AI Act · MiFID II sector

The EU AI Act for Investment Firms

Your trading algorithms are not high-risk under the AI Act. They are, however, already governed by MiFID II and RTS 6 — which is why nobody should be rebuilding that governance from scratch.

Check your exposure — free

Your algos are regulated. Just not by this Act.

Annex III does not mention algorithmic trading, best execution, portfolio optimisation or investment advice. Not once. An investment firm can run its entire AI estate and touch the AI Act's high-risk chapter only through the side door — as an employer, or if it lends to retail clients. What governs your algos is MiFID II Article 17 and RTS 6, and ESMA has already told you how it reads AI against them.

Your AI systems, classified

Read this the way the Act reads it: Annex III is a list of named use cases, not a judgement about how important a system is to your business. The most consequential model you run may well be the one the Act says nothing about.

SystemUnder the AI ActWhy
Algorithmic and high-frequency trading Not high-risk Not high-risk — but see MiFID II Absent from Annex III. Governed instead by MiFID II Art. 17 and RTS 6 (Delegated Regulation (EU) 2017/589): governance, pre-deployment testing, kill functionality, annual self-assessment. ESMA published a supervisory briefing on algorithmic trading in February 2026.
Robo-advice and automated suitability assessment Not high-risk Not high-risk Not named in Annex III. Governed by the MiFID II suitability regime — and by ESMA's Public Statement on AI and investment services of 30 May 2024, which expects organisational rigour, transparency about AI's role, and the duty to act in the client's best interest.
Best execution and smart order routing Not high-risk Not high-risk Not in Annex III. This is MiFID II best-execution territory.
Market abuse surveillance Not high-risk Not high-risk Not in Annex III. MAR obligations, unchanged.
Margin lending or credit to retail clients Applies High-risk — Annex III 5(b) If you assess the creditworthiness of a natural person, you are in 5(b) — whatever the wrapper. This is the one route by which a pure investment firm lands in the high-risk chapter.
Generated research, client reporting, marketing copy Applies Transparency — Art. 50 Synthetic content must be machine-readably marked. The grace period ends 2 December 2026. Also a MiFID II fair-clear-and-not-misleading question.
CV screening and employee evaluation Applies High-risk — Annex III point 4 Catches you as an employer. The most common way an investment firm ends up deploying a high-risk AI system without knowing it.

How it sits on the regime you already carry

This is the sector where the AI Act is most often over-scoped. The instinct is understandable — trading is the most consequential AI in the building — but the Act simply does not reach it. Annex III is a list of use cases, and trading is not on the list.

What you should be doing instead is mapping, not rebuilding. Your RTS 6 algo governance already gives you pre-deployment testing, change control, kill switches and an annual self-assessment. Where the AI Act does apply — a retail credit line, an HR screening tool, generated client comms — you can hang those obligations off the control framework you already run, rather than standing up a parallel one.

Read the text

We describe the delta. The Act itself — all 113 articles, in 24 EU languages — lives on our sister site.

Frequently asked questions

Is algorithmic trading high-risk under the EU AI Act?
No. Annex III does not list algorithmic trading, high-frequency trading, best execution or portfolio optimisation. Those systems are governed by MiFID II Article 17 and RTS 6 (Commission Delegated Regulation (EU) 2017/589), which already require governance, pre-deployment testing, kill functionality and an annual self-assessment. The AI Act adds no high-risk obligations to them.
Is robo-advice high-risk?
No. Investment advice is not named in Annex III. It is governed by the MiFID II suitability regime and by ESMA's Public Statement on AI and investment services of 30 May 2024, which expects firms to be transparent about the role AI plays in investment decision-making, to test and monitor proportionately, and to act in the client's best interest.
So does the AI Act reach an investment firm at all?
Yes, through three routes. As an employer, if you use AI for recruitment or worker evaluation (Annex III point 4). Through Article 50, if you generate content for clients or run a customer-facing bot. And through Annex III point 5(b), if you assess the creditworthiness of natural persons - margin lending to retail clients is the usual path.
Do we need a separate AI governance framework?
Almost certainly not. You already run algo governance under RTS 6 and ICT risk governance under DORA. The right move is to map the AI Act obligations that genuinely apply onto those frameworks, rather than building a third one in parallel. Duplicated governance is how firms end up with three registers that disagree.
When is our first AI Act deadline?
For most investment firms: 2 August 2026, when the Article 50 transparency obligations apply, with the marking of AI-generated content following on 2 December 2026. The high-risk regime runs to 2 December 2027 and will only reach you through HR or retail credit.

Start free: run the AI Act exposure check to classify a specific system, or read the cross-obligation table showing what the AI Act adds to a DORA programme. Already working on DORA? See DORA for Investment Firms. Analytical guidance for compliance teams, not legal advice.

How Compliant Is Your Institution?

Take our free 5-minute assessment and get an instant DORA compliance score with personalised recommendations.

Get Your Free DORA Score Join Free Monthly Webinar