Access to European Union law
<a href="https://eur-lex.europa.eu/content/help/eurlex-content/experimental-features.html" target="_blank">More about the experimental features corner</a>
Choose the experimental features you want to try
EUR-Lex
Access to European Union law

This document is an excerpt from the EUR-Lex website

You are here
Use quotation marks to search for an "exact phrase". Append an asterisk (*) to a search term to find variations of it (transp*, 32019R*). Use a question mark (?) instead of a single character in your search term to find variations of it (ca?e finds case, cane, care).
Search tips
Need more search options? Use the Advanced search

Document 32025R1125

Commission Delegated Regulation (EU) 2025/1125 of 5 June 2025 supplementing Regulation (EU) 2023/1114 of the European Parliament and of the Council with regard to regulatory technical standards specifying the information in an application for authorisation to offer asset-referenced tokens to the public or to seek their admission to trading

C/2025/3221

OJ L, 2025/1125, 15.9.2025, ELI: http://data.europa.eu/eli/reg_del/2025/1125/oj (BG, ES, CS, DA, DE, ET, EL, EN, FR, GA, HR, IT, LV, LT, HU, MT, NL, PL, PT, RO, SK, SL, FI, SV)

Legal status of the document In force

ELI: http://data.europa.eu/eli/reg_del/2025/1125/oj

European flag

Official Journal
of the European Union

EN

L series

2025/1125

15.9.2025

COMMISSION DELEGATED REGULATION (EU) 2025/1125

of 5 June 2025

supplementing Regulation (EU) 2023/1114 of the European Parliament and of the Council with regard to regulatory technical standards specifying the information in an application for authorisation to offer asset-referenced tokens to the public or to seek their admission to trading

(Text with EEA relevance)

THE EUROPEAN COMMISSION,

Having regard to the Treaty on the Functioning of the European Union,

Having regard to Regulation (EU) 2023/1114 of the European Parliament and of the Council of 31 May 2023 on markets in crypto-assets, and amending Regulations (EU) No 1093/2010 and (EU) No 1095/2010 and Directives 2013/36/EU and (EU) 2019/1937 (1), and in particular Article 18(6), third subparagraph thereof,

Whereas:

(1)

To enable competent authorities to assess whether legal persons or other undertakings that intend to offer to the public or seek the admission to trading of asset-referenced tokens (‘applicant issuers’) meet the requirements laid down in Title III of Regulation (EU) 2023/1114 and do not fall in any of the grounds justifying the refusal of authorisation, the information to be provided in an application for authorisation to offer to the public or to seek admission to trading of an asset-referenced token submitted in accordance with Article 18(1) of that Regulation should be sufficiently detailed and comprehensive.

(2)

The applicant issuer should submit information that is true, accurate, complete and up-to-date. For that purpose, the applicant issuer should inform the competent authorities of any changes or updates, occurring after the submission of the application, and before the public offer or admission to trading of the asset-referenced token, that relate to the information provided in the application, and that could be relevant for the assessment of the application. Competent authorities should also be able to enquire whether any changes or updates have occurred before the public offer or admission to trading of the asset-referenced token.

(3)

The application for authorisation should contain information on the applicant issuer, including the identity thereof and information on the suitability of the members of the management body and the sufficiently good repute of the shareholders or members, whether direct or indirect, with qualifying holdings.

(4)

The information contained in the application for authorisation would include personal data. In compliance with the principle of data minimisation, enshrined in Article 5(1), point (c), of Regulation (EU) 2016/679 of the European Parliament and of the Council (2), only the personal data necessary to enable the competent authority to carry out a comprehensive assessment of the applicant issuer, the assessment of the members of its management body, its ability to comply with the prudential requirements of Regulation (EU) 2023/1114, and that the applicant issuer does not fall into any ground of refusal of the authorisation set out in Article 21(2), points (a) to (e), of Regulation (EU) 2023/1114 should be requested.

(5)

To provide competent authorities with a comprehensive overview of the applicant issuers’ current and planned operations and related organisation, the applicant issuers should include in their application for authorisation a programme of operations.

(6)

Issuers of an asset-referenced token that are not crypto-asset service providers or other obliged entities are not subject to Directive (EU) 2015/849 of the European Parliament and of the Council (3) or to Regulation (EU) 2023/1113 of the European Parliament and of the Council (4). However, it is crucial that the applicant issuer’s business model is structured in a manner that does not expose the applicant issuer or the financial sector to risks of money laundering and terrorist financing, since that constitutes a ground of refusal of the authorisation. Accordingly, the applicant issuer should provide an overall risk assessment containing adequate information to enable the competent authority’s assessment of the applicant issuer’s business model’s exposure and sensitivity in relation to money laundering and terrorist financing risks. The overall risk assessment should include information on the mechanisms and arrangements related to the issuance, redemption and distribution of an asset-referenced token and the envisaged involvement of crypto-asset service providers in such mechanisms. Where the applicant issuer’s business model would involve arrangements with crypto-asset service providers, the application for authorisation should include a forward-looking description prepared by such crypto-asset service provider of their internal controls and continuous compliance with the relevant anti-money laundering and counter terrorism financing Union rules.

