Login Get started
Digital Operational Resilience Notification

Last Updated: 13 February 2026

1. Purpose of this Notification

This Digital Operational Resilience Notification (the “Notification”) is published by Bitpace to provide transparency regarding the principles, governance, and organisational measures applied to ensure the digital operational resilience of its services.

This Notification is intended to support clients, counterparties, and other stakeholders in understanding Bitpace’s approach to managing ICT-related risks and operational disruptions, in line with applicable European regulatory requirements.

This Notification is provided for transparency and information purpose only and does not constitute advice, a policy, service guarantee, or contractual commitment.

2. Regulatory Context

Bitpace’s operational resilience framework is built upon adherence to a robust, regulated European structure, incorporating key legislative and standard-setting documents. These include, but are not limited to:

  • Regulation (EU) 2022/2554 on digital operational resilience for the financial sector (DORA);
  • Regulation (EU) 2023/1114 on markets in crypto-assets (MiCA);
  • General Data Protection Regulation (EU) 2016/679 (GDPR);
  • Recognised international standards, including ISO 22301 and ISO/IEC 27001.

Bitpace’s operational resilience framework forms part of its broader enterprise risk management and governance structure.

 

3. Scope of Digital Operational Resilience

For the purposes of this Notification, digital operational resilience refers to Bitpace’s ability to:

  • Prevent, detect, respond to, and recover from ICT-related incidents and operational disruptions;
  • Maintain the continuity and availability of critical business services;
  • Protect the confidentiality, integrity, and availability of data and systems; and
  • Adapt its controls and processes based on evolving risks, incidents, and regulatory expectations.

This scope covers Bitpace’s internally managed ICT systems, cloud-based infrastructure, and relevant third-party service dependencies supporting its regulated activities.

4. Governance and Accountability

Bitpace has established a governance framework that ensures clear accountability for operational resilience.

Key principles include:

    • Management responsibility: Senior management is responsible for overseeing digital operational resilience and ensuring appropriate resources, controls, and escalation mechanisms are in place.
    • Three Lines of Defence model:
      • Business and operational functions own and manage risks;
      • Risk and compliance functions provide independent oversight and challenge;
      • Independent assurance functions provide additional review where applicable.
    • Policy framework: Digital operational resilience is embedded within Bitpace’s approved internal policies, frameworks, and procedures.

5. ICT Risk Management and Information Security

Bitpace applies a risk-based approach to ICT and information security management.

At a high level, this includes:

  • Identification and assessment of ICT-related risks;
  • Preventive, detective, and corrective controls proportionate to the nature and scale of operations;
  • Information security principles addressing confidentiality, integrity, and availability;
  • Access control, secure configuration, and data protection measures;
  • Ongoing monitoring and periodic review of ICT risks.

Specific technical controls and internal security arrangements are not disclosed publicly for security and confidentiality reasons.

6. Incident Management and Communication

Bitpace maintains documented incident management processes designed to:

  • Detect and assess ICT-related incidents;
  • Escalate incidents internally based on impact and severity;
  • Implement containment, remediation, and recovery actions; and
  • Perform post-incident analysis to support continuous improvement.

Where appropriate and required, Bitpace communicates with affected clients and competent authorities in accordance with applicable regulatory and contractual obligations. Bitpace will notify affected clients of major ICT incidents that have a significant impact on their financial interests without undue delay. Such notifications will include information on the incident and the measures taken to mitigate its effects.

7. Business Continuity and Disaster Recovery

Bitpace has established Business Continuity and Disaster Recovery arrangements designed to support the continuity of critical business services in the event of disruptions.
These arrangements are designed to:

  • Support continued operations during adverse events;
  • Enable timely recovery of systems and services;
  • Consider dependencies on personnel, facilities, ICT systems, and third-party providers;
  • Be periodically tested and reviewed.

Business continuity planning forms part of Bitpace’s broader operational resilience framework and is proportionate to its business model and risk profile.

8. Third-Party and Outsourcing Resilience

Bitpace relies on a combination of internal resources and third-party service providers to support its operations.

In this context, Bitpace applies:

  • Due diligence and risk-based assessment of material third-party arrangements;
  • Contractual and governance measures to support operational resilience;
  • Ongoing oversight of critical dependencies.

Bitpace prioritises the use of EU-based data centres for its critical infrastructure. Our primary hosting environment is maintained within the European Economic Area (EEA), ensuring compliance with stringent EU data protection standards and jurisdictional resilience requirements.
The use of third-party providers does not transfer Bitpace’s regulatory or operational accountability.

9. Testing, Review, and Continuous Improvement

Bitpace’s operational resilience arrangements are subject to a rigorous cycle of validation and enhancement:

  • Periodic Testing: Bitpace conducts scenario-based exercises and digital operational resilience testing at least annually for all critical ICT systems. These tests ensure that our recovery protocols are effective and that our staff is prepared for diverse disruption scenarios.
  • Regular Reviews: Our resilience framework undergoes comprehensive reviews as part of our standard risk management and governance processes.
  • Dynamic Updates: We update our policies and technical controls following any material incidents, significant changes to our operations, or new regulatory developments.

Lessons learned from both real-world incidents and simulation drills are systematically incorporated into the continuous enhancement of our security controls and operational processes.

10. Relationship with Bitpace Standard Terms and Conditions

This Notification is intended to be read alongside, but not to modify or override, Bitpace’s Standard Terms of Business (“Standard Terms”) and related contractual documentation. It does not create any new contractual rights or obligations.

In particular, but not limited to:

  • Services are provided on an “as is” and “as available” basis, as set out in the Standard Terms;
  • Bitpace does not guarantee uninterrupted or error-free service availability;
  • Liability, force majeure, and service availability provisions remain governed exclusively by the applicable contractual terms.

11. Important Disclaimer

This Notification is provided for transparency and informational purposes only.

It does not constitute and should not be interpreted as, among others:

  • A warranty or representation regarding service availability or performance.
  • A formal or contractual service level agreement (SLA).
  • A disclosure of security-sensitive or confidential information.
  • Any form of advice.
  • A notification intended for reliance.
  • An offer or invitation to utilise Bitpace’s services.

Bitpace reserves the right to periodically amend, remove, or replace this Notification. Such changes may occur to address evolving business requirements, changes in regulatory obligations, or shifts in the risk environment.