MiFID II Compliance for AI Products in Financial Services

MiFID II applies to your AI product if it touches investment services, trading, or financial advice. Most fintech teams are underestimating it.

MiFID II — in force since January 2018

The Markets in Financial Instruments Directive II has applied since 3 January 2018. It governs investment firms, trading venues, data reporting services, and the technology systems that support them across the EU. MiFID II is not solely a conduct regulation — it reaches deep into the algorithmic systems, automated advice tools, and data-driven investment products that define modern financial services AI.

If your AI system generates investment recommendations, executes or influences trading decisions, provides portfolio management support, or is used by a MiFID II-regulated firm as part of its regulated service delivery, MiFID II reaches your product — through direct obligations where your organisation is a regulated firm, and through your clients’ organisational requirements where you supply technology to one.

MiFID II’s requirements for AI systems are specific and demanding: algorithmic trading controls, product governance obligations, best execution requirements, suitability and appropriateness assessment rules, and record-keeping obligations that apply to every system involved in the investment process.

These sit alongside EU AI Act high-risk obligations, DORA ICT risk management requirements, and GDPR automated decision-making rules that frequently land on the same product simultaneously.

European Compliance Suite provides specialist MiFID II compliance assessments for AI products operating in or supplying the investment services sector. We assess your system’s MiFID II obligations, map them against your EU AI Act, DORA, and GDPR position, and deliver a documented compliance record specific to your product.

MiFID II Compliance Assessment for Your AI System

A lawyer-built assessment of your AI system’s MiFID II obligations — algorithmic trading controls, suitability and appropriateness requirements, best execution obligations, product governance duties, record-keeping requirements, and a documented compliance record your regulators, enterprise clients, and compliance function can rely on.

How MiFID II works for AI fintech products

Five obligation areas. One directive. Direct requirements for AI systems in investment services.

MiFID II organises its AI-relevant requirements across five areas. Each creates specific obligations for AI systems used in or supplied to regulated investment firms and trading venues.

Algorithmic trading controls
Any system that uses algorithms to automatically determine trading parameters — including order submission, timing, price, or quantity — is subject to MiFID II’s algorithmic trading requirements. These include pre-trade risk controls, kill switch capability, annual self-assessment, and notification to competent authorities. AI systems that influence, optimise, or automate any element of the trading process must be assessed against these requirements regardless of whether they execute trades directly.

Suitability and appropriateness
Investment firms using AI to assess client suitability for investment products or the appropriateness of a service must satisfy MiFID II’s suitability and appropriateness requirements. The AI system’s methodology must produce assessments that genuinely reflect the client’s knowledge, experience, financial situation, and investment objectives — and the firm must be able to explain how the AI reached its conclusions. Automated suitability assessments that cannot be explained to a regulator are a compliance failure regardless of their statistical accuracy.

Best execution
Investment firms must take all sufficient steps to obtain the best possible result for their clients when executing orders. Where AI systems influence order routing, execution venue selection, or timing decisions, those systems must be assessed as part of the firm’s best execution framework. The AI’s decision logic must be documented, monitored, and demonstrated to produce client-optimal outcomes — not outcomes that optimise for other metrics.

Product governance
MiFID II requires investment firms that manufacture or distribute financial products to maintain product governance arrangements — including target market identification, product testing, and ongoing monitoring. Where AI systems are used in product design, target market definition, or distribution decisions, they must be integrated into the product governance framework. AI-driven product recommendations must satisfy product governance requirements at the point of each recommendation.

Record-keeping and reporting
MiFID II imposes extensive record-keeping obligations on investment firms — covering client communications, order records, transaction reports, and the parameters and results of algorithmic systems. AI systems involved in any part of the investment process must produce records that satisfy MiFID II’s retention and accessibility requirements, and must be capable of producing transaction reports in the required format for regulatory submission.

Who MiFID II applies to

MiFID II applies directly to investment firms and trading venues, and indirectly to the AI suppliers whose technology supports regulated service delivery. The obligations flow through organisational requirements and contractual relationships in the same way as DORA’s ICT third-party framework.

| Entity type | In scope of MiFID II? | Key obligation |
|---|---|---|
| EU investment firm using AI in service delivery | Yes — directly | Full MiFID II compliance including algorithmic trading controls, suitability, best execution |
| EU trading venue using AI in market operation | Yes — directly | Algorithmic trading controls, market surveillance, resilience requirements |
| Robo-adviser or automated investment platform | Yes — directly as investment firm | Suitability assessment requirements, record-keeping, disclosure obligations |
| AI company supplying algorithmic trading tools to investment firms | Yes — indirectly through organisational requirements | Contractual compliance requirements, algorithm documentation, kill switch capability |
| AI company providing suitability assessment tools | Yes — indirectly | Methodology documentation, explainability requirements, record-keeping support |
| Non-EU investment firm with EU clients | Yes — extraterritorial where serving EU retail or professional clients | Third-country firm requirements or equivalence |
| AI company with no investment services clients | No | Not in scope — but document this determination |
| Data analytics AI used for non-trading investment research | Depends — if influencing investment decisions, likely yes | Organisational requirements, conflicts of interest, record-keeping |
| AI used for regulatory reporting only | Limited scope | Record-keeping and reporting system requirements |
| Portfolio management AI used by regulated firms | Yes — indirectly | Organisational requirements imposed through client contracts |

Algorithmic trading: the MiFID II obligation AI teams underestimate

MiFID II’s algorithmic trading provisions are the requirement most AI companies and regulated firms apply too narrowly. The obligation does not apply only to systems that autonomously execute trades. It applies to any system that uses an algorithm to automatically determine trading parameters — including order parameters, timing, price, or quantity — where a human is not making each individual trading decision in real time.

