The Markets in Financial Instruments Directive (2004/39/EC) has been applicable across Europe since late 2007 and was updated to MiFID II in January 2018. MiFID II aimed to improve the functioning of financial markets and to strengthen investor protection (in light of the financial crisis). MiFID II is made up of both the updated MiFID (2014/65/EU) and the Markets in Financial Instruments Regulation (600/2014/EU). MiFIR, being a regulation, is legally binding in its entirety.
MiFID II (2004/39/EC) requirements on organisations in relation to data security
Whilst MiFID II is focused on the protection of investors through the principle of transparency, it also places some specific requirements on organisations in relation to data security. Four articles within the directive relate to security:
Article 16:
“An investment firm shall have sound administrative and accounting procedures, internal control mechanisms, effective procedures for risk assessment, and effective control and safeguard arrangements for information processing systems. Without prejudice to the ability of competent authorities to require access to communications in accordance with this Directive and Regulation (EU) No 600/2014, an investment firm shall have sound security mechanisms in place to guarantee the security and authentication of the means of transfer of information, minimise the risk of data corruption and unauthorised access and to prevent information leakage maintaining the confidentiality of the data at all times.”
Article 64:
“The home Member State shall require the approved publication arrangement (APA) to have sound security mechanisms in place designed to guarantee the security of the means of transfer of information, minimise the risk of data corruption and unauthorised access and to prevent information leakage before publication. The APA shall maintain adequate resources and have back-up facilities in place in order to offer and maintain its services at all times.”
Article 65:
“The home Member State shall require the consolidated tape provider (CTP) to have sound security mechanisms in place designed to guarantee the security of the means of transfer of information and to minimise the risk of data corruption and unauthorised access. The home Member State shall require the CTP to maintain adequate resources and have back-up facilities in place in order to offer and maintain its services at all times.”
Article 66:
“The home Member State shall require the approved reporting mechanism (ARM) to have sound security mechanisms in place designed to guarantee the security and authentication of the means of transfer of information, minimise the risk of data corruption and unauthorised access and to prevent information leakage, maintaining the confidentiality of the data at all times. The home Member State shall require the ARM to maintain adequate resources and have back-up facilities in place in order to offer and maintain its services at all times.”