Article 59: Amendments to Regulation (EC) No 1060/2009
Article 59 is a “cross-regulation change” in DORA: it amends Regulation (EC) No 1060/2009, so your job is to identify whether those amendments affect your firm’s regulatory perimeter (especially if you interact with credit ratings) and then update your compliance mapping, ownership, and evidence so you can show the amended obligations are implemented. (Regulation (EU) 2022/2554, Article 59)
Key takeaways:
- Treat Article 59 as a change-management requirement: determine applicability, map impacts, assign owners, and retain proof. (Regulation (EU) 2022/2554, Article 59)
- Operationalize via a single obligation-to-control register that links legal text to controls, testing, and supervisory-ready artifacts. (Regulation (EU) 2022/2554, Article 59)
- Examiners will ask “what changed because of DORA?”; have a dated gap assessment and implementation trail. (Regulation (EU) 2022/2554, Article 59)
Article 59 is not written like a typical operational control requirement. It is a legislative “amendment hook” that changes another EU regulation: Regulation (EC) No 1060/2009. (Regulation (EU) 2022/2554, Article 59) For a Compliance Officer, CCO, or GRC lead, that means your success criterion is simple: you can explain whether the amendment affects your organization, and you can prove you updated your control framework and governance accordingly.
This is a common failure point in real programs. Teams implement the obvious DORA chapters (ICT risk management, incident reporting, resilience testing, third-party risk) but miss the cross-cutting articles that modify related regimes. Article 59 forces you to run regulatory change management with discipline: legal interpretation, applicability analysis, stakeholder sign-off, control mapping, and evidence retention.
This page gives you requirement-level implementation guidance for Article 59 and its amendments to Regulation (EC) No 1060/2009, with a practical workflow you can execute quickly, even if you are not the subject-matter expert on credit rating agencies. All citations below are limited to the provided DORA sources. (Regulation (EU) 2022/2554, Article 59; Regulation (EU) 2022/2554)
Requirement: Article 59 amendments to Regulation (EC) No 1060/2009 (what it means operationally)
Plain-English interpretation
Article 59 states that Regulation (EC) No 1060/2009 “is amended.” (Regulation (EU) 2022/2554, Article 59) Operationally, you must:
- identify the exact amendments introduced by DORA,
- decide if they apply to your entity and activities, and
- implement and evidence any resulting changes to policies, controls, disclosures, reporting, oversight, or third-party arrangements.
If you stop at “DORA amended something else,” you will fail a basic supervisory question: “Show me your assessment of the Article 59 impacts and what you changed.”
Who it applies to (entity + operational context)
Direct applicability depends on whether your organization has obligations under Regulation (EC) No 1060/2009 as amended, or relies on activities governed by it (for example, if you are a regulated financial entity that uses credit ratings in risk, investment, or regulatory reporting workflows). Article 59 is part of DORA, so it can also matter to any entity implementing DORA that must manage regulatory change across connected requirements. (Regulation (EU) 2022/2554, Article 59; Regulation (EU) 2022/2554)
Practical scoping questions to determine applicability:
- Do you consume credit ratings in prudential calculations, investment mandates, client reporting, or product governance?
- Do you contract with third parties whose services include ratings, ratings data, rating-derived analytics, or related outsourced processes?
- Do you maintain policies or procedures that reference Regulation (EC) No 1060/2009 or “CRA Regulation”?
Even if you conclude “not applicable,” you still need a documented determination and sign-off.
Regulatory text
Excerpt (provided): “Regulation (EC) No 1060/2009 is amended as follows:” (Regulation (EU) 2022/2554, Article 59)
Operator interpretation: This excerpt is a trigger for a change-control obligation. Your required action is not to “comply with a single control,” but to (a) locate the amended provisions, (b) assess applicability, and (c) align your internal governance and evidence to the amended regime. (Regulation (EU) 2022/2554, Article 59)
What an examiner expects you to have ready:
- A dated memo or ticket that identifies the amendment, the impacted business processes, and the owner accountable for remediation.
- A mapping that connects the amendment to concrete controls and artifacts, not just a legal note. (Regulation (EU) 2022/2554, Article 59)
What you actually need to do (step-by-step)
Use the workflow below. Keep it lightweight, but make it auditable.
