The current European regulatory horizon: MiFID, DORA, and developing AI rules

November 7, 2024

Key Takeaways

  • MiFID II and operational resilience regulations continue to evolve
  • Firms must be aware as UK and EU develop frameworks
  • AI regulations in UK and EU present challenges and opportunities

At ION Markets, we are constantly scanning the regulatory horizon to support our customers in keeping abreast of the latest developments. We recently welcomed clients to our London office for a Fidessa Regulation for Breakfast event, a wide-ranging discussion on the current developments in the European Union (EU) and United Kingdom (UK).

As well as the continuing development of MiFID II, we explored the nuances between FCA operational resilience and EU DORA regulatory requirements, and looked at how regulators are responding to the growing use of artificial intelligence tools.

Latest developments in MiFID II

The landscape of MiFID II regulations continues to evolve with a series of revisions and consultations aimed at refining and enhancing the framework. A key focus remains the establishment of a consolidated tape, which serves as a backdrop to many impactful changes.

The UK has been proactive in reviewing and updating its regulatory standards, and the FCA has just published its review of RTS 2, which aims to simplify non-equity transparency. In April, the UK also introduced changes to transparency aspects and the use of post-trade flags, alongside the Designated Reporter Regime (DRR).

The EU is also actively consulting on various MiFID II RTS through four main consultation packages. The timeline for these consultations is available on the ESMA website, with the first final report anticipated in December. The significant date to watch is 29 September 2025, although the specific requirements until then remain unclear.

  • Package 1: Reviews RTS 2, focusing on aspects of non-equity transparency that were not changed in January, the Reasonable Commercial Basis for market data, and instrument reference data that are largely exchange-focused.
  • Package 2: Concentrates on establishing the consolidated tape.
  • Package 3: This package revises RTS 1, looking at pre-trade data in preparation for the consolidated tape. The implications of these pre-trade changes for firms and exchanges are yet to be fully understood, with a possible application date in May 2025.
  • Package 4: the latest package published at the start of October, reviews RTS 22 on transaction reporting and order-book data in RTS 24.

The timelines are tight, and there is concern around implementation periods, particularly the knock-on effects of late publication of final rules through to implementation by exchanges and then member firms. Pre-trade transparency changes by a possible May date are also of concern.

Although investment firms are no longer required to annually report detailed information on trading venues and execution quality through RTS 28 reports, best execution is now back on the agenda. The EU is consulting on best execution policy and obligations to monitor its effectiveness.

The UK introduced the DRR in April 2024, and a similar regime is set to go live in Europe on 3 February. This regime includes a register of Designated Publishing Entities (DPEs), which may replace the need for some Systematic Internalisers (SIs). The impact of the UK DRR is already becoming evident.

The ongoing revisions and consultations around MiFID II regulations highlight a dynamic regulatory environment aimed at enhancing transparency and efficiency in capital markets. Firms must stay abreast of these developments to ensure compliance and leverage the opportunities presented by these regulatory changes. The journey towards a consolidated tape and improved market data transparency remains a central theme in these regulatory efforts.

Digital Operational Resilience Act Regulation (DORA)

The discussion at ION Fidessa’s Regulation for Breakfast event provided valuable insights into strengthening firms’ operational resilience strategies and underscored the necessary steps for compliance with forthcoming regulations. The UK Financial Conduct Authority (FCA) is intensifying its focus on how financial institutions must demonstrate their ability to prevent, respond to, recover from, and learn from operational disruptions.

UK regulators, including the FCA, the Prudential Regulation Authority (PRA), and the Bank of England (BoE), emphasize that operational resilience should not be approached as a mere regulatory formality. Instead, firms are encouraged to integrate resilience practices across the entire organization, ensuring a dynamic and comprehensive approach to business continuity.

Regulatory guidance outlines key principles for building operational resilience, including:

  • Minimizing harm to customers during disruptions.
  • Defining and mapping Important Business Services (IBS) end-to-end to uncover dependencies and vulnerabilities.
  • Setting impact tolerances to assess a firm’s threshold for unplanned interruptions.
  • Conducting resilience testing through ‘severe but plausible’ operational scenarios.

Firms must demonstrate a continuous evolution of their resilience strategies, ensuring they are robust and adaptable, extending beyond the regulatory implementation deadline of 31 March 2025.

With the Digital Operational Resilience Act (DORA) set to take effect on 17 January 2025, ION Fidessa emphasized the critical deliverables that firms must prioritize to ensure regulatory compliance. DORA marks a significant shift toward enhancing digital resilience across the EU, with the regulation focusing on five key pillars:

  • ICT risk management
  • ICT-related incident reporting
  • Digital operational resilience testing
  • ICT third-party risk management
  • Information and intelligence sharing

The core objective of DORA is to establish a robust framework for digital resilience across the EU, including oversight of ICT third-party providers supporting essential IT infrastructure. This regulatory initiative aims to equip financial institutions with the capabilities to effectively respond to, recover from, and adapt to the growing threats posed by cyberattacks and ICT disruptions.

The impact of AI regulation on financial firms 

The regulatory landscape for artificial intelligence (AI) is rapidly evolving, with significant implications for financial firms in both the UK and the EU. As AI technologies become more integrated into financial services, understanding, and complying with these regulations is crucial.

The EU AI Act, which will apply from August 2026, represents a comprehensive approach to AI regulation. This act categorizes AI applications by risk level, with high-risk categories including areas like self-driving cars and medical use. For financial firms, the use of AI and machine learning is becoming increasingly common, and it is important to review upcoming AI regulations and be aware of the potential impacts.

Conducting risk assessments to determine the applicable category for AI applications is key. For lower-risk categories, minimal action is required, but documenting due diligence and assessments is advisable. High-risk applications will necessitate more stringent compliance measures.

AI is used in various financial applications, from chatbots and client assistance to fraud detection, compliance document reading, and complex data analysis. The EU’s focus is on understanding the risks that AI poses to people, including transparency and accountability. There are challenges, however, if firms are required to provide information on how their AI models are trained and their size, especially when using pre-trained models from third parties.

Transparency is a significant concern, particularly in explaining how AI models produce specific outcomes, due to their complex nature. Additionally, firms must ensure that customers are aware when they are interacting with AI and comply with data protection/GDPR requirements around the use of personal data.

The UK’s approach to AI is more focused on proportionality and principles-based regulation. The BoE, FCA, and other existing bodies will regulate AI, rather than establishing a new central body as in the EU. This approach aims to ensure AI is used for the right purposes and aligns with existing regulatory frameworks.

AI regulation affects all companies operating in Europe. However, both the EU and UK face challenges in regulating AI models developed in other jurisdictions. This global dimension adds another layer of complexity to the regulatory landscape.

The evolving AI regulations in the UK and EU present both challenges and opportunities for financial firms. As the use of AI tools continues to expand, by staying informed and being proactive in their compliance efforts, firms can navigate this complex landscape and leverage AI technologies to enhance their services while ensuring they meet regulatory requirements.

 

ION Markets

Don't miss out

Subscribe to our blog to stay up to date on industry trends and technology innovations.