(1)

It is important to ensure that collection bodies make information available on the European Single Access Point (ESAP) in a harmonised fashion, drawing to the extent possible upon existing collection procedures and infrastructures in place at Union and at national level.

(2)

Given that the aim of the technical automated validations required by Article 5(1), point (c), of Regulation (EU) 2023/2859 is to ensure a uniform quality of information in the ESAP, the collection bodies should perform those technical automated validations in a consistent manner, having regard to Article 5(10) point (a) of Regulation (EU) 2023/2859. Specifically, it is important that entities that submit information receive any rejection notification in a timely manner. The maximum period within which collection bodies should make their best efforts to notify the entities of the rejection of information should therefore be set out. In exceptional circumstances, including major accidents and errors, deliberate attacks and natural events, collection bodies should be entitled to notify the entities beyond that maximum period.

(3)

In accordance with Article 5(9) of Regulation (EU) 2023/2859, Member States may permit the collection bodies to require a qualified electronic seal to ensure appropriate levels of authenticity, integrity and non-repudiation of the information submitted to the ESAP. To facilitate the cross-border interoperability of the qualified electronic seals accompanying the information submitted to the ESAP, those seals required by a collection body should comply with the specifications set out in Commission Implementing Decision (EU) 2015/1506 (2). To ensure that the qualified electronic seal remains valid over a long period of time, it should be at conformance level Long-Term (LT) or higher. To further strengthen the authentication of the information submitted to the ESAP, the digital certificate accompanying that seal should contain, where available, the legal entity identifier code identifying the entity using that seal when such identifier complies with ISO 17442. Such information might be available in European Digital Identity Wallets as provided by Regulation (EU) No 910/2014 of the European Parliament and of the Council (3).

(4)

Directive (EU) 2019/1024 of the European Parliament and of the Council (4) aims to promote the use of standard public licences available online for re-using public sector information. The Commission’s Guidelines on recommended standard licences, datasets and charging for the re-use of documents (5) identify Creative Commons (‘CC’) licences, and in particular the most recent version (4.0) as an example of recommended standard public licences. CC licences are developed by a non-profit organisation and have become a leading licensing solution for public sector information, research results and cultural domain material across the world. Therefore, to facilitate the use and re-use of information available, it is appropriate to refer to CC public domain dedication (CC0) for all information made available by a collection body to the ESAP, except where copyright and other related rights are attached. Accordingly, with regard to the type of information covered by copyrights or other related rights, the CC Licence BY-NC-ND should be applied, in order to restrict the commercial use of that information. Collection bodies may use a licence equivalent to CC suite.

(5)

In order for the information that is collected by collection bodies to be made available to the ESAP via an application programming interface (API), certain elements of the API should be specified. Those elements include the data exchange method through which information should be provided to the ESAP, the data formats supported, the type of protocols on which the API relies, the access control applied to enable the ESAP to collect data from the designated collection bodies and the ownership of the API update or modification process. For that reason, any changes to the API should be communicated in due time, together with a clear timetable for implementation.

(6)

For any processing of personal data in the context of collecting the information for the purpose of making it accessible on ESAP, ESMA, in its capacity as data controller of ESAP, and the collection bodies, should ensure compliance with Regulations (EU) 2016/679 (6) and (EU) 2018/1725 (7) of the European Parliament and of the Council.

(7)

Directive (EU) 2023/2864 of the European Parliament and of the Council (8) and Regulation (EU) 2023/2869 of the European Parliament and of the Council (9) specify the metadata elements which entities should make available to collection bodies when submitting information. All collection bodies should make available such metadata to the ESAP, so that the relevant metadata is available for the ESAP search function. To ensure the functioning of the ESAP, collection bodies may also have to provide additional metadata, which are technical in nature, to the ESAP. To ensure convergence and facilitate implementation, the characteristics of all metadata provided to the ESAP, should be specified.

(8)

The Global Legal Entity Identifier Foundation (GLEIF) database is an online global source for open, standardised and high-quality legal entity reference data maintained by GLEIF. To ensure that the ESAP can provide a search function on the basis of the criteria set out in Article 7(3) of Regulation (EU) 2023/2859 without creating an additional burden on entities, the European Securities and Markets Authority (ESMA) and collection bodies should be able as far as possible to derive certain metadata from the GLEIF Database on the basis of the legal entity identifier referred to in Article 2 of Commission Implementing Regulation (EU) 2025/1338 (10) which is provided to them. That would limit the burden of reporting, since entities would make available metadata to the Global LEI Index and update it only where relevant, rather than providing those metadata alongside each submission to collection bodies. Those metadata include the names of the entity that submitted the information, the names of the legal person to which the information relates, and the country of the registered office of the legal person to which the information relates.

