← All guides
MiFID II12 min read7 July 2026

MiFID II Compliance for Investment Firms: Suitability, Best Execution, Transaction Reporting, and ESG in 2026

A practical MiFID II compliance guide covering the 8 key pillars: client suitability and ESG preferences, costs disclosure, best execution, transaction reporting, product governance, conflicts of interest, MAR surveillance, and algorithmic trading.

MiFID II in 2026: still the most operationally demanding EU financial services regulation

Markets in Financial Instruments Directive II (Directive 2014/65/EU) and its accompanying Regulation (EU) 600/2014 (MiFIR) have been in force since January 2018. Eight years on, they remain the most operationally complex financial services regulation EU investment firms face — generating more day-to-day compliance activity than any other single framework, including DORA.

In 2026, two forces drive renewed focus: the progressive enforcement of ESG suitability preferences (mandatory since August 2022 but still a priority supervisory focus), and the MiFIR Review regulation (Regulation (EU) 2024/791) reshaping transparency and transaction reporting rules.

Who MiFID II applies to

MiFID II applies to investment firms, credit institutions providing investment services, UCITS and AIFM management companies providing individual portfolio management or investment advice, and operators of trading venues. It applies across the EU; post-Brexit UK firms operate under the FCA's retained MiFID framework which diverges increasingly from the EU position.

Key investment services covered by MiFID II Annex I Section A include: reception and transmission of orders, execution of orders, dealing on own account, portfolio management, investment advice, underwriting, placing, and operation of MTFs and OTFs.

Pillar 1: Authorisation and governance

Investment firm authorisation under MiFID II Art. 7 is the threshold requirement. Art. 9 management body requirements are increasingly scrutinised — the ESMA/EBA Joint Guidelines on suitability of management body members (EBA/GL/2021/06) set detailed expectations for knowledge, skills, experience, and diversity. Documented fit-and-proper assessments are expected for initial appointment and ongoing review.

Art. 16 internal controls requirements — compliance function, risk management function, internal audit — must be demonstrably independent of business lines. The compliance function must have direct reporting access to the management body.

Investment firm prudential requirements under the Investment Firm Regulation (IFR, EU) and IFPR (UK FCA) set capital adequacy requirements for Class 2 and Class 3 firms. Monthly monitoring and Pillar 3 disclosures are required for larger firms.

Pillar 2: Client suitability and ESG preferences

MiFID II Art. 25(2) suitability requirements for portfolio management and investment advice are the most extensively enforced provision in the regulation. ESMA's 2023 Common Supervisory Action on suitability found deficiencies at over 40% of sampled firms, primarily in three areas:

  1. Stale suitability profiles: ESMA's 2018 and 2023 Guidelines require firms to obtain updated information from clients and review suitability profiles at least annually for ongoing advisory and portfolio management relationships.
  2. Incomplete sustainability preference capture: Commission Delegated Regulation (EU) 2021/1253, effective 2 August 2022, added sustainability preferences as a mandatory suitability criterion. Firms must ask clients about their sustainability preferences across three dimensions: (a) minimum proportion allocated to sustainable investments under SFDR/Taxonomy; (b) minimum proportion of taxonomy-aligned investments; (c) consideration of principal adverse impacts (PAIs). Firms must document how product recommendations take those preferences into account, or document the client's decision to adjust/waive preferences.
  3. Inadequate suitability reports: A suitability report must be provided before each recommendation. Generic reports that don't reference the specific client's profile, financial situation, and sustainability preferences fail Art. 25(6) MiFID II.

Appropriateness testing under Art. 25(3) applies to non-advised execution of complex products. For execution-only business in non-complex instruments, neither suitability nor appropriateness testing is required — but the execution-only status must be documented.

Pillar 3: Costs and charges disclosure

Art. 24(4) MiFID II and Delegated Regulation (EU) 2017/565, Art. 50–51, require firms to provide ex-ante and ex-post costs and charges disclosure. The disclosure must cover all costs — MiFID II service costs, instrument costs, and ancillary costs — presented as a monetary amount and as a percentage. Annual (ex-post) statements are required for ongoing relationships.

ESMA's 2022 and 2023 Common Supervisory Actions on costs and charges found widespread non-compliance: missing ex-post statements, costs expressed only as percentages, and failure to include all cost components. NCAs across multiple member states issued formal warnings and fines following these reviews.

