible Yes 49 Cessation of business As soon as possible Yes

57 5.10.5. TRs Scheduled Returns under Calendar A Return Name Return Frequency Reporting Deadline Template Available Applicable to Item Board Documents and Internal Governance 1 Board documents Quarterly 31 Jan, 30 April, 31 July, 31 Oct No EMIR and SFTR jointly 2 Organisational Charts Annual 31 January No EMIR and SFTR jointly 3 New and Potential Conflicts of Interest Annual 31 January No EMIR and SFTR jointly Internal Controls 4 Compliance Work Plan Annual 31 January No EMIR and SFTR separately 5 Internal Audit Work Plan Annual 31 January No EMIR and SFTR separately 6 Internal Control Monitoring Assessments Annual 31 January Yes EMIR and SFTR separately Information Technology Reporting 7 ICT Risk Management Framework Annual 31 January No EMIR and SFTR separately 8 ICT Risk profile Annual 31 January No EMIR and SFTR separately 9 Review or audit report of the ICT risk management framework Annual 31 January No EMIR and SFTR separately 10 Summary of the findings of BCP testing activities Annual 31 January No EMIR and SFTR separately 11 Summary of the findings of digital operational resilience testing activities Annual 31 January No EMIR and SFTR separately Financial Reporting 12 Audited accounts Annual 30 September No EMIR and SFTR jointly Data Reporting 30 Participants overview Semi-Annually31 January, 31 July Yes EMIR and SFTR separately 31 Regulatory access status Quarterly 31 Jan, 30 April, 31 July, 31 Oct Yes EMIR and SFTR separately 32 Data volume Quarterly 31 Jan, 30 April, 31 July, 31 Oct Yes EMIR and SFTR separately 33 Reconciliation statistics Monthly By the 15th of the following month Yes EMIR and SFTR separately Staff Numbers and Other Indicators 34 Staff Numbers and Other Indicators Annual 31 January Yes EMIR and SFTR separately

58 Scheduled Returns under Calendar B Return Name Return Frequency Reporting Deadline Template Available Applicable to Item Board Documents and Internal Governance 1 Board documents Annual 31 January No EMIR and SFTR jointly 2 Organisational Charts Annual 31 January No EMIR and SFTR jointly 3 New and Potential Conflicts of Interest Annual 31 January No EMIR and SFTR jointly Internal Controls 4 Compliance Work Plan Biennial 31 January No EMIR and SFTR separately 5 Internal Audit Work Plan Biennial 31 January No EMIR and SFTR separately 6 Internal Control Monitoring Assessments Biennial 31 January Yes EMIR and SFTR separately Information Technology Reporting 7 ICT Risk Management Framework Biennial 31 January No EMIR and SFTR separately 8 ICT Risk profile Upon Demand No EMIR and SFTR separately 9 Review or audit report of the ICT risk management framework Upon Demand No EMIR and SFTR separately 10 Summary of the findings of BCP testing activities Upon Demand No EMIR and SFTR separately 11 Summary of the findings of digital operational resilience testing activities Upon Demand No EMIR and SFTR separately Financial Reporting 12 Audited accounts Annual 30 September No EMIR and SFTR jointly Data Reporting 30 Participants Overview Annual 31 January Yes EMIR and SFTR separately 31 Regulatory access status Quarterly 31 Jan, 30 April, 31 July, 31 Oct Yes EMIR and SFTR separately 32 Data volume Quarterly 31 Jan, 30 April, 31 July, 31 Oct Yes EMIR and SFTR separately 33 Reconciliation statistics Monthly By the 15th of the following month Yes EMIR and SFTR separately Staff Numbers and Other Indicators 34 Staff Numbers and Other Indicators Annual 31 January Yes EMIR and SFTR separately

59 Ad-Hoc Reporting Requirements Applicable Calendar A and Calendar B Item Return Name Return Frequency Template Available Notification of Material Changes to Conditions of Registration 35 Key Staff As soon as possible Yes EMIR and SFTR separately 35 Change to ownership structure As soon as possible Yes EMIR and SFTR jointly 35 Establishment of subsidiaries and branches, reorganisation or restructuring of the TR activities or change to name, address, statutory documentation or legal status As soon as possible No EMIR and SFTR jointly 35 Copies of regulator templates As soon as possible No EMIR and SFTR separately 35 Copies of TR participant contract templates As soon as possible No EMIR and SFTR separately 35 Changes to the Internal Audit Charter and Methodology As soon as possible No EMIR and SFTR separately 35 Material changes in the outsourcing arrangements relative to core TR functions As soon as possible No EMIR and SFTR separately 35 Launch of new services (including ancillary or any other services) As soon as possible Yes EMIR and SFTR separately 35 Change in the fee structure/ Pricing policy As soon as possible No EMIR and SFTR separately 35 Quality Assurance of IA As soon as possible No EMIR and SFTR jointly 35 Any other material changes to the conditions of registration As soon as possible No EMIR and SFTR separately 36 Membership of the supervisory/administrative board As soon as possible Yes EMIR and SFTR jointly Other Notifications – Non-Material Changes 37 IT and Information security incidents notifications As soon as possible Yes EMIR and SFTR separately 38 Potential and actual cases of non-compliance with the relevant sectoral regulation As soon as possible Yes EMIR and SFTR separately 39 Litigations As soon as possible No EMIR and SFTR jointly 40 Internal Complaints submitted to the Compliance Department As soon as possible Yes EMIR and SFTR separately 50 Notification of a portability request As soon as possible Yes EMIR and SFTR separately 51 Cessation of business As soon as possible Yes EMIR and SFTR separately 5.11. Reporting Templates 78. The most recent version of reporting templates will be made available for download on ESMA’s website. The files include high level description of the fields as well as more detailed instructions in terms of expected content at field level. 79. ESMA may require reporting entities to transmit certain templates through different reporting channels, for example, through web-based applications managed by ESMA.