eu-regulations

{ "id": "DORA_RTS_OVERSIGHT", "full_name": "Commission Delegated Regulation (EU) 2025/295 - Harmonization of Oversight Activities Conditions", "celex_id": "32025R0295", "eur_lex_url": "https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32025R0295", "articles": [ { "number": "1", "text": "Information to be provided by ICT third-party service provider in the application to be designated as critical\n\n1.   The information and communication technology (ICT) third-party service provider shall submit the following information in the reasoned application for a voluntary request under Article 31(11) of Regulation (EU) 2022/2554 to be designated as critical pursuant to Article 31(1), point (a), of Regulation (EU) 2022/2554:\n\n(a)\n\nname of the legal entity;\n\n(b)\n\nlegal entity identification code;\n\n(c)\n\nname of contact person and contact details of the critical ICT third-party service provider;\n\n(d)\n\ncountry where the legal entity has registered office;\n\n(e)\n\ndescription of the corporate structure including at least information on its parent company and other related undertakings providing ICT services to Union financial entities. That information shall include where applicable;\n\n(i)\n\nname of the legal entities;\n\n(ii)\n\nlegal entity identification code;\n\n(iii)\n\ncountry where the legal entity has registered office;\n\n(f)\n\nan estimation of the market share of the ICT third-party service provider in the Union financial sector and estimation of the market share per type of financial entity as referred to in Article 2(1) of Regulation (EU) 2022/2554 as of the year of submission of the application to be designated as critical and the year before that application;\n\n(g)\n\na description of each ICT service provided to Union financial entities including:\n\n(i)\n\na description of the nature of business and the type of ICT services provided to financial entities;\n\n(ii)\n\na list of the functions of financial entities supported by the ICT services provided, where available;\n\n(iii)\n\ninformation whether the ICT services provided to financial entities support critical or important functions, where available;\n\n(h)\n\na list of financial entities that make use of the ICT services provided by the ICT third-party service provider, including the following information for each of the financial entity serviced, where available:\n\n(i)\n\nname of the legal entity;\n\n(ii)\n\nlegal entity identification code, where known to the ICT third-party service provider;\n\n(iii)\n\ntype of financial entity as specified in Article 2(1) of Regulation (EU) 2022/2554;\n\n(iv)\n\nthe geographic location from which the ICT services are provided to that specific legal entity;\n\n(i)\n\na list of the critical ICT third-party service providers included in the latest available list of such providers published by the ESAs pursuant to Article 31(9) of Regulation (EU) 2022/2554 that rely on the services provided by the applicant where available;\n\n(j)\n\na self-assessment as regards the following:\n\n(i)\n\nthe degree of substitutability for each ICT service provided by the applicant considering the following:\n\n—\n\nthe market share of the ICT third-party service provider in the Union financial sector;\n\n—\n\nthe number of known relevant competitors per type of ICT services, or group of ICT services;\n\n—\n\ndescription of specificities relating to the ICT services offered, including in relation to any proprietary technology, or the specific features of the ICT third-party service provider’s organisation or activity;\n\n(ii)\n\nknowledge about the availability of the alternative ICT third-party service providers to provide the same ICT services as the ICT third-party service provider submitting the application;\n\n(k)\n\ninformation on a future business strategy in relation to the provision of ICT services and infrastructure to financial entities in the Union, including any planned changes in the group or management structure, entry into new markets or activities;\n\n(l)\n\nidentification of the subcontractors of the ICT third-party service provider which have been designated as critical ICT third-party service providers;\n\n(m)\n\nany other reasons relevant for the ICT third-party service provider’s application to be designated as critical.\n\n2.   Where the ICT third-party service provider belongs to a group, the information referred to in paragraph 1 shall be provided in relation to the ICT services provided by the group as a whole." }, { "number": "2", "text": "Content, structure and format of the information to be submitted, disclosed or reported by critical ICT third-party service providers\n\n1.   Critical ICT third-party service providers shall provide to the Lead Overseer, upon its request, any information that is necessary by the Lead Overseer to carry out its oversight duties in accordance with the requirements of Regulation (EU) 2022/2554.\n\n2.   