Mind the Gaps – Why ESMA's Algorithmic Trading Supervisory Briefing is a Turning Point for Firms

At a glance

The supervisory focus on algorithmic trading regulations has sharpened due to increasing market incidents and emerging technological developments. In 2024, as a follow-up to the 2022 flash crash in the Nordics, the European Securities and Markets Authority (ESMA), in cooperation with National Competent Authorities (NCAs), conducted a common supervisory action (CSA). Its aim was to: gain a deeper understanding of how investment firms (IFs) comply with existing regulatory requirements on pre-trade controls (PTCs); assess the adequacy of PTC implementation across jurisdictions; and identify areas where further supervisory guidance could support a more harmonised and convergent application of PTCs throughout the EU.

The findings of the CSA are reflected in ESMA’s Supervisory Briefing, published on 26 February. In it ESMA provides a non-binding but highly consequential tool for how NCAs supervise algorithmic trading. The briefing complements and clarifies expectations under MiFID II RTS 6, by setting out a far more granular and supervisory-led view of what effective control frameworks look like in practice. It signals a clear shift in supervisory focus, requiring firms to demonstrate that their controls are effective, resilient and fit for purpose in live trading environments. For IFs this amounts to much more than incremental guidance.

This note sets out our view of the key issues arising from ESMA’s brief and the priority actions for IFs’ senior management to consider.

Seven key areas are under increased supervisory focus

1. Reframing algorithmic trading: every parameter counts

At first glance, ESMA revisits familiar definitions such as what constitutes an algorithm, algorithmic trading and a trading strategy. However, by reinforcing that any algorithm determining even a single order parameter qualifies as algorithmic trading, ESMA effectively removes the interpretation flexibility firms have historically relied on. This covers decisions on whether to initiate an order, its timing, price, quantity or how to manage it post submission. Even where a human intervenes in the trading process, if a computer algorithm has determined any individual parameter (other than routing or post-trade processing), the activity is algorithmic.

This definitional precision directly affects the scope of controls applied, completeness of algorithmic inventories and the population subject to testing, monitoring, and validation. Firms will need to reassess what they classify as ‘algorithmic’, and the adequacy of their controls may need to expand accordingly.

Senior management should consider the following

• Reassess definitions and classifications - ensure the scope of what is considered ‘algorithmic’ reflects ESMA’s interpretation, including activities that determine any single order parameter.

2. Algorithmic trading strategies: a new level of granularity

One area that has until now received less attention in firms’ compliance frameworks is the concept of an algorithmic trading strategy. While MiFID II (Article 17(2)) and RTS 6 (Articles 5(4) and 9) refer to strategies in the context of reporting, testing, documentation, and market abuse surveillance, they do not detail what constitutes an algorithmic trading strategy.

ESMA’s supervisory briefing provides a standardised concept. An algorithmic trading strategy is defined as a set of decision logic, implemented through one or more algorithms, that autonomously pursues a defined trading objective such as market making, arbitrage, or execution optimisation. Each strategy must be:

• testable and distinguishable from other strategies;
• subject to separate supervisory scrutiny;
• linked to observable trading behaviour; and.
• documented in a way that allows pre-deployment and post-change review.

This is important because the granularity of the strategy classification determines the scope of testing obligations.

Firms that bundle multiple strategies into a single testing exercise would be expected by supervisors to demonstrate that each strategy has been individually validated. Strategies must be sufficiently distinguishable that surveillance systems can isolate their behaviour and detect potential abusive patterns.

Senior management should consider the following:

• Strengthen algorithm inventories and strategy definitions – ensure each algorithmic trading strategy is clearly defined, testable, distinguishable, and linked to market abuse surveillance.

3. Pre-trade controls: the shift from presence to precision

A significant portion of the briefing is dedicated to PTCs, emphasising their critical role in preventing erroneous orders and maintaining market orderliness. ESMA’s message is clear that it is necessary but not sufficient for firms to have controls; to be sufficient firms must be able to demonstrate their controls are well-calibrated and effective. This means firms:

• applying controls across all orders and instruments;
• ensuring cumulative checks (preventing circumvention via order slicing);
• distinguishing clearly between hard blocks (non-overridable) and soft blocks (alerts requiring intervention); and
• supporting calibration with quantitative evidence.

The real shift is that PTCs are no longer solely operational safeguards; they are becoming risk models in their own right, meaning that firms should apply the same rigour to PTCs as they apply to market risk models.

Firms will need to move from static, point-in-time calibration to dynamic, evidence-based frameworks. They will need documented methodologies for threshold setting, regular back-testing against real trading data, clear escalation processes when limits are breached, and formal governance sign-off on calibration decisions.

Senior management should consider the following:

• Revalidate PTC calibration frameworks – treat PTCs as dynamic risk models requiring quantitative evidence of PTC calibrations, ongoing back-testing and formal governance sign-off.