Step 1: Capture Article 59 as a tracked regulatory change item
- Create a regulatory change record titled: “DORA Article 59 – Amendments to Regulation (EC) No 1060/2009.” (Regulation (EU) 2022/2554, Article 59)
- Assign one accountable owner (Compliance or Legal) and named supporting owners (Risk, Security, Third-Party Risk, Procurement, relevant business line).
Deliverable: Regulatory change ticket with scope, owner, due dates, and evidence fields.
Step 2: Perform applicability and impact assessment (documented)
- Identify where your firm interacts with obligations related to Regulation (EC) No 1060/2009 (policies, models, product docs, vendor contracts, data feeds).
- Determine if any DORA-driven amendments affect:
  - governance/oversight expectations,
  - documentation or recordkeeping,
  - third-party contracting,
  - reporting or information exchange with authorities.
Control point: Require Legal/Compliance sign-off on the applicability conclusion. (Regulation (EU) 2022/2554, Article 59)
Deliverable: “Applicability & Impact Assessment” memo, with references to where in your operations the regulation is touched.
Step 3: Map obligations to controls in a single register (make it inspectable)
Create (or update) an obligations register with columns like:
- Legal requirement (Article 59 amendment reference)
- Applicability (Y/N/Partial) + rationale
- Business process impacted
- Control(s) that satisfy it
- Control owner
- Evidence artifact(s)
- Testing method and frequency (your internal schedule)
- Open gaps and remediation plan
This is where tools like Daydream fit naturally: one register that links regulatory obligations to control owners and evidence requests reduces fragmentation and “tribal knowledge” risk during an exam.
Deliverable: Updated obligation-to-control mapping entry for Article 59. (Regulation (EU) 2022/2554, Article 59)
Step 4: Update operational documents and workflows where impacts exist
Based on the assessment:
- Update policies and procedures (risk management, model governance, outsourcing/third-party risk, compliance monitoring) that reference the amended regime.
- Update third-party due diligence checklists and contract templates if the amendment changes oversight expectations tied to ratings-related services.
- Add or refine compliance monitoring steps (sampling, QA checks, attestations) tied to the amended requirement.
Deliverable: Redlined policy/procedure updates and an implementation log referencing Article 59. (Regulation (EU) 2022/2554, Article 59)
Step 5: Implement a regulatory-response workflow for supervisory requests
Supervisors tend to ask cross-cutting questions: “How did you implement DORA and track connected amendments?” Build a small workflow:
- intake channel (email alias or ticket type),
- triage SLA (internal),
- data owners and backup owners,
- approval chain (Legal/Compliance),
- evidence packaging (index + hash or read-only repository).
Deliverable: Documented “Regulatory Request & Response Procedure” and an evidence index template. (Regulation (EU) 2022/2554, Article 59)
Step 6: Run readiness drills and close gaps with tracked remediation
Perform a tabletop review where you simulate an examiner request:
- “Show your Article 59 applicability analysis.”
- “Show what you changed and when.”
- “Show proof controls operate.”
Track any gaps as corrective actions with an owner and completion evidence.
Deliverable: Readiness drill notes + corrective action tracker + closure evidence. (Regulation (EU) 2022/2554, Article 59)
Required evidence and artifacts to retain
Maintain an “Article 59 evidence pack” that is easy to hand to Internal Audit or supervisors:
- Applicability & Impact Assessment memo (dated; Legal/Compliance sign-off)
- Obligation-to-control mapping entry (register export or screenshot)
- Implementation log (what changed; links to policies, procedures, controls)
- Updated documents (policies/standards/procedures; version history)
- Third-party artifacts where relevant (due diligence updates, contract addenda, governance minutes)
- Testing and monitoring evidence (control testing plan, results, remediation closure)
- Readiness drill outputs (agenda, attendees, findings, closure evidence)
Common exam/audit questions and hangups
Expect these questions and prepare short, indexed answers:
- “How did you assess Article 59 applicability?” Provide the memo, data sources used, and sign-offs. (Regulation (EU) 2022/2554, Article 59)
- “Show me the control mapping.” Auditors want traceability from the amendment to owners and evidence. (Regulation (EU) 2022/2554, Article 59)
- “What changed in your operating model?” Point to specific procedural updates, not a statement that “Legal reviewed it.”
- “How do you ensure ongoing compliance as interpretations evolve?” Show your regulatory change process and monitoring plan. (Regulation (EU) 2022/2554)
Hangups that slow teams down:
- The amendment feels “legal-only,” so execution gets stuck in Legal without operational ownership.