(7)

Effective internal control frameworks, including risk management and information and information and communication technology (ICT) systems and risk management are crucial to the sound and prudent management of the activities of the applicant issuer and of the reserve assets to prevent, monitor and mitigate operational and other types of risks. Applicant issuers should therefore provide adequate documentation on their internal control framework and ICT risk management framework demonstrating that they comply with Regulation (EU) 2022/2554 of the European Parliament and of the Council (5).

(8)

Reserves of assets are crucial to ensure the effectiveness of the stabilisation mechanism underpinning the asset-referenced token and the redemption rights of token holders at all times including in case of stress. Together with the application for authorisation, applicant issuers should therefore submit clear and detailed policies on the composition, constitution, segregation, custody and investment management of such reserves of assets.

(9)

Applicant issuers should provide the competent authority with all necessary and sufficient information enabling the competent authority to carry out a comprehensive assessment of the members of the management body with a view to ensure that they meet the suitability requirements and do not fall in any of the grounds of refusal of the authorisation set out in Article 21(2), points (a) and (b), of Regulation (EU) 2023/1114. For that purpose, the application for authorisation should contain the information relevant to the assessment of reputation including sufficient information that allows to verify that the members of the management body have not been convicted of offences relating to money laundering or terrorist financing or of any other offences that would affect their good repute, to assess their professional experience, knowledge and skills in the areas relevant to financial services, crypto-assets, other digital assets, distributed ledger technology (DLT), digital innovation, information technology (IT), cybersecurity or management and information enable to assess the adequacy of their time commitment. To ensure coherence and coordination among different financial supervisors’ decisions that information should also include any prior assessments provided by competent authorities.

(10)

In respect of shareholders and members directly or indirectly holding qualifying holdings in the applicant issuer, the application for authorisation should contain all information enabling the competent authority to carry out a comprehensive assessment of the sufficiently good repute of such shareholders or members and that they do not fall within the ground of refusal of the authorisation set out in Article 21(2), point (c), of Regulation (EU) 2023/1114. For that purpose, the application for authorisation should contain the information necessary and sufficient enabling competent authorities to verify that those shareholders or members have not been convicted of offences relating to money laundering or terrorist financing or of any other offences that would affect their good repute and to establish the certainty and legitimate origin of the funds or other assets used to set-up the applicant issuer and finance the business of that applicant issuer.

(11)

This Regulation is based on the draft regulatory technical standards submitted to the Commission by the European Banking Authority, developed in close cooperation with the European Securities and Market Authority and with the European Central Bank.

(12)

The European Banking Authority has conducted open public consultations on the draft regulatory technical standards on which this Regulation is based, analysed the potential related costs and benefits and requested the advice of the Banking Stakeholder Group established in accordance with Article 37 of Regulation (EU) No 1093/2010 of the European Parliament and of the Council (6).

(13)

The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 of the European Parliament and of the Council (7) and delivered an opinion on 17 July 2024,

HAS ADOPTED THIS REGULATION:

Article 1

Information about the identity of the applicant issuer

For the purposes of Article 18(2), points (a), (b) and (c), of Regulation (EU) 2023/1114, an application for authorisation shall contain all of the following information about the identity of the applicant issuer:

(a)

the applicant issuer’s current full legal name, trading name, logo, website addresses of all communication and marketing channels, including social media accounts and, where applicable, any intended changes to those names, accounts or addresses;

(b)

the applicant issuer’s validated, issued and duly renewed ISO 17442 legal entity identifier released in accordance with the terms of any of the accredited Local Operating Units of the Global Legal Entity Identifier System;

(c)

the applicant issuer’s legal form;

(d)

the date and Member State of the applicant issuer’s incorporation or formation;

(e)

the Member State and addresses of the applicant issuer’s registered office and, where different, of its head office, and of its principal place of business;

(f)

where the applicant issuer is registered in a central register, commercial register, companies register or similar public register different from the register referred to in the second subparagraph, the name of that register and the registration number of the applicant issuer or an equivalent means of identification in that register and a copy of the registration certificate;

(g)

the applicant issuer’s instruments of constitution or statute, and the articles of association;

(h)

where the applicant issuer is an undertaking that is not a legal person, a documentation assessing that the level of protection of third party interests, including the rights of the holders of an asset-referenced token, is equivalent to that afforded by legal persons and that the applicant issuer is subject to equivalent prudential supervision appropriate to its legal form;

(i)

the date of the accounting year end for the applicant issuer;

(j)

the full name and contact details, including the phone number and email address, of the person within the applicant issuer to contact regarding the application for authorisation;

(k)

the full name and contact details, including the phone number and email address, of the principal professional adviser, if any, used to prepare the application for authorisation.

For the purposes of points (c) to (g), as regards legal persons under the scope of Directive (EU) 2017/1132 of the European Parliament and of the Council (8), the information referred to in those points shall match the information contained in the national business register referred to in Article 16 of that Directive.

Article 2

Programme of operations: information on the business model, strategy and risk profile

1.   For the purposes of Article 18(2), point (d), of Regulation (EU) 2023/1114, the application for authorisation shall contain a programme of operations setting out the applicant issuer’s business model, strategy and risk assessment for three years following the granting of the authorisation.

