32026R0255

This document is an excerpt from the EUR-Lex website

EUROPA
EUR-Lex home
Delegated regulation - EU - 2026/255 - EN - EUR-Lex

Help

Search tips

Need more search options? Use the Advanced search

Document 32026R0255

Help

Commission Delegated Regulation (EU) 2026/255 of 30 January 2026 supplementing Regulation (EU) No 1227/2011 of the European Parliament and of the Council as regards the necessary details for the authorisation and supervision of inside information platforms and registered reporting mechanisms by the European Union Agency for the Cooperation of Energy Regulators

C/2026/476

OJ L, 2026/255, 9.4.2026, ELI: http://data.europa.eu/eli/reg_del/2026/255/oj (BG, ES, CS, DA, DE, ET, EL, EN, FR, GA, HR, IT, LV, LT, HU, MT, NL, PL, PT, RO, SK, SL, FI, SV)

Legal status of the document In force

ELI: http://data.europa.eu/eli/reg_del/2026/255/oj

HTML

PDF - authentic OJ

e-signature

How to verify the authenticity of the Official Journal

Official Journal
of the European Union

L series

2026/255

9.4.2026

COMMISSION DELEGATED REGULATION (EU) 2026/255

of 30 January 2026

supplementing Regulation (EU) No 1227/2011 of the European Parliament and of the Council as regards the necessary details for the authorisation and supervision of inside information platforms and registered reporting mechanisms by the European Union Agency for the Cooperation of Energy Regulators

(Text with EEA relevance)

THE EUROPEAN COMMISSION,

Having regard to the Treaty on the Functioning of the European Union,

Having regard to Regulation (EU) No 1227/2011 of the European Parliament and of the Council of 25 October 2011 on wholesale energy market integrity and transparency (1), and in particular Article 4a(8), points (a) to (g), and Article 9a(6), points (a) to (f) thereof,

Whereas:

(1)

Regulation (EU) No 1227/2011 provides that market participants are to disclose information and submit inside information reports through inside information platforms (‘IIPs’) and report the data through registered reporting mechanisms (‘RRMs’). The Commission is to set out rules which will replace the current registration procedure for IIPs and RRMs established by the European Union Agency for the Cooperation of Energy Regulators (‘the Agency’).

(2)	Since many obligations set out in Regulation (EU) No 1227/2011 are common to both IIPs and RRMs, it is appropriate to lay down the detailed rules supplementing that Regulation in a single act. This will ensure consistency and legal certainty while avoiding repetition.

(3)

In order to specify the means by which IIPs are to fulfil the obligation to make public the inside information and submit inside information reports to the Agency, and RRMs are to report data records to the Agency, which pursuant to Article 4a(1) and Article 9a(1) of Regulation (EU) No 1227/2011 requires them to be authorised by the Agency, it is necessary to set out rules on the authorisation process specifying the information to be provided to the Agency as part of an application for authorisation as IIPs or RRMs.

(4)

Clear and comprehensive definitions should apply to both IIPs and RRMs. However, given the differences in the scope of the reporting obligations for IIPs and RRMs, it is necessary to apply different definitions of the term ‘client’ for each type of reporting entity. This will enable IIPs and RRMs to understand and comply with their respective obligations vis-à-vis their respective clients in an unambiguous manner.

(5)

To enable the Agency to assess whether the applicants for an authorisation as IIPs or RRMs comply with the authorisation requirements, they should submit to the Agency information necessary to identify them and prove, inter alia, their establishment within the Union. They should also submit documents proving that they have the necessary organisational requirements in place to provide IIP or RRM services. To demonstrate compliance with Article 4a(3) of Regulation (EU) No 1227/2011, which provides that IIPs are to have adequate policies and arrangements in place to disclose the inside information as close to real time as technically possible, IIPs should provide to the Agency information about the time needed by the IIP to disclose on their platform the information received from their IIP clients and successfully validated by their data validation system. To ensure that the Agency receives accurate, complete and timely data records and inside information reports that meet regulatory standards, as part of the authorisation process, applicants should undergo a testing phase to demonstrate their ability to comply with the reporting requirements set out in in Regulation (EU) No 1227/2011 and further detailed in this Regulation.

(6)

To ensure legal certainty and reduce the administrative burden on IIPs and RRMs that were already registered by the Agency, those IIPs and RRMs should not be required to resubmit documents that are already available to the Agency. Therefore, the authorisation process should contain specific provisions for them. Those IIPs and RRMs should be eligible for a simplified authorisation process, insofar as the Agency confirms to the relevant IIPs and RRMs that it has already received, during the registration process, all the information required for authorisation. However, the Agency should maintain the right to request the resubmission of documentation already provided during the registration process, if it is necessary to ensure compatibility with its IT systems, particularly in cases where technical updates are required.

(7)

To ensure a timely and efficient authorisation process, the Agency should adopt a decision on an authorisation as an IIP or RRM within three months from receiving a complete application. Prior to the commencement of the three-month assessment period, the Agency should have performed an initial assessment regarding completeness of the application. If the Agency deems that it needs more time for adopting an authorisation decision, the Agency should, prior to the expiry of the three-month period, inform the applicant of the additional time it needs to adopt the decision. For legal certainty, if no decision is adopted within the additional time period, the Agency should be deemed to have adopted a positive decision.

(8)

In order to ensure that the applicants that submit authorisation applications have genuine intentions to perform IIP and RRM services, as well as to avoid unnecessary delays and administrative burden on the Agency, applicants who remain inactive for more than three months should be considered to have withdrawn their application, unless they inform the Agency that they still wish to be authorised.

(9)

To allow applicants and authorised IIPs and RRMs to enforce their rights linked to decisions adopted by the Agency under this Regulation, any of the Agency’s decisions referred to in this Regulation, including decisions rejecting an application for authorisation, should be subject to the legal remedies available pursuant to Articles 28 and 29 of Regulation (EU) 2019/942 of the European Parliament and of the Council (2).

(10)

To ensure the accuracy and completeness of the information disclosed and inside information reports submitted by IIPs to the Agency, as well as of the data records reported by RRMs to the Agency, the Agency should provide guidance, inter alia, on the validation principles and processes set out in this Regulation by providing technical specifications for the verification of data. That guidance should aim to ensure that the Agency receives high quality data, thereby enabling effective market monitoring. Compliance with data validation principles and processes is a key requirement to ensure that the data reported to the Agency is meaningful, coherent, and ready to be processed, thereby enabling the Agency to perform its monitoring role in an efficient manner.

(11)

IIPs and RRMs should have in place sound information security systems that ensure the secure provision of disclosing and reporting services, prevent data breaches and security incidents, and guarantee continuity of services through back-up facilities. To ensure the security and resilience of network and information systems, IIPs and RRMs should implement appropriate and proportionate technical, operational, and organisational measures to manage risks and prevent or minimise the impact of incidents on recipients of their services. Those measures should be state-of-the-art and, where applicable, comply with relevant European and international standards.

(12)

To ensure that the requirements of this Regulation are effectively implemented and complied with throughout the entire period during which IIPs and RRMs provide their services, IIPs and RRMs should be subject to regular supervision by the Agency. For that purpose, the Agency should have the right to request clarifications and information from authorised entities in case of potential non-compliance.

(13)

RRMs are to submit an annual report to the Agency, in accordance with Article 9a(2) of Regulation (EU) No 1227/2011. To ensure the least possible administrative and reporting burden on RRMs, the content of that report should be limited to the minimum necessary, while ensuring that it contains useful information for the Agency in carrying out its supervisory powers.

(14)

The withdrawal of authorisations of IIPs and RRMs should be possible on the initiative of either the Agency, based on the grounds set out in Regulation (EU) No 1227/2011, or on request of the IIP or RRM itself. If the IIP or RRM requests to have their authorisations withdrawn, an expedited procedure should apply. To ensure that an authorisation is withdrawn in a swift and efficient way, the Agency should also be able to apply the expedited procedure in cases where, after the initiation of the withdrawal procedure by the Agency, the IIP or RRM concerned expresses its willingness to have its authorisation withdrawn.

(15)

To ensure a fair and impartial decision-making process, the Agency’s decision on granting or withdrawing an authorisation should be based on a thorough examination of the relevant facts and should be well-reasoned. The Agency’s decision to withdraw an authorisation should only be based on findings on which the IIP or RRM has had the opportunity to express its views.