The information referred to in paragraph 1 includes, inter alia, the following:\n\n(a)\n\ninformation about the arrangements, and copies of contractual documents, between:\n\n(i)\n\nthe critical ICT third-party service provider and the financial entities referred to in Article 2(1) of Regulation (EU) 2022/2554;\n\n(ii)\n\nthe critical ICT third-party service provider and its subcontractors with a view to capture the technological value chain of the ICT services provided to the financial entities in the Union;\n\n(b)\n\ninformation about the organisational and group structure of the critical ICT third-party service provider, including identification of all entities belonging to the same group that directly or indirectly provide ICT services to financial entities in the Union;\n\n(c)\n\ninformation about the major shareholders, including their structure and geographical spread, of any of the following:\n\n(i)\n\nentities that hold, solely or jointly with their linked entities, 25 % or more of the capital or voting rights of the critical ICT third-party service provider;\n\n(ii)\n\nentities that hold the right to appoint or remove a majority of the members of the administrative, management, or supervisory body of the critical ICT third-party service provider;\n\n(iii)\n\nentities that control, pursuant to an agreement, a majority of shareholders’ or members’ voting rights in the critical ICT third-party service provider;\n\n(d)\n\ninformation about the critical ICT third-party service provider’s market share per type of services, in the relevant markets where it operates;\n\n(e)\n\ninformation about the internal governance arrangements of the critical ICT third-party service provider, including the structure with lines of governance responsibility and accountability rules;\n\n(f)\n\nthe meeting minutes of the critical ICT third-party service provider’s management body and any other internal relevant committees, which relate in any way to activities and risks concerning ICT third-party services supporting functions of financial entities within the Union;\n\n(g)\n\ninformation about the ICT security of the critical ICT third-party service provider, including relevant strategies, objectives, policies, procedures, protocols, processes, control measures to protect sensitive data, access controls, encryption practices, incident response plans, and information about compliance with all relevant regulations and national and international standards where applicable;\n\n(h)\n\ninformation about technical and organisational measures to ensure data protection and data confidentiality, including personal and non-personal data, implemented control measures to protect sensitive data, access controls, encryption practices, data breach response plan; when in regards processing of personal data the ICT third-party service provider is subject to laws from third-countries, including third-country government access request, list of the countries and the laws applicable:\n\n(i)\n\ninformation about the mechanisms the critical ICT third-party service provider offers to the Union financial entities for data portability, application portability and interoperability;\n\n(j)\n\ninformation about the location of the data centres and ICT production centres used for the purposes of providing services to the financial entities, including a list of all relevant premises and facilities of the critical ICT third-party service provider, including outside the Union;\n\n(k)\n\ninformation about provision of services by the critical ICT third-party service provider from third countries, including information on relevant legal provisions applicable to personal and non-personal data processed by the ICT third-party service provider;\n\n(l)\n\ninformation about measures taken to address risks arising from the provision of ICT services by the critical ICT third-party service provider and their subcontractors from third-countries;\n\n(m)\n\ninformation about the risk management framework and the incident management framework, including policies, procedures, tools, mechanisms, and governance arrangements of the critical ICT third-party service provider and of its subcontractors, including list and description of major incidents with direct or indirect impact on financial entities within the Union, including relevant details to determine the significance of the incident on financial entities and assess possible cross-border impacts;\n\n(n)\n\ninformation about the change management framework, including policies, procedures, and controls of the critical ICT third-party service provider and its subcontractors;\n\n(o)\n\ninformation about the overall response and recovery framework of the critical ICT third-party service provider, including business continuity plans and related arrangements and procedures, software development lifecycle policy, response and recovery plans and related arrangements and procedures, backup policies arrangements and procedures;\n\n(p)\n\ninformation about performance monitoring, security monitoring, and incident tracking as well as information about reporting mechanisms related to service performance, incidents, and compliance with agreed-upon service level agreements (SLAs) and service level objectives (SLOs) or similar arrangements between critical ICT third-party service providers and financial entities in the Union;\n\n(q)\n\ninformation about the ICT third-party management framework of the critical ICT third-party service provider, including strategies, policies, procedures, processes, and controls including details on the due diligence