Three things AI teams in investment services consistently misunderstand:

  1. An AI system that generates trading signals, optimises order timing, or recommends execution venues is influencing trading parameters within the meaning of MiFID II. The fact that a human trader reviews and approves each recommendation does not remove the algorithmic trading classification if the human’s role is to approve rather than to independently determine the parameters.
  2. Annual self-assessment of algorithmic trading systems is a mandatory MiFID II requirement — not an internal best practice. The assessment must cover the system’s compliance with the firm’s algorithmic trading controls, its kill switch functionality, and its pre-trade and post-trade risk controls. AI systems that have not been through a documented annual assessment are non-compliant regardless of their technical performance.
  3. Kill switch capability is a hard technical requirement. Every algorithmic trading system must be capable of being shut down immediately — cancelling all open orders and preventing new order submission — without disrupting the broader trading infrastructure. AI systems designed without genuine kill switch capability cannot be used in algorithmic trading contexts regardless of their other characteristics.

What MiFID II compliance requires for AI products

These are the MiFID II requirements that apply most directly to AI products used in or supplied to investment firms and trading venues, and to AI companies that operate as regulated firms in their own right.

Cross-framework mapping — identification of where MiFID II organisational requirements overlap with DORA ICT risk management, EU AI Act high-risk obligations, and GDPR Article 22 automated decision-making duties, and where satisfying one regime contributes to compliance with another.

Regulated activity determination — assessment of whether your AI system’s function constitutes a regulated activity under MiFID II — investment advice, portfolio management, order execution, or operation of a trading venue — and whether your organisation requires authorisation as an investment firm.

Algorithmic trading classification — determination of whether your AI system meets the MiFID II definition of algorithmic trading, high-frequency trading, or direct electronic access. This classification triggers the most demanding technical and organisational requirements.

Pre-trade and post-trade risk controls — documented risk controls that prevent erroneous orders, set position limits, and enforce trading thresholds, assessed against MiFID II’s requirements and your AI system’s specific trading logic and risk profile.

Kill switch documentation — technical and operational documentation of your AI system’s kill switch capability, covering order cancellation scope, activation mechanism, testing frequency, and the operational procedures for activation in normal and emergency circumstances.

Suitability and appropriateness methodology — where your AI system assesses client suitability or appropriateness, documentation of the methodology — input variables, weighting, output logic, and the basis on which the assessment satisfies MiFID II’s suitability requirements, including the explainability requirement for automated assessments.

Best execution framework integration — assessment of how your AI system’s decisions interact with the firm’s best execution obligations, including order routing logic, venue selection criteria, execution quality monitoring, and the documentation required to demonstrate client-optimal outcomes.

Product governance integration — where your AI system is used in product design, target market definition, or distribution, assessment of its integration into the firm’s MiFID II product governance framework, including target market documentation, scenario testing, and ongoing monitoring obligations.

Record-keeping architecture — assessment of your AI system’s record-keeping outputs against MiFID II’s retention requirements, covering client communications, order records, algorithm parameters, decision logs, and transaction reports — including the five-year retention period and accessibility requirements.

Conflicts of interest assessment — identification of conflicts of interest arising from your AI system’s design or operation, including data sourcing, model training incentives, and revenue-linked optimisation, as well as the organisational measures required to manage or disclose them under MiFID II.

One engagement. Every MiFID II obligation mapped for your AI system.

A lawyer-built MiFID II assessment covering regulated activity determination, algorithmic trading classification, pre-trade and post-trade risk controls, kill switch documentation, suitability and appropriateness methodology, best execution framework, product governance integration, record-keeping architecture, and conflicts of interest assessment — documented and specific to your AI system, mapped against your EU AI Act, DORA, and GDPR position where all apply.

Frequently Asked Questions About MiFID II Compliance

What is MiFID II and who does it apply to?

The Markets in Financial Instruments Directive II is the EU’s primary regulatory framework for investment services and financial markets, applicable since 3 January 2018.

MiFID II applies to investment firms, trading venues, data reporting services, and credit institutions providing investment services across the EU. It governs the conduct of investment business, the operation of trading venues, and the organisational requirements of regulated firms — including the algorithmic systems, automated advice tools, and data-driven investment products those firms use.

MiFID II has been implemented into national law across all EU member states and applies on a passporting basis across the single market.

Does MiFID II apply to AI systems specifically?