2.   In accordance with Article 19 of Regulation (EU) 2023/1114, the programme of operations referred to in paragraph 1 shall include all of the following:

(a)

information on the applicant issuer’s business activities, including:

(i)

main features of the asset-referenced token for which the authorisation is sought, including all of the following:

(1)

the name and type of asset-referenced token that the applicant issuer intends to issue and for which authorisation to offer to the public or to seek admission to trading is sought;

(2)

specification as to whether the authorisation is sought for an offer to the public or an admission to trading of such asset-referenced token;

(3)

description of the mechanism through which the asset-referenced token is issued, including the smart contracts together with an explanatory document on their functioning, the method of payment to buy the asset-referenced token, and the distribution channels, in particular the crypto-asset service providers executing selling orders or crypto-asset exchange platforms;

(4)

where an agreement by the applicant issuer is entered into for the distribution of the asset-referenced token, the name and contact details of the distributors and description of the roles, responsibilities, rights and obligations of both the issuer of the asset-referenced token and the distributors, including the law applicable to the agreement;

(5)

description of the mechanism through which the asset-referenced token is redeemed, including, where applicable, the indication whether crypto-asset service providers will be involved in the execution of the redemption;

(6)

the protocol or consensus mechanism used for validating transactions, including the description of the settlement finality features;

(7)

the single or the multiple distributed ledger technology (DLT) where the asset-referenced token is issued and the interoperability bridges between such different DTLs that are available at the time of the application for authorisation, as indicated in the white paper;

(ii)

any already existing, outstanding asset-referenced token, e-money token, crypto-assets or other digital assets issued by the applicant issuer, with the indication of the related outstanding amounts, the networks and markets where those are distributed and traded, the amount, composition, custody arrangements and custodians of the related reserve of assets, or safeguarding requirements for e-money tokens, as applicable;

(iii)

any other financial and non-financial activity that is carried out by the applicant issuer and that the applicant issuer intends to continue to carry out in case the authorisation is granted, and the interaction among such activities, if any;

(iv)

where the applicant issuer belongs to a group, an overview of the organisation and structure of that group, describing the activities of the entities in the group and indicating the parent undertakings, financial holding companies as defined in Article 4(1), point (20), of Regulation (EU) No 575/2013 of the European Parliament and of the Council (9), mixed financial holding companies as defined in Article 4(1), point (21), of that Regulation, and investment holding companies as defined in Article 4(1), point (20a), of that Regulation, within the group, as well as any authorisation, registration or other licences granted by a competent authority in the financial sector held by any such group entity or by the applicant issuer;

(b)

description of the business environment where the applicant issuer will operate, focusing on the crypto-asset and payment sectors, including:

(i)

the main existing market players and principal peers;

(ii)

the likely development of the business environment and any related potential risks;

(iii)

an analysis of the applicant issuer’s competitive position in the market;

(c)

description of the applicant issuer’s overall business strategy and, where the applicant issuer belongs to a group, the overall group strategy, including:

(i)

explanation of the strategic goals;

(ii)

indication of the key business drivers;

(iii)

indication of any identified competitive advantage, including any prior experience in the digital sector, size and scalability of the business, DLT specificities, including permissioned or permissionless access to the blockchain network granted by the network owner or governing arrangements, related validation protocols and consensus mechanisms or the planned number of transactions per second;

(iv)

description of the target customers, including retail, corporate, institutional, small and medium enterprises, public entities, of the target markets and geographical distribution, including the list of host Member States as referred to in Article 18(2), point (r), of Regulation (EU) 2023/1114;

(v)

a risk assessment covering the actual or potential risks that the planned business may be exposed to, including:

(1)

business risk factors, such as failure to reach the minimum target subscription goal of the asset-referenced token issuance, where provided;

(2)

operational risk, fraud, ICT and cyber-security risks;

(3)

financial risks including liquidity risk, market and credit risk;

(4)

risks related to the significant third-party providers;

(5)

inherent and residual risks of money laundering and terrorist financing, also having regard to the mechanisms and arrangements relating to the issuance, redemption and distribution of the asset-referenced token;

(vi)

matrix resulting from the interaction of the strengths, weaknesses, opportunities and threats of the business strategy.

For the purposes of point (a)(i)(4), where, upon being granted authorisation, the applicant issuer intends to appoint by consent and in writing other entities to carry out the offer to the public or the admission to trading of the asset-referenced token, the application for authorisation shall include policies and procedures clarifying, inter alia, that the responsibility for the compliance with Title III of Regulation (EU) 2023/1114 will remain with the issuer of an asset-referenced token that has been granted authorisation and that such other entities will be subject to the conduct and marketing requirements laid down in Article 16(1), second subparagraph, of that Regulation.

Article 3

Programme of operations: financial information on the business plan

1.   The application for authorisation shall contain a business plan explaining the initial viability and the ongoing sustainability of the applicant issuer’s business model and the applicant issuer’s capability to comply with the prudential requirements set out in Regulation (EU) 2023/1114 for at least, a period of three years from the grant of authorisation on a baseline and on a stress scenario.

