Source: OJ L 333, 27.12.2022, pp. 153–163
Article 6 Amendments to Directive 2014/65/EU
Summary: What does Article 6 of the DORA directive say?
This article amends MiFID II (Directive 2014/65/EU) to integrate DORA requirements across several of its provisions.
It updates obligations for investment firms and regulated markets by explicitly anchoring ICT-related requirements — such as continuity, security mechanisms, algorithmic trading controls, and business continuity planning — to the corresponding chapters and articles of Regulation (EU) 2022/2554 (DORA).
In doing so, it ensures that where MiFID II previously contained standalone ICT or operational resilience obligations, those are now aligned with and governed by DORA's framework, avoiding duplication and clarifying the boundary between the two instruments.
Important points:
- Ensure ICT systems supporting the continuity and regularity of investment services are set up and managed in accordance with DORA, and that security mechanisms protecting data transfer meet DORA's requirements.
- Investment firms engaged in algorithmic trading must have business continuity arrangements, including ICT business continuity and recovery plans, established in accordance with DORA, with systems fully tested and monitored against DORA's standards.
- Member States are required to ensure regulated markets establish and maintain operational resilience in line with DORA's Chapter II, with algorithm testing requirements also subject to DORA's Chapters II and IV.
Springlex's summary of the article, a reading aid, not a substitute for the legal text.
Directive 2014/65/EU is amended as follows:
Article 16 is amended as follows:
paragraph 4 is replaced by the following:
An investment firm shall take reasonable steps to ensure continuity and regularity in the performance of investment services and activities. To that end, the investment firm shall employ appropriate and proportionate systems, including information and communication technology (“ICT”) systems that are set up and managed in accordance with Article 7 of Regulation (EU) 2022/2554 of the European Parliament and of the Council(20), as well as appropriate and proportionate resources and procedures.
in paragraph 5, the second and third subparagraphs are replaced by the following:
‘An investment firm shall have sound administrative and accounting procedures, internal control mechanisms and effective procedures for risk assessment.
Without prejudice to the ability of competent authorities to require access to communications in accordance with this Directive and Regulation (EU) No 600/2014, an investment firm shall have sound security mechanisms in place to ensure, in accordance with the requirements laid down in Regulation (EU) 2022/2554, the security and authentication of the means of transfer of information, to minimise the risk of data corruption and unauthorised access and to prevent information leakage, thereby maintaining the confidentiality of the data at all times.’;
Article 17 is amended as follows:
paragraph 1 is replaced by the following:
‘An investment firm that engages in algorithmic trading shall have in place effective systems and risk controls suitable to the business it operates to ensure that its trading systems are resilient and have sufficient capacity in accordance with the requirements laid down in Chapter II of Regulation (EU) 2022/2554, are subject to appropriate trading thresholds and limits and prevent the sending of erroneous orders or the systems otherwise functioning in a way that may create or contribute to a disorderly market.
Such a firm shall also have in place effective systems and risk controls to ensure the trading systems cannot be used for any purpose that is contrary to Regulation (EU) No 596/2014 or to the rules of a trading venue to which it is connected.
The investment firm shall have in place effective business continuity arrangements to deal with any failure of its trading systems, including ICT business continuity policy and plans and ICT response and recovery plans established in accordance with Article 11 of Regulation (EU) 2022/2554, and shall ensure its systems are fully tested and properly monitored to ensure that they meet the general requirements laid down in this paragraph and any specific requirements laid down in Chapters II and IV of Regulation (EU) 2022/2554.’;
in paragraph 7, point (a) is replaced by the following:
‘the details of organisational requirements laid down in paragraphs 1 to 6, other than those related to ICT risk management, which are to be imposed on investment firms providing different investment services, investment activities, ancillary services or combinations thereof, whereby the specifications in relation to the organisational requirements laid down in paragraph 5 shall set out specific requirements for direct market access and for sponsored access in such a way as to ensure that the controls applied to sponsored access are at least equivalent to those applied to direct market access;’;
in Article 47, paragraph 1 is amended as follows:
point (b) is replaced by the following:
‘to be adequately equipped to manage the risks to which it is exposed, including to manage ICT risk in accordance with Chapter II of Regulation (EU) 2022/2554, to implement appropriate arrangements and systems for identifying significant risks to its operation, and to put in place effective measures to mitigate those risks;’;
point (c) is deleted;
Article 48 is amended as follows:
paragraph 1 is replaced by the following:
‘Member States shall require a regulated market to establish and maintain its operational resilience in accordance with the requirements laid down in Chapter II of Regulation (EU) 2022/2554 to ensure its trading systems are resilient, have sufficient capacity to deal with peak order and message volumes, are able to ensure orderly trading under conditions of severe market stress, are fully tested to ensure such conditions are met and are subject to effective business continuity arrangements, including ICT business continuity policy and plans and ICT response and recovery plans established in accordance with Article 11 of Regulation (EU) 2022/2554, to ensure continuity of its services if there is any failure of its trading systems.’;
paragraph 6 is replaced by the following:
‘Member States shall require a regulated market to have in place effective systems, procedures and arrangements, including requiring members or participants to carry out appropriate testing of algorithms and providing environments to facilitate such testing in accordance with the requirements laid down in Chapters II and IV of Regulation (EU) 2022/2554, to ensure that algorithmic trading systems cannot create or contribute to disorderly trading conditions on the market and to manage any disorderly trading conditions which do arise from such algorithmic trading systems, including systems to limit the ratio of unexecuted orders to transactions that may be entered into the system by a member or participant, to be able to slow down the flow of orders if there is a risk of its system capacity being reached and to limit and enforce the minimum tick size that may be executed on the market.’;
paragraph 12 is amended as follows:
point (a) is replaced by the following:
‘the requirements to ensure trading systems of regulated markets are resilient and have adequate capacity, except the requirements related to digital operational resilience;’;
point (g) is replaced by the following:
‘the requirements to ensure appropriate testing of algorithms, other than digital operational resilience testing, so as to ensure that algorithmic trading systems including high-frequency algorithmic trading systems cannot create or contribute to disorderly trading conditions on the market.’.
This text is meant purely as a documentation tool and has no legal effect. No liability is assumed for its content. The authentic version of this act is the one published in the Official Journal of the European Union.