AI Law in Action: ESMA Sets Rules for Investment Firms

On 27 June 2025, the European Securities and Markets Authority (ESMA) published critical guidance aimed at investment firms employing artificial intelligence (AI) technologies in the provision of investment services. This timely communication reflects the growing integration of AI into financial markets and underlines ESMA’s commitment to ensuring that innovation aligns with existing investor protection and market integrity frameworks under EU Law and Finance Law.

A Compliance-Focused Approach Rooted in EU Law

ESMA’s guidance does not introduce new obligations but rather clarifies the application of existing rules under MiFID II, particularly regarding governance, organisational requirements, and conduct of business rules. At its core, the guidance emphasizes the principle that the use of AI must not undermine a firm’s ability to act in the best interests of its clients — a core requirement under AI Law, EU Law, and Finance Law.

Firms are reminded that the use of AI — including machine learning models, natural language processing, and algorithmic decision-making — remains subject to existing EU financial services legislation. This includes the need for robust governance frameworks, adequate risk management controls, and transparent disclosure practices under both AI Law and Finance Law.

Key Points of Guidance

ESMA highlights several core responsibilities for firms deploying AI in investment services, reinforcing standards set under EU Law:

  1. Governance and Oversight: Senior management remains ultimately accountable for AI use. Firms must ensure appropriate oversight of AI-driven tools, especially where they are used in advisory, portfolio management, or client interaction contexts.
  2. Algorithmic Accountability: Investment firms must understand and be able to explain how AI models function, including their data inputs, design limitations, and potential biases. This aligns closely with evolving standards in AI Law.
  3. Client Interests and Transparency: Firms must ensure that AI applications are aligned with client interests. This includes transparent communication about the use of AI and ensuring that it does not lead to discriminatory or unfair outcomes — a key concern under Finance Law.
  4. Operational Resilience and Risk Mitigation: The guidance stresses the importance of testing, monitoring, and auditing AI systems to prevent unintended consequences or systemic risks. This includes fallback procedures and human oversight mechanisms, consistent with obligations under both AI Law and EU Law.

Practical Implications for Firms

For compliance officers and legal counsel, this guidance underscores the importance of integrating AI governance into existing compliance frameworks. Documentation, model validation, and record-keeping are not merely best practices — they are regulatory expectations under Finance Law and AI Law.

Firms must also evaluate whether their current staffing includes sufficient expertise to manage AI-related risks or whether additional training and recruitment are necessary. ESMA’s stance sends a clear message: technological innovation is welcome, but not at the expense of investor protection or regulatory accountability enshrined in EU Law.

Looking Ahead: AI Law Meets Financial Regulation

ESMA’s AI guidance should be seen in conjunction with the broader regulatory landscape, including the forthcoming EU AI Act and the Digital Operational Resilience Act (DORA). These legislative frameworks will further shape how AI is governed in financial services across the EU and will define the trajectory of AI Law, EU Law, and Finance Law in the years to come.

Investment firms would do well to proactively assess their AI strategies in light of this evolving framework and ensure that compliance and innovation develop hand in hand.

Hi, I’m Karina Schembri, an EU regulatory compliance lawyer based in Malta, with over 15 years of experience navigating complex legal and regulatory landscapes across Europe. In recent years, I’ve become deeply involved in the automation of compliance and legal workflows, helping organizations streamline their processes through intelligent systems and technology.