and risk assessment performed by the critical ICT third-party service provider on its subcontractors before entering into an agreement with them and to monitor the relationship covering all relevant ICT and counterparty risks;\n\n(r)\n\nextractions from the monitoring and scanning systems of the critical ICT third-party service provider and of its subcontractors, covering but not limited to network monitoring, server monitoring, application monitoring, security monitoring, vulnerability scanning, log management, performance monitoring, incident management and measurements against reliability goals, such as SLOs;\n\n(s)\n\nextractions from any production, pre-production and test system or application used by the critical ICT third-party service provider and its subcontractors, to provide directly or indirectly services to financial entities in the Union;\n\n(t)\n\ncompliance and available audit reports as well as any relevant audit findings, including audits performed by national authorities in the Union and outside the Union where cooperation agreements with the relevant authorities provide for such information exchange, or certifications achieved by the critical ICT third-party service provider or its subcontractors, including reports from internal and external auditors, certifications, or compliance assessments with industry-specific standards. This includes information about any type of available independent testing of the resilience of the ICT systems of the critical ICT third-party service provider, including any type of threat led penetration testing carried out by the ICT third-party service provider;\n\n(u)\n\ninformation about any assessments carried out by the critical ICT third-party service provider upon its request or on its behalf evaluating the suitability and integrity of individuals holding key positions within the critical ICT third-party service provider;\n\n(v)\n\ninformation about any remediation plan to address recommendations pursuant to Article 3, and relevant related information to confirm remedies have been implemented;\n\n(w)\n\ninformation about available employee training schemes and security awareness programs, including, where relevant, information on investments, resources and methods of the critical ICT third-party service provider in training its staff to handle sensitive financial data and maintain high levels of security;\n\n(x)\n\ninformation about the activities of the critical ICT third-party service provider and financial statements, including information on the budget and resources related to ICT and security." }, { "number": "3", "title": "Information from critical ICT third-party service providers after the issuance of recommendations", "text": "1.   The critical ICT third-party service provider shall provide to the Lead Overseer a report containing a remediation plan in relation to the recommendations and remedies that the critical ICT third-party service provider plans to implement in order to mitigate the risks identified in the recommendations referred to in Article 35(1), point (d) of Regulation (EU) 2022/2254. The report shall be consistent with the timeline set by the Lead Overseer for each recommendation.\n\n2.   To enable the monitoring of the implementation of the actions that have been taken or the remedies that have been implemented by the critical ICT third-party service provider in relation to the recommendations received, the critical ICT third-party service provider shall share with the Lead Overseer upon request:\n\n(a)\n\ninterim progress reports and related supporting documents specifying the progress of the implementation of the actions and measures set out in the report provided by the critical ICT third-party service provider to the Lead Overseer within the timeline defined by the Lead Overseer;\n\n(b)\n\nfinal reports and related supporting documents specifying the actions that have been taken or the remedies that have been implemented by the critical ICT third-party service provider in order to mitigate the risks identified in the recommendations received." }, { "number": "4", "title": "Structure and format of information provided by critical ICT third-party service providers", "text": "1.   The critical ICT third-party service provider shall provide the requested information to the Lead Overseer through the dedicated secure electronic channels indicated by the Lead Overseer in its request and in the form set out by the Lead Overseer.\n\n2.   When providing information to the Lead Overseer, the critical ICT third-party service providers shall:\n\n(a)\n\nfollow the structure indicated by the Lead Overseer in its information request;\n\n(b)\n\nclearly locate the relevant piece of information in the submitted documentation.\n\n3.   Information submitted, disclosed or reported to the Lead Overseer by the critical ICT third-party service provider shall be in a language customary in the sphere of international finance." }, { "number": "5", "title": "Template for providing information on subcontracting arrangements", "text": "A critical ICT third-party service provider which is required to share information on subcontracting arrangements shall provide the information to the Lead Overseer according to the template set out in the Annex." }, { "number": "6", "text": "Competent authorities’ assessment of the risks addressed in the recommendations of the Lead Overseer\n\n1.   