2.   The stress scenario referred to in paragraph 1 shall rely on severe but plausible stress situations, designed on the basis of Commission Delegated Regulation (EU) 2025/415 (10). For an application for authorisation relating to the offer to the public or admission to trading of an asset-referenced token for which voluntary classification as significant asset-referenced token is requested as referred to in paragraph 4 of this Article, the stress scenario shall pay particular attention to liquidity stress situations.

3.   Any business plan assumptions shall be credible and realistic and rely on official macroeconomic forecasts elaborated by a Union or public national institution.

4.   Where the application for authorisation relates to the offer to the public or admission to trading of an asset-referenced token for which voluntary classification as significant asset-referenced token is requested, the business plan shall clearly demonstrate that the proposed issuance meets the requirements set out in Article 44 of Regulation (EU) 2023/1114 and shall adequately reflect the applicant issuer’s higher complexity and risk profile.

5.   The business plan shall contain the forecast financial information on the applicant issuer at individual level and, where applicable, at consolidated level, supporting the explanation of the business profitability and its credibility, including:

(a)

forecast accounting plans for the three years following the granting of authorisation, including:

(i)

forecast balance sheets;

(ii)

forecast profit and loss accounts or income statements, detailing the envisaged sources of revenues (including fees or revaluation of reserve of assets), fixed and variable costs (notably labour, administrative, DLT, ICT, custody and management of reserve of assets or third-party arrangements);

(iii)

forecast cash flow statements, where applicable;

(iv)

forecast growth rates with an explanation of the associated risk assumptions, including the applicant issuer’s risk management capabilities;

(b)

an explanation linking the elements of the programme of operations set out in Article 3(2) with the forecasts referred to in point (a) of this paragraph;

(c)

planning assumptions for the forecasts referred to in point (a), including the expected number of token holders, the expected number and value of transactions per day and the expected average number and average aggregate value of transactions per day for the business plan time horizon, profitability drivers, and explanations of the quantitative information set out in that business plan;

(d)

calculations of the applicant issuer’s own funds requirements pursuant to Article 35(1) of Regulation (EU) 2023/1114 covering the three-year business plan time horizon;

(e)

supporting evidence (including audited financial statement, or extract from the companies register) of the issued capital, paid-up capital and capital which has not yet been paid-up, including:

(i)

for capital corresponding to the calculated own funds which has not yet been paid up, evidence of the deposit of such amount in escrow account with a credit institution;

(ii)

information on the legitimate origin of the funds used or to be used to pay up the capital, set out in Article 8 of Commission Delegated Regulation (EU) 2025/413 (11);

(f)

forecast calculations of the amount and composition of the reserve of assets and their adequacy to ensure the permanent exercise of the redemption rights throughout the business plan time horizon.

6.   The programme of operations shall also contain the applicant issuer’s past financial information, including:

(a)

statutory financial statements of the applicant issuer, at individual level and, where applicable, at consolidated and sub-consolidated level, approved by the statutory auditor, where applicable, or external audit firm, covering at least the last three financial years preceding the application for authorisation, including:

(i)

the balance sheet at individual and consolidated or sub-consolidated level where applicable;

(ii)

the profit and loss accounts or income statements at individual, consolidated and sub-consolidated level where applicable;

(iii)

cash flows statement at individual, consolidated and sub-consolidated level where applicable;

(b)

an outline of any indebtedness incurred or expected to be incurred by the applicant issuer prior to the offer to the public or the admission to trading of the asset-referenced token, including, where applicable, the name of the lenders, the maturities and terms of such indebtedness, the use of the proceeds and, where the lender is not a supervised financial institution, information on the origin of the funds borrowed or expected to be borrowed;

(c)

an outline of any security interests, guarantees or indemnities granted or expected to be granted by the applicant issuer prior to the offer to the public or the admission to trading of the asset-referenced tokens;

(d)

where available, information about the credit rating of the applicant issuer and, where applicable, the overall rating of any group it be a part of;

(e)

where the applicant issuer has been set-up for less than three years, for the years not covered by financial statements, an updated summary dated as close as possible to the date of application for authorisation, of the applicant issuer’s financial situation and for the shareholders or members with qualifying holdings the financial statements of the previous three years in case of legal persons or their tax declaration in case of natural persons.

Article 4

Information about the internal governance arrangements and the structural organisation

1.   For the purposes of Article 18(2), point (f), of Regulation (EU) 2023/1114, the application for authorisation shall contain clear and comprehensive information on the applicant issuer’s organisation, operational structure and governance arrangements demonstrating that they are well designed and that they ensure the sound and prudent management of the applicant issuer. That information shall include:

(a)

the organisational chart laying down the operational structure in terms of business lines and units and related allocation of staff, the interactions between the applicant issuer’s various functions, the indication of clear and effective reporting lines and allocation of responsibilities reflecting the applicant issuer’s business activities;

(b)

the terms of reference of the management body, with a mapping of the roles, duties and reporting lines of each member;

(c)

a detailed and comprehensive description of the foreseen number and profile of human resources, including seniority, skills, expertise of those, and technical resources, including specific features and functions, up-to-datedness, innovative character with an explanation of the adequacy of human and technical resources to implement the business plan;

(d)

detailed description of the procedures and arrangements to ensure the accurate and timely reporting of data relating to the asset-referenced token;