Yes, where the AI system performs functions that fall within MiFID II’s scope — algorithmic trading, investment advice, portfolio management, suitability assessment, or order execution support. MiFID II does not regulate AI as a technology category; it regulates the activities and the organisational requirements of regulated firms.

Where an AI system performs a regulated activity or supports a regulated firm in delivering one, MiFID II’s requirements apply to that system through the firm’s organisational obligations. AI suppliers to regulated firms face these obligations through their clients’ contractual and oversight requirements.

What is the MiFID II definition of algorithmic trading?

MiFID II defines algorithmic trading as trading in financial instruments where a computer algorithm automatically determines individual parameters of orders such as whether to initiate the order, the timing, price, or quantity, with limited or no human intervention. The definition is broad — it covers systems that optimise order parameters, not only systems that autonomously execute trades. An AI system that recommends execution timing, optimises order sizing, or selects execution venues based on automated analysis of market conditions is likely within the algorithmic trading definition even where a human approves each recommendation.

What are MiFID II’s suitability requirements for AI-driven investment advice?

MiFID II requires investment firms to obtain information about a client’s knowledge and experience, financial situation, and investment objectives, and to recommend only products that are suitable for that client.

Where AI systems perform suitability assessments, the methodology must genuinely reflect the client’s individual circumstances — not a statistical approximation of a client category. The firm must be able to explain how the AI reached its suitability conclusion for a specific client, to both the client and the regulator. Automated suitability assessments that function as black boxes are non-compliant regardless of their aggregate accuracy.

How does MiFID II interact with the EU AI Act for investment services AI?

Investment services AI frequently triggers both MiFID II and EU AI Act obligations simultaneously. AI used in credit decisions, employment, and certain financial services is classified as high-risk under the EU AI Act’s Annex III — requiring technical documentation, conformity assessment, and human oversight measures that overlap with MiFID II’s organisational requirements.

A cross-framework assessment identifies where EU AI Act technical documentation satisfies MiFID II record-keeping requirements, where MiFID II’s suitability methodology documentation contributes to EU AI Act transparency obligations, and where the two regimes impose distinct and non-overlapping requirements on the same system.

How does MiFID II interact with DORA for investment services AI?

DORA and MiFID II both apply to investment firms and both impose ICT risk management, incident reporting, and third-party oversight requirements. DORA is lex specialis for ICT operational resilience — where both apply to the same obligation, DORA takes precedence.

In practice, an investment firm that satisfies DORA’s ICT risk management framework for its AI systems will satisfy the equivalent MiFID II organisational requirements on ICT governance.

The two regimes are complementary rather than duplicative, with DORA providing the more granular ICT-specific requirements and MiFID II providing the investment-services-specific conduct framework.

What record-keeping obligations does MiFID II impose on AI systems?

MiFID II requires investment firms to keep records of all services, activities, and transactions for a minimum of five years — and up to seven years where required by a competent authority. For AI systems, this includes records of algorithm parameters and changes, order generation and modification logs, client communications involving AI-generated content, suitability and appropriateness assessment outputs, and transaction reports.

Records must be kept in a durable medium, be accessible to the competent authority on request, and be capable of reconstruction in the event of system failure. AI systems that do not produce records satisfying these requirements cannot be used in MiFID II-regulated activities.

Does MiFID II apply to non-EU investment firms and AI companies?

Third-country investment firms serving EU professional clients and eligible counterparties may operate under MiFID II’s third-country regime — which requires either an equivalence decision for the firm’s home jurisdiction or registration with ESMA for certain activities. Third-country firms serving EU retail clients generally require authorisation in an EU member state.

Non-EU AI companies supplying MiFID II-regulated firms face the same organisational requirements through their clients’ third-party oversight obligations as EU-established suppliers — DORA’s ICT third-party framework applies regardless of the supplier’s establishment.

What are the penalties for MiFID II non-compliance?

MiFID II penalties are set at member state level within EU-wide minima. For legal persons, maximum administrative fines reach €5 million or 10% of total annual turnover for the most serious violations. For natural persons, fines reach €5 million.

Competent authorities can also impose public statements identifying the responsible person and the violation, orders requiring cessation of conduct, temporary prohibition of management functions, and — for the most serious violations — withdrawal of authorisation.

The commercial consequence of MiFID II non-compliance — loss of authorisation or restriction of regulated activities — is typically more damaging than the direct financial penalty for an investment firm dependent on its regulatory permissions.

How do I start MiFID II compliance for my AI system?

Four steps in order. First, determine whether your AI system performs a regulated activity under MiFID II or supports a regulated firm in performing one — this establishes whether MiFID II applies directly to your organisation or through your clients’ organisational requirements.

Second, assess whether your system meets the algorithmic trading definition — if yes, the most demanding technical controls apply.

Third, assess your suitability and appropriateness methodology, best execution framework, and product governance integration against MiFID II’s requirements.

Fourth, review your record-keeping architecture against MiFID II’s retention and accessibility requirements.

A lawyer-built assessment covers all four steps and delivers a documented compliance position specific to your AI system — mapped against your EU AI Act, DORA, and GDPR position where all apply.