As part of their supervision of financial entities, the competent authority shall assess the impact on the financial entities of the measures taken by the critical ICT third-party service provider based on the recommendations of the Lead Overseer in accordance with the principle of proportionality.\n\n2.   When conducting the assessment referred to in paragraph 1, the competent authority shall take into account all of the following:\n\n(a)\n\nthe adequacy and the coherence of the corrective and remedial measures implemented by the financial entities to mitigate the risks identified in the recommendations;\n\n(b)\n\nthe assessment made by the Lead Overseer of the compliance of the critical ICT third-party service provider with the measures and actions included in the report where it has impacts on the exposure of the financial entities under its remit to the risks identified in the recommendations;\n\n(c)\n\nthe view of any other competent authorities who have been consulted in accordance with Article 42(5) of Regulation (EU) 2022/2554;\n\n(d)\n\nwhether the Lead Overseer has considered the actions and remedies implemented by the critical ICT third-party service provider as adequate to mitigate the exposure of the financial entities under its remit to the risks identified in the recommendations.\n\n3.   Upon request from the Lead Overseer, the competent authority shall provide in reasonable time the results of the assessment set out in paragraph 1. When requesting the results of this assessment, the Lead Overseer shall consider the principle of proportionality and the magnitude of risks associated with the recommendations, including the cross-border impacts of these risks when impacting financial entities operating in more than one Member State.\n\n4.   Where relevant, the competent authority shall request financial entities to provide any information necessary to carry out the assessment referred to in paragraph 1." }, { "number": "7", "title": "Entry into force", "text": "This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.\n\nThis Regulation shall be binding in its entirety and directly applicable in all Member States.\n\nDone at Brussels, 24 October 2024.\n\nFor the Commission\n\nThe President\n\nUrsula VON DER LEYEN\n\n(1)\n\nOJ L 333, 27.12.2022, p. 1, ELI: http://data.europa.eu/eli/reg/2022/2554/oj.\n\n(2)  Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39, ELI: http://data.europa.eu/eli/reg/2018/1725/oj).\n\n(3)  Regulation (EU) No 1093/2010 of the European Parliament and of the Council of 24 November 2010 establishing a European Supervisory Authority (European Banking Authority), amending Decision No 716/2009/EC and repealing Commission Decision 2009/78/EC (OJ L 331, 15.12.2010, p. 12, ELI: http://data.europa.eu/eli/reg/2010/1093/oj).\n\n(4)  Regulation (EU) No 1094/2010 of the European Parliament and of the Council of 24 November 2010 establishing a European Supervisory Authority (European Insurance and Occupational Pensions Authority), amending Decision No 716/2009/EC and repealing Commission Decision 2009/79/EC (OJ L 331, 15.12.2010, p. 48, ELI: http://data.europa.eu/eli/reg/2010/1094/oj).\n\n(5)  Regulation (EU) No 1095/2010 of the European Parliament and of the Council of 24 November 2010 establishing a European Supervisory Authority (European Securities and Markets Authority), amending Decision No 716/2009/EC and repealing Commission Decision 2009/77/EC (OJ L 331, 15.12.2010, p. 84, ELI: http://data.europa.eu/eli/reg/2010/1095/oj).\n\nANNEX\n\nTEMPLATE FOR SHARING INFORMATION ON SUBCONTRACTING ARRANGEMENTS\n\nInformation Category\n\nKey Information Elements\n\nGeneral Information\n\n—\n\nName of the critical ICT third-party service provider.\n\n—\n\nIdentification code of the critical ICT third-party service provider.\n\n—\n\nName of contact person and contact details of the critical ICT third-party service provider.\n\n—\n\nDate of submission of the template.\n\nOverview of Subcontracting Arrangements\n\n—\n\nMapping of the subcontracting arrangements, including a short description of the purpose and scope of the subcontracting relationships (including an indication on the level of criticality or importance of the subcontracting arrangements for the critical ICT third-party service provider).\n\n—\n\nSpecification and description of the types of ICT services subcontracted and their significance to the ICT services provided to financial entities, in line with the implementing technical standards adopted pursuant to Article 28(9) of Regulation (EU) 2022/2554.\n\n—\n\nWhen specifying the types of ICT services, please refer to the list in Annex IV of the implementing technical standards adopted pursuant to Article 28(9) of Regulation (EU) 2022/2554.\n\nSubcontractors’ Information\n\n—\n\nName and legal entity details (including identification code) of each subcontractor.\n\n—\n\nContact information of the staff members responsible for each of the subcontracting relationships in the critical ICT third-party provider management structure.\n\n—\n\nOverview for each subcontractor of the expertise, experience and qualifications related to the contracted ICT services.