(e)

a description of the code of conduct laying down the applicant issuer’s ethical and professional corporate values and the risk culture;

(f)

a description of the complaints handling procedures as referred to in Article 31 of Regulation (EU) 2023/1114 and in accordance with Commission Delegated Regulation (EU) 2025/293 (12);

(g)

a description of the conflicts of interest policy as referred to in Article 32 of Regulation (EU) 2023/1114, and in accordance with Commission Delegated Regulation establishing regulatory technical standards adopted pursuant to Article 32(5) of Regulation (EU) 2023/1114;

(h)

a description of the procedures ensuring that the applicant issuer will comply with all the disclosure requirements towards the holders of the asset-referenced token set out in Article 30 of Regulation (EU) 2023/1114;

For the purposes of point (c), the application for authorisation shall also illustrate the actual state of play of the implementation of the envisaged operational structure, including the recruiting plan for the human resources, and the acquisition and operationalisation of the technical resources.

2.   The application for authorisation shall contain the names and contact details of all third-party service providers that the applicant issuer intends to conclude or has concluded arrangements with for operating the reserve of assets, and for the investment of the reserve assets, the custody of the reserve assets and, where applicable, the distribution of the asset-referenced tokens to the public as referred to in Article 34(5) of Regulation (EU) 2023/1114, and a description of such third-party arrangements, including all of the following:

(a)

the rationale for the use of a third-party service provider to support or perform critical or important functions;

(b)

the location of the third-party service provider and where applicable the location where the data are stored or processed;

(c)

the human, financial and technical resources of the third-party service provider related to critical or important functions;

(d)

the applicant issuer’s internal control system for monitoring and managing the arrangement with the third-party provider;

(e)

the business continuity plans in the event that the third-party service provider cannot provide continuity of service;

(f)

the content of the contractual arrangements regarding the obligation to ensure information access and inspection and audit rights to both the applicant issuer and the competent authority;

(g)

the reporting line to the management body.

Article 5

Information on the internal control framework

1.   The application for authorisation shall contain a comprehensive description of the applicant issuer’s internal control framework, including all of the following:

(a)

a comprehensive description of the internal compliance function as part of the internal control mechanism according to Article 34(10) of Regulation (EU) 2023/1114 having sufficient authority, stature, resources and direct access to the management body;

(b)

a comprehensive description of the risk management framework, and of the risk management function where it is established, or where in accordance with proportionality in terms of size, complexity and risk profile, it is entrusted to a third-party provider, of the related third-party arrangements in accordance with Article 4(2);

(c)

a comprehensive description of the risk management systems and controls, explaining the applicant issuer’s strategy for identifying, assessing, monitoring, mitigating and reporting all risks the applicant issuer is or might be exposed to, including risks to the holders of an asset-referenced token, market, liquidity, concentration, operational, ICT, reputational, legal, conduct, compliance, ESG, money laundering and terrorism financing and strategic risks;

(d)

a comprehensive description of the internal audit function as part of the internal control mechanism according to Article 34(10) of Regulation (EU) 2023/1114 where that is established, or, where in accordance with proportionality in terms of size, complexity and risk profile of the activities of the issuer applicant, that mechanism has been entrusted to a third party provider, a comprehensive description of the arrangements with the third-party that shall include all of the elements referred to in Article 4(2), points (a) to (g) of this Regulation, as well as the name and contact details of the external auditor appointed;

(e)

an explanation of the governance arrangements implemented to ensure the separation and adequate segregation of duties of the business lines and units from the internal control functions as part of the internal control mechanism according to Article 34(10) of Regulation (EU) 2023/1114, and an explanation of the arrangements implemented to ensure the independence of the internal control functions, including through their direct access to the management body in its management and in its supervisory function.

For the purposes of point (c), the description shall also include the applicant issuer’s risk appetite statement and its risk tolerance, including the envisaged procedures and measures to manage the identified risks within the risk appetite.

2.   The application for authorisation shall contain a description of the arrangements and assigned ICT and human resources to ensure that the applicant issuer complies with Regulation (EU) 2022/2554, including all of the following information in relation to the applicant issuer’s ICT systems, protocols and tools:

(a)

a detailed technical documentation including a description of the ICT risk management framework in accordance with Article 6(1) of Regulation (EU) 2022/2554, demonstrating the applicant issuer’s ability to address ICT risk rapidly, efficiently and comprehensively and to ensure a high level of digital operational resilience;

(b)

details showing that the applicant issuer maintains updated ICT systems, protocols and tools that are appropriate, reliable, equipped with sufficient capacity to accurately process the data necessary for the performance of activities and the timely provision of services, and technologically resilient in accordance with Article 7 of Regulation (EU) 2022/2254;

(c)

a detailed description of the security policy demonstrating that the applicant issuer’s systems and procedures are capable to protect the availability, authenticity, integrity and confidentiality of data, information assets and ICT assets, including those of their customers in accordance with Article 9(4) of Regulation (EU) 2022/2554;

(d)

a comprehensive description of the ICT process and systems showing the ability to provide the applicant issuer with reliable information and data to support data reporting requirements.

