Article 62: Amendments to Regulation (EU) No 600/2014

Article 62: amendments to Regulation (EU) No 600/2014 requirement means you must identify whether your firm is in scope of the MiFIR changes introduced by DORA, then update your regulatory obligations mapping, procedures, and evidence so supervisory responses stay accurate and consistent. Treat it as a change-management requirement tied to trading/market-facing activities. (Regulation (EU) 2022/2554, Article 62)

Key takeaways:

• Determine whether your business relies on MiFIR obligations, then map DORA-driven MiFIR amendments into your control framework. (Regulation (EU) 2022/2554, Article 62)
• Operationalize through a single register: obligation → owner → control → evidence → supervisory response workflow. (Regulation (EU) 2022/2554, Article 62)
• Prove execution with artifacts: updated mappings, approvals, drills, and tracked remediation closure.

“Article 62: amendments to Regulation (EU) No 600/2014 requirement” is not a standalone operational control like logging or penetration testing. It is a legal change hook. DORA modifies another EU regulation (MiFIR), which can shift what competent authorities expect from firms whose services touch EU financial markets. Your job as a CCO/GRC lead is to translate that cross-regulation amendment into: (1) a clear “in scope / out of scope” position, (2) updated internal obligations and control mappings, and (3) durable evidence that you governance-manage regulatory change. (Regulation (EU) 2022/2554, Article 62)

Because the provided regulatory excerpt is high-level, the safest operational approach is to treat Article 62 as a regulatory change-management trigger: confirm applicability, update your compliance inventory, align owners across Legal/Compliance/ICT risk, and make supervisory response repeatable. If you run MiFIR-covered activities (for example, trading venues, investment services, market data/reporting flows, or third parties supporting those flows), you should assume examiners will test whether you noticed the amendment and acted on it. (Regulation (EU) 2022/2554)

Regulatory text

Excerpt (provided): “Regulation (EU) No 600/2014 is amended as follows:” (Regulation (EU) 2022/2554, Article 62)

Plain-English interpretation

Article 62 signals that DORA makes changes to MiFIR (Regulation (EU) No 600/2014). Operationally, this creates a mandatory regulatory-change event for any firm that has MiFIR-relevant obligations. Your deliverable is not “implement MiFIR,” but to incorporate the amendment into your compliance obligations, policies, and supervisory response materials so you can demonstrate you identified the change, assessed impact, assigned ownership, and embedded it into run-state controls. (Regulation (EU) 2022/2554, Article 62)

What the operator must do (what auditors will expect)

Because the excerpt does not enumerate the specific amendment text in this dataset, you should focus on the controls that are always examinable for cross-regulation amendments:

• You can show a documented determination of whether MiFIR applies to your entity and which business lines/processes are affected. (Regulation (EU) 2022/2554, Article 62)
• You can show updates to your regulatory obligations register and control mappings reflecting the amendment. (Regulation (EU) 2022/2554)
• You can produce a reliable supervisory response package (who answers, what evidence is provided, how gaps are remediated). (Regulation (EU) 2022/2554)

Who this applies to (entity + operational context)

Entity types

• Regulated entities subject to DORA, where their activities or supporting ICT services intersect with MiFIR-regulated markets activity. (Regulation (EU) 2022/2554)

Operational contexts that often trigger scope review

Use this checklist to decide whether you need deeper Legal analysis and procedure updates:

Scenario	Why Article 62 matters operationally	Typical control owners
You provide investment services or trading-related services in the EU	MiFIR obligations can be directly applicable; amendments can change supervisory expectations	Compliance, Legal, COO
You operate ICT systems supporting trading, order handling, reporting, or market connectivity	DORA connects ICT resilience to financial market obligations; mapping must be current	CISO/ICT Risk, IT Ops, Compliance
You outsource critical ICT services supporting market-facing processes	Third-party oversight must reflect the amended obligation set	Vendor/Third-Party Risk, ICT Risk, Legal

If you are clearly out of scope for MiFIR, you still need evidence that you made and approved that determination. (Regulation (EU) 2022/2554, Article 62)

What you actually need to do (step-by-step)

Step 1: Create an “Article 62 impact assessment” record

Minimum contents:

• The legal trigger: DORA Article 62 amends MiFIR. (Regulation (EU) 2022/2554, Article 62)
• Your scope statement: in scope / out of scope, plus rationale and affected entities/branches.
• Named accountable owner in Compliance/Legal.

Operator tip: make this a template used for any “amends as follows” articles, so you can reuse the workflow for other cross-regulation changes. (Regulation (EU) 2022/2554)

Step 2: Update your obligations register and control map

Build a single register entry that links:

• Requirement: “Article 62: amendments to Regulation (EU) No 600/2014 requirement.” (Regulation (EU) 2022/2554, Article 62)
• Business impact: which business processes and systems rely on MiFIR-relevant obligations.
• Controls: the specific governance controls you use to manage regulatory change (policy management, control library updates, testing, training where needed).
• Evidence: exact artifacts you will present to supervisors.

This is where teams often lose time: the legal team identifies a change, but no one updates the control framework and evidence plan.

Step 3: Assign accountable owners across lines of defense

At minimum assign:

• Legal/Compliance owner for regulatory interpretation and communications.
• ICT risk/security owner for mapping to technology controls where MiFIR-related processes depend on ICT services.
• Third-party risk owner for any external dependencies supporting affected processes.

