Digital Asset Service Providers Regulations

Non official translation. For reference only. THE NATIONAL COMMISSION OF DIGITAL ASSETS CONSIDERING:

1. That by means of Legislative Decree No. 643 dated January 11, 2023, published in the Official Gazette No. 653, Volume No. 438, dated January 24 of the same month and year, the Law of Issuance of Digital Assets of El Salvador was issued.;
2. That by means of Art. 6 of said Law, the National Commission of Digital Assets is created as an institution of public law with legal personality and its own assets, of a technical nature, with economic, financial and administrative autonomy, for the exercise of the attributions and duties stipulated in this Law and in the rest of the applicable common legislation.;
3. hat, according to Art. 9, letter o) of the Law on Issuance of Digital Assets, it is its attribution: to dictate norms and technical standards, as well as guides and instructions, applicable to this Law and its regulations.;
4. That for the application of the Law referred to in the preceding recital, it is indispensable to establish a regulatory norm that develops the necessary aspects of the Digital Asset Service Providers.;
5. This regulation addresses the applicable regulations to the rules governing the actions of digital asset service providers as determined by the El Salvador Digital Asset Issuance Law. Digital Asset Service Providers Regulations Purpose Art.1.- The purpose of these Regulations is to establish the obligations and standards to be met by Digital Asset Service Providers in the performance of their functions, as well as the requirements and process for their definitive registration in the respective registry. Scope of Application 1

Art.2.- This regulation is applicable to all Digital Asset Service Providers that develop one or more digital asset services in the Salvadoran territory, as established in the Law of Issuance of Digital Assets. Definiciones Art.3.- For the purposes of this Act, the following terms shall have the following definitions: a) Fortuitous event: This refers to an unavoidable natural event that may or may not be foreseen by the party obliged to perform a specific action, but which, even if foreseen, cannot be avoided, thus absolutely preventing it from performing what it must perform. The fortuitous event constitutes an insurmountable physical impossibility.; b) Cyber-threat: Refers to a circumstance or event that may or may not be intentional in nature and that has the potential to exploit one or more vulnerabilities of the Digital Asset Service Providers' infrastructures, resulting in a loss of confidentiality of customer information or relevant operations, integrity of stored information, or availability of services or communication between users or employees of the Digital Asset Service Providers.; c) Cyber-attack: Set of actions directed against information systems, such as databases or computer networks of the Digital Asset Service Providers, that cause loss of confidentiality of customer information or relevant operations, of integrity of stored information, or of the availability of services or communication between users or employees of the Digital Asset Service Providers; d) Ciberinteligence: It is the collection and analysis of information that would allow understanding and mitigating the impact of cyber threats.; e) Ciberresiliencia: The ability of a Digital Asset Service Provider's infrastructure to anticipate, absorb, adapt to, or recover quickly from a cyber threat.; f) Ciberseguridad: Refers to strategies, policies and standards aimed at reducing the threats and vulnerabilities of Digital Asset Service Provider infrastructures, as well as the ability to 2

deterrence, response and cyber threat resilience systems, and recovery of relevant data and information.; g) Conflict of Interest: A situation in which the judgment of an individual, concerning his primary responsibility, and the integrity of an action tend to be unduly influenced by an economic, labor, personal, professional or family interest, contrary to the obligations that correspond to him according to the functions he performs and generates an economic impact on the equity of the shareholders or the clients or users.; h) Customer Due Diligence or CDD|: Refers to processes and measures that are mandatory for all Digital Asset Service Providers, and whose purpose is to collect and evaluate relevant information about a customer as a user of the digital asset market in order to assess the risk profile of each customer; i) Operational Due Diligence: Refers to the processes and mandatory measures that Digital Asset Service Providers, in case they operate or manage digital platforms or wallets, must implement in their IT systems to allow transactions performed on such platforms or digital wallets to be executed in a fast, transparent and accurate manner; j) Risk Factors: Inherent risks of the product or service that increase the probability of loss or failure during operation; k) Force majeure: This refers to a foreseeable or unforeseeable but unavoidable act of man, which also absolutely prevents the performance of an obligation; l) Inside Information: Is any information that has not been made public, with regards to the digital assets managed, promoted or traded by the Digital Asset Service Providers and that, if made public, could have an appreciable influence on the prices of such digital assets. It also refers to any information relevant to the technical and financial functionality of the platform or digital wallet managed by the Digital Asset Service Providers, which may adversely affect the operation of such platforms or digital wallets; m) Governance Token: Refers to a digital asset that primarily has voting rights with respect to the modification of the protocols, rules and governance system of a platform or digital wallet that uses the Distributed Logging Technology system, or a similar or analogous technology, but does not limit other rights. 3

