1.A CSD shall have a business continuity policy and associated disaster recovery plan that is:
(a)approved by the management body;
(b)subject to audit reviews that shall be reported to the management body.
2.A CSD shall ensure that the business continuity policy:
(a)identifies all its critical operations and IT systems and provides for a minimum service level to be maintained for those operations;
(b)includes the CSD's strategy and objectives to ensure the continuity of operations and systems referred to in point (a);
(c)takes into account any links and interdependencies to at least:
users;
critical utilities and critical service providers;
other CSDs;
other market infrastructures;
(d)defines and documents the arrangements to be applied in the event of a business continuity emergency or major disruption of the CSD's operations in order to ensure a minimum service level of critical functions of the CSD;
(e)identifies the maximum acceptable period of time which critical functions and IT systems may be out of use.
3.A CSD shall take all reasonable steps to ensure that settlement is completed by the end of the business day even in case of a disruption, and that all the users' positions at the time of the disruption are identified with certainty in a timely manner.