Article 63: Amendment to Regulation (EU) 2016/1011
Article 63 updates the EU Benchmarks Regulation (Regulation (EU) 2016/1011) by adding a paragraph to Article 6, and you must translate that change into an owned, testable compliance obligation inside your ICT and governance program. Operationalize it by mapping the amendment to controls, assigning accountable owners, and maintaining supervisor-ready evidence of execution. (Regulation (EU) 2022/2554, Article 63)
Key takeaways:
- Treat Article 63 as a “change-in-law” trigger: identify impacted benchmark-related processes and update governance, controls, and evidence. (Regulation (EU) 2022/2554, Article 63)
- Build traceability: legal text → internal requirement → control(s) → owner → testing → artifacts. (Regulation (EU) 2022/2554)
- Prepare for supervisory scrutiny by running readiness drills and tracking remediation to closure with validation evidence. (Regulation (EU) 2022/2554)
Article 63 is short, but it is operationally consequential because it amends another EU regulation that may already sit in your compliance inventory: the Benchmarks Regulation. For a Compliance Officer, CCO, or GRC lead, the fastest path is to treat Article 63 as a governed regulatory change that must be (1) triaged for applicability, (2) translated into internal requirements, and (3) embedded into day-to-day control operation with defensible evidence.
The common failure mode with “amendment” articles is treating them as purely legal housekeeping. Examiners and supervisors rarely care that you noticed the amendment; they care that you updated the processes and controls that depend on the amended text, and that you can prove it with consistent artifacts. This page gives you requirement-level implementation guidance to operationalize the Article 63 requirement (the amendment to Regulation (EU) 2016/1011) quickly: who needs to act, what to build, what to retain, and what questions you should be able to answer in a supervisory interaction. (Regulation (EU) 2022/2554, Article 63)
Regulatory text
Excerpt (provided): “In Article 6 of Regulation (EU) 2016/1011, the following paragraph is added:” (Regulation (EU) 2022/2554, Article 63)
Operator interpretation: Article 63 does not describe a new standalone operational control by itself; it instructs you that Article 6 of the Benchmarks Regulation has been changed by adding a new paragraph. Your obligation is to (a) obtain the consolidated amended text, (b) determine whether and how it affects your benchmark-related obligations and controls, and (c) update your governance, procedures, and evidence so your program reflects the amended requirement. (Regulation (EU) 2022/2554, Article 63)
What you must be able to show on request:
- You recognized the amendment and assessed applicability to your activities and entities in scope. (Regulation (EU) 2022/2554)
- You updated internal requirements, control mappings, and operating procedures where the amendment changes expectations. (Regulation (EU) 2022/2554, Article 63)
- You can evidence ongoing operation (not just a one-time policy update). (Regulation (EU) 2022/2554)
Plain-English requirement (what this means in practice)
Treat Article 63 as a mandatory “regulatory change event” with downstream implementation work. The practical requirement for a GRC lead is: create traceability from the amended legal obligation to your internal controls and produce evidence that the controls operate and that gaps are remediated. (Regulation (EU) 2022/2554, Article 63)
Because the excerpt provided does not include the added paragraph’s content, your operational work must start with retrieving and reviewing the exact added paragraph (via your legal function or a verified consolidated text workflow). Do not guess what changed. Your audit trail should show that you worked from authoritative text and updated the right control surfaces (policies, procedures, oversight routines, and third-party requirements, if applicable). (Regulation (EU) 2022/2554)
Who it applies to (entity and operational context)
This will matter to you if:
- You are a DORA in-scope financial entity and you have exposure to benchmarks in products, pricing, risk models, index-tracking instruments, or reference rate usage, or you support those activities with ICT systems. (Regulation (EU) 2022/2554)
- You have governance responsibilities for regulatory change management, ICT risk management, or compliance oversight that must incorporate amendments into your control framework. (Regulation (EU) 2022/2554, Article 63)
Operationally, expect cross-functional impact across:
- Compliance / Legal: regulatory interpretation, change management, internal requirement drafting. (Regulation (EU) 2022/2554)
- ICT risk & security: systems supporting benchmark administration/use, access controls, logging, resilience expectations where they intersect. (Regulation (EU) 2022/2554)
- Business owners: benchmark usage inventory, product governance, model risk, operational processes. (Regulation (EU) 2022/2554)
- Third-party management: benchmark administrators, data providers, index vendors, and ICT service providers that support benchmark processes. (Regulation (EU) 2022/2554)
What you actually need to do (step-by-step)
Use this workflow to operationalize the Article 63 requirement (the amendment to Regulation (EU) 2016/1011) without wasting cycles.
1) Trigger regulatory change intake (create a case file)
- Open a tracked “Regulatory Change” item for Article 63 with scope, owner, and due dates aligned to your internal governance. (Regulation (EU) 2022/2554, Article 63)
- Attach the primary source link and excerpt in the record. (Regulation (EU) 2022/2554, Article 63)
Good artifact: Regulatory change ticket with approvals and timestamps.
