CHAPTER XOPERATIONAL RISKS(Article 45(1) to (6) of Regulation (EU) No 909/2014)
SECTION 4 Business continuity
Article 76Strategy and policy
1.
A CSD shall have a business continuity policy and associated disaster recovery plan that is:
(a)
approved by the management body;
(b)
subject to audit reviews that shall be reported to the management body.
2.
A CSD shall ensure that the business continuity policy:
(a)
identifies all its critical operations and IT systems and provides for a minimum service level to be maintained for those operations;
(b)
includes the CSD's strategy and objectives to ensure the continuity of operations and systems referred to in point (a);
(c)
takes into account any links and interdependencies to at least:
- (i)
users;
- (ii)
critical utilities and critical service providers;
- (iii)
other CSDs;
- (iv)
other market infrastructures;
(d)
defines and documents the arrangements to be applied in the event of a business continuity emergency or major disruption of the CSD's operations in order to ensure a minimum service level of critical functions of the CSD;
(e)
identifies the maximum acceptable period of time which critical functions and IT systems may be out of use.
3.
A CSD shall take all reasonable steps to ensure that settlement is completed by the end of the business day even in case of a disruption, and that all the users' positions at the time of the disruption are identified with certainty in a timely manner.