Digital Asset Services Art.4.- Digital Asset Service Providers may perform the following activities: a) Exchange digital assets for fiat money or equivalent or for other digital assets, either using their own capital or that of a third party; b) Operating a platform for exchange or trading of digital assets or derivative digital assets; c) Evaluating the risk and pricing, as well as underwriting the issuance of digital assets; d) Placing digital assets on digital platforms or wallets; e) Promote, structure and manage all types of investment products in digital assets, as well as loans, mutuals or any form of financing of digital assets; f) The following operations when performed on behalf of and in favor of third parties.:

1. Transferring digital assets or the means to access or control them, between natural or legal persons or between different acquirers, electronic wallets or digital asset accounts;
2. Safeguarding, custody or administration of digital assets or the means to access or control them;
3. Receiving and transmitting orders for the purchase or sale of digital assets or the trading of derivative digital assets;
4. Execute orders for the purchase or sale of derivative digital assets; Definitive Registry of Digital Asset Service Providers Art.5.- All Digital Asset Service Providers, including certifiers, are required to register in the Registry of Digital Asset Service Providers. The Registry of Digital Asset Service Providers, hereinafter referred to as the Registry, will be administered by the National Commission of Digital Assets (CNAD), whose information will be public, limited only by the measures issued by the CNAD for the protection and conservation of the information. 4

Sections of the Service Provider Registry Art.6.- The Registry will be divided into four sections: a) Of natural and legal persons with provisional or definitive authorization to be Digital Asset Service Providers; b) Of certifiers; c) Issuances of digital assets made in the platforms or digital wallets of the Digital Asset Service Providers; d) Of the stable currencies issued in public offerings or admitted to trading on the platforms or digital wallets of the Digital Asset Service Providers. Application for Registration in the Service Provider Registry Art.7 Those interested in registering as Digital Asset Service Providers shall fill out the application form by electronic or physical means made available by the CNAD for such purpose. In said application the services to which the company will be dedicated must be detailed, as well as providing the following information and documentation: a) individuals must submit a simple copy of Documento Único de Identidad or resident card; b) Legal entities must submit: i) Simple copy of testimony of public deed of incorporation of corporation or branch duly registered in the Registry of Commerce, with its corresponding modifications or transformations if any; ii) A simple copy of the credential of election of the Board of Directors or Sole Administrator, duly registered in the Commercial Registry, or of the general power of attorney, with powers to represent the company before public entities; iii) A simple copy of the Tax Identification Number Card. c) Indicate domicile, physical address, e-mail and telephone number to receive notifications; d) Company registration; 5

e) Provide a detailed description of its organizational structure, including, but not limited to names positions and specific functions, including its international organizational structure, if applicable; f) Provide details of its customer service system in a coherent and efficient manner, corresponding to the nature of the service it will provide; g) All relevant information and documentation to demonstrate that it has the capacity to offer the digital asset services indicated in the registration form; h) If planning to offer the services detailed below, provide a list of the digital assets you plan to sell or trade, including the benefits, restrictions, and limits of such digital assets, as well as any financial and commercial restrictions: i) Exchange digital assets for fiat money or equivalent or for other digital assets, whether using proprietary or third-party capital; ii) Operating a platform for the exchange or trading of digital assets or derivative digital assets; iii) Placing digital assets on digital platforms or wallets; iv) The following transactions when carried out on behalf of and in favor of third parties:

1. Transferring digital assets or the means to access or control them, between natural or legal persons or between different acquirers, electronic wallets or digital asset accounts;
2. Safeguard, custody or manage digital assets or the means to access or control them;
3. Receiving and transmitting orders for the purchase or sale of digital assets or the trading of derivative digital assets. i) In case of certifiers, they may only be legal entities, which, in addition to the information and documentation mentioned above, must present: i) Accreditation of being an entity that within its organization has at least five (5) years of experience in financial, tax, legal, administrative or related matters, which may be accredited in a personal capacity by the partners or shareholders that make up the entity, who must hold university degrees of higher education, so that the entity assumes the experience of its members. In addition, the certifier must present experience in technological issues related to Digital Assets. In this last point, the certifier may hire natural or legal persons to comply with this purpose; however, this does not transfer the responsibility of its certification; 6