(16)

To enable IIPs and RRMs to take all necessary actions to comply with the requirements introduced by this Regulation, the application of the provisions detailing the authorisations process, the organisational requirements, the supervision and reporting and the withdrawal and substitution processes should be deferred.

(17)	The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 of the European Parliament and of the Council (3).

(18)

Any processing of personal data performed by IIPs and RRMs under this Regulation should be carried out in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council (4). Any processing of personal data performed by the Agency under this Regulation should be carried out in accordance with Regulation (EU) 2018/1725. Following the withdrawal of an IIP or RRM, the personal data previously collected should be retained by the Agency for 10 years, as indicated in the Agency’s retention policy and in line with Regulation (EU) 2018/1725,

HAS ADOPTED THIS REGULATION:

CHAPTER I

GENERAL PROVISIONS

Article 1

Subject matter

This Regulation lays down the details of the information to be provided to the Agency for obtaining the authorisation to provide IIP or RRM services and the organisational requirements for IIP and RRM authorisations. It also establishes the procedures for the supervision of IIPs and RRMs, for the withdrawal of their authorisations and for their orderly substitution in case of such withdrawal.

Article 2

Definitions

For the purpose of this Regulation, the following definitions shall apply:

(1)	‘application’ means an application for authorisation by the Agency to provide IIP or RRM services pursuant to Articles 4a(1) and 9a(1) of Regulation (EU) No 1227/2011;

(2)	‘applicant’ means a legal person submitting an application;

(3)	‘IIP client’ means market participants and authorities competent for emergency planning referred to in Article 3(4), point (c), of Regulation (EU) No 1227/2011, on whose behalf an IIP publishes information and submits inside information reports to the Agency;

(4)

‘RRM client’ means an entity subject to reporting obligations pursuant to Articles 7c and 8 of Regulation (EU) No 1227/2011, on whose behalf the RRM submits data records to the Agency, or an entity that, for the purposes of order book reporting pursuant to Article 8(1a) of Regulation (EU) No 1227/2011, is listed in Article 8(4), point (d), of Regulation (EU) No 1227/2011;

(5)	‘data record’ means any transaction, including orders to trade, and fundamental data to be reported to the Agency pursuant to Articles 7c and 8 of Regulation (EU) No 1227/2011 and in accordance with Commission Implementing Regulation (EU) 2026/256 (5);

(6)	‘inside information report’ means the report including the information disclosed and reported to the Agency in compliance with Articles 4 and 4a of Regulation (EU) No 1227/2011 and in accordance with Implementing Regulation (EU) 2026/256;

(7)	‘working day’ means any day other than a Saturday, Sunday, or public holiday within the meaning of Regulation (EEC, Euratom) No 1182/71 of the Council (6).

CHAPTER II

AUTHORISATION PROCESS FOR IIPs AND RRMs

SECTION I

Content of the application

Article 3

Identification and legal status of the applicant and access to the Agency’s data exchange systems

1. The application shall identify the applicant and the activities that it intends to carry out and that require it to be authorised as an IIP or a RRM.

2. The application shall contain the following documentation and information:

(a)	the legal name and address of the applicant;

(b)	proof of the applicant’s establishment in the Union;

(c)

a completed legal entity form as set out in Annex I, including an excerpt from the relevant commercial or court register in the Union, or other forms of certified evidence of the place of incorporation, scope of business activity and the applicant’s value added tax (VAT) identification number in the Union, valid on the application date;

(d)	the name and business contact details of the persons responsible for compliance with the requirements set out in this Regulation and with Regulation (EU) No 1227/2011, and any other staff involved in assessing the applicant’s compliance with the abovementioned requirements;

(e)	the name and business contact details of the persons responsible for communication with the Agency and with IIP clients and RRM clients, including as a result of follow up communication from the Agency to the IIP or RRM.

3. In addition to the documentation and information referred to in paragraph 2, IIP applicants shall indicate in their application the planned starting date for operating their platform.

4. In addition to the documentation and information referred to in paragraph 2, RRM applicants shall indicate in their application the planned starting date for the reporting of data records.

5. The application shall be signed by the applicant’s duly empowered legal representative. Evidence proving such empowerment, such as a power of attorney, shall be submitted to the Agency, including name and surname and business contact details of the duly empowered legal representative, as follows:

(a)

name,

(b)

surname,

(c)	business phone number,

(d)	business email address,

(e)	the nature of the legal relationship with the IIP or the RRM.

6. Applicants shall conclude a non-disclosure agreement with the Agency in order to access the Agency’s data exchange systems.

Article 4

Supporting documents

1. The application shall include supporting documents describing compliance with the general organisational requirements for IIPs and RRMs set out in Articles 11 to 18 and the policies and procedures that the applicant has in place to ensure orderly substitution pursuant to Article 38.

In addition to the documents referred to in the first subparagraph, IIP applicants shall include supporting documents describing compliance with the IIP requirements set out in Articles 19 to 25 and RRM applicants shall include supporting documents describing compliance with the RRM requirements set out in Articles 26 to 29.

2. The application shall include the following:

(a)

information on the policies, contingency plans and arrangements of the IIP or RRM to ensure compliance with the timing of disclosure of information and submitting inside information reports and reporting data records to the Agency, in accordance with Article 11, including the related supporting documents;

(b)	information on the data validation system of the IIP or the RRM to check the accuracy and completeness of inside information reports or data records, including compliance with data validation principles and processes, in accordance with Article 12, including the related supporting documents;

(c)	information on the arrangements of the IIP or the RRM designed to guarantee the compliance with security requirements in accordance with Article 13, including the related supporting documents;

(d)	the organisational chart of the IIP or the RRM, relating to the functions and structures relevant to activities carried out under Regulation (EU) No 1227/2011;

(e)	the programme of operations of the IIP or the RRM, relating to the activities carried out under Regulation (EU) No 1227/2011;

(f)	information on the administrative arrangements of the IIP or the RRM to prevent conflicts of interest and discrimination referred to in Article 16, including the related supporting documents;

(g)	information on the resources of the IIP or the RRM and the implemented back-up facilities to maintain their respective services in accordance with Article 17, including the related supporting documents;

(h)	information on the implementation of technical standards, including any updates thereof, to ensure the secure and efficient operation of the data collection process and the subsequent reporting to the Agency, including the related supporting documents.

3. The organisational chart of the IIP or RRM referred to in paragraph 2, point (d), shall:

(a)	display the group structure and ownership links between the parent undertaking and its subsidiaries or any other associated entities or branches, and indicate their respective activities;

(b)	indicate the legal name and address of the undertakings shown in the organisational chart;

(c)	identify the persons responsible for reporting of data records or operating the platform for the disclosure of information and submission of inside information reports to the Agency and provide descriptions of their tasks and business contact details.

4. The programme of operations referred to in paragraph 2, point (e), shall describe in detail the operational framework and the internal control mechanisms to ensure compliance with this Regulation and Regulation (EU) No 1227/2011.

The description of the operational framework shall illustrate the business model of the applicant, including the services and products offered related to this Regulation and Regulation (EU) No 1227/2011, and indicate any relevant outsourcing arrangements, in which case it shall specify how such outsourcing arrangements ensure compliance with the requirements laid down in this Regulation and with Regulation (EU) No 1227/2011.

The description of the internal control mechanisms shall illustrate the mechanisms to ensure effective governance and risk management, procedures and systems for monitoring and managing risks related to this Regulation and Regulation (EU) No 1227/2011, including the identification of potential risks and corresponding mitigation strategies.

5. Applicants may demonstrate compliance with any of the requirements referred to in paragraphs 2, 3 and 4 through submission to the Agency of a valid ISO/IEC 27000 standard series certificate on information security management systems or equivalent certifications. The Agency may ask the applicants for further clarifications regarding the certification provided, any missing information to demonstrate compliance with the requirements referred to in paragraphs 2, 3 and 4 and for an update of such certification after its expiration date.

6. IIP applicants shall provide to the Agency information about the time needed by the IIPs to disclose on their platform the information received from their IIP clients and successfully validated by their data validation systems. IIP applicants shall provide to the Agency information about the manner in which they set the fees to be paid by their IIP clients in accordance with Article 25.