3.   The application for authorisation shall contain a description of the business continuity plan and policy ensuring the applicant issuer’s ability to operate on an ongoing basis and to limit losses in the event of severe business disruption. For that purpose, the business continuity plan shall include:

(a)

the mapping of the essential data and functions;

(b)

an overview of available back-up and recovery systems;

(c)

a description of the availability of key staff in business continuity situations in accordance with Article 34(8) of Regulation (EU) 2023/1114 and Article 11(1) of Regulation (EU) 2022/2554.

4.   Where asset-referenced tokens are issued, stored and transferred using a proprietary DLT or similar technology operated by the applicant issuer or by a third party acting on its behalf, the application for authorisation shall demonstrate the functioning of the DLT or similar technology covering all the following:

(a)

the description of the applicant issuer’s legal title towards the DLT or similar technology, whether it is right of property or other contractual relationships providing control of the distributed ledger technology or of the similar technology to the applicant issuer, irrespective of the circumstance that the DLT is operated by a different undertaking;

(b)

the name and contact details of the operator or operators of the DLT, if different from the applicant issuer;

(c)

the applicant issuer’s or third-party operator’s plan on risk identification, monitoring, assessment, mitigation, and prevention, also having regard to the potential spill-over to other crypto-assets issued, transferred or stored on that DLT and the related crypto-asset service providers, and the plan on the regular technological maintenance and update of the DLT or of similar technology;

(d)

a technical and security audit report on the consistency of the DLT functioning with quality standards in use in the market, and on the appropriateness and adequacy of the plans referred to in point (c);

(e)

in case the proprietary DLT is permissioned, a detailed description of the transparency mechanisms.

5.   Where cooperation arrangements between the applicant issuer and specific crypto-assets service providers are envisaged, the application for authorisation shall contain a detailed description of the crypto-asset service provider’s current internal control mechanisms and procedures ensuring compliance with the obligations in relation to the prevention of money laundering and terrorist financing under Directive (EU) 2015/849 and, where applicable, Regulation (EU) 2023/1113. Such detailed description shall include a forward-looking assessment of the continuous compliance with such obligation for the three-year time horizon of the applicant issuer’s business plan. Such description and forward-looking assessment prepared by the specific crypto-asset service provider may be exchanged by the competent authority with the competent authorities for anti-money laundering and counter-terrorist financing, financial intelligence units or other public bodies, in accordance with Article 20(2), second subparagraph, of Regulation (EU) 2023/1114.

Article 6

Liquidity management, reserve of assets and redemption rights

1.   The application for authorisation shall contain the following information ensuring compliance with the requirements on liquidity management and on the reserve of assets:

(a)

the comprehensive and detailed framework illustrating the constitution, composition, management, and segregation of the reserve of assets, in accordance with Commission Delegated Regulation establishing technical standards adopted pursuant to Article 36(4) of Regulation (EU) 2023/1114;

(b)

the clear and detailed policy describing the stabilisation mechanism of the asset-referenced token for which the authorisation is sought, in accordance with Article 36(8) of Regulation (EU) 2023/1114;

(c)

the name of the external consultant that will be in charge of the independent audit on the reserve of assets every six months in accordance with Article 36(9) of Regulation (EU) 2023/1114;

(d)

the detailed policy and procedures on the custody of the reserve of assets, including the selected custody modality, ensuring compliance with Article 37 of Regulation (EU) 2023/1114;

(e)

the clear and detailed investment policy of the reserve of assets in accordance with Commission Delegated Regulation establishing technical standards adopted pursuant to Article 38(5) of Regulation (EU) 2023/1114;

(f)

the details of the contractual arrangements entered into with third parties for the operation, the investment and the custody of the reserve of assets, in accordance with the policies referred to in points (d) and (e).

For the purposes of point (a), where the applicant issuer applies for voluntary classification of the asset-referenced token as significant asset-referenced token, the framework shall contain the liquidity management policy and procedures. The framework shall also illustrate the reporting lines to the management body and how the management body’s responsibility for the prudent management of the reserve of assets will be ensured.

For the purposes of point (f), the detailed description shall indicate the name and contact details of the third-party service providers, and illustrate the roles, responsibilities, rights and obligations of both the issuer of an asset-referenced tokens and the third-party service providers in going concern and in case of the implementation of the redemption plan including the law applicable to the contract. Where such services are considered critical activities for the orderly redemption in accordance with Article 47(2), second subparagraph, of Regulation (EU) 2023/1114, the description shall also indicate that the contract cannot be terminated, but will be operational in case of implementation of the redemption plan in accordance with Article 47(1) of that Regulation. The description of the contractual arrangements shall also include the information referred to in Article 5(2) of this Regulation, as applicable.

The description of the contractual arrangements with third party service providers for the custody of the reserve of assets shall include the measures taken by the third-party service provider to ensure legal and operational separation from its own assets.

2.   The application for authorisation shall also contain the following:

(a)

a clear and detailed policy and procedures ensuring the respect of the rights of redemption granted to the holders of the asset-referenced token in accordance with Article 39 of Regulation (EU) 2023/1114;

(b)

an outline of the recovery plan to be developed in accordance with Article 46 of Regulation (EU) 2023/1114;

(c)

the redemption plan to be submitted in accordance with Article 47 of Regulation (EU) 2023/1114.

