- MiFID II covers client categorisation, suitability, best execution, cost disclosure and transaction reporting
- Record-keeping requirements are extensive: 5 years minimum, telephone recordings included
- Product governance rules apply to both manufacturers and distributors
- Supervisory scrutiny and enforcement by national competent authorities (NCAs), coordinated by ESMA, have increased significantly since 2023
MiFID II has been supplemented by MiFIR, delegated regulations and ESMA guidelines that continue to evolve. For investment firms, asset managers, execution venues, and financial advisers in the EU, MiFID II sets the framework for virtually every client-facing obligation.
1. Client categorisation
- ☐ All clients categorised as Retail, Professional, or Eligible Counterparty at onboarding
- ☐ Written notification provided to clients of their categorisation
- ☐ Client opt-up/opt-down procedures documented and applied correctly
- ☐ Categorisation reviewed when client circumstances change materially
- ☐ Records of categorisation decisions retained 5+ years
2. Suitability and appropriateness
- ☐ Suitability assessment completed before providing investment advice or portfolio management
- ☐ Appropriateness assessment completed for non-advised complex product sales to retail clients
- ☐ Client knowledge, experience, financial situation and investment objectives captured in writing
- ☐ Suitability reports provided to clients documenting why recommendations are suitable
- ☐ Suitability reassessed periodically for ongoing advisory relationships
- ☐ Where an appropriateness assessment is negative, or cannot be completed because the client declined to provide information, the warning given and the client's decision to proceed documented with acknowledgement captured
3. Best execution
- ☐ Written best execution policy covering all instruments and execution venues
- ☐ Policy reviewed and updated at least annually
- ☐ RTS 28 top-5 execution venue reports: confirm the current status with your NCA, as the obligation was removed by the 2024 MiFID II review (Directive (EU) 2024/790) after ESMA had already deprioritised its enforcement; retain previously published reports
- ☐ Prior express client consent obtained before executing orders outside a trading venue (regulated market, MTF or OTF), either generally or per transaction
- ☐ Order execution quality monitored and documented
4. Costs and charges disclosure
- ☐ Ex-ante costs and charges disclosure provided before services rendered
- ☐ Ex-post annual costs and charges statement provided to retail clients
- ☐ All inducements disclosed or, where prohibited, eliminated
- ☐ Illustrations of cumulative effect of costs on returns included where required
5. Product governance
- ☐ Target market defined for each product manufactured or distributed
- ☐ Products reviewed against target market at defined intervals
- ☐ Distribution strategy aligned with target market definition
- ☐ Information exchanged with product manufacturers/distributors as required
- ☐ Products showing negative outcomes reviewed and escalated
6. Transaction reporting (MiFIR)
- ☐ All reportable transactions submitted to an ARM or directly to the NCA no later than the close of the working day following the transaction (T+1)
- ☐ LEI obtained and validated for the firm and for every client or counterparty that is a legal entity (no LEI, no trade); national identifiers captured for natural persons
- ☐ Reporting accuracy monitored with reconciliation performed
- ☐ Rejected reports identified and corrected promptly
7. Record-keeping
- ☐ Telephone conversations and electronic communications recorded where they relate to, or are intended to result in, a transaction or the provision of client order services, including those that do not lead to a trade
- ☐ Records retained for a minimum of 5 years (up to 7 years where requested by the NCA)
- ☐ Records stored on a medium that does not allow them to be altered or deleted (immutable or WORM storage with integrity controls), indexed so that each communication can be retrieved and produced to the regulator on request
- ☐ Data retention policy aligned with MiFID II and GDPR simultaneously
Common enforcement triggers 2025–2026: ESMA's supervisory priorities and NCA enforcement activity are focusing on the accuracy of costs and charges disclosure, the quality of suitability reports, and product governance failures. These three areas account for a large share of recent MiFID II enforcement actions.
See also: DORA Compliance Checklist — How to Choose a Compliance Platform
Frequently Asked Questions
Who does MiFID II apply to?
MiFID II applies to investment firms authorised in the EU/EEA, including broker-dealers, investment advisers, portfolio managers, and execution venues. Some exemptions exist for certain commodity dealers and for firms dealing only on own account.
What did MiFID II add compared with the original MiFID?
Key additions include: mandatory recording of telephone and electronic communications relating to transactions, more detailed suitability requirements, entirely new product governance rules, stricter best execution requirements and reporting, expanded transaction reporting scope, and stricter inducement rules, including a ban on independent advisers and portfolio managers retaining third-party payments.
How long must records and telephone recordings be kept?
A minimum of 5 years, extendable to 7 years at the request of the national competent authority. Recordings must be stored on a medium that cannot be altered and must be retrievable on request.
What are the penalties for non-compliance?
Penalties are set by each member state within the floor MiFID II requires (Article 70): for individuals, administrative fines of at least up to EUR 5 million; for firms, at least up to the higher of EUR 5 million or 10% of total annual turnover; in both cases, up to at least twice the benefit derived from the breach where that can be determined. Regulators can also issue public censures, ban individuals from management functions, and suspend or withdraw authorisation.
Does the suitability requirement apply to execution-only services?
No. Suitability applies only to investment advice and portfolio management. Execution-only services require an appropriateness assessment for complex instruments; for non-complex instruments provided at the client's own initiative, neither assessment is required (Article 25(4)), provided the client is warned that no assessment has been made.
How does HubSecure support MiFID II client onboarding?
HubSecure provides structured client onboarding with digital KYC, categorisation workflows, document collection and secure client portals for delivering required disclosures. The platform creates audit-ready records of every compliance step.
Official sources and further reading
Use these public sources to verify regulatory background and terminology. HubSecure content is product guidance, not legal advice.
Credibility notes
This guide is written for product and operations evaluation, not as legal advice. For compliance obligations, confirm requirements with qualified counsel or the relevant regulator.
Reviewed for regulated teams
Prepared by the HubSecure editorial team for operators, compliance leaders and IT reviewers evaluating secure client operations software.