Pillar 4: Best execution

MiFID II Art. 27 requires investment firms to take all sufficient steps to obtain the best possible result for clients when executing orders, taking into account price, costs, speed, likelihood of execution and settlement, size, and nature of the order.

The best execution policy must be documented, provided to clients, and reviewed at least annually. The MiFIR Review (Regulation (EU) 2024/791) abolished RTS 27 venue-level reports from early 2024 and reformed RTS 28 firm-level report requirements. Post-trade monitoring of execution quality is increasingly a supervisory expectation.

Pillar 5: Transaction reporting and record-keeping

MiFIR Art. 25 transaction reporting requires reporting of all transactions in financial instruments admitted to trading by T+1. 65 data fields are required per RTS 22. Submission is via an Approved Reporting Mechanism (ARM) or directly to the NCA. NCAs conduct regular data quality reviews — incorrect LEIs, wrong instrument identification, and mislabelled transaction types are common errors.

MiFID II Art. 16(7) requires retention of telephone conversations and electronic communications relating to transactions for five years (seven years for pension products). Clients may request copies. Recording failures are the most common enforcement action in EU and UK financial services — in 2022–2024, both FCA and EU NCAs issued significant fines for off-channel communications (WhatsApp, personal SMS) used for business.

Pillar 6: Product governance

Commission Delegated Directive 2017/593, Arts. 9–10, establish a two-sided product governance regime. For each product, manufacturers must define a target market using five criteria: client type, knowledge and experience, financial situation, risk tolerance, and client objectives. ESMA's 2021 Product Governance Guidelines added explicit ESG considerations.

Distributors must collect target market data from manufacturers, align their distribution strategy accordingly, and conduct periodic product reviews. Selling a product outside the positive target market requires specific documentation.

Pillar 7: Conflicts of interest and inducements

MiFID II Art. 23 requires firms to identify and manage all conflicts of interest. The conflicts of interest policy must be documented, maintained, and disclosed in summary form to clients. A live conflicts register is expected by NCAs, updated when new services or products are introduced.

The inducements rules under Art. 24(7)–(8) are complex for advisory and portfolio management firms: those providing independent investment advice or portfolio management may not accept or retain third-party fees or commissions. Research from third parties must be treated as an inducement unless paid via a Research Payment Account (RPA). Note: the UK FCA has diverged significantly — EU firms remain subject to full MiFID II research unbundling.

Pillar 8: Market abuse surveillance and algorithmic trading

Market Abuse Regulation (EU) 596/2014 Art. 16 requires detection and reporting of suspicious transactions and orders (STORs) to the NCA without delay. Surveillance systems must cover all financial instruments the firm transacts in. ESMA and NCAs have significantly increased STOR enforcement in 2024–2026 — firms with consistently low STOR rates face enhanced supervisory attention.

MiFID II Art. 17 algorithmic trading controls require: a kill switch, pre-trade risk filters, post-trade risk controls, written annual self-assessment, and NCA submission of that self-assessment.

MiFID II penalties under Art. 70

  • Natural persons (senior management): Up to €5 million for most violations
  • Legal persons (firms): Up to €10 million or 5% of total annual turnover; up to €15 million or 10% for MiFIR transaction reporting violations
  • Authorisation withdrawal: NCAs can withdraw authorisation — the equivalent of a business-ending sanction for an investment firm
  • Public disclosure: Most NCAs are required to publish enforcement decisions, creating significant reputational exposure

Priority compliance gaps in 2026

  1. ESG suitability preferences not collected or matched: Four years after the delegation regulation took effect, ESMA common supervisory actions still find widespread non-compliance.
  2. Off-channel communications: Staff using personal devices and messaging apps for business communications outside the recording infrastructure remains a top enforcement target.
  3. Stale suitability profiles: Annual refresh obligations for ongoing portfolio management and investment advisory clients are frequently missed.
  4. Missing ex-post cost statements: Many firms have ex-ante disclosure in place but fail to produce annual ex-post cost statements for retail clients.
  5. Transaction reporting data quality: Incorrect LEIs, missing transaction flags, and instrument misclassification are systemic issues.

ComplyKit's MiFID II / MiFIR Compliance Checklist takes you through 30 compliance checks across all 8 pillars, scores your firm's regulatory posture, and generates a complete MiFID II compliance assessment report with NCA-ready remediation guidance. Free, no account required.

See also: DORA Technical Standards Compliance Checklist and Incident Response Plan Generator.