Article 7 Business continuity and back-up facilities

  (1) A data reporting services provider shall use systems and facilities that are appropriate and robust enough to ensure continuity and regularity in the performance of the services provided referred to in the Data Reporting Services Regulations 2017.

  (2) A data reporting services provider shall conduct periodic reviews, at least annually, evaluating its technical infrastructures and associated policies and procedures, including business continuity arrangements. A data reporting services provider shall remedy any deficiencies identified during the review.

  (3) A data reporting services provider shall have effective business continuity arrangements in place to address disruptive incidents, including:

    (a) the processes which are critical to ensuring the services of the data reporting services provider, including escalation procedures, relevant outsourced activities or dependencies on external providers;

    (b) specific continuity arrangements, covering an adequate range of possible scenarios, in the short and medium term, including system failures, natural disasters, communication disruptions, loss of key staff and inability to use the premises regularly used;

    (c) duplication of hardware components, allowing for failover to a back-up infrastructure, including network connectivity and communication channels;

    (d) back-up of business-critical data and up-to-date information of the necessary contacts, ensuring communication within the data reporting services provider and with clients;

    (e) the procedures for moving to and operating data reporting services from a back-up site;

    (f) the target maximum recovery time for critical functions, which shall be as short as possible and in any case no longer than six hours in the case of approved publication arrangements (APAs) and consolidated tape providers (CTPs) and until the close of business of the next working day in the case of approved reporting mechanisms (ARMs);

    (g) staff training on the operation of the business continuity arrangements, individuals' roles including specific security operations personnel ready to react immediately to a disruption of services;

  (4) A data reporting services provider shall set up a programme for periodically testing, reviewing and, where needed, modifying the business continuity arrangements.

  (5) A data reporting services provider shall publish on its website and promptly inform the competent authority and its clients of any service interruptions or connection disruptions as well as the time estimated to resume a regular service.