7. RRM applicants shall provide supporting documents regarding the information systems they have in place to ensure data transfers from other systems or platforms in accordance with Article 15. RRM applicants shall indicate the name of such systems or platform, and of any user facilities generating reportable data to the technical solution implemented by the applicant, together with information on any data transformation having occurred in that process.

Article 5

Testing phase

1. Applicants shall demonstrate their ability to submit inside information reports and report data records to the Agency. The Agency shall assess their reporting ability through a testing phase that is to take place in the course of the application procedure.

2. For the purpose of the testing, applicants shall provide the Agency with the following:

(a)	for IIP applicants, details regarding the types of inside information reports to be published on the platform and submitted to the Agency and for RRM applicants, details regarding the types of data records to be reported to the Agency;

(b)	data samples in the testing phase in accordance with the rules set out in Implementing Regulation (EU) 2026/256 and using the standard electronic formats in accordance with that Implementing Regulation, and applying the principles set out in the related manuals adopted by the Agency.

Article 6

Material changes during the application process

1. When applicants or their IIP clients or RRM clients initiate any material changes during the application process, the applicants shall notify the Agency of such changes no later than ten working days after the material change has taken place. The notification shall describe the change in detail and be accompanied by the relevant supporting documents pursuant to Article 4, insofar as those documents have been amended.

2. If the notification pursuant to paragraph 1 is made after the Agency has issued the notification referred to in Article 10(2), the Agency may assess again the completeness of the application.

3. A change shall be considered material if it concerns any of the following:

(a)	the manner in which the submission of inside information reports and the reporting of data records is carried out;

(b)	the information contained in the supporting documents to be provided pursuant to Article 4;

(c)	the types of data disclosed on IIP platforms or reported to the Agency by IIPs and RRMs;

(d)	the relevant standard electronic formats in which data referred to in point (c) is reported.

Article 7

Request for additional information during the authorisation process

Upon request by the Agency, applicants shall provide additional information during the examination of their application, where such information is necessary for the Agency to assess the completeness of their application and the applicants’ compliance with the requirements set out in this Regulation and in Regulation (EU) No 1227/2011.

Article 8

Application process for already registered IIPs and RRMs

1. IIPs and RRMs that have already been registered by the Agency shall apply for an authorisation from the Agency pursuant to Article 10 before 29 April 2028, in accordance with the rules set out in Articles 3 to 7.

2. IIPs and RRMs referred to in paragraph 1 of this Article shall, in their application, provide the Agency with the information referred to in Articles 3 to 7, unless that information was already provided in the framework of the registration process.

3. The Agency shall inform the IIPs and RRMs referred to in paragraph 1 if additional information is necessary to assess the completeness of the application and the applicants’ compliance with the requirements set out in this Regulation and in Regulation (EU) No 1227/2011.

Article 9

Guidance by the Agency

No later than 29 November 2026, and after consulting relevant stakeholders, the Agency shall provide guidance on the following:

(a)	the technical process for the testing phase as referred to in Article 5(1);

(b)	the application process for already registered IIPs and RRMs as referred to in Article 8(1);

(c)	the data validation principles and processes as referred to in Article 12(1) and (2) by providing technical specifications for the verification of data;

(d)	the security measures referred to in Article 13(1), point (d);

(e)	the format of the report on unplanned downtime or disruption as referred to in Article 18(3);

(f)	the flagging process set out in Article 24(4), if applicable;

(g)	the mechanisms to identify completeness, omissions and obvious errors in inside information reports and data records as referred to in Article 23(1) for IIPs and Article 27(1) for RRMs;

(h)	the format of the annual report as referred to in Article 33(1).

SECTION II

Granting of authorisation

Article 10

Decision on the authorisation and related safeguards

1. The application shall be considered complete when the Agency receives all the required information, as laid down in Articles 3 to 7.

2. When the Agency deems the application complete, it shall without undue delay notify the applicant.

3. When the application has been deemed complete, the Agency shall assess whether the applicant complies with the requirements set out in Articles 11 to 29 of this Regulation, Article 4a(3) to (5), and Article 9a(1) and (3) of Regulation (EU) No 1227/2011. If the applicant complies with those requirements, the authorisation shall be granted and otherwise the application shall be rejected. The decision to grant or reject the application shall be adopted within three months from the date of receipt of the notification referred to in paragraph 2.

4. If the Agency deems that it needs more time for adopting an authorisation decision, the Agency shall, prior to the expiry of the three-month period referred to in paragraph 3, inform the applicant of the additional time it needs to adopt the decision. Such additional time shall not exceed two months from the expiry of the three-month period. If the Agency does not adopt a decision within that additional time period, it shall be deemed to have granted the authorisation.

5. The Agency shall, within five working days from the adoption of the authorisation or rejection decision, notify that decision to the following parties:

(a)	the applicant IIP or RRM;

(b)	the national regulatory authority of the Member State in which the IIP or the RRM is established.

6. Where an applicant fails to communicate or to provide the required information for more than three months after the submission of the application or, where applicable, after a request for clarification from the Agency, the Agency may consider the application withdrawn. At least two weeks prior to the expiry of the three-month period, the Agency shall notify the applicant of their inactive status and remind them of the consequences deriving from it.

7. Any decision by the Agency in the context of an authorisation process shall be subject to procedural safeguards, including the legal remedies available pursuant to Articles 28 and 29 of Regulation (EU) 2019/942.

CHAPTER III

ORGANISATIONAL REQUIREMENTS

SECTION I

General organisational requirements

Article 11

Timely compliance with reporting obligations

IIPs and RRMs shall implement policies, contingency plans, and arrangements to ensure timely compliance with the requirements on submission of inside information reports set out in Article 4a(3) of Regulation (EU) No 1227/2011 and the requirements on reporting data records set out in Articles 7, 10, 13 and 17 of Implementing Regulation (EU) 2026/256.

Article 12

Data validation systems

1. IIPs shall have data validation systems in place to comply with the principles and follow the processes set out in Articles 22, 23 and 24.

2. RRMs shall have data validation systems in place to comply with the principles and follow the processes set out in Articles 26, 27 and 29.

3. IIPs and RRMs shall submit to the Agency only inside information reports and data records that have been successfully assessed by their data validation systems in accordance with paragraphs 1 and 2.

Article 13

Security requirements

1. IIPs and RRMs shall set up and maintain policies, procedures and arrangements for physical and electronic security which are based on best practices, and which are consistent with internationally recognised standards. Those policies, procedures and arrangements shall be designed to:

(a)	protect the IT systems of the IIPs and RRMs from misuse or unauthorised access;

(b)	minimise the risks of incidents against information systems, as defined in Article 6(6) of Directive (EU) 2022/2555 of the European Parliament and of the Council (7);

(c)	prevent unauthorised disclosure of confidential information flowing from IIP clients and RRM clients to the IIP or RRM and from the IIP or RRM to the Agency;

(d)	ensure the confidentiality, integrity, availability, authenticity, accountability and reliability of the information processed within the IIP’s and RRM’s systems and, for IIPs, prevent leakages of the processed information before its publication;

(e)	ensure non-repudiation through electronic signatures or certificates, or through any other mechanisms that provide an equivalent level of non-repudiation.

2. IIPs and RRMs shall establish the requirements for data access permissions as well as the purpose and the scope of data access, and any restrictions on the use of the data. They shall set up and maintain security mechanisms to promptly identify and manage the risks referred to in paragraph 1, including the following:

(a)	a secure environment for the collection and management of data from IIP clients and RRM clients and for the submission of inside information reports and reporting of data records to the Agency;

(b)	application interfaces as specified by the Agency;

(c)	a protected and segregated network connection with the Agency as specified by the Agency.

3. Applicants may demonstrate compliance with the physical and electronic security requirements referred to in paragraph 1 through submission to the Agency of a valid ISO/IEC 27000 standard series certificate on information security management systems or equivalent certifications. The Agency may ask the applicants for further clarifications regarding the certification provided and for an update of such certification after its expiration date.

Article 14

Security incidents

1. IIPs and RRMs shall take the actions listed in paragraph 2 in case of an occurrence of any of the following incidents:

(a)	misuse or unauthorised access of the IIP’s or RRM’s IT systems;

(b)	incidents against information systems, as defined in Article 6(6) of Directive (EU) 2022/2555;

(c)	unauthorised disclosure of confidential information flowing from IIP clients and RRM clients to the IIP or RRM and from the IIP or RRM to the Agency;

(d)	breach of the confidentiality, integrity, availability, authenticity, accountability and reliability of the information processed within the IIPs’ and RRMs’ systems and, for IIPs, leakages of the processed information before its publication;

(e)	any event that would impede or impact the non-repudiation of the data.

