MiFID II: Markets in Financial Instruments Directive and Security Token Classification
MiFID II was not written with blockchain in mind, but its concept of 'transferable security' is broad enough to capture most security tokens. For compliance officers at tokenization platforms, MiFID II is the EU regulatory framework you are most likely in scope for — not just MiCA.
Definition
MiFID II (Markets in Financial Instruments Directive II — Directive 2014/65/EU) is the European Union’s comprehensive framework governing investment services and activities, financial instruments, and trading venues. Together with its accompanying regulation MiFIR (Markets in Financial Instruments Regulation — Regulation 600/2014/EU), MiFID II regulates: who can provide investment services, what services require authorization, how trading must be conducted, what information clients must receive, and how markets must be organized and supervised.
MiFID II applies throughout the EU and EEA. Firms providing investment services in relation to financial instruments — which include transferable securities, money market instruments, units in collective investment undertakings, derivatives, and certain other instruments — require authorization as investment firms unless a specific exemption applies.
Why MiFID II Matters for Tokenization
The tokenization compliance question most frequently asked in EU/EEA contexts is: “Does my security token require MiFID II authorization or just MiCA authorization?” The answer: both, in most cases.
MiCA governs crypto-asset services providers (CASPs) dealing in crypto-assets that are not financial instruments. MiCA explicitly excludes financial instruments from its scope — “crypto-assets that qualify as financial instruments… shall be excluded from the scope of this Regulation.” (MiCA Recital 10).
MiFID II governs investment services in relation to financial instruments, which includes transferable securities. A security token that represents equity, debt, or other instrument-type claims on an issuer is almost certainly a MiFID II transferable security.
The practical consequence: platforms trading or intermediating security tokens in the EU generally require both a MiFID II investment firm authorization and (for any crypto-asset services relating to crypto-assets that are not financial instruments) a MiCA CASP authorization. The two regimes apply to different asset classes; the same platform may operate in both.
Transferable Securities: The Classification Test
MiFID II defines “transferable securities” as “classes of securities which are negotiable on the capital market, with the exception of instruments of payment.” The definition includes shares, bonds, and “other securities giving the right to acquire or sell any such transferable securities.”
ESMA’s guidance on the classification of crypto-assets under existing EU law (published 2019) provided the framework for applying the transferable securities definition to tokens:
- Shares: A token representing a share in a company (equity token) is a transferable security
- Bonds: A token representing a bond (entitlement to principal repayment and periodic interest) is a transferable security
- Collective investment scheme units: A token representing units in a UCITS or AIF is a transferable security
- Hybrid tokens: A token with both utility and security characteristics may or may not be a transferable security depending on which characteristics predominate
The classification analysis is asset-by-asset, not category-by-category. ESMA recommends a substance-over-form approach: what rights does the token actually convey, rather than what the issuer calls it?
MiFID II Authorization Requirements
An entity providing investment services in relation to financial instruments — including security tokens that are transferable securities — requires authorization from the relevant national competent authority as a MiFID II investment firm. Core authorization requirements:
- Adequate initial capital (minimum EUR 730,000 for investment firms dealing on own account or underwriting; EUR 150,000 for those receiving, transmitting, or executing orders without holding client funds; EUR 75,000 for investment advisers)
- Fit and proper management (directors and senior managers with appropriate qualifications and clean criminal records)
- Adequate organizational arrangements: compliance function, internal audit, risk management, segregation of client funds and securities
- Best execution policy and monitoring
- Conflicts of interest identification and management policy
- Appropriate client categorization (retail, professional, eligible counterparty)
- Transaction reporting to competent authority via Approved Reporting Mechanism (ARM)
EU passport: A MiFID II authorization obtained in one EU/EEA member state can be passported to all other EU/EEA member states. A Luxembourg-authorized investment firm can provide services across the entire EU/EEA without obtaining separate authorizations in each jurisdiction — a significant advantage over platforms without EU authorization.
Ongoing Obligations: Best Execution and Reporting
MiFID II’s ongoing obligations for authorized investment firms include compliance requirements that differ from MiCA’s CASP framework:
Best execution: Firms must take all sufficient steps to obtain the best possible result for clients when executing orders, considering price, costs, speed, likelihood of execution, size, nature, and other relevant factors. For security token trading on DLT-based venues, best execution policies must address the limited number of trading venues and liquidity fragmentation in current digital securities markets.
Transaction reporting: All transactions in financial instruments must be reported to national competent authorities (via an ARM) or directly, on T+1. Report content includes instrument identifiers (ISIN, CFI codes), counterparty identifiers (LEI), quantity, price, venue, and client identifiers. Security tokens must have ISINs to enable reporting.
Product governance (MiFID II Product Governance Regime): Manufacturers (issuers) and distributors (platforms) of security tokens must define and maintain the target market for each product, ensure distribution to the target market, and conduct regular product reviews.
ESMA Guidance and Evolution
ESMA’s 2019 assessment of crypto-assets under EU financial law established the framework for applying MiFID II to security tokens. ESMA subsequently published detailed guidance on: crypto-asset classification, technical standards for DLT-based market infrastructure under the EU DLT Pilot Regime, and the interaction between MiCA and MiFID II.
The EU DLT Pilot Regime (2023) creates specific exemptions from MiFID II requirements for DLT market infrastructure — allowing DLT trading venues and settlement systems to operate with modified compliance requirements during the pilot period. These exemptions acknowledge that some MiFID II requirements (particularly around CSD settlement) do not translate well to DLT architecture.