ii) List of shareholders iii) Curricula vitae of the partners or shareholders, with their respective attachments and certifications of the titles accrediting them.. Reception, Prevention and Resolution Art.8.- The Registry will issue a certificate of receipt of the form with its attached documentation. The physical or electronic proof of receipt shall be issued in chronological order and shall contain at least the following: a) The correlative number, date and time of presentation of the document b) Object of the application for registration; c) Acknowledgement of receipt. CNAD will have up to twenty (20) working days from the receipt of the form and its attached documentation to issue a favorable or unfavorable resolution; or to warn the applicant, in case the application is incomplete, to add the missing information and documentation within ten (10) working days. The CNAD's resolution will consider the economic needs of the market and the applicant's reputation. The Registry may request additional necessary information from the applicant, which must be requested prior to the expiration of the term for issuing the resolution, and must specify the term granted for compliance with the delivery of the requested information and documentation. The applicant shall provide a response within the term granted. If no response is submitted or if the additional information requested is not provided, the Commission will issue an unfavorable resolution, and the service provider may resubmit its application for registration. If the resolution is favorable, the service provider will be requested to make the corresponding payment through the channels designated by the CNAD for such purpose. 7

Significant Changes in Information Art.9.- Any significant change in the information submitted as part of the application for registration must be immediately reported to the CNAD, provided that the CNAD has not issued its resolution, especially if the changes will affect the Service Provider's compliance with the obligations set forth in the Law on Issuance of Digital Assets or in these Regulations. For each relevant change notified to the CNAD in the registration application, the CNAD is granted five (5) additional working days to issue its resolution. Initial Registration Feel Art.10.-Applicants with a favorable resolution from the Registry must pay an initial registration fee equivalent to fifteen minimum monthly salaries of the commerce and services sector (equivalent to a total of US$ 5,475 as of the date of approval of these Regulations), within ten (10) business days from the notification of the favorable resolution. If payment is not received in due time and form, the Service Provider will not be considered registered and qualified. Assignment of Final Registration Number and Qualification of Exemption Art.11.- Once the payment of the corresponding initial registration fee has been verified, a definitive registration number will be assigned to the Service Provider. A service provider with a definitive registration number shall enjoy the benefits set forth in article thirty-six (36) of the Law on Issuance of Digital Assets as of the date of notification of the provisional registration number. The Registry shall forward within the following three (3) business days to the Ministry of Finance the favorable resolution of the Digital Asset Service Provider, which is duly registered. The General Directorate of Internal Taxes shall issue the tax and duty exemption qualification of such service providers in accordance with the provisions of the Law of Issuance of Digital Assets, which shall be notified in legal form to the beneficiary 8

Renewal Registration Fee Art.12.- Duly registered Service Providers must pay an annual renewal fee equivalent to ten minimum monthly salaries of the commerce and services sector during the first quarter of the calendar year (equivalent to a total of US$ 3,650 as of the date of approval of these Regulations), regardless of the date of initial registration. In case the payment is not verified during said period, the registration will be cancelled ex officio and the tax benefits granted in article thirty-six (36) of the Law of Issuance of Digital Assets will be automatically lost. Modification of the Service Providers and Certifiers Registry Art.13.- Service Providers may expand the services they offer to the public, for which they must submit an application for modification to the Registry, together with the documentation corresponding to the services they indicate in their application. In addition, they must also file a request for modification of the Registry when the following situations occur: a) They wish to reduce the services they provide; b) There is any substantial change in the information required for registration, such as change of corporate name, information related to security systems, organizational structure, domicile, among others. The Registry shall issue proof of receipt of the request for modification, and notify the Service Provider of the changes made to its registration within twenty (20) business days. Cancellation of Registration Art.14.- The registration in the Register of Suppliers or Certifiers shall be totally cancelled for the following reasons: a) By request of the Supplier or Certifier due to the definitive cessation of its activities; b) For lack of payment of the renewal registration fee; 9

