ASIC updates technological and operational resilience guidance for securities and futures markets

On 18 December 2025, the Australian Securities and Investments Commission released a series of updates to improve and simplify its regulatory guidance on complying with technological and operational resilience rules for market participants and market operators. The updates are intended to support resilient market participants and market operators, which are described as essential to the integrity of Australia’s securities and futures markets and to the efficient functioning of the economy.

These updates form the third stage of ASIC’s work to review and clarify guidance relating to the technological and operational resilience rules in Chapters 8A and 8B of the ASIC Market Integrity Rules (Securities Markets) 2017 and the ASIC Market Integrity Rules (Futures Markets) 2017. The resilience rules are set out in three key guidance documents: Regulatory Guide 265 (guidance for participants of securities markets), Regulatory Guide 266 (guidance for participants of futures markets), and Regulatory Guide 172 (financial markets, including domestic and overseas operators).

A central feature of the changes is regulatory simplification. ASIC states that the updates align with its commitment to simplifying regulation and include changes intended to reduce repetition and shorten the overall length of guidance, alongside structural improvements.

Within that simplification effort, ASIC highlights several specific updates.

First, the revised guidance incorporates arrangements for identifying critical business services that ASIC previously shared with market participants in a September 2024 letter. This means the updated guidance reflects and embeds earlier direction ASIC communicated directly to participants about how they should approach identifying the services that are critical to their operations under the resilience rules.

Second, ASIC states that the updated guidance provides certainty that critical business services arrangements may leverage existing resilience frameworks where suitable. This includes leveraging a service provider’s business continuity plans and redundancy arrangements in outsourcing arrangements, where appropriate. In effect, ASIC is clarifying that resilience arrangements for critical business services can, in suitable circumstances, rely on existing frameworks rather than requiring wholly new or bespoke structures in every case.

Third, ASIC confirms that, in some situations, full redundancy arrangements may not be required for all critical business services. This is presented as a clarification within the updated guidance on how critical business services should be supported through resilience arrangements.

Fourth, ASIC clarifies thresholds for identifying and reporting major events to ASIC. The updated guidance therefore addresses how market participants and market operators should determine when an event meets the threshold for reporting and how that reporting should be approached.

Fifth, ASIC removes references to superseded Australian Prudential Regulation Authority standards and guidance. This change is presented as part of the simplification and updating of the guidance set that supports compliance with ASIC’s resilience rules.

ASIC also notes that the updates incorporate class waivers granted in August 2025. These class waivers provide relief from some requirements for outsourcing arrangements where the supply of energy or communications services were identified as critical business services. In other words, where energy or communications supply is treated as a critical business service, ASIC’s August 2025 waivers are reflected in the updated guidance set.

ASIC places these changes within a broader context of resilience and market infrastructure. It states that strengthening operational, digital, and data resilience and safety is one of its strategic priorities for 2025 to 2026. ASIC also states that it is conducting an inquiry into the ASX group, led by a panel of experts, focusing on governance, capability, and risk management frameworks and practices. According to ASIC, the expert panel will make recommendations to address any shortcomings or deficiencies identified, and ASIC will publish a report on the outcome of the inquiry by March 2026.

While that inquiry is underway, ASIC states that it is critical that ASX continues to prioritise the safe and efficient operation of its infrastructure, including progress towards Release 1 of the CHESS replacement project by mid 2026. ASIC states it will continue to closely monitor the CHESS replacement project and ASX more broadly. ASIC also states that the expert technical review of CHESS, announced on 31 March 2025, will continue alongside the ASX inquiry.

In addition, ASIC states it will continue work to implement financial market infrastructure reforms, and that it will consult on updated guidance in 2026.

Finally, ASIC summarises the staged path that led to the December 2025 updates. The resilience rules came into effect on 10 March 2023 and aim to promote the technological and operational resilience of market participants and market operators. As a first step in its review of guidance, ASIC made revisions in May 2024 to correct minor drafting errors in Regulatory Guide 265, Regulatory Guide 266, and Regulatory Guide 172. ASIC states these May 2024 changes addressed confusion around the identification of critical business services and clarified the meaning of “immediately” when notifying ASIC of a major event. As a second step, ASIC published a letter to market participants sharing observations and guidance from a 2023 thematic review of market participants’ arrangements for identifying critical business services and dealing with a major event. The December 2025 updates are described as ASIC’s third step, making further updates to improve and simplify its guidance on complying with the resilience rules, following further engagement with market participants and industry bodies.

Source: ASIC improves and simplifies technological and operational resilience guidance | ASIC