BondGovernance — Infrastructure for Secured Bonds

§ 07 — Regulation

EU frameworks for bond governance.

Primary-source references for the regimes that shape how trustees, agents and their technology providers operate. Each note is written for practitioners, cites the operative text, and is dated.

§ 07.1 — MiFID II Art. 16(6)

MiFID II Article 16(6): record-keeping duties for bond trustees and agents.

Article 16(6) of Directive 2014/65/EU sets an outcome, not a format. A firm must record every service, activity and transaction in enough detail for the competent authority to reconstruct the decision. For a bond trustee, the decision under review is rarely a trade; it is a covenant call, a waiver, a security enforcement, or an instruction to a paying agent.

Reviewed 2026-07-01

§ 07.2 — DORA, ICT third-party

DORA and ICT third-party risk: what a bond trustee's technology provider must satisfy.

The Digital Operational Resilience Act, Regulation (EU) 2022/2554, entered into application on 17 January 2025. It treats a bond trustee's governance platform as an ICT third-party service supporting a critical or important function. The contractual, exit, testing and reporting obligations are prescribed, not principles-based.

Reviewed 2026-07-01

§ 07.3 — EU AI Act, financial use

The EU AI Act in bond governance: why deterministic pipelines sit outside high-risk classification.

Regulation (EU) 2024/1689, the AI Act, entered into force on 1 August 2024. Its high-risk regime for financial use (Annex III, point 5(b)) turns on two questions: is the system an AI system as defined in Article 3(1), and is it used for one of the enumerated purposes. A deterministic rule engine, one that produces the same output from the same input without inference, sits outside the first question.

Reviewed 2026-07-01

§ 07.4 — ESMA Prospectus

ESMA Prospectus Annex 15: the information bond covenants must disclose.

Annex 15 to Regulation (EU) 2017/1129 sets the minimum disclosure for wholesale non-equity securities. It does not prescribe a covenant format, but it requires that the terms and conditions of the securities, including covenants, events of default and security arrangements, are described accurately enough for an investor to assess the investment. The disclosure is a snapshot at issuance. Continuous governance turns it into a living record.

Reviewed 2026-07-01

§ 07.5 — CSRD, ESG covenants

CSRD and ESG covenants in secured bonds: what must be monitored.

Directive (EU) 2022/2464, the Corporate Sustainability Reporting Directive, expands sustainability reporting to large undertakings, listed SMEs and certain third-country companies. For bond issuers, this means that ESG targets referenced in green bonds, sustainability-linked bonds or green securitisations must be measurable, documented and auditable in the same way as financial covenants.

Reviewed 2026-07-01

§ 07.6 — NIS2, financial entities

NIS2 and financial entities: how bond governance infrastructure is in scope.

Directive (EU) 2022/2555, the Network and Information Security Directive (NIS2), entered into force on 16 January 2023 and had to be transposed by 17 October 2024. It expands cybersecurity obligations to a broader set of entities, including financial market infrastructure, payment institutions, crypto-asset service providers and ICT service providers that support them. A bond governance platform is part of that supply chain.

Reviewed 2026-07-01