c) By revocation issued by the CNAD by means of a reasoned resolution detailing the causes of the cancellation and identifying the specific non-compliances of the Provider or Certifier as a result of the corresponding administrative process, the foregoing as a result of an administrative sanctioning procedure that allows the service provider to present arguments and evidence of defense, prior to the final resolution that establishes the revocation of the cancellation. The Service Provider or Certifier whose registration is cancelled may reapply for registration by complying with the requirements established in the Law on Issuance of Digital Assets and these Regulations. Emissions Registration Art.15.- Service Providers shall submit a quarterly report to the CNAD, such report shall be confidential, within the first twenty (20) days of the months of April, July, October of the current year and January of the following year, on the Issuances of Digital Assets traded through their digital wallets or platforms. The report shall contain at least the following: a) Name of the Issuer; b) Name of the marketed digital asset; c) Name of the Project; d) Start date of commercialization; e) Technical and commercial characteristics of the digital assets; f) Evolution of the inherent risks of the product and its management since the last report submitted to the CNAD. The Register shall be updated according to the information provided by the Service Providers. Registry of Stable Currencies Art.16.- Service Providers shall submit a quarterly report, within the first twenty (20) days of the months of April, July, October of the current year, and January of the following year, on the stable currencies admitted to trading in their digital wallets or platforms. 10

The report shall contain at least the following: a) Name of the Issuer b) Name of the Stable Currency; c) Name of the Project; d) Start date of commercialization; e) Technical and commercial characteristics of said stable currency; f) Evolution of the inherent risks of the product and its management since the last report submitted to the CNAD. The Register shall be updated according to the information provided by the Service Providers. Bona Fides and Fairness in the Digital Asset Markets Art.17.- Digital Asset Service Providers must act impartially without putting their own interests before those of their clients, and in the best interest of their clients and the proper functioning of the digital assets they manage, market or promote. Therefore, they must comply with the following: a) They must not cause artificial evolutions of the quotations or prices of the digital assets admitted to trading on the platform or digital wallet they manage, whether for their own benefit or for the benefit of third parties; b) Ensure that sufficient funds are safeguarded in their balances to satisfy the withdrawal of funds for the users of their platforms; c) In cases in which the purchase or sale of digital assets is managed for its own account or for the account of third parties, the values or sale prices assigned to investors must be made respecting the principle of investor priority, under the first in time first in right rule, ensuring that no prejudice is caused to any particular investor; d) Refrain from carrying out transactions for the sole purpose of receiving commissions or multiplying them in an abusive manner and without benefit to the clients affected by such transactions; 11

d) Políticas de Trato Justo al Cliente; e) Shall contribute to transparency in the formation of market prices of digital assets, avoiding the disclosure to the public of false, inaccurate or biased information; f) hall collaborate with the control and surveillance functions of the National Commission of Digital Assets; g) In the event that the investments of the acquirer of digital assets have been directly advised by the Digital Asset Service Provider - and due to variations in market prices, new information, changes in estimates or market risks that affect the investment recommendation and vary to the detriment of the investor - shall communicate it to the investor and request instructions in this regard, in any case it is presumed that the Digital Asset Service Provider will act in the best interest of the investor and carry out the transaction at the best price possible. Standards of conduct Art.18.- Each Digital Asset Service Provider shall prepare a Code of Ethics within six (6) calendar months of its final registration in the Registry of Digital Asset Service Providers, which shall be made available to all its clients on its LRU site or attached to the corresponding offers. Such Code shall contain at least the following: a) General and Specific Principles that shall govern the conduct of all employees; b) Normas Éticas que deben regir el comportamiento de los empleados; c) Ethical standards that should govern the behavior of employees , e) Policies related to the prevention of money laundering, financing of terrorism and proliferation of weapons of destruction f) Non-Pecuniary Sanctioning Regime for employees. The Code of Ethics of each Digital Asset Service Provider shall be supervised and implemented and such aspects shall be communicated to the CNAD. 12

o r r a d a e n l a The National Commission of Digital Assets may require modifications to the Codes of Ethics and the way in which they are implemented and supervised. In addition, it shall hear complaints submitted to the Ethics Committee, including its decisions in this respect. Prevention of Money Laundering, Financing of Terrorism and the Proliferation of Weapons of Mass Destruction Art.19.- Digital Asset Service Providers shall maintain an anti-money laundering, counter-terrorist financing and weapons of mass destruction proliferation program that complies with the Anti-Money Laundering Act and international best practices articulated by the Financial Action Task Force (GAFI). Operational Due Diligence Art.20.- Each Digital Asset Service Provider, in case it operates platforms or digital wallets or analogous applications, shall have computer systems that perform the following: a) Fast, correct and accurate settlement of all transactions made on such platforms or digital wallets; b) Provide an Electronic Ledger that confirms and keeps an accurate, auditable and verifiable record of each transaction and that includes all the details of each transaction, such as the date, the type of transaction, the users that participated and the total amount of the transaction c) A permanent and effective monitoring system for all operations that allows the detection of errors and failures of any nature. Said system shall have the capacity to recover damaged information. d) Suspend and close the accounts of customers who have breached the terms and conditions for the use of the platform or digital wallet 13

