DORA for MiFID II investment firms: trading-system resilience, algo controls and proportionate ICT risk management.
Investment firms authorised under MiFID II sit squarely within DORA's scope, and for many trading-driven firms ICT is not a back-office concern but the core of the business: order routing, execution, market-data ingestion and risk checks all run on systems whose downtime translates directly into missed fills, mispriced positions and best-execution failures. DORA reframes these operational dependencies as a regulated resilience obligation, requiring a documented ICT risk-management framework, incident reporting, resilience testing and tight oversight of the vendors, venues and data feeds the firm relies on.
What makes investment firms distinctive is the overlap between DORA and the pre-existing MiFID II algorithmic-trading regime. RTS 6 (Commission Delegated Regulation (EU) 2017/589) already mandates pre-trade controls, kill-switch functionality, system testing and capacity monitoring for firms engaged in algorithmic trading. DORA does not replace these obligations but wraps them in a horizontal, group-wide resilience framework, and firms that treat the two regimes as one integrated control set, rather than parallel compliance silos, will both reduce duplication and close the gaps that supervisors are most likely to probe.
DORA applies to investment firms within the meaning of MiFID II under Article 2(1)(c) of Regulation (EU) 2022/2554, so almost all authorised investment firms are in scope regardless of size. However, the regulation is proportionate: a simplified ICT risk-management framework under Article 16 is available to firms classified as small and non-interconnected under Article 12(1) of the Investment Firms Regulation (IFR, (EU) 2019/2033), broadly the IFD/IFR "class 3" cohort, while larger class 2 firms must apply the full Articles 5-15 framework. Microenterprises also benefit from lighter testing and governance expectations, but no investment firm is exempt outright, and even class 3 firms must still report major incidents and manage third-party ICT risk.
DORA operates alongside MiFID II rather than overriding it: the RTS 6 obligations on algorithmic trading systems (pre-trade limits, real-time monitoring, kill-switch, conformance and stress testing, business-continuity arrangements) remain in force and now feed directly into the DORA ICT risk and resilience-testing framework. Order-routing engines, smart order routers and market-data feeds become "ICT systems supporting critical or important functions," so their availability, capacity and failover must be evidenced under DORA Articles 8-12 while still satisfying MiFID II best-execution (Article 27) and orderly-trading duties. In practice firms should map each RTS 6 control to a DORA framework element so that testing, change management and incident handling are governed once, not twice.
Order-management, execution and matching engines are ICT systems supporting critical or important functions, so DORA requires documented availability targets, capacity management and tested failover. Outages must be detectable in real time and recoverable within defined RTOs, with evidence retained for supervisors. This dovetails with RTS 6 capacity and resilience requirements already binding on algorithmic-trading firms.
RTS 6 already mandates a kill-switch to cancel orders and halt algorithms; DORA elevates this into the ICT resilience framework, requiring it to be tested, access-controlled and integrated with incident response. The firm must be able to demonstrate who can trigger it, how fast it acts, and that it is exercised regularly. Failure of the kill-switch itself should be treated as a potential major ICT-related incident.
Reliance on co-located infrastructure, exchange gateways and real-time market-data vendors creates concentration and latency-sensitivity that DORA treats as third-party ICT risk. Firms must monitor feed integrity, staleness and failover to secondary feeds, since corrupted or stale data can drive mispriced orders and best-execution breaches. Data-feed contracts must include DORA Article 30 resilience and audit clauses.
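The feed-integrity and failover logic described above, as an added illustration that is not part of the original page or any vendor's product: each feed is scored on staleness (last vendor timestamp versus now), sequence-gap integrity and a sanity check on the quote itself, and routing falls back to the secondary feed or halts when neither can be trusted. The thresholds, feed names and tick samples are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class Tick:
    seq: int      # vendor sequence number, used to detect dropped/replayed messages
    ts: float     # vendor timestamp (epoch seconds)
    bid: float
    ask: float

class FeedHealth:
    """Tracks staleness and sequence integrity of one market-data feed."""
    def __init__(self, name: str, max_age_s: float, max_gaps: int = 0):
        self.name = name
        self.max_age_s = max_age_s    # staleness tolerance (illustrative value)
        self.max_gaps = max_gaps      # tolerated sequence gaps before distrust
        self.last: Optional[Tick] = None
        self.gaps = 0

    def on_tick(self, t: Tick) -> None:
        # Any jump or regression in seq means messages were lost or replayed.
        if self.last is not None and t.seq != self.last.seq + 1:
            self.gaps += 1
        self.last = t

    def is_healthy(self, now: float) -> bool:
        if self.last is None:
            return False
        stale = now - self.last.ts > self.max_age_s
        crossed = self.last.bid >= self.last.ask   # crossed book: corrupt quote
        return not stale and not crossed and self.gaps <= self.max_gaps

def select_feed(primary: FeedHealth, secondary: FeedHealth, now: float,
                max_divergence_bps: float = 50.0) -> Tuple[Optional[str], Optional[Tick]]:
    """Pick the feed to price from: primary if healthy, else secondary; halt if neither."""
    p_ok, s_ok = primary.is_healthy(now), secondary.is_healthy(now)
    if p_ok and s_ok:
        p_mid = (primary.last.bid + primary.last.ask) / 2
        s_mid = (secondary.last.bid + secondary.last.ask) / 2
        # Both look fresh but disagree beyond tolerance: neither can be trusted,
        # so routing should halt rather than price off an unverified feed.
        if abs(p_mid - s_mid) / s_mid * 1e4 > max_divergence_bps:
            return None, None
        return primary.name, primary.last
    if p_ok:
        return primary.name, primary.last
    if s_ok:
        return secondary.name, secondary.last
    return None, None   # no usable feed: stop routing and raise an incident
```

A return of `(None, None)` is the signal that should feed the incident process, since a halt caused by stale or divergent data is exactly the kind of event the classification thresholds are applied to.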
MiFID II best-execution (Article 27) depends on the integrity of pricing data, venue connectivity and the algorithms that route orders, all of which are ICT dependencies under DORA. An ICT incident degrading connectivity or data quality can therefore become a conduct as well as a resilience failure. Mapping execution-quality risks to ICT controls links DORA testing to demonstrable best-execution outcomes.
Many firms outsource order/execution management systems (OMS/EMS), post-trade processing or even whole trading platforms to third parties. Under DORA Articles 28-30 these arrangements need a register of information, exit strategies, security and audit rights, and assessment of ICT concentration. Sub-outsourcing of the OMS/EMS stack must be traced and contractually controlled.
Class 3 (small and non-interconnected) investment firms may apply the simplified ICT risk-management framework under DORA Article 16 instead of the full Articles 5-15. This still requires identifying critical functions, protective measures, incident detection and recovery, but with lighter governance and testing expectations. Firms near the class 2/class 3 boundary should monitor whether growth tips them into the full regime.
No. All MiFID II investment firms are in scope under Article 2 of DORA. However, firms classified as small and non-interconnected under IFR Article 12 (broadly class 3) may use the simplified ICT risk-management framework in DORA Article 16, and microenterprises face lighter testing and governance expectations. Even these firms must still report major ICT incidents and manage third-party ICT risk.
No, the two regimes coexist. RTS 6 (Delegated Regulation (EU) 2017/589) obligations such as pre-trade controls, kill-switch, testing and capacity monitoring remain fully in force. DORA wraps them inside a horizontal ICT risk-management and resilience-testing framework, so the cleanest approach is to map each RTS 6 control to its DORA framework element and govern them as one integrated control set.
Only a subset of firms must perform TLPT under DORA Articles 26-27; it is targeted at firms identified by authorities as significant from an ICT and systemic perspective, based on criteria in the relevant RTS. Most smaller investment firms will not be designated and instead carry out the standard digital operational resilience testing programme (vulnerability scans, scenario tests, etc.) under Articles 24-25. You should confirm your status with your NCA rather than assume.
Yes. Real-time market-data feeds, co-location, exchange gateways and OMS/EMS providers are ICT third-party services supporting trading functions, so they fall under DORA Articles 28-30. They must appear in your register of information, be assessed for concentration risk, and their contracts must include the mandatory provisions on security, audit rights, sub-outsourcing and exit. Some major providers may also be designated as critical ICT third-party providers subject to direct ESA oversight.
Apply the criteria in the RTS on incident classification (Delegated Regulation (EU) 2024/1772): clients and transactions affected, data losses, reputational impact, duration, service downtime, geographical spread, economic impact and criticality of services. A trading outage, erroneous-order cascade or market-data corruption breaching these thresholds is a major incident and triggers staged reporting to your NCA. Pre-mapping desk scenarios to these thresholds speeds the reportability decision.
Best execution under MiFID II Article 27 depends on accurate pricing data, reliable venue connectivity and sound routing logic, all of which are ICT dependencies under DORA. An ICT failure that degrades data quality or connectivity can therefore become both a resilience and a conduct breach. Linking execution-quality risks to DORA ICT controls lets you evidence best execution and operational resilience from the same testing and monitoring.