\n\nDescription of Services Provided by Subcontractors\n\n—\n\nDetailed description of the specific ICT services provided by each subcontractor.\n\n—\n\nBreakdown of the responsibilities and tasks allocated to subcontractors by detailing the different roles in the different stages of the ICT processes.\n\n—\n\nInformation on the level of access subcontractors have to personal or otherwise sensitive data or systems regarding the ICT services provided to financial entities.\n\n—\n\nInformation on the sites from which the services of subcontractors are provided and on the measures taken to address risks arising from services provided outside the Union.\n\nSubcontracting Governance and Oversight\n\n—\n\nDescription of the contractual and governance framework in place to manage subcontracting relationships, including clauses restricting the usage of sensitive data.\n\n—\n\nExplanation of the processes for selecting, engaging and monitoring subcontractors.\n\n—\n\nOverview of performance metrics, service level objectives and agreements, and key performance indicators used to assess subcontractor’s performance and reliability monitoring.\n\nRisk Management and Compliance\n\n—\n\nAssessment of the subcontractor’s risk profiles and potential impact on the ICT services provided to financial entities.\n\n—\n\nExplanation of the risk mitigation measures implemented to address subcontracting-related risks.\n\n—\n\nDetails of subcontractor’s compliance with relevant regulations, including on data protection and industry standards.\n\nBusiness Continuity and Contingency Planning\n\n—\n\nOverview of the subcontractor’s business continuity and response and recovery plans.\n\n—\n\nDescription of the arrangements in place to ensure service continuity in case of disruptions or termination by the subcontractor.\n\n—\n\nFrequency of tests of the business continuity plans and response and recovery plans by the subcontractors, dates of the latest tests over the past 3 years, and specification if the critical ICT third-party service provider has been involved in those tests.\n\nReporting\n\n—\n\nDescription of the reporting mechanisms and frequency of reporting between the critical ICT third-party service provider and its subcontractors.\n\nRemediation and Incident Management\n\n—\n\nOutline of the procedures for addressing subcontractor-related incidents, breaches or non-compliance.\n\nCertifications and Audits\n\n—\n\nInformation on any certifications, independent audits or assessments conducted on subcontractors to validate their security controls, quality standards or regulatory compliance.\n\n—\n\nDate and frequency of the audits of the subcontractors conducted by the critical ICT third-party service provider.\n\nELI: http://data.europa.eu/eli/reg_del/2025/295/oj\n\nISSN 1977-0677 (electronic edition)\n\n////////////////////////$(document).ready(function(){generateTOC(true,'', 'Top','false');scrollToCurrentUrlAnchor();});" } ], "definitions": [], "recitals": [ { "recital_number": 1, "text": "The framework on digital operational resilience for the financial sector established by Regulation (EU) 2022/2554 introduces a Union oversight framework for the information and communication technology (ICT) third-party service providers to the financial sector designated as critical in accordance with Article 31 of that Regulation." }, { "recital_number": 2, "text": "An ICT third-party service provider which decides to submit a voluntary request to be designated as critical should provide the receiving European Supervisory Authority (ESA) with all the necessary information to demonstrate its criticality according to the principles and criteria set out in Regulation (EU) 2022/2554. For this reason, the information to be included in the voluntary request application should be sufficiently detailed and complete to enable a clear and complete assessment of criticality under Article 31(11) of that Regulation. The relevant ESA should reject any incomplete application and request the missing information." }, { "recital_number": 3, "text": "The legal identification of ICT third-party service providers within the scope of this Regulatory Technical Standard should be aligned with the identification code set out in Commission Implementing Regulation adopted in accordance with Article 28(9) from Regulation (EU) 2022/2554." }, { "recital_number": 4, "text": "As a follow-up to the recommendations issued by the Lead Overseer to critical ICT third-party service providers, the Lead Overseer should monitor critical ICT third-party service providers’ compliance with the recommendations. With a view to ensure efficient and effective monitoring of the actions that have been taken or the remedies that have been implemented by the critical ICT third-party service providers in relation to these recommendations, the Lead Overseer should be able to require the reports referred to in Article 35(1), point (c), of Regulation (EU) 2022/2554, which should be intended as interim progress reports and final reports." }, { "recital_number": 5, "text": "For the purpose of the assessment specified in Article 42(1) of Regulation (EU) 2022/2554, according to which Lead Overseer is obliged to evaluate whether the explanation provided by