CySEC Communications Compliance: The 2026 Guide to MiFID II Article 16(7), Off-Channel Surveillance, and Market Abuse

CySEC Communications Compliance: MiFID II Article 16(7), off-channel surveillance, MAR — the 2026 guide for Cyprus Investment Firms.

Sedric Team

Communications

Share article on

TL;DR — Communications compliance for Cyprus Investment Firms (CIFs) is governed by MiFID II Article 16(7), the recording obligation that requires CIFs to capture and retain telephone conversations and electronic communications relating to receipt, transmission, and execution of client orders, including communications intended to result in transactions even where no transaction follows. Records must be retained for at least five years, extendable to seven by the National Competent Authority. The Market Abuse Regulation (MAR) overlays additional surveillance and recordkeeping expectations on insider information, market manipulation, and suspicious order/transaction reporting. CySEC supervision tests not just whether the firm captures communications but whether it reviews and acts on what it captures. This guide walks the framework end-to-end and the supervisory programme that survives an examination. For the marketing-side framework see the CySEC Marketing Compliance pillar; for crypto see the CySEC MiCA Compliance pillar.

What CySEC communications compliance is, and who it applies to
The regulatory framework
MiFID II Article 16(7): the call-recording obligation
What counts as an in-scope communication
Retention: five to seven years
The off-channel problem
Supervisory review: capture is not enough
Market Abuse Regulation (MAR) surveillance overlay
The multilingual challenge
CySEC enforcement patterns in communications supervision
Building a CySEC communications-compliance programme
How Sedric helps
FAQ

What CySEC communications compliance is, and who it applies to

CySEC communications compliance is the discipline by which Cyprus-licensed regulated entities — primarily Cyprus Investment Firms (CIFs) — capture, retain, supervise, and produce on demand the telephone conversations and electronic communications that relate to their regulated activity. It is governed by Article 16 of MiFID II (organisational requirements), the MiFID II Delegated Regulation (EU) 2017/565, Cyprus Law 87(I)/2017 (the local transposition), the Market Abuse Regulation (EU) 596/2014 (MAR) on insider information and market manipulation, and the supporting CySEC Circulars.

The scope covers:

Telephone conversations on every captured channel — fixed-line trading-floor handsets, IP-PBX phones, mobile devices issued by the firm, and (where used for business) personally-owned devices.
Electronic communications — email, instant chat (Bloomberg, Reuters, Teams, Slack, internal systems), client portals, SMS, and any other electronic medium used for business communications.
Internal communications — between traders, between desks, between branches, and between Cyprus and group entities elsewhere — to the extent they relate to client orders or transactions in scope.
External communications — with clients, with prospective clients, with counterparties, with affiliates and introducers, and with other market participants.

The framework applies operationally to CIFs of all sizes — from sole-licensed Cyprus brokerages to multi-jurisdictional groups with Cyprus as one of several licensed entities. The substantive obligations do not scale down for smaller firms; CySEC has been clear in supervisory communications that proportionality applies to how firms implement the obligations, not whether they apply.

The regulatory framework

Communications compliance for CIFs sits at the intersection of several EU regulations and national instruments. The core layers:

MiFID II Article 16 (organisational requirements)

Article 16 sets the general organisational standards for investment firms — adequate policies and procedures, conflicts-of-interest management, record-keeping, and the specific recording obligation in Article 16(7). The Delegated Regulation (EU) 2017/565 fleshes out the operational detail.

MiFID II Article 16(7) — the recording obligation

The provision that specifically requires CIFs to record telephone conversations and electronic communications relating to receipt, transmission, and execution of client orders. The detail of this provision is the substantive backbone of the framework and is unpacked section-by-section below.

Cyprus Law 87(I)/2017

The Investment Services and Activities and Regulated Markets Law of 2017 — Cyprus's transposition of MiFID II. It restates the recording and retention obligations into Cyprus law and gives CySEC the supervisory and enforcement powers it needs to apply them.

The Market Abuse Regulation (Regulation (EU) 596/2014)

MAR overlays surveillance and recordkeeping obligations relating to insider information, insider dealing, market manipulation, and the unlawful disclosure of inside information. CIFs whose activity touches markets subject to MAR (most do) have additional surveillance, insider-list, and Suspicious Transaction and Order Report (STOR) obligations.