Article 7

Identity and proof of good repute, knowledge, skills, experience and of sufficient time commitment of the members of the management body

1.   An application for authorisation shall provide for each member of the management body all of the following personal individual details and proof of good repute, knowledge, skills, experience, and ability to commit sufficient time to perform their duties:

(a)

full name and, where different, name at birth;

(b)

place and date of birth, address and contact details of the current place of residence, nationality or nationalities, and personal identification number or copy of an ID card or equivalent;

(c)

details of the position held or to be held, including whether the position is executive or non-executive, the start date or planned start date and, where applicable, the duration of the mandate, and a description of the key duties and responsibilities;

(d)

a curriculum vitae containing details of education and experience, including professional experience, academic qualifications, other relevant training, including the name and nature of all organisations for which the person has worked and the nature and duration of the functions performed, in particular highlighting any activities, within the scope of the position sought, relevant to financial services, crypto-assets, or other digital assets, DLT, information technology, cybersecurity, digital innovation or management experience;

(e)

personal history, including all the following, in respect of the nationality or nationalities held by the person, and of the person’s places of residence of the last 10 years if different from the country of nationality or nationalities:

(i)

the absence of a criminal record in respect of convictions or the absence of penalties imposed under the applicable commercial law, insolvency law and financial services law, or in relation to anti-money laundering and counter-terrorist financing, to fraud or to professional liability through an official certificate or an equivalent document or, where such certificates do not exist, any reliable source of information concerning the absence of criminal convictions, investigations and proceedings;

(ii)

information about refusal of registration, authorisation, membership or licence to carry out a trade, business or profession, or the withdrawal, revocation or termination of registration, authorisation, membership or licence, or expulsion by a regulatory or government body or by a professional body or association;

(iii)

information about dismissal from employment or a position of trust, fiduciary relationship or similar situation, or the fact that the person was asked to resign from employment in such a position, excluding redundancies;

(iv)

information about whether another competent authority has assessed the reputation of the person concerned, including the identity of that authority, the date of the assessment and the evidence of the outcome of that assessment;

(v)

information about whether an authority from another, non-financial, sector has assessed the individual, person concerned, including the identity of that authority, the date of the assessment and evidence of the outcome of that assessment;

(f)

a description of all financial and non-financial interests that could create potential material conflicts of interest affecting the perceived trustworthiness of the person concerned in the performance of the mandate as member of the management body of the applicant issuer, including:

(i)

any financial interests, including crypto assets, other digital assets, loans, shareholdings, guarantees or security interests, whether granted or received, and non-financial interests or relationships, including close relations such as spouse, registered partner, cohabitant, child, parent or other relation with whom the person shares living accommodation, between the person or that person’s close relatives or any company that the person is closely connected with, and the applicant issuer, its parent undertaking or subsidiaries, including any members of the management body or any person holding a qualifying holding in the applicant issuer;

(ii)

whether or not the person conducts any business or has any commercial relationship, or has had such relationship over the past two years, with any of the persons listed in point (i), or is involved in any legal proceedings with any such persons;

(iii)

whether or not the person and those in close relation to them as specified in point (i) have any competing interests with the applicant issuer, its parent undertaking or its subsidiaries;

(iv)

any financial obligations to the applicant issuer, its parent or its subsidiaries;

(v)

whether the person was a politically exposed person as defined in Article 3, point (9), of Directive (EU) 2015/849 over the past two years;

(vi)

where a material conflict of interest is identified, a statement of how that conflict will be mitigated or remedied, including a reference to the outline of the conflicts of interest policy;

(g)

information on the ability to commit sufficient time to perform their duties in the applicant issuer, including:

(i)

the estimated minimum time, per year and per month, that the person concerned will devote to the performance of that person’s functions within the applicant issuer;

(ii)

a list of the commercial mandates that the person concerned holds;

(iii)

a list of duties which relate to non-commercial activities or are set up for the sole purposes of managing the economic interests of the person concerned;

(iv)

a list of any additional responsibilities associated with the duties referred to in point (iii), including chairing a committee;

(v)

the estimated time in days per year dedicated to each mandate;

(vi)

the number of meetings per year dedicated to each duty.

For the purposes of point (e)(i), official records, certificates and documents shall have been issued within three months prior to the submission of application for authorisation.

2.   The results of any suitability assessment of each member of the management body, performed by the applicant issuer, including the following information:

(a)

the relevant board minutes;

(b)

the decision on the suitability assessment;

(c)

where the person concerned has been assessed as not having the experience required, and provided that the minimum experience required is met, details of the training plan imposed, including the content, provider and date by which the training plan has been or will be completed.

3.   A statement regarding the applicant issuer’s overall assessment of the collective suitability of the management body documenting that collectively the management body possesses the appropriate knowledge, skills and experience to manage the applicant issuer, including relevant board minutes or suitability assessment report or documents.