critical ICT third-party service provider is sufficient, the notification to the Lead Overseer by the critical ICT third-party service provider of its intention to follow the recommendations received should be complemented by a description of the actions and measures that have been taken to mitigate the risks outlined in the recommendations, along with their respective deadlines. Such explanation should take the form of a remediation plan." }, { "recital_number": 6, "text": "As the Lead Overseer is expected to assess the subcontracting arrangements of the critical ICT third-party service provider, a template needs to be developed for providing information on those arrangements. The template should take into account the fact that the critical ICT third-party service providers have different structures than financial entities." }, { "recital_number": 7, "text": "Once the recommendations to a critical ICT third-party service provider are issued by the Lead Overseer, and competent authorities have informed the relevant financial entities of the risks identified in that recommendations, the Lead Overseer should monitor and assess the implementation by the critical ICT third-party service provider of the actions and remedies to comply with the recommendations. Competent authorities should monitor and assess the extent to which the financial entities are exposed to the risks identified in these recommendations. With a view to maintain a level playing field while carrying out their respective tasks, particularly when the risks identified in the recommendations are severe and shared among a large number of financial entities in multiple Member States, both the competent authorities and the Lead Overseer should share among each other any relevant findings which are necessary for them to carry out their respective tasks. The objective of the information sharing is to ensure that the feedback of the Lead Overseer to the critical ICT third-party service provider in relation to the actions and remedies the latter is implementing takes into account the impact on the risks of the financial entities, and that the supervisory activities performed by the competent authorities are informed by the assessment carried out by the Lead Overseer." }, { "recital_number": 8, "text": "To allow for an efficient and effective sharing of information, the competent authorities should assess, as part of their supervisory activities, the extent to which the financial entities supervised by them are exposed to the risks identified in the recommendations. This assessment should be carried out in a proportionate and risk-based manner. The Lead Overseer should request the competent authorities to share the results of this assessment in the specific cases when the risks associated with the recommendations are severe and shared among a large number of financial entities in multiple Member States. To make the best use of the resources of the competent authorities, when asking to provide the results of this assessment, the Lead Overseer should always take into account that the objective of these requests is to evaluate the implementation of actions and remedies of the critical ICT third-party service providers." }, { "recital_number": 9, "text": "The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 of the European Parliament and of the Council (2) and delivered an opinion on 22 July 2024." }, { "recital_number": 10, "text": "This Regulation is based on the draft regulatory technical standards submitted to the Commission by the ESAs." }, { "recital_number": 11, "text": "The Joint Committee of the ESAs has conducted open public consultations on the draft regulatory technical standards upon which this Regulation is based, analysed the potential related costs and benefits and requested the advice of the Banking Stakeholder Group established in accordance with Article 37 of Regulation (EU) No 1093/2010 of the European Parliament and of the Council (3), the Insurance and Reinsurance Stakeholder Group and the Occupational Pensions Stakeholder Group established in accordance with Article 37 of Regulation (EU) No 1094/2010 of the European Parliament and of the Council (4), and the Securities and Markets Stakeholder Group established in accordance with Article 37 of Regulation (EU) No 1095/2010 of the European Parliament and of the Council (5),\n\nHAS ADOPTED THIS REGULATION:" }, { "recital_number": 11, "text": "The Joint Committee of the ESAs has conducted open public consultations on the draft regulatory technical standards upon which this Regulation is based, analysed the potential related costs and benefits and requested the advice of the Banking Stakeholder Group established in accordance with Article 37 of Regulation (EU) No 1093/2010 of the European Parliament and of the Council (3), the Insurance and Reinsurance Stakeholder Group and the Occupational Pensions Stakeholder Group established in accordance with Article 37 of Regulation (EU) No 1094/2010 of the European Parliament and of the Council (4), and the Securities and Markets Stakeholder Group established in accordance with Article 37 of Regulation (EU) No 1095/2010 of the European Parliament and of the Council (5),\n\nHAS ADOPTED THIS REGULATION:" } ], "effective_date": "2025-01-17" }