Article 61: Amendments to Regulation (EU) No 909/2014

Article 61 updates the EU Central Securities Depositories Regulation (CSDR), specifically by amending Article 45 of Regulation (EU) No 909/2014. To operationalize it, you must (1) determine whether your firm is in scope through CSDR touchpoints, then (2) update your regulatory mapping, governance, and evidence so you can demonstrate you accounted for the amended requirement. (Regulation (EU) 2022/2554, Article 61)

Key takeaways:

• Treat Article 61 as a “regulatory change to absorb”: assess CSDR relevance, then update your control mapping and supervisory evidence. (Regulation (EU) 2022/2554, Article 61)
• Your fastest path is a single register that links the amended legal obligation to owners, controls, and retained artifacts. (Regulation (EU) 2022/2554, Article 61)
• Auditors will focus on traceability: “Show me where you captured the amendment, who owns it, what changed, and what proof you keep.” (Regulation (EU) 2022/2554, Article 61)

Article 61 is one of DORA’s “consequential amendments” articles. It does not read like a typical operational control requirement; instead, it changes another EU regulation (CSDR) by amending Article 45 of Regulation (EU) No 909/2014. Your job as a Compliance Officer, CCO, or GRC lead is to make sure your program recognizes that change, evaluates whether and where it matters, and can prove you implemented the update in the parts of the business that rely on CSDR-regulated services or activities. (Regulation (EU) 2022/2554, Article 61)

In practice, this becomes a regulatory-change intake and mapping exercise with real operational consequences: scoped impact assessment, clear ownership, update of control descriptions and testing, and clean evidence. The most common failure mode is “we saw it but didn’t translate it” — the amendment exists in legal trackers, but it never becomes a change in procedures, control language, third-party due diligence, or supervisory-response playbooks. This page gives you a requirement-level implementation path that you can run quickly and defend under audit, without guessing beyond the text provided. (Regulation (EU) 2022/2554, Article 61)

Requirement: article 61: amendments to regulation (eu) no 909/2014 requirement (plain-English)

Article 61 requires you to absorb a change DORA makes to CSDR: DORA amends Article 45 of Regulation (EU) No 909/2014. Operationally, that means you must treat the amendment as a regulatory change event, determine whether your business is affected, and update your compliance mapping and evidence so you can demonstrate you addressed the amended CSDR obligation wherever relevant. (Regulation (EU) 2022/2554, Article 61)

What this is (and what it isn’t)

• This is not a standalone “do X control” requirement in the DORA text excerpt you were given.
• This is a binding legal change that you must track and implement through your regulatory change management process, so your CSDR obligations reflect the amended Article 45 language. (Regulation (EU) 2022/2554, Article 61)

Regulatory text

Provided excerpt: “Article 45 of Regulation (EU) No 909/2014 is amended as follows:” (Regulation (EU) 2022/2554, Article 61)

Operator interpretation of the excerpt

Because the excerpt indicates a modification to an existing CSDR article, your operational requirement is to:

1. Identify whether Article 45 of CSDR is relevant to your activities, services, or role in securities settlement/market infrastructure.
2. Capture the amendment in your regulatory obligations register so it is not lost as “legal-only.”
3. Update affected controls, procedures, and oversight (including third-party controls where CSDR-relevant functions are outsourced or supported).
4. Retain evidence that (a) you assessed impact, (b) you made updates where needed, and (c) you can respond to regulator/auditor questions with traceability. (Regulation (EU) 2022/2554, Article 61)

Source for the article: (Regulation (EU) 2022/2554, Article 61) and the full regulation context: (Regulation (EU) 2022/2554)

Who it applies to (entity and operational context)

In-scope entity types (practical view)

You should treat this as applicable if you are a DORA-regulated financial entity and you have any operational dependency on CSDR-regulated services or functions, for example:

• You are a central securities depository (CSD) or operate functions tightly coupled with CSD activities.
• You are a financial entity consuming services from a CSD or interfacing with securities settlement infrastructure.
• You run ICT systems and operational processes that support CSDR-related obligations (reporting, settlement processing, participant connectivity, operational resilience measures connected to those services). (Regulation (EU) 2022/2554, Article 61)

Scoping decision (fast triage)

Use this quick decision matrix:

Question	If “Yes”	If “No”
Do we have CSDR obligations today (directly or via membership/participation/contractual arrangements)?	Perform full impact assessment and mapping update.	Document rationale; keep monitoring.
Do our critical ICT services support securities settlement flows or connectivity to market infrastructure?	Include ICT risk and change owners in assessment.	Keep assessment narrow; avoid over-scoping.
Are any relevant services operated by third parties (cloud, SaaS, managed services, connectivity providers)?	Extend assessment into third-party due diligence and contract artifacts.	Focus on internal controls and procedures.