(9)

Article 5(6) Regulation (EU) 2023/2859 requires entities to identify and indicate the inclusion of personal data in the information that they submit to a collection body. The indication that the information contains personal data is to be provided to ESAP by means of metadata accompanying the submitted information; ESMA should ensure that such information is not retained or made accessible on ESAP for more than five years, unless otherwise specified in the relevant Union law.

(10)

To ensure that the information is valuable to users, it should be available on the ESAP as soon as possible. Therefore, the time limit for collection bodies to make available the information to the ESAP should be as short as possible and strive to limit the delay between the information being available to the public and it being accessible on the ESAP. For that purpose, the point of reference for the start of the time limit should always be the moment when information has been submitted to the collection body by an entity for the purpose of making that information accessible on the ESAP and the submission of the information has passed the technical automated validations. That time limit should be triggered only when the purpose of the submission of the information is making that information accessible on the ESAP. Therefore, where information is submitted to the competent authority for other purposes, including approval of that information or where a document cannot be made available to the public before a specified point in time in the future, that information should not be deemed to have been submitted to the collection body for the purpose of making it accessible on the ESAP. The time limits should be without prejudice to other obligations that might apply to collection bodies stemming from other Union legislative acts, including the obligation to perform additional data validations or the obligation to make information accessible to ESMA within other time limits than those specified in this Regulation. In duly justified exceptional circumstances, including major accidents, errors, deliberate attacks and natural events, collection bodies should be entitled to provide the information beyond the specified time limits, provided that ESMA is duly informed. Since that process cannot be carried out fully automatically, collection bodies should not be required to inform ESMA of such circumstances outside of their working hours.

(11)

In light of the current technological options and of the formats used for the preparation of the information in scope of the ESAP, the collection bodies should accept information in HTML, PDF and txt format as data extractable as long as the text contained therein can be extracted. The collection bodies should accept information in XBRL, XBRL-xml, XBRL-csv and XML and Inline XBRL formats as machine readable because software applications can easily identify, recognise and extract specific data contained therein. Those formats should be included in the indicative list of acceptable formats because those are the formats currently required for disclosure frameworks in scope of the ESAP. That list is, however, not restrictive and therefore additional data extractable and machine-readable formats should be accepted for information in the scope of the ESAP. Since machine-readable formats also fulfil the requirements of data extractability, all machine-readable formats should also be accepted as data extractable formats.

(12)

This Regulation is based on the draft implementing technical standards submitted to the Commission by ESMA, the European Banking Authority and the European Insurance and Occupational Pensions Authority.

(13)

ESMA, the European Banking Authority and the European Insurance and Occupational Pensions Authority have conducted open public consultations on the draft implementing technical standards on which this Regulation is based, analysed the potential related costs and benefits and requested the advice of the Banking Stakeholder Group established in accordance with Article 37 of Regulation (EU) No 1093/2010 of the European Parliament and of the Council (11), the Insurance and Reinsurance Stakeholder Group established in accordance with Article 37 of Regulation (EU) No 1094/2010 of the European Parliament and of the Council (12), and the Securities and Markets Stakeholder Group established in accordance with Article 37 of Regulation (EU) No 1095/2010 of the European Parliament and of the Council (13).

(14)

The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 and delivered formal comments on 29 April 2025.

(15)

Having regard to Article 23a of Directive 2004/109/EC, Article 11a of Regulation (EU) No 236/2012 of the European Parliament and of the Council (14) and Article 21a of Regulation (EU) 2017/1129 of the European Parliament and of the Council (15), this Regulation should apply at the latest from 10 July 2026,

(a)

allow collection bodies to make available the information, the accompanying metadata for that information and, where required, the qualified electronic seal to the ESAP and receive feedback on the data exchanged;

(b)

support the formats for the information specified in Article 7;

(c)

support the formats for the metadata specified in Article 5;

(d)

rely on secure internet protocols, including SFTP or HTTPS to exchange data via the transfer of files;

(e)

allow the European Securities and Markets Authority (ESMA) to implement access control procedures; and

(f)

incorporate any changes or update requested by ESMA to ensure compliance with points (a) to (e).