ESMA guidance

ESMA has published Q&A documents on call taping and electronic communications recording under MiFID II that are operationally important. The CySEC supervisory practice draws closely on these.

The data-protection overlay

Capture, retention, supervisory access, and production of communications all sit under the EU's GDPR and the Cyprus implementation. The supervisory obligation does not displace data-protection requirements; the two regimes operate concurrently, and the firm's communications-compliance programme must address both.

MiFID II Article 16(7): the call-recording obligation

Article 16(7) of MiFID II is the central substantive provision. The text says, in substance, that records of services, activities, and transactions must include the recording of telephone conversations and electronic communications relating to, at least:

transactions concluded when dealing on own account; and
the provision of client order services that relate to the reception, transmission, and execution of client orders.

The investment firm must take all reasonable steps to record relevant telephone conversations and electronic communications made with, sent from, or received by equipment provided by the firm to its employees or contractors, or the use of which by the employee or contractor has been accepted or permitted by the firm.

The CIF must also notify clients in advance that telephone conversations or electronic communications between the firm and them that result or may result in transactions will be recorded. A single notification before the provision of investment services to new and existing clients is sufficient.

If the CIF has not informed clients in advance that communications will be recorded, and the client has not given consent to the recording (where consent is needed under national law), the firm must not provide investment services and activities by telephone or electronic communications to clients in those instances.

Records of conversations and communications must also include communications that may result in transactions — meaning a pre-trade discussion that does not in fact end in a transaction is still in scope.

What counts as an in-scope communication

The scope of the recording obligation is broader than many firms initially assume. Beyond the obvious cases (a trader on the phone with a client placing an order), in-scope communications include:

The scope of communications that must be captured under MiFID II Article 16(7).

Pre-trade discussions that did not result in a transaction. The "intended to result in a transaction" framing captures lead-generation calls, sales-floor pitches, and internal coordination calls that were aimed at producing an order even where the call did not close.
Internal communications between sales and trading, between desks, and between offices — including Bloomberg / Reuters / Teams / Slack chat between covered persons — to the extent the substance relates to orders or transactions in scope.
Communications between covered employees on personal devices — if the employee uses the personal device for business, the communication falls under the obligation, and the firm is responsible for capturing or otherwise managing the surface. The communication being on a personal device does not exempt it from the obligation.
Communications with prospective clients — outbound calls aimed at acquiring business, and inbound calls from prospects that may result in account opening or transactions, both fall inside the scope.
Communications with introducers and affiliates — to the extent the activity involves the CIF's regulated services.
Communications about specific securities and instruments — internal research discussion, dealing-room discussions, internal recommendations — to the extent they relate to in-scope orders or transactions.

The substance test is whether the communication relates to a service, activity, or transaction that MiFID II places inside the firm's regulated activity. The medium of the communication, the location of the participants, and the channel are not determinative.

Retention: five to seven years

The retention period under MiFID II Article 16(7), per the explicit text of the provision: records shall be kept for a period of five years and, where requested by the competent authority, for a period of up to seven years.

What that means operationally:

MiFID II Article 16(7) retention timeline: five to seven years.

Baseline retention is five years from the date the record is created. The retention clock starts when the call is made or the communication sent or received, not from when a related transaction settles or completes.
The competent authority — CySEC — can require retention for up to seven years. The extended retention is invoked by CySEC on a basis it determines necessary for supervisory purposes. CIFs in higher-risk segments should plan retention infrastructure to the seven-year horizon by default.
Records must be in a durable medium — preserved in a form that prevents alteration, that the firm can demonstrate to a supervisor is integrity-protected, and from which the firm can reconstruct the communication accurately.
Records must be accessible. Retention without retrieval is insufficient. A firm that cannot produce specific recordings on examiner request in a reasonable time fails the substantive obligation.
Records must be made available to clients upon request. The provision specifies that records of conversations and communications shall be provided to the client involved upon request and shall be kept for the retention period.

The retention obligation extends to the surrounding metadata — date, time, parties, channel, and (where applicable) the order or transaction identifier. The supervisory production of an unindexed audio file is operationally useless; the firm must be able to retrieve specific recordings tied to specific clients, dates, channels, and topics.