2. IIPs and RRMs shall:

(a)	notify the Agency of the incident within 24 hours of becoming aware of it;

(b)	notify any IIP clients and RRM clients, if applicable, who have or may have been impacted by the incident within 48 hours of becoming aware of it;

(c)	provide the Agency with an initial assessment of the incident within 72 hours of becoming aware of it;

(d)	provide the Agency with a detailed incident report within one month of becoming aware of it, outlining the nature of the incident, the measures taken to address it, and the initiatives implemented to prevent similar occurrences in the future.

Article 15

Data transfers

IIPs and RRMs shall have in place information systems for effective data transfers from other systems or platforms ensuring an efficient data collection process and subsequent reporting to the Agency.

Article 16

Conflicts of interest

1. IIPs and RRMs shall maintain effective administrative arrangements, designed to prevent conflicts of interest with their IIP clients and RRM clients. Such arrangements shall include policies and procedures for identifying, managing and disclosing existing and potential conflicts of interest and shall:

(a)	ensure that the relevant IIP clients and RRM clients are aware of those policies and procedures;

(b)

ensure the separation of duties and business functions within the IIP or RRM, including through:

(i)	measures to prevent or control the exchange of information where a risk of conflicts of interest may arise;

(ii)	the separate supervision of relevant persons whose main functions involve interests that are potentially in conflict with those of IIP clients or RRM clients;

(iii)

measures to remedy potential or existing conflicts of interest;

(c)	map any existing and potential conflicts of interest and list them in an inventory, which shall contain their description, identification, prevention and management measures, and disclosure.

2. IIPs and RRMs shall have policies in place to ensure the handling of the reported data in a non-discriminatory manner.

Article 17

Business continuity and back-up facilities

1. IIPs and RRMs shall ensure that they have sufficient staff, infrastructure, capital and financial resources to guarantee the continuity and regularity in the performance of their respective services, as well as the adequate protection of the IIP or RRM against operational, legal and business risks.

2. Upon registering new IIP clients, IIPs shall provide the clients with instructions on the use of back-up facilities and shall subsequently issue periodic reminders to them throughout the duration of the IIP services provided.

3. IIPs and RRMs shall have in place robust operational risk controls and procedures to secure the availability of adequate resources and back-up facilities. Such controls and procedures shall be documented within an operational risk policy or an operational risk framework which ensures that disruptions to the provided services are minimised. Such policy or framework shall include the following:

(a)	a version control system to track and archive any changes made to the IIPs’ and RRMs’ software;

(b)	a quality assurance policy ensuring that all changes to the hardware and software architecture of the IIPs and RRMs are tracked;

(c)	automated monitoring and alert systems to track the availability of all system components and services, providing immediate notifications to the IIP clients and RRM clients regarding any service disruptions;

(d)

redundancy of hardware components and network infrastructure, allowing failover to backup systems, including:

(i)	for IIPs, procedures to ensure that any planned maintenance of the IIP services is performed with minimal or no disruptions of the service, making use of duplication and redundancy of hardware and software components;

(ii)	for RRMs, procedures for minimal disruption during planned maintenance, with maintenance windows scheduled during periods of low activity;

(e)	the conduct of periodic reviews, at least annually, evaluating the IIPs’ and RRMs’ technical infrastructures and associated policies and procedures, including business continuity arrangements and, for IIPs, information security arrangements;

(f)	comprehensive data back-up measures ensuring no data losses, including retention of data reported to the Agency in the last five years after the termination of the corresponding event for IIPs and five years for RRMs;

(g)

effective business continuity arrangements addressing unplanned events, including the following:

(i)

arrangements for the continuity of the processes which are critical to ensuring the effectiveness of data reporting services, including escalation procedures, relevant outsourced activities or dependencies on external providers, which as regards an IIPs back-up infrastructure, may include contractual arrangement with another IIP authorised by the Agency where IIP clients will be redirected for the disclosure of their information in case of an incident, at no additional cost for the IIP client;

(ii)	specific continuity arrangements, covering an adequate range of possible scenarios, in the short and medium term, including system failures, natural disasters, communication disruptions, loss of key staff and inability to use the premises regularly used;

(iii)

the establishment of failover and fallback procedures that specify the redirection of IIP clients for the disclosure of their information to back-up IIP facilities;

(iv)	the establishment of a target maximum recovery time for critical functions;

(v)	the provision of obligatory staff trainings on the operation of business continuity;

(vi)	the identification of key personnel responsible for business continuity, including the identification of personnel responsible for immediate reaction to a disruption of services.

4. Applicants may demonstrate compliance with any of the requirements referred to in paragraph 3 through submission to the Agency of a valid ISO/IEC 27000 standard series certificate on information security management systems or equivalent certifications. The Agency may ask the applicants for further clarifications regarding the certification provided, any missing information to demonstrate compliance with the requirements referred to in paragraph 3 and for an update of such certification after its expiration date.

5. IIPs and RRMs shall ensure that any deficiencies identified during the review referred to in paragraph 3, point (e), are remedied.

6. IIPs shall make available to the public all information related to the alternative means of disclosure that their IIP clients can use in case of a downtime of the platform. When planned maintenance may result in disruptions, it shall be planned for time windows where minimal activity is foreseen.

7. IIP services related to the disclosure and publication of information and submission of inside information reports shall be available at least 99,5 % of the time. The same applies where IIP services or parts thereof are outsourced to external providers.

8. In the circumstance where IIP clients have been notified by the IIP of planned maintenance or unplanned downtime or other disruption in accordance with Article 18, or the IIP clients themselves notice that, exceptionally, neither the IIP nor its back-up facilities are in operation, the IIP clients may decide whether to disclose on their website the information they would have disclosed on the IIP, or to rely on another IIP for prompt disclosure, until the IIP or its back-up facilities are restored.

9. IIPs shall publish on their platform the information disclosed by their IIP clients in accordance with paragraph 8 as soon as it is technically possible after the restoration of the services.

Article 18

Planned maintenance or unplanned downtime or other disruption

1. IIPs shall establish processes to notify, on their website, their IIP clients of any planned maintenance activities impacting the availability of IIP services related to the disclosure of information and submission of inside information reports. The notification shall be made at least five working days prior to the start of the maintenance window. It shall indicate the scheduled service interruption period and shall include instructions on how to use the alternative means for the disclosure of inside information or submission of inside information reports.

IIPs shall also establish processes to notify, on their website, their IIP clients of any unplanned downtime or other disruption impacting the availability of IIP services related to the disclosure of information and submission of inside information reports. Each IIP client shall be notified individually, as soon as possible after the disruption happens, and shall be given instructions on how to use the alternative means for the disclosure of information.

2. RRMs shall establish processes to notify their RRM clients of any planned maintenance activities on the RRM’s interface or reporting system. The notification shall be made at least five working days prior to the start of the maintenance window. It shall indicate the scheduled service interruption period.

RRMs shall also establish processes to notify their RRM clients of any unplanned downtime or other disruption. The notification shall be made as soon as possible after the disruption through the channels referred to in Article 17, including the publishing of a notification on their website providing an estimated time for resuming regular service.

Where an RRM and its clients belong to the same legal entity, the RRM shall not be required to comply with the requirements set out in this paragraph.

3. IIPs and RRMs shall notify the Agency of any unplanned downtime or other disruption affecting their ability to comply with the requirements laid down in Articles 11 to 29 within 24 hours of becoming aware of the disruption. No later than one month after becoming aware of the disruption, IIPs and RRMs shall submit a report to the Agency detailing the causes of the disruption and the actions taken to prevent any reoccurrence.

4. The Agency may ask for additional information or clarifications in relation to the IIPs’ and RRMs’ compliance with the requirements set out in this Article.

SECTION II

Requirements for IIPs

Article 19

Operation of the platform

1. IIPs shall have arrangements in place to ensure the proper functioning of the platform and the disclosure of information as close to real time as technically possible.