What you actually need to do (step-by-step)

The goal is “audit-ready traceability” from Article 61 to whatever changed in your control environment.

Step 1 — Intake the legal change into your regulatory change workflow

• Create a tracked regulatory change item for “Article 61: Amendments to Regulation (EU) No 909/2014 (CSDR Article 45)” with the authoritative reference. (Regulation (EU) 2022/2554, Article 61)
• Assign a primary owner (Compliance/Legal) and operational co-owners (ICT risk, Security, relevant business line, third-party risk).

Output: Regulatory change ticket/work item with ownership and scope hypothesis.

Step 2 — Perform a scoped impact assessment

• Identify where CSDR Article 45 is referenced in your policies, procedures, product documentation, operational runbooks, control library, and third-party contracts.
• Map business processes and systems that could be implicated (settlement processing, operational continuity for relevant services, incident pathways, reporting pathways).
• Decide one of three outcomes and document it:
  1. No impact (not applicable in your context),
  2. Impact with documentation-only changes (language, references, roles),
  3. Impact with control/process changes (control design, testing, monitoring). (Regulation (EU) 2022/2554, Article 61)

Operator tip: Auditors accept “no impact” if the reasoning is specific and evidenced. They reject “we don’t think so” with no trace.

Step 3 — Update your obligations register and control mapping (single source of truth)

Create or update a register entry that includes:

• Legal reference: Article 61 and the fact it amends CSDR Article 45. (Regulation (EU) 2022/2554, Article 61)
• Applicability statement (what business line/system/process is in or out).
• Control mapping: which internal controls satisfy the amended obligation.
• Accountable owner for each mapped control.
• Evidence list: what artifacts you will produce and retain.

This is where teams commonly standardize in Daydream: one record ties requirement → owners → controls → evidence, so you can answer supervisory questions without stitching documents together under pressure.

Step 4 — Implement operational changes (only where your assessment shows impact)

Depending on your scope, changes usually fall into a few buckets:

• Policy/procedure maintenance: update regulatory citations and role responsibilities.
• Control description updates: revise control statements so they clearly satisfy the amended obligation; update control rationale and boundaries.
• Testing updates: adjust control test steps and expected evidence; re-run tests if the control changed materially.
• Third-party risk updates: if third parties support impacted processes, update due diligence questions, contractual obligations tracking, and oversight plans so the amended obligation is not missed in supplier-managed environments.

Keep the changes narrow and defensible. Avoid “boiling the ocean” by rewriting unrelated DORA controls.

Step 5 — Build a regulator/auditor response pack

Prepare a lightweight “show-me” pack that includes:

• The change record and approval trail.
• The impact assessment memo.
• Updated register entry and control mapping.
• Evidence that changes were implemented (policy versioning, control updates, test results, remediation items closed). (Regulation (EU) 2022/2554, Article 61)

Step 6 — Run a readiness drill

Run a tabletop-style drill where you ask internal stakeholders:

• “Where did we capture the Article 61 amendment?”
• “Who owns implementation?”
• “Which controls changed?”
• “Show the evidence.”

Log gaps as corrective actions and close them with validation evidence. This aligns to the practical expectation that you can demonstrate operational execution, not just documentation. (Regulation (EU) 2022/2554, Article 61)

Required evidence and artifacts to retain

Maintain these artifacts in a retrievable location (GRC tool or controlled repository) with version control:

1. Regulatory change intake record referencing Article 61. (Regulation (EU) 2022/2554, Article 61)
2. Impact assessment memo (scope, stakeholders consulted, systems/processes reviewed, applicability conclusion).
3. Obligations register entry showing mapping from Article 61 → amended CSDR Article 45 → internal controls/owners.
4. Change approvals (Compliance/Legal sign-off; relevant operational owner sign-off).
5. Updated documents (policies, procedures, control narratives) with redlines or version history.
6. Test evidence if control design/operation changed (test scripts, results, exceptions).
7. Remediation tracking for any gaps found (ticket IDs, closure evidence, validation notes).
8. Third-party artifacts where relevant (due diligence updates, contract clause mapping, oversight meeting notes).