Make ownership explicit in the register so “who does what” is not tribal knowledge. This aligns to the governance risk factors called out in the guidance data. (Regulation (EU) 2022/2554, Article 62)

Step 4: Implement a regulatory-response workflow (supervisory readiness)

Define a lightweight but strict workflow for:

• Intake of supervisory requests about DORA/MiFIR intersection topics
• Evidence collection and validation
• Escalation path for gaps and exceptions
• Legal/Compliance sign-off prior to submission

If you already have an exam management process, add Article 62 to the set of “cross-regulation amendment” triggers that require special handling and documented interpretation. (Regulation (EU) 2022/2554)

Where Daydream fits: Daydream is a practical place to maintain the obligation-to-control-to-evidence register and run the response workflow as a repeatable playbook, so updates do not sit in email threads.

Step 5: Run readiness drills and close gaps with tracked remediation

Do a tabletop-style drill focused on one realistic scenario: a supervisor asks how you incorporated DORA’s amendments impacting MiFIR obligations into your governance and ICT risk posture. The drill should force:

• Pulling the mapping from your register
• Producing the evidence packet
• Logging gaps and opening remediation items
• Documenting validation of closure

The goal is evidence of execution, not just policy text. This matches the evidence fragmentation risk flagged in the guidance data. (Regulation (EU) 2022/2554, Article 62)

Required evidence and artifacts to retain

Keep artifacts in a single evidence folder indexed to your register entry:

1. Article 62 impact assessment memo with approvals (Legal/Compliance). (Regulation (EU) 2022/2554, Article 62)
2. Updated obligations register entry showing applicability, owners, controls, and evidence pointers.
3. Control mapping record linking the amendment trigger to governance controls (policy/change management, risk assessment updates, third-party oversight updates).
4. Regulatory response SOP (intake, escalation, sign-off, submission recordkeeping).
5. Readiness drill record: agenda, attendees, evidence produced, gaps identified.
6. Remediation tracker: corrective action plans, owners, due dates, closure evidence, and validation sign-off.

Common exam/audit questions and hangups

Expect these lines of questioning:

• “Show me how you identified that DORA amended MiFIR and what changed internally as a result.” (Regulation (EU) 2022/2554, Article 62)
• “Who owns the obligation and how do you ensure ICT and third-party teams implemented any required changes?” (Regulation (EU) 2022/2554)
• “Produce evidence of operation: drills, remediation closure, and sign-offs.”
• “How do you prevent regulatory updates from being missed or inconsistently implemented across entities?”

Hangup: teams provide legal analysis but cannot show control mapping and operational evidence. Supervisors tend to test execution discipline, not just interpretation. (Regulation (EU) 2022/2554)

Frequent implementation mistakes (and how to avoid them)

1. Treating Article 62 as “informational only.”
   Fix: open a formal regulatory change ticket and require documented applicability determination and approvals. (Regulation (EU) 2022/2554, Article 62)

2. No single source of truth for obligations, owners, and evidence.
   Fix: maintain one register entry that ties to evidence artifacts; avoid scattered spreadsheets and ad hoc folders.

3. ICT and third-party dependencies ignored.
   Fix: require ICT risk and third-party risk sign-off when MiFIR-relevant processes rely on external services or critical systems.

4. Evidence is retrospective and incomplete.
   Fix: define evidence requirements up front (what you will show), then run a drill to confirm you can produce it quickly.

Enforcement context and risk implications

No public enforcement cases are provided in the source catalog for this requirement, so you should not anchor your program to specific penalty narratives here. The practical risk is supervisory criticism for weak regulatory change management: unclear ownership, missing traceability from requirement to controls, and inability to produce evidence under time pressure. (Regulation (EU) 2022/2554)

Practical execution plan (30/60/90-day)

Timelines below are recommended sequencing, not regulatory deadlines.

First 30 days (Immediate stabilization)

• Create the Article 62 impact assessment record with Legal/Compliance approval. (Regulation (EU) 2022/2554, Article 62)
• Decide scope: which entities and processes could be affected by MiFIR amendments.
• Stand up the obligation → owner → control → evidence register entry.

By 60 days (Operational embedding)

• Update procedures: regulatory change management SOP, supervisory response workflow, and evidence pack structure.
• Assign cross-functional owners and require sign-offs (Compliance, ICT risk, third-party risk).
• Identify gaps in evidence and open remediation items with owners.

By 90 days (Prove repeatability)

• Run a readiness drill and produce the evidence packet end-to-end.
• Close high-risk gaps and document validation.
• Schedule periodic reviews as part of your standard regulatory change cycle and internal audit plan.

Frequently Asked Questions

Does Article 62 require me to implement new ICT controls by itself?

Article 62 is an amendment clause, so your operational obligation is to identify what changed for your MiFIR-relevant obligations and update your control mapping and evidence. The specific ICT control changes depend on how MiFIR applies to your services. (Regulation (EU) 2022/2554, Article 62)

What if we believe MiFIR does not apply to our firm?

Keep a documented “out of scope” determination with rationale and approvals, and link it to your obligations register. Auditors often accept “not applicable” when it is explicit, owned, and reviewed. (Regulation (EU) 2022/2554, Article 62)

What evidence should I have ready for a supervisor on short notice?

Have a single evidence pack that includes your impact assessment, the register entry, owner assignments, the supervisory response workflow, and proof of drills/remediation closure. These artifacts show governance and execution. (Regulation (EU) 2022/2554)

Who should own this requirement internally?

Compliance or Legal should own interpretation and sign-off, but ICT risk and third-party risk should be accountable for any dependent control updates and evidence. Put names and responsibilities in the register so ownership survives org changes. (Regulation (EU) 2022/2554)

How do we operationalize this without boiling the ocean?

Start with one mapped register entry and one drill scenario tied to your most market-facing process or system. Expand scope only after you can reliably produce evidence end-to-end. (Regulation (EU) 2022/2554, Article 62)

Can Daydream help with Article 62 implementation?

Yes, if you use Daydream as the system of record for your obligations register, control mapping, evidence indexing, and supervisory response workflow. It reduces fragmentation across tickets, documents, and spreadsheets.