4. Governance and outsourcing: accountability stays at home

One of the most direct reminders in the briefing is also one of the most important: outsourcing activities does not mean outsourcing responsibility. Whether firms rely on third-party algorithms, vendor platforms, or Direct Electronic Access (DEA) arrangements, they remain fully accountable for compliance.

ESMA’s emphasis reflects a recognition that many firms have not fully internalised what this means in practice. The briefing challenges the assumption that relying on a vendor platform transfers supervisory accountability. Firms must ensure contractual agreements with technology, algorithm and outsourced trading providers allow them to:

• have full transparency into how algorithms function;
• access testing and validation evidence;
• maintain clearly documented allocations of roles and operational responsibilities; and
• exercise unconditional ability to intervene, suspend, or terminate trading.

Many firms operate with limited visibility over third-party components. ESMA’s briefing makes it clear that this is not sustainable. For firms operating complex vendor ecosystems, the real challenge is how to evidence control where execution is distributed across multiple parties.

Senior management should consider the following:

• Review outsourcing arrangements for control gaps – ensure contractual arrangements provide transparency, access to testing evidence and kill-switch capabilities.
• Conduct a structured review of all third-party algorithmic trading arrangements, assessing whether current contracts provide adequate rights of access, information and intervention. Where gaps exist, firms should consider renegotiating contracts or implementing compensating controls and document the relevant rationale either way.

5. Testing: from a one-off exercise to continuous validation

Testing is no longer a checkpoint. It is an ongoing control mechanism embedded into the trading lifecycle. ESMA expects firms to ensure that their algorithms, algorithmic trading systems or algorithmic trading strategies are tested to avoid contributing to disorderly markets or facilitating abusive practices. RTS 6 (and 7) require IFs to conduct conformance testing, stress testing, and scenario analysis. The expectation is to move beyond periodic validation towards continuous, lifecycle-based testing, including:

• testing across the full trading lifecycle;
• retesting following material or substantial changes; and
• capacity and stress testing aligned to real trading volumes.

Importantly, ESMA also highlights the risk of a series of incremental changes amounting to a material impact, which is particularly relevant for adaptive and AI-driven models. This introduces a layer of complexity that many traditional testing frameworks were not designed to handle.

Testing methodologies, procedures and internal authorisations to deploy algorithmic trading must be well documented; supervisors will assess compliance based on the quality and completeness of documentation, not simply based on the existence of a process.

Senior management should consider the following:

• enhance testing capabilities and documentation – move to continuous, lifecycle-based validation;
• implement proportionate stress testing of the full order cycle; and
• document methodologies, authorisations, and change triggers.

6. Real-time monitoring: the true test of control effectiveness

If PTCs are the first line of defence, real-time monitoring is where control frameworks are truly tested. Firms are expected to implement continuous monitoring of all algorithmic activity, integration of alerts and breaches into control workflows and a clear two-lines-of-defence model for trading desks and independent risk management. IT functions should not be considered as having the appropriate powers, tools and procedures to challenge a trader Independently.

Many monitoring systems were not designed for today’s trading speeds and complexity. For many firms, this is where gaps become most visible, particularly where systems, alerts and governance processes have evolved separately. Supervisors are increasingly focused on whether firms can detect, escalate, and act fast enough to prevent disorderly market impact.

Senior management should consider the following:

• Upgrade real-time monitoring and escalation processes – close the gap between alert generation and governance response;
• clearly document the two-lines-of-defence model.

7. AI in trading: an emerging area of supervisory focus

ESMA introduces AI-specific expectations within the MiFID II RTS 6 framework. Recognising the increasing integration of AI into algorithmic trading workflows, the briefing explicitly addresses the interaction between algorithmic trading requirements and obligations under the EU AI Act. ESMA identifies two existing RTS 6 provisions as the primary anchor for AI oversight:

• Article 9 (Annual self-assessment and validation): NCAs should assess how firms are taking into consideration the use of AI as part of their self-assessment and validation under Article 9 of RTS 6.
• Article 2 (Role of compliance function): compliance staff must have at least a general understanding of how algorithmic trading systems operate, including AI where applicable.

By anchoring AI governance to existing RTS 6 obligations, ESMA signals that firms should not wait for AI-specific regulation before acting. With the EU AI Act now directly referenced, AI governance in trading is becoming a dual regulatory obligation. Firms will need to satisfy both the MiFID II framework and, where applicable, the risk management requirements of the EU AI Act.

Senior management should consider the following:

• embed AI governance into existing RTS 6 frameworks – map AI use cases to Article 9 and Article 2;
• prepare for dual regulatory scrutiny under the EU AI Act; andevidence compliance function AI literacy.

How Deloitte can help

Our experience in supporting global banks on enhancing electronic and algorithmic trading risk management frameworks, MiFID II RTS 6 self-assessments and validations, real-time monitoring operating models and the broader PTC suite leaves us ideally placed to support firms with mitigating the potential risks discussed above.

Our teams have assisted firms on their journey through a variety of means, including industry benchmarking, regulatory gap assessments, framework design and implementation support.

To find out how we can support please get in touch.