Common exam/audit questions and hangups

Expect questions framed around traceability and governance:

• “Show where you captured the Article 61 amendment and how you assessed applicability.” (Regulation (EU) 2022/2554, Article 61)
• “Which business services and ICT assets did you review for impact?”
• “What changed in your control environment because of the amendment?”
• “Who approved the conclusion and when?”
• “If you concluded ‘no impact,’ show the rationale and the evidence you reviewed.”
• “How do you make sure future DORA consequential amendments are not missed?”

Hangups auditors repeatedly focus on:

• Orphaned legal trackers: Legal identified it; operations never saw it.
• Weak scoping logic: No defined criteria for applicability, so conclusions look arbitrary.
• Evidence scatter: Artifacts spread across email and shared drives with no index.

Frequent implementation mistakes (and how to avoid them)

1. Mistake: Treating Article 61 as “informational” because it amends another regulation.
   Fix: Create a formal change item and close it with evidence, even if outcome is “no impact.” (Regulation (EU) 2022/2554, Article 61)

2. Mistake: No clear control owner.
   Fix: Assign named accountable owners for each mapped control in your register; require explicit acceptance.

3. Mistake: Updating policies but not testing or monitoring.
   Fix: If control language changes, update test procedures and run at least one cycle to prove operation.

4. Mistake: Ignoring third parties that run critical parts of the process.
   Fix: Extend the impact assessment into third-party inventory and contract clause tracking for affected services.

Enforcement context and risk implications

No public enforcement cases were provided in the source catalog for Article 61. (Regulation (EU) 2022/2554, Article 61)

Risk still matters because supervisory reviews often treat “consequential amendments” as a test of your regulatory change management discipline. If you cannot show traceability from a published amendment to implemented controls and evidence, you create avoidable findings: governance weaknesses, incomplete compliance mapping, and inconsistent control operation across lines of business.

Practical execution plan (30/60/90-day)

You asked for speed; this plan prioritizes fast control and evidence maturity without assuming any specific calendar durations for your organization’s change cycles.

First 30 days (stabilize and scope)

• Open the regulatory change item for Article 61; assign owners. (Regulation (EU) 2022/2554, Article 61)
• Complete a scoping workshop with Compliance/Legal, ICT risk, Security, and relevant business owners.
• Draft and approve the impact assessment memo (including “no impact” if that is the conclusion).
• Create/update the single register entry: requirement → owners → controls → evidence list.

By 60 days (implement and align)

• Update affected policies/procedures/control narratives and approvals.
• Update control testing steps and monitoring expectations if anything changed.
• Review impacted third-party relationships; update due diligence/oversight artifacts if the service supports the scoped processes.
• Assemble the response pack and store it in a controlled repository.

By 90 days (prove operation and close gaps)

• Run a readiness drill using the response pack; log gaps as corrective actions.
• Close corrective actions with validation evidence and management sign-off.
• Add Article 61 to your regulatory horizon scanning cadence so similar consequential amendments follow the same path. (Regulation (EU) 2022/2554, Article 61)

Frequently Asked Questions

Does Article 61 create new operational controls by itself?

Article 61, as provided, states that CSDR Article 45 is amended. Your operational obligation is to intake the amendment, assess applicability, and update mapped controls and evidence where relevant. (Regulation (EU) 2022/2554, Article 61)

What if we are not a CSD and don’t think CSDR applies?

Document that conclusion with a scoped impact assessment that lists the business services and systems reviewed and why they do not create CSDR obligations. Keep the memo and approvals as evidence. (Regulation (EU) 2022/2554, Article 61)

What evidence do auditors usually want for consequential amendments like this?

They look for a clear chain: change intake record, impact assessment, updated obligations register/control mapping, and proof of any implemented changes (versions, approvals, tests, remediation closure). (Regulation (EU) 2022/2554, Article 61)

How do third parties fit into Article 61 implementation?

If third parties operate or support services within your CSDR-relevant scope, extend the assessment into those relationships and update oversight artifacts so the amended obligation is not missed in outsourced operations. (Regulation (EU) 2022/2554, Article 61)

We captured the amendment in Legal’s tracker. Is that enough?

Not by itself. You need operational traceability: named owners, mapped controls, and retained artifacts that show whether anything changed and how you validated execution. (Regulation (EU) 2022/2554, Article 61)

How should we represent Article 61 in our GRC tool?

Create a requirement entry that references Article 61, notes it amends CSDR Article 45, links to owners and controls, and lists the specific evidence artifacts you will produce and retain. (Regulation (EU) 2022/2554, Article 61)