Hangup to avoid: an email thread with no decision record.
2) Obtain the amended Benchmarks Regulation text (authoritative version)
- Ask Legal/Compliance to provide the consolidated text for Regulation (EU) 2016/1011 Article 6 including the added paragraph, or document the method used to obtain it from authoritative sources. (Regulation (EU) 2022/2554, Article 63)
- Store the version you reviewed (date-stamped) in your compliance repository.
Good artifact: “Text relied upon” attachment + memo stating what was reviewed and when.
Hangup to avoid: implementing control changes without preserving the exact text you implemented against.
3) Perform applicability and impact assessment (don’t stop at “N/A”)
Document:
- Which legal entities are in scope for DORA in your group. (Regulation (EU) 2022/2554)
- Whether you use benchmarks, administer benchmarks, or rely on benchmark inputs through third parties. (Regulation (EU) 2022/2554)
- Which processes, applications, and reports depend on benchmarks (inventory-level detail).
Decision matrix (simple and exam-friendly):
| Question | If “Yes” | If “No” |
|---|---|---|
| Do we reference benchmarks in products, pricing, or models? | Treat as in scope; map impacted processes and controls | Document rationale and owners |
| Do we rely on a benchmark administrator/data provider? | Include third-party due diligence and contract review | Document why no third-party exposure |
| Do ICT systems support benchmark governance/usage? | Include ICT controls, logging, change management, resilience | Document system boundary |
(Regulation (EU) 2022/2554, Article 63)
4) Translate the amendment into an internal requirement statement
Create a requirement entry written for operators, not lawyers:
- “We must comply with Article 6 (as amended) of Regulation (EU) 2016/1011; controls X/Y/Z ensure [specific obligation].” (Regulation (EU) 2022/2554, Article 63)
Then add:
- Control owners (named roles).
- Frequency of operation (policy review, monitoring, attestations).
- Evidence produced per run.
This is where teams commonly use Daydream to maintain a single register linking the requirement to controls, owners, and supervisor-ready artifacts across ICT risk, compliance, and third-party management. (Regulation (EU) 2022/2554)
5) Map to concrete controls (and fix accountability gaps)
Minimum mapping outputs:
- Control: what happens.
- Owner: who runs it.
- Approver: who signs off.
- System/process scope: where it applies.
- Evidence: what you retain.
Use the recommended controls pattern:
- Map the requirement to concrete ICT controls, accountable owners, and supervisory evidence artifacts in a single register. (Regulation (EU) 2022/2554)
- Implement a regulatory-response workflow for requests, escalations, and remedial actions with legal/compliance sign-off. (Regulation (EU) 2022/2554)
- Run periodic readiness drills and close identified gaps through tracked corrective action plans with validation evidence. (Regulation (EU) 2022/2554)
6) Update third-party controls where benchmark services are external
If benchmark dependencies exist:
- Update your third-party inventory to tag benchmark administrators/data providers and ICT providers supporting benchmark-related processes. (Regulation (EU) 2022/2554)
- Re-check contracts for audit rights, service descriptions, incident notification expectations, and continuity commitments relevant to your benchmark use. Keep it specific to your benchmark process dependencies.
Evidence: inventory extract, due diligence pack, contract addenda or review memo, and an issues log tied to remediation. (Regulation (EU) 2022/2554)
7) Validate operation (test, then remediate to closure)
Run a short, targeted “supervisory readiness” drill:
- Can you produce the amended text, your impact assessment, mapped controls, and last-run evidence quickly?
- Are there gaps (missing owners, missing evidence, unclear scope)?
Track corrective actions to closure and retain validation evidence of the fix (re-test record, screenshots, approvals). (Regulation (EU) 2022/2554)
Required evidence and artifacts to retain
Keep artifacts in one place, linked, and time-bounded:
- Regulatory change record (ticket/case) referencing Article 63 and decision log. (Regulation (EU) 2022/2554, Article 63)
- Authoritative text relied upon for the amended Article 6 paragraph (date-stamped). (Regulation (EU) 2022/2554, Article 63)
- Applicability/impact assessment memo with entity scope, benchmark touchpoints, and system/process inventory references. (Regulation (EU) 2022/2554)
- Requirement-to-control mapping register with owners and evidence fields completed. (Regulation (EU) 2022/2554)
- Operating procedures updated to reflect any changed obligations and assigned responsibilities. (Regulation (EU) 2022/2554)
- Test and readiness drill results plus remediation tickets and closure evidence. (Regulation (EU) 2022/2554)
Common exam/audit questions and hangups
Expect variants of these:
- “Show me how you track and implement amendments that change obligations in other EU regulations.” (Regulation (EU) 2022/2554, Article 63)
- “Where is the consolidated text you implemented against, and who approved your interpretation?” (Regulation (EU) 2022/2554)
- “Which business processes and systems are affected, and how do you know your inventory is complete?” (Regulation (EU) 2022/2554)
- “Who is accountable for ongoing operation, and what evidence is produced per cycle?” (Regulation (EU) 2022/2554)
- “Show remediation discipline: how are gaps tracked, prioritized, and validated closed?” (Regulation (EU) 2022/2554)
Hangups that trigger follow-up:
- “N/A” assessments without a benchmark exposure inventory.