The off-channel problem

The single most consequential failure pattern in MiFID II communications supervision — and the one most visible across EU enforcement in recent years — is the off-channel communications problem. Employees, often including senior personnel, use personal-device WhatsApp, iMessage, Signal, SMS, personal email, and other channels that are not captured by the firm's archive. The firm's policy prohibits this on paper, but the firm lacks the detection mechanisms to enforce the policy in practice. The captured archive shows clean activity; the actual business activity flows off-channel.

This pattern is the heart of the multi-year SEC and CFTC off-channel enforcement cycle that has produced more than US$2.3 billion in cumulative penalties in the United States since fiscal year 2022, with parallel CFTC actions on top of that. EU supervisors have signalled increasing attention to the same pattern under MiFID II. The substantive failure cited in those actions is the same on either side of the Atlantic: a firm whose policy bans off-channel use but whose detection and supervisory mechanisms do not see the actual conduct has not met the supervisory obligation, regardless of what the policy says.

Detection mechanisms for off-channel use include:

How CySEC examinations detect the policy-versus-reality gap in off-channel communications surveillance.

Client-side mobile device management with messaging-app monitoring on firm-issued devices.
Sanctioned-channel routing for all business communications, with explicit prohibition of personal channels for any communication touching client orders or transactions.
Periodic attestations by covered employees confirming use of sanctioned channels only.
Targeted review of captured communications that reference off-channel activity — phrases like "let's take this to Signal," "I'll text you the details," "DM me on WhatsApp" appear in the captured archive and signal off-channel routing.
Exit-interview review of departing employees' communications history.
Periodic data-analysis of communication-volume patterns relative to business activity. A trader whose captured volume drops sharply while business activity holds is a signal.

Detection is the gap CySEC examinations increasingly test. Capture-and-retention alone is no longer a defensible posture; the firm has to be able to demonstrate that it actively looks for off-channel use and acts on what it finds.

Supervisory review: capture is not enough

The recording obligation captures communications; the supervisory obligation requires the firm to review them. Under MiFID II's organisational requirements, a CIF must establish and maintain a system to supervise the activities of its associated persons that is reasonably designed to achieve compliance with the relevant law.

Supervisory review of communications under that framework typically takes the form of:

Risk-scored sampling. The volume of captured communications at any meaningful CIF is too large for full human review. A defensible supervisory programme samples on a risk-weighted basis — by trader, by desk, by product, by time period, by client risk profile — and reviews the sampled population systematically.
Lexicon and pattern detection. Targeted screening for risk patterns — undisclosed inducement language, unauthorised guarantees, prohibited investment-advice framing in non-licensed contexts, MAR-relevant terms.
AI-assisted contextual review. Modern surveillance platforms use compliance-trained language models to identify risk patterns that lexicon-only screening misses — sentiment, intent, coercion, the off-channel routing references discussed above.
Documented decisions. Every reviewed communication produces a logged decision — flagged, escalated, cleared — with the reviewer attributable and the rationale captured. The supervisory log is what CySEC examiners ask for.
Escalation paths. Material findings are escalated through the compliance and supervisory hierarchy with documented action.
Feedback loops. Findings inform policy updates, training, and (where warranted) disciplinary action.

The supervisory programme is the part of communications compliance that has matured least in many CIFs. The capture-and-archive infrastructure is widely deployed; the review-and-act infrastructure is much more uneven. CySEC examinations increasingly focus on the review side of the equation.

Market Abuse Regulation (MAR) surveillance overlay

The Market Abuse Regulation imposes additional, MAR-specific surveillance obligations on CIFs whose activity touches markets in scope. Operationally, this means:

Insider lists. Firms with access to inside information must maintain insider lists and produce them to CySEC on request. The lists cover specific persons, specific events, and specific dates.
Suspicious Transaction and Order Reports (STORs). Firms that arrange or execute transactions must report suspicious orders and transactions that may constitute insider dealing, market manipulation, or attempted market abuse. The STOR framework requires detection systems capable of identifying suspicious activity.
Personal-account dealing surveillance. Firms must monitor personal-account dealing by employees with access to inside information.
Communications surveillance for MAR-relevant indicators. Communications between covered persons that suggest insider dealing, market manipulation, or unlawful disclosure of inside information must be detected through the firm's communications-surveillance programme.