Risk Factors Art.21.- Digital Asset Service Providers must adopt and update their policies and mechanisms for risk management, and must, among other actions, identify, evaluate, mitigate and disclose them in accordance with international best practices. Said policies must include the measures to be adopted to prevent possible non-compliance with regulatory requirements and those to be adopted in the event of having incurred in them, defining in both situations the parameters that will guide the action and those responsible for implementing them. Client Communication Art.22.- Any communication regarding digital assets that Digital Asset Service Providers that market, promote or manage must be available at all times at the LRU address on the responsible provider's website. Such information must be submitted in accordance with all of the requirements listed below: a) It shall be clear, transparent and easily accessible; b) The information presented shall not be misleading or biased c) In case information from a third party is cited, the source of the information shall be identified; d) Identification of the issuer of the digital asset, its LRU address and contact details; e) general explanation of each digital asset that must include its most relevant characteristics, such as its interchangeability with other digital assets, its current price, its price history during the last twelve months and its current trading volume in the platform or digital wallet. The updating of this information must be regular and reasonable according to the product; f) The manner in which digital assets may be sold and purchased on the platform or digital wallet managed or promoted by the digital asset service provider; 14

g) Fees applicable to the transaction; h) List and explanation of the other complementary products offered, such as custody, loans and forms of deposits. The updating of this information must be regular and reasonable according to the product. At all times, Digital Asset Service Providers shall have all relevant information regarding the services and digital assets they market or manage available at their LRU address. The updating of this information must be regular and reasonable in accordance with the product. Insider Trading Prohibitions Art.23.- No Digital Asset Service Provider may engage in insider trading of issuers, and therefore shall refrain from the following actions: a) Use insider information about digital assets to acquire such digital assets, or to transfer them, either directly or indirectly, for its own account or for the account of third parties; b) Recommending, on the basis of inside information, that another person acquire or dispose of those digital assets to which the inside information relates, or inducing that person to make such acquisition or disposal; Recommend, on the basis of such information, that another person cancel or modify an order relating to those digital assets to which the information relates, or induce such person to make such cancellation or modification. In the event that access to this privileged information of an issuer has materialized by accident, or any other circumstance and the executive or employee exposed to this information disclosed it to the Compliance Officer or the person in charge of seeing this type of conflict of interest, the service provider may carry out operations with the company in question provided that this executive or employee is prohibited from carrying out any type of operation with the exposed company and from sharing such information with any other executive or employee of the service provider. 15

Prohibition of Unlawful Communication of Inside Information. Art.24.- No Service Provider in possession of inside information shall communicate it to any other person, natural or legal, except when such communication is made in the normal course of his work, profession or duties. Cybersecurity Art.25.- Digital Asset Service Providers shall, at all times, establish procedures related to the following aspects of cybersecurity: a) Governance: They shall establish internal procedures to manage cyber risks. Such procedures must include internal cybersecurity assessments, as well as the performance of external audits, performed by unrelated and independent subjects, focusing specifically on the cyber resilience of the infrastructure. Additionally, one of the members of the Board of Directors or one of the managers of the service provider should be appointed as the person responsible for coordinating the cybersecurity plan. This person should have authority and independence in his or her management and, in addition, direct access to the Board of Directors or President of the service provider. The position that this person would occupy will be called the Information Security Officer b) Identificacion: They should place special emphasis on creating suitable mechanisms to safeguard information and identify potential weaknesses in their information systems. Cada Proveedor de Servicios de Activos Digitales deberá detectar aquellos Each Digital Asset Service Provider shall identify those critical processes and operations of its infrastructure that should be protected as a priority against cyber threats in order to prioritize the use of resources. The processes and operations to be included, as a minimum, shall be the following:Sistemas de gestión y ejecución de órdenes de compra y venta o transferencia de cualquier naturaleza de activos digitales; i) Infrastructure risk management systems; ii) Custody and Supervision Systems for digital assets or fiat money; iii) Information Dissemination Systems 16