2. IIPs shall not publish the same information twice.

3. Information on the IIP platform shall be made available at least in the English language.

4. The IIP platform shall allow for:

(a)	the filtering of disclosed information, including historical information, by relevant data categories;

(b)	the downloading of filtered information in a format that conforms to a standard structure and naming convention, in line with Annex II;

(c)	the downloading of filtered information and any further use of the downloaded information for legitimate purposes free of charge.

5. If the platform provides multiple means of accessing the disclosed information, including an application programming interface (API), the content of the information made available through each such means shall be identical.

6. IIPs shall retain all disclosed information of historical nature, including any amended or updated information and shall make it available to the public for a minimum period of five years following the conclusion of the relevant disclosed events to which the information relates.

7. IIPs shall maintain an accessible record of prior disclosures related to the same event and provide a clear and user-friendly linking functionality to previous disclosures.

Article 20

Submission of inside information reports

IIPs shall have in place a procedure and the technical means to report to the Agency, in a standard electronic format established by the Agency in line with Annex II, all information disclosed on their platform that has been successfully validated through their data validation systems, including any subsequent modifications, no later than one day following the disclosure or modification.

Article 21

Equal treatment in the provision of services

IIPs shall have in place a procedure and the technical means to provide non-discriminatory access to their services to market participants and authorities competent for emergency planning that are to ensure publication in accordance with Article 3(4), point (c), of Regulation (EU) No 1227/2011.

Article 22

Assessment of inside information reports before submission to the Agency

The IIP data validation system referred to in Article 12 shall:

(a)	detect whether the information to be disclosed has been already published by the same IIP;

(b)	detect whether the inside information report contains all the required information as specified in Annex II, and in the related manuals adopted by the Agency;

(c)	detect any data corruption the IIP might have caused while processing the inside information report;

(d)

enable the authentication of the source of information and verify the following:

(i)	the identity of the IIP client;

(ii)	the identity of any other person submitting information on behalf of the IIP client.

Article 23

Detection and correction of invalid inside information reports before submission to the Agency

1. Where data validation systems detect or identify any data inconsistencies or missing data (‘invalid data’), prior to the disclosure of the information on the IIP platform or the submission of inside information reports to the Agency, IIPs shall provide their IIP clients with detailed information regarding the validation results and shall request the clients to resubmit the information to the IIP with the necessary corrections or missing data. When receiving that information from the clients, the IIP shall submit those reports to the Agency as soon as technically possible.

2. IIPs shall maintain a register of invalid data submitted by their IIP clients and not subsequently corrected. The invalid data shall be retained for 18 months as of the date of the submission. The Agency may access the register and may notify the relevant national regulatory authorities of instances in which IIP clients submitted invalid data as well as the identity of such clients.

Article 24

Receipt of inside information reports submitted by IIPs

1. When receiving inside information reports, the Agency shall issue receipts to the IIPs. Those receipts shall include at least the following information:

(a)	the identification of the submitted inside information report;

(b)	an indication of whether the inside information report has been successfully collected by the Agency.

In case the information has not been successfully collected by the Agency due to an error, the receipt shall also indicate the information affected by the error and, if possible, the cause of the error.

2. In case the error referred to in paragraph 1, second subparagraph, is attributable to the IIP, the IIP shall resubmit the corrected inside information report within five working days. That timeline may be extended by the Agency upon request by the IIP, in duly justified cases.

3. If the error is attributable to the IIP clients, the IIP shall provide those clients with guidance on how to correct the inside information report and shall subsequently submit the corrected inside information report to the Agency within ten working days. That timeline may be extended by the Agency upon request by the IIP, in duly justified cases. IIPs shall implement automated alert systems capable of performing the following actions:

(a)	notify the IIP clients of the Agency’s receipt;

(b)	make available to the IIP client a copy of the IIP client’s inside information reports as submitted to the Agency.

4. By way of derogation from Article 12(3), for the purposes of ensuring timely and efficient disclosure of information, the IIP may publish and submit inside information reports to the Agency that may require further clarifications from the IIP client, provided that the content in the reports is relevant for market participants’ trading choices according to Regulation (EU) No 1227/2011. In such cases, the information in the report shall be flagged by the IIP upon the publication and submission of the report to the Agency. In case the information needs to be corrected following the Agency’s indication, IIPs shall collaborate with their IIP clients to correct it. Once the information is corrected, IIPs shall republish it and resubmit it to the Agency as soon as it is technically possible.

Article 25

Obligation to provide IIP services on a reasonable commercial basis

IIPs may establish and charge fees for the provision of their services at a reasonable and commercially justified level. Such fees shall be determined in a manner that reflects the actual costs incurred by the IIPs in collecting and disseminating the inside information, including the costs of ensuring timely disclosure of information and the provision of back-up solutions to ensure continuity of the service.

SECTION III

Requirements for RRMs

Article 26

Assessment of data records before submission to the Agency

The RRM data validation system referred to in Article 12 shall:

(a)	detect whether the data record contains all the required information as set out in Implementing Regulation (EU) 2026/256 and in the related manuals adopted by the Agency;

(b)	detect any data corruption that the RRM might have caused while processing the data record;

(c)

enable the authentication of the source of information and verify the following:

(i)	the identity of the RRM client;

(ii)	the identity of any other person submitting information on behalf of the RRM client.

Where an RRM and its clients belong to the same legal entity, the RRM does not need to comply with the obligation set out in point (c).

Article 27

Detection and correction of invalid data records before submission to the Agency

1. Where data validation systems detect or identify any data inconsistencies or missing data (‘invalid data’) prior to the reporting of data records to the Agency, RRM shall provide their RRM clients with detailed information regarding the validation results and shall request their RRM clients to resubmit the data records to the RRM with the necessary corrections or missing data. When receiving that information from the clients, the RRM shall submit those records to the Agency as soon as technically possible.

Where the RRM and its clients belong to the same legal entity, the RRM shall submit the data records to the Agency with the necessary corrections or missing data as soon as technically possible in cases where its data validation system detects or identifies any invalid data prior to the reporting of data records to the Agency.

2. RRMs shall maintain a register of invalid data submitted by their RRM clients and not subsequently corrected. The invalid data shall be retained for 18 months as of the date of the submission. The Agency may access the register and may notify the relevant national regulatory authorities of instances in which RRM clients submitted invalid data as well as the identity of such clients.

Where an RRM and its clients belong to the same legal entity, the RRM shall maintain a register of invalid data submitted by their RRM clients and not subsequently corrected. The invalid data shall be retained for 18 months as of the date of the submission. The Agency may access the register and may notify the relevant national regulatory authorities of instances in which RRM clients submitted invalid data as well as the identity of such clients.

Article 28

Data reconciliation

1. RRMs shall reconcile the data records received from their RRM clients that are related to transactions other than orders to trade in the wholesale energy market and that are concluded or executed on an organised market place. The reconciliation shall be carried out by verifying whether they have received a corresponding data record related to the other party to the transaction, provided that all of the following conditions are met:

(a)	the transaction was concluded at an organised market place on whose behalf the RRM is reporting data pursuant to Article 8(1a) of Regulation (EU) No 1227/2011;

(b)	the transaction was not concluded as a result of single intraday coupling, an auction, or primary capacity allocation;

(c)	the data record has not been categorised as erroneous by the RRM client.

2. Prior to submitting the data record to the Agency, RRMs shall, for those transactions for which reconciliation pursuant to paragraph 1 was not successful, communicate to the organised market place the following values in accordance with Article 7 of Implementing Regulation (EU) 2026/256:

(a)	‘Unique Transaction Identifier’;

(b)	‘ID of the market participant or counterparty’;

(c)	‘Transaction timestamp’.

3. Prior to submitting the data record to the Agency, RRMs shall request that the organised market place provide the missing corresponding data records from the other party to the transaction.

Article 29

Receipt of data records submitted by RRMs

1. The Agency shall issue receipts of reported data records to RRMs. Those receipts shall include at least the following information:

(a)	the identification of the reported data record;

(b)	an indication of whether the data record has been successfully collected by the Agency.

In case the data record has not successfully been collected by the Agency due to an error, the receipt shall also indicate the data affected by the error and, if possible, the cause of the error.

2. In case the error referred to in paragraph 1, second subparagraph, is attributable to the RRM, the RRM shall resubmit the corrected data record to the Agency within five working days. That timeline may be extended by the Agency upon request by the RRM, in duly justified cases.