- Evidence lives in email. That fails under time pressure.
Frequent implementation mistakes (and how to avoid them)
| Mistake | Why it fails | How to avoid |
|---|---|---|
| Treating Article 59 as informational only | No proof of assessment or change management | Create a tracked change item with a memo, sign-offs, and mapping. (Regulation (EU) 2022/2554, Article 59) |
| “Not applicable” with no rationale | Auditors read this as incomplete | Document the business/process review and references checked. |
| No named control owners | Work falls between Compliance, Risk, and Procurement | Use a RACI with one accountable owner per impacted process. |
| Fragmented evidence | Response delays and inconsistent answers | Build an evidence index; store artifacts in a controlled repository. |
| No rehearsal | First time you assemble evidence is during an exam | Run a readiness drill; track and close gaps. |
Enforcement context and risk implications
No public enforcement cases were provided in the source catalog for Article 59, so this page does not list enforcement examples. (Regulation (EU) 2022/2554, Article 59)
Risk still matters. Article 59 sits in the “regulatory plumbing” layer: if you ignore it, you create latent non-compliance that surfaces during supervisory reviews, internal audit, or due diligence by counterparties. The operational risk pattern is predictable: unclear ownership plus incomplete evidence. (Regulation (EU) 2022/2554, Article 59)
Practical 30/60/90-day execution plan
Use this as a fast-start plan. Adjust sequencing to your governance calendar.
First 30 days (establish control over the change)
- Open a tracked regulatory change item for Article 59 and assign an accountable owner. (Regulation (EU) 2022/2554, Article 59)
- Complete an initial applicability scan across policies, key processes, and third-party contracts that reference ratings or Regulation (EC) No 1060/2009.
- Draft the Applicability & Impact Assessment memo; obtain Legal/Compliance sign-off.
By 60 days (implement what changed and make it provable)
- Update the obligation-to-control register: owners, controls, and required evidence for Article 59. (Regulation (EU) 2022/2554, Article 59)
- Remediate gaps: policy updates, third-party checklist changes, contract addenda where needed.
- Stand up the regulatory-response workflow (intake, approvals, evidence packaging). (Regulation (EU) 2022/2554, Article 59)
By 90 days (test, rehearse, and harden)
- Run a readiness drill focused on “show me the Article 59 trail.” (Regulation (EU) 2022/2554, Article 59)
- Execute control testing or compliance monitoring checks tied to the impacted processes.
- Close corrective actions with validation evidence and management sign-off.
If you already run DORA in a platform like Daydream, this plan maps cleanly to: register entry, evidence tasks, owner assignments, and a packaged exam binder output.
Frequently Asked Questions
Does Article 59 impose new ICT security controls by itself?
Article 59 is drafted as an amendment to another regulation, so the operational requirement is to assess and implement the resulting changes where applicable. Treat it as regulatory change management with traceable evidence. (Regulation (EU) 2022/2554, Article 59)
What if we do not use credit ratings anywhere?
Document that conclusion with a scoped review and sign-off, then keep it in your evidence pack. Auditors accept “not applicable” when you show how you determined it. (Regulation (EU) 2022/2554, Article 59)
What evidence is the fastest win for supervisory readiness?
A dated applicability memo, an obligation-to-control mapping entry with named owners, and an indexed evidence folder that points to updated policies and monitoring results. These three artifacts answer most first-round questions. (Regulation (EU) 2022/2554, Article 59)
Who should own Article 59 internally: Legal or Compliance?
Put accountability in Compliance (or the CCO’s GRC function) and require Legal sign-off on interpretation. The failure mode is “legal-only” ownership with no operational follow-through. (Regulation (EU) 2022/2554, Article 59)
How do we operationalize this if we have multiple EU entities?
Run one group-level interpretation and then record entity-level applicability determinations, because business models and use of ratings can differ across subsidiaries. Keep entity-by-entity sign-offs in the same evidence index. (Regulation (EU) 2022/2554, Article 59)
What should we tell Internal Audit if the amendment’s impact is unclear?
Show the work: sources reviewed, stakeholders consulted, interim risk decision, and a follow-up action to refine once additional internal legal analysis is completed. Auditors look for governance discipline and a closed-loop plan. (Regulation (EU) 2022/2554, Article 59)