iv) Systems for safeguarding non-public information of acquirers. c) Protection. The infrastructures of the Digital Asset Service Providers must implement control mechanisms and measures. The measures may be organizational, such as the creation of operation security centers, or technical, such as antivirus and intrusion prevention systems. Such mechanisms shall include, as a minimum, the following: i) Protection of acquirers' information: Special emphasis should be placed on safeguarding the information of all persons, natural and legal, who have transferred, sold or purchased digital assets through the Service Provider; ii) Interconnections: Protective measures should be put in place to mitigate the risks of interconnections with other computer systems, platforms or digital wallets; iii) Internal threats: Digital Asset Service Providers should make their best efforts to detect anomalous behavior of their employees and establish access controls for all authorized personnel. iv) Training: All employees should be trained in cybersecurity issues, but particularly personnel who have access to restricted systems and processes. d) Detection. The computer systems of the Digital Asset Service Providers shall have the capacity to recognize potential incidents or, failing that, to detect that a breach of security has been committed in the systems. Such computer systems shall perform at least the following: i) Continuous monitoring in real time or with the lowest possible latency in order to detect anomalous activities; ii) Monitoring of a wide range of external and internal factors that may represent a risk, such as unauthorized or suspicious access attempts; iii) Multi-level security and access controls for all employees. iv) Response and Recovery IT systems must have the infrastructure to continue essential functions, restore critical systems after a cyber-attack and reduce the systemic risk that would result from a business interruption. The infrastructure shall have the capacity required by the response and recovery policy. This policy shall detail at least the following: 17

v) Response plan. A plan should be in place to determine the damage of a potential cybersecurity attack, the scope of the attack, and appropriate containment measures; vi) Resumption of activity within six hours. The computer systems must have the capacity to resume critical processes and operations within six (6) hours after the attack and complete the settlement of any unfinished transactions within twenty-four (24) hours after the attack. In case the transactions that took place during the cyber￾attack could not be settled according to the market conditions at that time, the Digital Asset Service Provider shall give a special bonus to the affected acquirers; vii) Contingency plan. In the event that it is not possible to resume critical operations within a six-hour period, an alternative plan must be in place to ensure the resumption of operations within a reasonable period of time or the orderly cessation of operations; viii) Planning and preparedness. The infrastructure must have an attack response and recovery plan prepared and regularly tested. Tests and Simulations Art.26.- Digital Asset Service Providers must perform periodic and rigorous testing of the security levels of their IT systems in order to verify their effectiveness and identify flaws and weaknesses, duly supervised by the external cybersecurity auditor. Cybersecurity testing should include at least the following three scenarios: a) Scenario 1: Breach of Confidentiality This scenario must contemplate the theft or attempted theft of customer information and relevant operations; b) Scenario 2: Availability Breach 18

This scenario must assume that the infrastructure services are not available or that communication between users or employees of the service provider and the infrastructure is achieved only to an extremely limited extent; c) Scenario 3: Integrity Breakdown This scenario assumes that critical infrastructure services are under attack and that it is extremely difficult to guarantee the integrity of stored information. Each of the security tests in the different scenarios must incorporate, at least, the following: i) Vulnerability assessment, including solutions to detected flaws; ii) Scenario-based tests, in which response, resolution and recovery plans are evaluated, and extreme but possible scenarios are considered. These tests should use models that contemplate possible threats and attacks; iii) Invasion or intrusion testing. Digital Asset Service Providers shall design reaction and contingency plans for each of these scenarios. Transactions in Digital Assets Art.27.- The purchase and sale or transfer operations of digital assets may only be carried out on the digital platform that the Digital Asset Service Provider has submitted for approval of the CNAD in its registry and may be carried out in cash, forward, or optional purchase and sale. Likewise, the CNAD may approve any other type of transactions. Cash Transactions Art.28.- Cash transactions are those that must be settled within the time agreed between the acquirer and the service provider or at the latest within twenty-four (24) hours from the closing of the transaction. In order to carry out such transactions, investors must comply with all relevant obligations at least one day prior to the settlement of the transaction. Within the spot transactions, there are the so-called "Today's Transactions", which are settled on the same day on which they were arranged, no later than midnight of said day.