3. If the error is attributable to the RRM clients, the RRMs shall provide them with guidance on how to correct the data record and subsequently submit the corrected data record to the Agency within ten working days. That timeline may be extended by the Agency upon request by the RRM, in duly justified cases. RRMs shall implement automated alert systems that are capable of performing the following actions:

(a)	notify the RRM clients of the Agency’s receipt;

(b)	make available to the RRM client a copy of the RRM client’s data records as reported to the Agency.

4. The copy of the RRM client’s data record and the Agency’s receipts related to LNG market data shall be made available to the RRM client as soon as possible after it is received from the Agency.

5. RRMs shall act as single points of contact between the Agency and their RRM clients by establishing communication channels with their RRM clients and shall ensure that the RRM clients are informed of any non-compliance or missing data.

6. By way of derogation from paragraph 5, the Agency may directly contact the RRM clients in case clarifications and corrections are needed with regard to reported LNG market data.

7. RRMs that do not have clients and report data records to the Agency solely on their own behalf shall not be required to comply with paragraphs 3, 4 and 5.

CHAPTER IV

SUPERVISION

Article 30

Compliance monitoring and assessment

Upon request by the Agency, IIPs and RRMs shall provide, within the timeframe indicated by the Agency, information necessary for the assessment of their continued compliance with this Regulation and with Regulation (EU) No 1227/2011. The timeframe for the submission of information shall be reasonable and proportionate to the request. The Agency may also request information regarding the IIP client or RRM client on whose behalf the IIP or the RRM is reporting. In such case, the IIP or RRM shall liaise with the relevant IIP client or RRM client to the extent necessary to obtain the requested information.

Article 31

Material changes after authorisation

1. When IIPs or RRMs or their IIP clients or RRM clients initiate material changes as referred to in Article 6(3), the IIPs or RRMs shall notify the Agency of such changes no later than ten working days after the change has taken place. The notification shall describe the change in detail and be accompanied by the relevant supporting documents as referred to in Article 4, insofar as those documents have been amended.

2. RRMs shall also notify the Agency of any changes to the reported volumes, prior to their implementation.

3. The Agency shall respond to the IIP or RRM within 15 working days, informing them whether the change is in compliance with the requirements set out in this Regulation and in Regulation (EU) No 1227/2011, or whether any additional information or action is required. Where the IIP or RRM is no longer compliant with any of the requirements set out in this Regulation and in Regulation (EU) No 1227/2011 as a result of a material change, the Agency may adopt a decision pursuant to Article 34.

Article 32

Non-compliance detection and consequences

1. If the Agency, acting on its own initiative or following the submission of information by a third party, considers that an IIP or RRM has not followed any of the requirements set out in this Regulation or in Regulation (EU) No 1227/2011, it may contact the concerned IIPs or RRMs and require that they undertake all following actions:

(a)	take the necessary measures to comply with the requirements of this Regulation or of Regulation (EU) No 1227/2011 as soon as possible, mitigate the effects of such conduct, and implement measures to prevent similar occurrences in the future;

(b)	provide the Agency with explanations of their conduct and, to the extent relevant, inform the Agency of the measures taken to mitigate the effects of such conduct as well as the measures implemented to prevent similar occurrences in the future;

(c)

inform the IIP clients and the RRM clients and any persons who have or may have been impacted by the IIP’s or RRM’s conduct, detailing the nature of such conduct, and, to the extent relevant, inform the IIP client and the RRM client of the measures taken to mitigate the effects of such conduct as well as the measures implemented to prevent similar occurrences in the future.

2. In cases where the IIP’s or RRM’s conduct poses a risk to the secure exchange and handling of information or the operational availability of the Agency’s information system, the Agency may suspend data collection from IIPs and RRMs on a temporary basis. In such case, the Agency shall notify the IIPs and RRMs in writing, explaining the reasons for, and the indicative duration of, the suspension. The suspension may last until the risk is effectively mitigated.

Article 33

Annual reporting by RRMs

1. The annual report to be submitted to the Agency pursuant to Article 9a(2) of Regulation (EU) No 1227/2011 shall cover all activities conducted during a full calendar year (the ‘reference year’) and shall be submitted to the Agency in an electronic format. The first reference year shall be the full calendar year following authorisation. The annual reports shall be submitted no later than the 31 March of the year following the reference year.

2. The annual report shall provide the following information for the reference year:

(a)	the number of invalid data records that were not submitted to the Agency, including the identity of the relevant market participants;

(b)	the number of instances of invalid data records for which the RRM followed up with its respective RRM clients in order to correct the data record in accordance with Article 27;

(c)	in case of bilateral trades, the list of market participants who are not RRM clients, but who are the counterparties of RRM clients in the respective bilateral trades.

3. The annual report shall be signed by a legal representative of the RRM.

4. The Agency may request RRMs to amend their annual report, in case it does not include all the elements set out in this Article. Such request shall specify the missing information or the clarifications that the Agency needs based on the submitted information. The RRM shall amend the annual report accordingly and resubmit it within 30 working days from the receipt of the request.

CHAPTER V

WITHDRAWAL OF AN AUTHORISATION AND ORDERLY SUBSTITUTION

SECTION I

Common provisions on withdrawal

Article 34

Withdrawal decision

1. The Agency may adopt a decision withdrawing an IIP authorisation and remove it from the public register where the IIP:

(a)	does not make use of the authorisation within 12 months from the date on which the authorisation was issued;

(b)	expressly renounces the authorisation or has provided no services in the six months from the date on which the authorisation was issued;

(c)	obtained the authorisation by making false statements or by any other irregular means;

(d)	no longer meets the requirements for authorisation set out in Article 4a of Regulation (EU) No 1227/2011 and in this Regulation;

(e)	has seriously and systematically infringed Regulation (EU) No 1227/2011 without bringing the infringement to an end.

2. The Agency may adopt a decision withdrawing a RRM authorisation and remove it from the public register where the RRM:

(a)	does not make use of the authorisation within 18 months from the date on which the authorisation was issued;

(b)	expressly renounces the authorisation or has provided no services in the 18 months from the date on which the authorisation was issued;

(c)	obtained the authorisation by making false statements or by any other irregular means;

(d)	no longer meets the requirements for authorisation set out in Article 9a of Regulation (EU) No 1227/2011 and in this Regulation;

(e)	has seriously and systematically infringed Regulation (EU) No 1227/2011.

3. In the decision pursuant to paragraphs 1 or 2, the Agency shall indicate the period for orderly substitution pursuant to Article 39 of this Regulation, state the reasons for the withdrawal and outline the IIP’s or RRM’s legal remedies in accordance with Articles 28 and 29 of Regulation (EU) 2019/942.

Article 35

Procedure for withdrawal on the initiative of the Agency

1. Prior to the issuance of any withdrawal decision and the related preliminary assessment, the Agency may request IIPs and RRMs to provide all information necessary for the Agency to assess whether that IIP or RRM has met any of the conditions set out in in Article 34(1) or (2) respectively. The Agency shall state the legal basis and the purpose of the request, specify what information is requested and indicate the time limit within which the IIP or RRM shall submit the requested information.

2. Prior to replying to the preliminary assessment pursuant to paragraph 1, the IIP or RRM shall have the right, upon request, to access the documents on which the Agency has based its preliminary assessment, with the exception of business secrets, confidential information and internal documents of the Agency.

3. The Agency shall base its withdrawal decision on a preliminary assessment on whether the concerned IIP or RRM has met any of the conditions set out in Article 34(1) or (2), respectively, as indicated in paragraph 1. The Agency shall give the IIP or RRM concerned the opportunity to comment in writing on the preliminary assessment within a certain time limit. In determining such time limit, the Agency shall have due regard to the urgency, complexity and potential consequences of the matter at hand, and shall ensure that the time limit is proportionate to the circumstances of the case.

4. Following the IIP’s or RRM’s reply to the preliminary assessment pursuant to paragraph 3 and prior to the Agency adopting a decision, the Agency shall organise an oral hearing upon a written request of the IIP or RRM concerned. Such request for a hearing shall be submitted no later than 20 working days following the granting of access to the documents as set out in paragraph 2, or, in case the IIP or RRM has not exercised its right pursuant to paragraph 2, one month from the notification of the Agency’s preliminary assessment to the concerned IIP or RRM. In case no written request for an oral hearing is made, the Agency may organise one on its own initiative.