Article 8

Information relating to shareholders or members with qualifying holdings

The application for authorisation shall contain information on the sufficiently good repute of shareholders and members with direct and indirect qualifying holdings in the applicant issuer, including all of the following:

(a)

a chart setting out the holding structure of the applicant issuer, including the breakdown of its capital and voting rights and the names of the shareholders or members with both direct and indirect qualifying holdings;

(b)

for each shareholder or member holding a direct or indirect qualifying holding in the applicant issuer, the information and documents on their identify and reputation set out in:

(i)

Article 1(1), Article 2(1), points (a), (b), (c), and (e) and Article 2(2), points (a) and (b), of Delegated Regulation (EU) 2025/413, in case of natural persons; or

(ii)

Article 1(2), (3), (4) or (5), Article 3(1), points (a), (b), (c), (e), and (f) and, where applicable, Article 3(3) of Delegated Regulation (EU) 2025/413, in case of legal persons;

(c)

the identity of each member of the management body of the applicant issuer who has been or will be appointed by, or following a nomination from, such person with qualifying holdings, together with the information set out in Article 8(1) and (2), where that information has not already been provided;

(d)

for each shareholder or member holding a direct qualifying holding, the following information about its holding, whether shares or other holdings:

(i)

number and type;

(ii)

nominal value;

(iii)

any premium paid or to be paid;

(iv)

any security interests or encumbrances created over such holding, including the identity of the secured parties;

(e)

the information referred to in Article 6, points (b), (d) and (e) of Delegated Regulation (EU) 2025/413;

(f)

the information referred to in Article 8 of Delegated Regulation (EU) 2025/413.

For the purposes of point (b), indirect qualifying holdings are identified in accordance with Article 4(1) and (2) of Delegated Regulation (EU) 2025/413.

Article 9

Entry into force

This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.

This Regulation shall be binding in its entirety and directly applicable in all Member States.

Done at Brussels, 5 June 2025.

For the Commission

The President

Ursula VON DER LEYEN

(1)   OJ L 150, 9.6.2023, p. 40, ELI: http://data.europa.eu/eli/reg/2023/1114/oj.

(2)  Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1, ELI: http://data.europa.eu/eli/reg/2016/679/oj).

(3)  Directive (EU) 2015/849 of the European Parliament and of the Council of 20 May 2015 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, amending Regulation (EU) No 648/2012 of the European Parliament and of the Council, and repealing Directive 2005/60/EC of the European Parliament and of the Council and Commission Directive 2006/70/EC (OJ L 141, 5.6.2015, p. 73, ELI: http://data.europa.eu/eli/dir/2015/849/oj).

(4)  Regulation (EU) 2023/1113 of the European Parliament and of the Council of 31 May 2023 on information accompanying transfers of funds and certain crypto-assets and amending Directive (EU) 2015/849 (OJ L 150, 9.6.2023, p. 1, ELI: http://data.europa.eu/eli/reg/2023/1113/oj).

(5)  Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (OJ L 333, 27.12.2022, p. 1, ELI: http://data.europa.eu/eli/reg/2022/2554/oj).

(6)  Regulation (EU) No 1093/2010 of the European Parliament and of the Council of 24 November 2010 establishing a European Supervisory Authority (European Banking Authority), amending Decision No 716/2009/EC and repealing Commission Decision 2009/78/EC (OJ L 331, 15.12.2010, p. 12, ELI: http://data.europa.eu/eli/reg/2010/1093/oj).

(7)  Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC ( OJ L 295, 21.11.2018, p. 39, ELI: http://data.europa.eu/eli/reg/2018/1725/oj).

(8)  Directive (EU) 2017/1132 of the European Parliament and of the Council of 14 June 2017 relating to certain aspects of company law (OJ L 169, 30.6.2017, p. 46, ELI: http://data.europa.eu/eli/dir/2017/1132/oj).

(9)  Regulation (EU) No 575/2013 of the European Parliament and of the Council of 26 June 2013 on prudential requirements for credit institutions and investment firms and amending Regulation (EU) No 648/2012 (OJ L 176, 27.6.2013, p. 1, ELI: http://data.europa.eu/eli/reg/2013/575/oj).

(10)  Commission Delegated Regulation (EU) 2025/415 of 13 December 2024 supplementing Regulation (EU) 2023/1114 of the European Parliament and of the Council with regards to regulatory technical standards specifying adjustment of own funds requirement and minimum features of stress testing programmes of issuers of asset-referenced tokens or of e-money tokens (OJ L, 2025/415, 24.3.2025, ELI: http://data.europa.eu/eli/reg_del/2025/415/oj).

(11)  Commission Delegated Regulation (EU) 2025/413 of 18 December 2024 supplementing Regulation (EU) 2023/1114 of the European Parliament and of the Council with regard to regulatory technical standards specifying the detailed content of information necessary to carry out the assessment of a proposed acquisition of a qualifying holding in an issuer of an asset-referenced token (OJ L, 2025/413, 31.3.2025, ELI: http://data.europa.eu/eli/reg_del/2025/413/oj).

(12)  Commission Delegated Regulation (EU) 2025/293 of 30 September 2024 of the European Parliament and of the Council with regard to regulatory technical standards specifying the requirements, templates and procedures for the handling of complaints relating to asset referenced tokens (OJ L, 2025/293, 13.2.2025, ELI: http://data.europa.eu/eli/reg_del/2025/293/oj).

ELI: http://data.europa.eu/eli/reg_del/2025/1125/oj

ISSN 1977-0677 (electronic edition)

Top