19

Term Transactions Art.29.- Transactions shall be forward transactions when the delivery of the fiat money or of the digital assets must be made some time after they have been concluded. The term for delivery or payment of the digital assets traded may not be less than one (1) business day nor more than one (1) year. Optional Purchase or Sale Transactions Art.30.- Operations shall be optional for purchase or sale when the purchaser or the seller, or both parties reserve the right to rescind the contract and not to carry out the operation within the agreed term, which may not exceed one calendar year. The optional operations may include a premium, which must be previously fixed. Premium is the amount of money that the beneficiary of the option must pay to whom it has been granted, in order to have the right to abandon the operation in the term between the date on which it was made and the date on which it should be settled. In this type of transaction, the Digital Asset Service Provider that trades it must establish the rules for its negotiation. These rules shall include the procedures for setting premiums and guarantees to the buyers and sellers of the optional operations. Settlement of Transactions Art.31.- Digital Asset Service Providers shall establish settlement and clearing procedures for all transactions carried out. The settlement, delivery and receipt of digital assets and fiat money of transactions carried out in a digital wallet or platform of a Digital Asset Service Provider is mandatory for such Provider, which shall be carried out, as established in these regulations and other provisions issued by the CNAD. 20

Foreclosures Art.32.- In the event that a seizure is decreed on digital assets or fiat money registered in a digital wallet or platform, the competent court shall notify the Service Provider that manages or owns such digital wallet or platform, as well as the CNAD, immediately. In such situation, the Service Provider shall freeze and suspend any transaction on the seized digital assets or fiat money, as of the legal notification of the seizure issued by the competent court or tribunal. The CNAD will audit the actions taken by the Digital Asset Service Provider regarding the suspension of transactions with the seized digital assets or trust money. Arbitrage Art.33.- Parties involved in digital asset transactions carried out in a digital wallet or platform managed or owned by a Digital Asset Service Provider may submit their disputes to the decision of an arbitration venue to be determined by the parties involved in the transaction. The parties shall communicate and update CNAD on a monthly basis on the initiation, processing and completion of the arbitration process. If for any reason, the parties do not expressly submit to arbitration or have not expressly submitted to the jurisdiction of the courts or tribunals of any country, it shall be understood that they have submitted to the jurisdiction of the courts of the Republic of El Salvador. Protection of Acquirers' Assets Art.34.- The Digital Asset Service Providers shall have timely mechanisms to safeguard the personal information provided by the acquirers, clients and users, keeping it confidential at all times and being directly responsible for its safeguarding. In case of any leakage of such information, the responsibility will be of the Digital Asset Service Providers who will have to pay an economic compensation to their clients as well as the payment of the corresponding fine. 21

Investments Art.35.- Regarding the investments made through the Digital Assets Service Providers, the latter shall be responsible for guaranteeing the investment within the term and conditions contracted, in the event of an act of God or force majeure, the Service Providers shall be obliged to terminate the operation and credit the client's wallet within forty-eight (48) hours the funds delivered for the realization of the investment. Termination of Activities Art.36.- This regulation contemplates two types of cessation of activities by the Digital Asset Service Providers: a) Temporary Termination; b) Definitive Termination Notifications Art. 37.- Service Providers must notify the Commission, immediately, if they have a warning or have had information that reasonably suggests the possible occurrence or future occurrence of the following situations: (i) The Service Provider failing to satisfy one or more of the reserves that may be required, according to its operation, (ii) Any matter that may have a significant negative impact on the reputation of the service provider: (iii) Any matter that may affect the ability of the service provider in its ability to continue to adequately project services to its customers and that may result in serious detriment to the service provider's customers; (iv) Any matter related to the service provider that may result in a serious financial consequence to the financial system of El Salvador or other service providers. 22

Procedure for Request for Termination of Activities Art. 38.- The Digital Asset Service Provider shall file a request for temporary or definitive termination with the CNAD, by physical or electronic means, which shall contain the following: a) State its intention to cease operations, detailing whether it will be temporary or definitive, and a statement of reasons on which its decision is based, such as: business decision or fortuitous event or force majeure; b) In the case of temporary cessation, an action plan must be submitted, including the date of cessation and resumption of activities, and identifying the procedures for the safekeeping of the digital assets and fiduciary money that the service provider manages and the return of such digital assets and fiduciary money to their owners, if requested by them; c) in the case of definitive termination, it shall indicate the date of termination of activities, and submit a plan for liquidation of the assets and employees, as well as establish the procedure for returning the digital assets and fiduciary money to their owners. Once the request has been submitted, the CNAD will have a term of five (5) business days to authorize or deny the termination, whether temporary or definitive, and will notify its resolution to the respective Service Provider. In case the required information and documentation is not complete, the National Commission of Digital Assets will warn and establish a maximum term of ten (10) business days for the Service Provider to submit the missing information and documentation, and then issue its pronouncement within the term established in the previous paragraph. In case the information and documentation is not completed, the request for temporary or definitive termination shall be denied, and the Service Provider shall be entitled to submit it again. In case of definitive termination, the NADC will grant a prudential term, which may not be less than twenty (20) business days, as indicated in its request, to execute its liquidation plan, comply with any pending obligations, and close the operation in the country. Once the term established by the CNAD has expired, the CNAD will order the cancellation of the Service Provider's ex officio registration in the Registry and consequently, all rights related to such registration. 23