The MAR surveillance overlay is integrated with the broader Article 16 communications-compliance framework. The same captured archive feeds both — supervisors review the same communications against the Article 16 rule library and the MAR rule library, and the same flag-and-decision audit trail covers both.

For CIFs offering CFDs, leveraged products, and other instruments whose underlying may be subject to MAR (most equity-linked instruments, regulated commodity markets), MAR surveillance is a significant component of the supervisory programme.

The multilingual challenge

Cyprus is one of the EU's most multilingual CIF jurisdictions. Cyprus-licensed firms market and serve clients across the EU and beyond, and the captured communications archive of a typical CIF includes business communications in English, Greek, German, French, Italian, Spanish, Portuguese, Dutch, Polish, Romanian, Russian (for client populations from non-EU CIS jurisdictions where the CIF has business), Arabic, and other languages.

The supervisory implications are operational, not legal:

Lexicon-only surveillance in a single language — typically English — misses the high-risk content in every other language the firm operates in. A regex for "guaranteed return" does not catch the same concept expressed in Spanish, Greek, or Polish.
Translation pipelines are operationally expensive and lose nuance — particularly the kind of contextual signals (sentiment, urgency, coercion) that matter most in supervisory review.
Native review in the source language is the standard. The firm's supervisory infrastructure has to read each language as a native speaker would, applying the local idiom, the local sales-culture vocabulary, and the local regulatory framing.
Examiner expectation is that the firm reviews each language to the same standard. A CIF that captures Polish communications but reviews only the English ones has a partial supervisory programme.

Modern compliance-dedicated language models can read each language natively at scale. This is the operational lift the multilingual environment requires that a traditional lexicon-based programme cannot easily deliver.

CySEC enforcement patterns in communications supervision

CySEC enforcement on communications compliance follows recognisable patterns across cases. The categories of finding:

Article 16(7) recording failures. Failure to record specific channels (recorded mobile not in place, or in place but not actually capturing), failure to retain in the durable form required, gaps in the captured archive across certain time windows or specific employees.
Indexing and retrieval gaps. Captured communications exist but cannot be retrieved on examiner request in a reasonable time, or cannot be tied to specific clients, dates, channels, or transactions.
Supervisory review gaps. Recording in place, but no documented review programme over the captured archive. The firm captured but did not act.
Off-channel use. Personal-device WhatsApp, Signal, iMessage, or personal email being used for business by covered employees without firm capture mechanisms.
Cold-calling-rule breaches. Outbound retail-prospect calls that breach the cold-calling restrictions in the CySEC Circulars, made on captured or off-channel surfaces.
MAR insider-list failures. Incomplete lists, lists not updated promptly, lists that do not cover all the relevant persons or events.
STOR failures. Suspicious orders or transactions that should have been reported but were not, often because the firm's detection systems did not flag them.
Client-notification failures. Failure to inform clients in advance that communications will be recorded, with downstream consequence that the firm cannot use the recordings against the client in disputes and is exposed to client-data complaints.

CySEC's enforcement toolkit includes administrative fines, restrictions, withdrawal of authorisation, and public notices. The Article 16(7) failure modes are particularly damaging because they signal a programme that does not produce the audit trail required to defend against any other supervisory finding — a Article 16(7) finding can compound into broader findings on the firm's conduct of business.

Building a CySEC communications-compliance programme

A defensible CySEC communications-compliance programme has five operational pillars.

1. Sanctioned-channel policy with detection enforcement

The firm's communications policy enumerates the firm-sanctioned channels for business communications (recorded fixed-line, recorded mobile with capture, the firm's chat platform, the firm's email infrastructure, sanctioned text-messaging products that route to the archive) and prohibits business communications on any other channel. The policy is enforced through specific detection mechanisms — not just attestations.

2. Capture infrastructure across every sanctioned channel

For every sanctioned channel, a capture mechanism that routes communications to the archive. Email and the firm's chat platform are typically well-handled; the harder cases are recorded calls, video conferencing, screen sharing, and (where sanctioned) mobile messaging. The firm should be able to produce a current map of every channel and the capture status of each.

3. Archive layer compliant with Article 16(7)

Retention in a durable, integrity-protected, retrievable form for the applicable period (five years standard, seven years where CySEC has invoked the extension). The archive should be tested annually with a mock-production exercise. Smarsh, Global Relay, Bloomberg Vault, Microsoft Purview, and comparable platforms are the typical operational solutions; the platform layer above the archive (Sedric and similar) provides the intelligence.

