REGIS-TR Hit With Record ESMA Fine Over Governance and Data Protection Failures

Why Did ESMA Fine REGIS-TR?

The European Securities and Markets Authority (ESMA) has imposed a €1,374,000 fine on trade repository REGIS-TR for what it described as serious breaches of organisational obligations under the European Market Infrastructure Regulation (EMIR) and the Securities Financing Transactions Regulation (SFTR). The sanction is the largest ever levied by ESMA on a trade repository and the first enforcement action tied specifically to SFTR breaches.

In a public statement, ESMA said REGIS-TR failed to comply with core requirements related to governance, operational risk management and the protection of confidential information. The authority identified seven infringements, citing fragilenesses in policies and procedures, deficiencies in organisational structure, failures to properly identify and mitigate operational risks, and shortcomings in secureguarding data reported under EMIR and SFTR.

The case stemmed from what ESMA described as “long-lasting serious overarching issues” at the repository. The regulator has ordered REGIS-TR to end three infringements that remain unresolved.

Investor Takeaway

What Role Do Trade Repositories Play Under EMIR and SFTR?

Trade repositories sit at the center of the EU’s post-2008 reporting framework. Under EMIR, introduced in 2012, counterparties to derivatives contracts must report detailed transaction data to authorized repositories. Regulators then use those datasets to monitor counterparty exposures, systemic risk and market stability.

SFTR extended the reporting regime to securities financing transactions such as repurchase agreements, securities lending and margin lending. Phased in from 2020 onward, the regulation increased both the volume and granularity of data that repositories must collect, validate and transmit to authorities.

Unlike many financial firms supervised by national regulators, trade repositories fall directly under ESMA’s oversight. That structure gives enforcement decisions institutional weight, particularly when they relate to data integrity and governance.

REGIS-TR, originally established as a joint venture between and Iberclear, provides reporting services for derivatives and securities financing transactions across the European Union. The authority’s findings focused on internal governance clarity, operational controls and protections against misuse of confidential data.

Why Is Confidentiality Central to the Case?

Trade data reported under EMIR and SFTR contain detailed information on counterparties, transaction terms and collateral arrangements. The information is intended for supervisory use and must be protected against unauthorized access or misuse.

ESMA said REGIS-TR failed to ensure adequate secureguards over confidentiality and integrity of reported data. The regulator also pointed to fragilenesses in preventing potential misuse of information received under EMIR.

“REGIS-TR failed to comply with its obligations under said. “Data on trades made available to public authorities is essential for market surveillance, enabling ahead detection of exposure concentrations, cross-border risks, and changes in liquidity and leverage.”

Ross added: “Our decision highlights ESMA’s commitment to enforcing essential requirements that ensure transparency and contribute to well-functioning markets.”

Investor Takeaway

What Does This Mean for EU Market Infrastructure?

The €1.374 million sanction is the highest fine ESMA has imposed on a trade repository since assuming direct supervisory authority over the sector. While the regulator said it weighed aggravating and mitigating factors under EMIR, it did not disclose detailed calculations behind the penalty.

The enforcement action comes as EU authorities continue to refine derivatives and clearing rules, including updates to EMIR designed to strengthen the resilience of the bloc’s financial system. Reliable trade reporting is a foundation of those reforms, as supervisory decisions depend on the accuracy and completeness of repository data.

The public notice accompanying the fine requires REGIS-TR to correct ongoing deficiencies. ESMA has not indicated whether additional sanctions could follow if remaining issues are not addressed.

The case clarifies that implementation challenges tied to SFTR’s rollout do not shield infrastructure providers from enforcement. Governance clarity, operational risk controls and remain core supervisory expectations.