5. The Agency shall base its decision only on findings on which the IIP or RRM had the opportunity to express its views, either via written replies or, to the extent applicable, via additional clarifications in writing or during the oral hearing.

6. In the event that during the course of the procedure pursuant to this Article, the concerned IIP or RRM notifies the Agency of its intention to expressly renounce its authorisation, the Agency may decide to discontinue that procedure and instead apply the procedure set out in Article 36.

Article 36

Procedure for withdrawal at the request of IIPs and RRMs

1. IIPs and RRMs that intend to renounce their authorisation shall notify the Agency of that intention, indicating the following:

(a)	the proposed timeframe for the orderly transfer and substitution of their functions, which shall be at least six months;

(b)	the reasons for renouncing the authorisation;

(c)	the concrete steps they plan to undertake to implement the orderly substitution.

2. Upon receipt of the notification referred to in paragraph 1, the Agency may request additional information or clarifications related to the notification. The Agency shall set a time limit within which the IIP or the RRM is to reply in writing. In determining such time limit, the Agency shall have due regard to the urgency, complexity and potential consequences of the matter at hand, and shall ensure that the time limit is proportionate to the circumstances of the case.

3. The Agency’s decision on withdrawal, indicating the appropriate timing for withdrawal requested by the IIP or the RRM, shall be based solely on findings on which the IIP or the RRM had the opportunity to express its views, either in its initial notification or, to the extent applicable, in its written replies to the Agency’s requests for additional information or clarifications.

Article 37

Notifications by the Agency following the adoption of the decision on withdrawal

1. The Agency shall inform the concerned IIP or RRM of the outcome of the withdrawal procedure referred to in Articles 34, 35 and 36. Such outcome shall take the form of a decision in case of the withdrawal of the authorisation. A withdrawal decision shall be notified to the concerned IIP or RRM within five working days of its adoption.

2. In case of a withdrawal decision, the Agency shall remove the concerned IIP or RRM from the public register on the working day following the notification of the decision and shall announce such removal on the Agency’s website. The Agency shall notify all national regulatory authorities of such announcement. The Agency shall publish on its website a non-confidential version of the withdrawal decision.

SECTION II

Common provisions on orderly substitution in case of withdrawal of an authorisation

Article 38

Procedure for the orderly substitution

1. No later than two working days following the notification of a withdrawal decision, the IIP or RRM whose authorisation has been withdrawn (the ‘withdrawing IIP or RRM’) shall inform its IIP clients or RRM clients, in writing, of the arrangements and procedures to be followed for the transfer of relevant data and the redirection of reporting flows to an alternative IIP or RRM chosen by the IIP client or the RRM client. In the same communication, the withdrawing IIP or RRM shall request the relevant IIP clients or RRM clients whether, for the purpose of ensuring orderly substitution, they intend to arrange the redirection of data flow to another IIP or RRM (the ‘selected IIP or RRM’) themselves or to leave this arrangement to the withdrawing IIP or RRM.

2. In the request referred to in paragraph 1, the withdrawing IIP or RRM shall ask for the following details:

(a)	the legal name of the entity of the selected IIP or RRM;

(b)	the legal registered address of the selected IIP or RRM;

(c)	the contact details of the selected IIP or RRM.

3. The selected IIP or RRM shall start the relevant services for the relevant IIP client or RRM client at the latest the working day following the termination of the period for the orderly substitution, as established by the Agency’s decision, provided that the IIP client or the RRM client has signed the service agreement for the relevant IIP or RRM services.

4. The withdrawing IIP or RRM shall obtain from the relevant IIP client or RRM client the information of the selected IIP or RRM in written form within two months from the notification mentioned in paragraph 1. If the relevant IIP client or RRM client fails to do so, the Agency shall notify the national regulatory authority of the Member State where the IIP client or RRM client is registered. The notified national regulatory authority shall assess the need for possible enforcement action.

5. After the period for the orderly substitution established by the Agency has expired, the withdrawing IIP or RRM shall notify the Agency, without undue delay, of the selection made by each of their IIP clients or RRM clients. That notification shall also indicate the exact date on which the withdrawing IIP or RRM notified the relevant IIP client or RRM client in accordance with paragraph 1, as well as the date on which the information of the selected IIP or RRM was received by the withdrawing IIP or RRM.

6. During the period for the orderly substitution established by the Agency, the selected IIP or RRM shall receive the following:

(a)	the details of inside information reports or data records, as applicable, that have been reported or submitted to the Agency after the date of the adoption of the withdrawal decision;

(b)

the details of inside information reports or data records, as applicable, submitted to the Agency one year prior to the date of the adoption of the withdrawal decision and any contract related to the submission of inside information reports or data records, as applicable, that is ongoing on the date of the adoption of the withdrawal decision by the Agency;

(c)	any other information relevant to the transfer of the withdrawing IIP’s or RRM’s services to the selected IIP or RRM.

The details and information set out in the first subparagraph shall be transferred to the selected IIP or RRM by the withdrawing IIP or RRM, unless their IIP or RRM clients have indicated the intention to arrange the redirection of data flow to the selected IIP or RRM themselves. In such a case, details and information set out in the first subparagraph shall be transferred by the IIP or RRM client.

7. The withdrawing IIP or RRM shall provide its IIP clients or RRM clients, upon their request, with any additional information or clarifications with respect to the transfers referred to in paragraph 1.

8. A withdrawing RRM which is reporting data records on its own behalf shall inform the Agency, in writing and within two months from the receipt of the withdrawal decision, about its selected RRM for the purpose of ensuring orderly substitution. The notification shall include the information referred to in paragraph 2. Paragraphs 3, 5 and 6 of this Article shall apply mutatis mutandis.

Article 39

Timing for the orderly substitution

1. In its withdrawal decision, the Agency shall duly justify any deviation from the six-month period referred to in Articles 4a and 9a of Regulation (EU) No 1227/2011.

2. In exceptional circumstances, the IIP or RRM may submit a written request to the Agency for an extension of the period for the orderly substitution established in the withdrawal decision. Such request shall be duly justified and shall include the details of the exceptional circumstances preventing the IIP or the RRM from performing the orderly substitution in accordance with the time period set out by the Agency, as well as supporting evidence for such circumstances. The request shall be submitted to the Agency no later than one month prior to the end of the period for the orderly substitution as established in the withdrawal decision and shall be subject to the Agency’s approval.

CHAPTER VI

FINAL PROVISIONS

Article 40

Entry into force and application

This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.

Articles 3 to 8 and 10 to 39, including Annexes I and II, shall apply from 29 October 2027.

This Regulation shall be binding in its entirety and directly applicable in all Member States.

Done at Brussels, 30 January 2026.

For the Commission

The President

Ursula VON DER LEYEN

(1) OJ L 326, 8.12.2011, p. 1, ELI: http://data.europa.eu/eli/reg/2011/1227/oj.

(2) Regulation (EU) 2019/942 of the European Parliament and of the Council of 5 June 2019 establishing a European Union Agency for the Cooperation of Energy Regulators (OJ L 158, 14.6.2019, p. 22, ELI: http://data.europa.eu/eli/reg/2019/942/oj).

(3) Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39, ELI: http://data.europa.eu/eli/reg/2018/1725/oj).

(4) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1, ELI: http://data.europa.eu/eli/reg/2016/679/oj).

(5) Commission Implementing Regulation (EU) 2026/256 of 30 January 2026 on data reporting implementing Article 7c(2), Article 8(1a), Article 8(2) and Article 8(6) of Regulation (EU) No 1227/2011 of the European Parliament and of the Council on wholesale energy market integrity and transparency and repealing Commission Implementing Regulation (EU) No 1348/2014 (OJ L, 2026/256, 9.4.2026, ELI: http://data.europa.eu/eli/reg_impl/2026/256/oj).

(6) Regulation (EEC, Euratom) No 1182/71 of the Council of 3 June 1971 determining the rules applicable to periods, dates and time limits (OJ L 124, 8.6.1971, p. 1, ELI: http://data.europa.eu/eli/reg/1971/1182/oj).

(7) Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive) (OJ L 333, 27.12.2022, p. 80, ELI: http://data.europa.eu/eli/dir/2022/2555/oj).