In case of temporary cessation, the date of cessation will be the date indicated by the Provider in the application, and it will be the obligation of the same to reestablish its operation within a maximum period of twenty (20) working days as of that date. Suspension of activities ex officious Art. 39.- The CNAD, upon suspicion or complaint of non-compliance with the obligations of a Digital Asset Service Provider, shall initiate an investigation to decide whether suspension is warranted; if responsibility is determined, the activity of the service provider shall be suspended, unless doing so may affect the interests of the users. The CNAD will warn the Provider of the initiation of the investigation, and if sufficient evidence or proof is gathered to justify the decision, the suspension will proceed. In accordance with the foregoing, the CNAD will immediately initiate an exhaustive audit process of the activities of the Digital Asset Service Provider, and must issue a resolution within the suspension period. If as a result of such audit it is concluded that there is non-compliance with the obligations, the corresponding sanction will be determined and the implementation of the improvement plan of the Service Provider will be ordered. In case it is concluded that there was no non-compliance, the CNAD will cancel the provisional measure, if any, and the Service Provider will exercise all its rights. Information Requirements from Public Authorities Art. 40.- The National Commission on Digital Assets, in its powers of surveillance, inspection and control of the activities of the Digital Asset Service Providers, and with the objective of ensuring effective compliance with the obligations of the same, may require any relevant information it deems necessary from the public officials or employees who exercise any regulatory function over said Providers.. 24

For such purposes it may require the following: a) Specific information on operations and subjects related to digital asset operations; b) Specific documents on commercial, technological, legal and operational aspects of the Digital Asset Service Providers; or c) Attend meetings with any competent authority to provide information related to Digital Asset Service Providers. Obligation to Provide Information Art. 41.- The Digital Asset Service Providers are under the obligation to provide information, records, notices, data, explanations and complete extensions that may be required by the CNAD, or by any other public authority, in and for the exercise of its powers. In particular, the CNAD may require information related to public offerings of digital assets, stable currencies that are admitted or traded in digital wallets or platforms, digital asset services, and users of digital platforms or applications, as applicable. Justified Cause in Incomplete Information Art. 42.- The Digital Asset Service Providers may at no time provide incomplete reports, including data related to the public offerings of digital assets, without just cause, whether due to an act of God or force majeure; for which purpose it shall respond to the requirements with proof of the justification of the impediment to provide what is requested. Minimum Time Limit for Providing Information Art. 43.- The CNAD or any other competent authority shall grant a term of no less than ten (10) working days for the delivery of the information, proofs, notices, data, explanations and complete extensions that may be required from the Service Providers. 25

Extension of Time Limits Art. 44.- The CNAD or any other competent authority may agree, ex officio or at the request of the interested party, to extend the time periods established in the Law or those granted for the response to the information requests, which must be justified and may not exceed half of the established time, provided that the circumstances so require and that this does not prejudice the rights of third parties or the public interest. Notifications by Technical Means Art. 45.- When a decision is notified by technical means, a record shall be made in the process of the referral made. In this case, the notification shall be deemed to have been made twenty-four (24) hours after the sending thereof, provided that there is evidence of having been sent by e-mail that has been indicated to the CNAD. The evidence of receipt in the case of electronic notification will be generated in an automated manner by the system for sending notifications, once the notification sent enters the mailbox provided by the Service Provider in its registration application; for which an electronic notification form will be generated detailing the dates and times of sending and receipt, among other data. Financial System Entities Art. 46.- The entities supervised by the Superintendencia del Sistema Financiero can request their registry as Digital Assets Service Providers as long as they fullfill all requirements according to the Law for the Issuance of Digital Assets and its regulation. 26

Effectiveness Art. 48.- The present decree shall enter into effect eight (8) days after its publication on the Commission's web page. These regulations were approved by the National Commission of Digital Assets through its Board of Directors, in Session No. CNAD-035-2023, dated August tenth, two thousand twenty-three and published in its web page on August eleventh, two thousand twenty-three. 27