- Mappings that list “Compliance” as owner for everything.
- Evidence scattered across email, SharePoint, and ticketing with no cross-links.
Frequent implementation mistakes (and how to avoid them)
- Treating Article 63 as informational. Fix: open a change record and force an applicability decision with approvals. (Regulation (EU) 2022/2554, Article 63)
- Skipping the “text relied upon” step. Fix: retain the consolidated amended paragraph and cite it in internal requirement language. (Regulation (EU) 2022/2554)
- No control-evidence design. Fix: for every mapped control, define the artifact produced and where it is stored. (Regulation (EU) 2022/2554)
- Weak cross-functional accountability. Fix: name operational owners in ICT/security/business lines; Compliance owns oversight, not execution of every control. (Regulation (EU) 2022/2554)
- No proof of operation over time. Fix: run readiness drills and retain test results and remediation closures. (Regulation (EU) 2022/2554)
Enforcement context and risk implications
No public enforcement cases were provided in the source catalog for this specific amendment, so you should manage it as a supervisory-risk item rather than relying on enforcement patterns. (Regulation (EU) 2022/2554)
Practical risk if you mishandle amendments:
- You may appear unable to translate EU legal changes into control operation, which invites deeper supervisory sampling across your ICT risk and governance program. (Regulation (EU) 2022/2554)
- Gaps often surface indirectly: during an incident, an outsourcing review, or a model/product governance assessment that touches benchmark dependencies. (Regulation (EU) 2022/2554)
Practical execution plan (30/60/90-day)
You asked for speed. Use staged work with clear deliverables.
First 30 days (stabilize and decide)
- Create the Article 63 change record and assign a single accountable owner. (Regulation (EU) 2022/2554, Article 63)
- Obtain and store the amended Article 6 paragraph text relied upon. (Regulation (EU) 2022/2554, Article 63)
- Complete an applicability assessment with a benchmark exposure inventory and entity scope statement.
Deliverable: signed applicability memo + mapped list of impacted processes/systems. (Regulation (EU) 2022/2554)
By 60 days (implement and map)
- Write internal requirement language and update the requirement-to-control register with owners and evidence fields. (Regulation (EU) 2022/2554)
- Update procedures and third-party records where benchmark services are external. (Regulation (EU) 2022/2554)
- Stand up a regulatory-response workflow for supervisory questions and escalations.
Deliverable: updated mapping register + updated procedures + third-party inventory tags and review notes. (Regulation (EU) 2022/2554)
By 90 days (prove operation)
- Run a readiness drill: produce a complete evidence pack as if requested by a competent authority. (Regulation (EU) 2022/2554)
- Log gaps, execute corrective actions, and retain closure validation evidence. (Regulation (EU) 2022/2554)
Deliverable: readiness drill report + remediation log with closed items and validation artifacts. (Regulation (EU) 2022/2554)
Frequently Asked Questions
What is the actionable requirement in Article 63 if the text only says a paragraph is added?
Your actionable requirement is to treat it as a governed regulatory change and implement the amended obligation in your internal control framework. Start by obtaining the consolidated amended text, then document applicability, mapping, and evidence. (Regulation (EU) 2022/2554, Article 63)
Does Article 63 apply if we don’t “administer” a benchmark but we reference benchmarks in products or models?
You still need an applicability assessment because benchmark use can create obligations and control expectations even if you are not an administrator. Document your benchmark touchpoints and the systems/processes that support them. (Regulation (EU) 2022/2554)
What evidence will a supervisor expect first?
A clean audit trail: the text you relied on, an approved impact assessment, mapped controls with named owners, and proof of operation (recent run evidence and remediation closure). (Regulation (EU) 2022/2554)
How do we handle third parties involved in benchmark data or benchmark administration?
Tag them in your third-party inventory, tie them to the benchmark-dependent business process, and retain due diligence and contract review artifacts that support your control expectations. Keep the linkage from third party to benchmark use case explicit. (Regulation (EU) 2022/2554)
What’s the most common “soft fail” during audit for amendments like this?
Teams record the amendment but cannot show downstream procedure updates, ownership, and evidence. Fix it by maintaining a single requirement-to-control register and running readiness drills that produce a supervisor-ready evidence pack. (Regulation (EU) 2022/2554)
Where does Daydream fit without turning this into a tool exercise?
Use Daydream where it reduces supervisory friction: one register that ties Article 63 to controls, owners, and artifacts, plus a workflow to manage regulatory requests, escalations, and remediation closure with sign-off. Keep your legal interpretation and operational evidence connected. (Regulation (EU) 2022/2554)