ANNEX I

LEGAL ENTITY FORM

IDENTIFICATION FORM

PRIVATE LAW BODY

PRIVACY STATEMENT (https://commission.europa.eu/document/download/2230f5f6-9b83-45f3-b591-3b9258559a34_en?filename=lef_baf_prviacy_notice-en.pdf)

By submitting this form, you acknowledge that you have been informed about the processing of your personal data by the European Commission for accounting and contractual purposes.

Please use CAPITAL LETTERS and LATIN CHARACTERS when filling in the form.

ORGANISATION DETAILS

National denomination and its translation in EN or FR if existing.

Official Name	___________________________________________________________________________
Business/Trading name	___________________________________________________________________________
Abbreviation	___________________________________________________________________________
Adress of Head Office	___________________________________________________________________________
Address	___________________________________________________________________________
Postal Code	______________	City	_______________________________________________
P.O. BOX	_____________	Country	_______________________________________________
Email	___________________________________________________________________________

ORGANISATION IDENTIFIER

Legal Form	________________________________________________________________________________
Organisation type	For Profit ☐
	Non For Profit ☐			NGO ☐ Yes		☐ No
				NGO = Non-Governmental Organization, to be completed if NFPO is indicated.
Main registration number	________________________________________________________________________________
	Registration number in the national register of companies. See table with corresponding denominations by country.
Secondary registration number (if applicable)			_____________________________________________________________________
Place of Main registration			____________________		Issuing country		_______________________________
Date of Main registration			_____________________________________________________________________
VAT Number		______________________________________________________________________________

BANKING

Enter the final bank data and not the data of the intermediary bank

Account Name	________________________________________________________________________________
	This does not refer to the type of account. The account name is usually the one of the account holder. However, the account holder may have chosen to give a different name to its bank account.
IBAN/Bank account number	________________________________________________________________________________
	Fill in the IBAN Code (International Bank Account Number) if it exists in the country where your bank is established
Bank Name	________________________________________________________________________________
BIC/SWIFT code	_______________________	Branch code	________________________________________
			Only applicable for US (ABA code), for AU/NZ /BSB code) and for CA (Transit code). Does not apply for other countries.

Remark – Payment reference

Adress of the bank branch

Address	___________________________________________________________________________________
Postal code	_____________________		City	____________________________________________
P.O. BOX	_____________________		Country	____________________________________________
Account holder’s data		____________________________________________________________________________
Account holder’s name		____________________________________________________________________________
		Legal owner of the bank account

To complete if the address declared to the bank is different to the head office address

Address	____________________________________________________________________________________
Postal code	_____________________	City	__________________________________________
P.O. BOX	_____________________	Country	__________________________________________

AUTHORISED REPRESENTATIVE’S SIGNATURE AND STAMP	BANK REPRESENTATIVE’S SIGNATURE AND BANK’S STAMP
Date:
Please complete and sign this form and attach copies of official supporting documents (Resolution, law, register(s) of companies, official gazette, VAT registration, etc.)	It is preferable to attach a copy of RECENT bank statement. With a bank statement, the stamp of the bank and the signature of the bank’s representative are not required. Please note that the bank statement has to conﬁrm all the information listed above under ‘ACCOUNT NAME’, ‘IBAN/BANK ACCOUNT NUMBER’ and ‘BANK NAME’.

ISO CODE	MAIN REGISTRATION NUMBER	ISO CODE	MAIN REGISTRATION NUMBER
AT	Firmenbuchnummer (FN) ZentraleVereinregister (ZVR-Zahl) Ordnungsnummer	HR	Matični broj subjekta (MBS) Registarski broj Matični broj obrta (MBO) Registarski broj zakladnog uloška
AT		HU	Cégjegyzékszám
BE	Numéro d’entreprise – Ondernemingsnummer – Unternehmensnummer	IE	Company number Grouping registration number in Ireland
BG	Булстат (Bulstat Code) Единен идентфикационен код (ЕИК/ПИК) (Uniﬁed Identiﬁcation Code (UIC))	IT	Repertorio Economico Amministrativo (REA)
BG		LT	Kodas
CY	Αριθμός εγγραφής Αριθμός μητρώου	LU	Registre de commerce et des sociétés RCS Numéro d’immatriculation Handelsregisternummer
CZ	Identiﬁkační číslo (IČO)	LU
DE	Handelsregister Genossenschaftsregister (Nummer der Firma) Vereinsregister (Nummer des Vereins) Nummer der Partnerschaft (Partnerschaftsregister)	LV	Vienotais reģistrācijas numurs
DK	Det centrale virksomhedsregister (CVR-nummer)	MT	Registration number Register of Voluntary Organisation (Identiﬁcation number)
EE	Registrikood	NL	Kamer van Koophandel (KvK-nummer) Dossiernummer
ES	HOJA number	PL	REGON
FI	Yritys- ja yhteisötunnus (Y-tunnus) Företags- och organisationsnummer (FO-nummer) Business Identity code (Business ID)	PT	Numero de identiﬁcaçao de pessoa colectiva (NIPC)
FI		RO	Numar de ordine in registrul comertulu Numarul inscrierii in registrul special
FR	Immatriculation au registre du commerce et des sociétés (RCS) Système informatique pour le répertoire des entreprises et des établissements (SIRENE)	SE	Organisationsnummer
GB	Company number	SI	Matična številka
GR	Αριθμός Γ.Ε.ΜΗ (Γενικού Εμπορικού Μητρώου) Δικηγορικός Σύλλογος Αθηνών (Δ.Σ.Α)	SK	Identifikačné číslo organizácie (IČO)

ANNEX II

REPORTABLE DETAILS OF INSIDE INFORMATION

Field No	Field Identifier	Description
1	Message ID	The field indicates the identification code of the inside information report.
2	Event status	The field indicates the position of the inside information report and its relevance for trading decisions.
3	Type of information	The field indicates the type of inside information being disclosed.
4	Type of unavailability	The field indicates whether the unavailability event was planned or unplanned.
5	Type of event	The field indicates the type of the subject or the assets/units affected by the unavailability.
6	Date and time of publication	The field indicates the date and time when the inside information report was made publicly available.
7	Date and time of the beginning of event	The field indicates the estimated/actual starting date and time of the relevant event.
8	Date and time of the end of event	The field indicates the estimated/actual ending date and time of the relevant event.
9	Unit of measurement	The field indicates the unit of measure in which the capacity is expressed.
10	Unavailable capacity	The field indicates the unavailable capacity of the affected asset or unit due to the reported event.
11	Available capacity	The field indicates the remaining available capacity of the affected asset or unit.
12	Installed capacity (applicable for electricity unavailability)	The field indicates the nominal generating, transmission, or consumption capacity of the affected asset or unit.
13	Technical capacity (applicable for gas unavailability)	The field indicates the maximum net sustained (flow) capacity that the affected asset or unit can produce, transmit, store, or consume continuously throughout a long period of operation in normal conditions, under relevant security standards.
14	Reason for the unavailability	The field indicates the explanation of the reason(s) behind the unavailability event.
15	Remarks	The field indicates any other information that facilitates the full understanding of the potential impact of the event on wholesale energy prices.
16	Type of fuel	The field indicates the classification of electricity production types (applicable to electricity unavailability events).
17	Bidding or balancing zone	The field identifies the bidding or balancing zone(s) where the affected asset or unit is located or feeds into.
18	Affected asset or unit	The field identifies the official name of the generation or production unit, consumption unit, transmission, or other – gas or electricity – asset.
19	Affected asset or unit EIC code	The field indicates the applicable unique identifier (EIC code) of the affected asset or unit.
20	Market participant	The field indicates the official name of the market participant(s) or authority with obligations regarding the specific event under Article 4 or 3(4) of Regulation (EU) No 1227/2011, respectively.
21	Market participant ID	The field identifies the market participant(s) or authority indicated in field 20 by using a unique code.
22	Inside Information Platform ID	The field identifies the inside information platform by using a unique code.
23	Direction	The field indicates whether the outage is at the entry or exit direction in relation to a specified balancing zone, or from which of the indicated bidding zones the electricity flows.
24	Interval start	The field indicates the estimated/actual starting date and time of the sub-interval of relevant event.
25	Interval stop	The field indicates the estimated/actual ending date and time of the sub-interval of relevant event.

ELI: http://data.europa.eu/eli/reg_del/2026/255/oj

ISSN 1977-0677 (electronic edition)

Top

Choose the experimental features you want to try