4. Supervisory review with AI-assisted intelligence

A supervisory-review programme over the captured archive that combines risk-scored sampling, lexicon-based screening, and AI-assisted contextual review. Decisions are logged and attributable. The programme reads each language the firm operates in, natively.

5. MAR integration and STOR detection

The same captured archive feeds MAR surveillance. The detection platform identifies MAR-relevant patterns (insider-information indicators, market-manipulation indicators, suspicious order or transaction patterns) and routes them through the firm's STOR-decision and insider-list workflows.

The five pillars work together. Policy drives channel definition; channel definition drives capture; capture feeds retention; retention feeds supervisory review and MAR surveillance; the entire programme produces the audit trail and the supervisory log that CySEC examines.

How Sedric helps

Sedric is the AI supervisory-review and surveillance platform over the captured communications archive. CySEC-licensed CIFs run Sedric across the supervisory side of communications compliance — the layer where the captured archive becomes audit-ready evidence.

Supervisory review of recorded calls and electronic communications. Sedric reads captured telephone-call transcripts and electronic communications from the firm's archive (Smarsh, Global Relay, Bloomberg Vault, Microsoft Purview, or comparable), surfaces risk patterns, routes flagged items to the right supervisor, and produces the audit trail an Article 16 examination expects.

Native multilingual coverage. The platform reads each language CIFs operate in across the EU — English, Greek, German, French, Italian, Spanish, Portuguese, Dutch, Polish, Romanian, Russian, and others — at compliance-grade accuracy. The firm does not have to translate before review; the platform reads the source.

Off-channel detection. Sedric identifies references to off-channel use within the captured archive ("let's take this to Signal," "I'll text you," "DM me on WhatsApp") and surfaces communication-volume anomalies that may indicate off-channel routing. Detection is the gap CySEC examinations test; Sedric closes it.

MAR surveillance integration. The same captured archive feeds MAR surveillance — insider-information indicators, market-manipulation patterns, suspicious order/transaction signals routed to the firm's STOR workflow.

Supervisory decision logging. Every reviewed communication, every flag, every decision, every override is logged with timestamp and attributable decision-maker. The audit export is what a CySEC examiner asks for, in the form expected.

Compliance-dedicated language model. The intelligence layer is built on a model trained specifically on regulatory text and reviewed compliance decisions, grounded in retrieval against the firm's policy library. Generic large language models are not deployable in this environment.

For CIFs that already run Sedric for marketing review — see the CySEC Marketing Compliance pillar — adding the communications-surveillance side completes the operating model. The same policy library, the same audit trail, and the same export format cover the full conduct programme.

Frequently asked questions

What is the basic legal source of the CIF call-recording obligation?

Article 16(7) of MiFID II (Directive 2014/65/EU), as transposed into Cyprus law by the Investment Services and Activities and Regulated Markets Law of 2017 (Law 87(I)/2017), and as elaborated in the MiFID II Delegated Regulation (EU) 2017/565. Operational supervisory expectations are stated in CySEC Circulars and ESMA Q&A documents on call taping.

How long must we keep recordings?

Five years from the date the record is made, extendable to seven years where requested by CySEC. The retention period applies equally to call recordings and electronic communications in scope of Article 16(7).

What counts as a communication in scope?

Telephone conversations and electronic communications that relate to receipt, transmission, and execution of client orders, including communications intended to result in transactions even where no transaction follows. The substance test is whether the communication relates to a regulated service or activity; the channel and the location of the participants are not determinative.

Do we have to capture communications on personally-owned devices?

If a covered employee uses a personal device for business communications relating to in-scope services, the obligation extends to that communication. The firm has the operational choice of capturing it (through device-management infrastructure on the personal device, with the employee's consent) or routing all business communications to firm-managed devices. What the firm cannot do is allow business communications to flow on personal devices without any capture or detection mechanism.

What about WhatsApp, Signal, and other encrypted messengers?

The rules do not prohibit any specific app. They prohibit conducting business communications on channels that are not captured for the books and records. Some apps offer enterprise / business versions with compliance-grade capture (WhatsApp Business has options); consumer-grade encrypted apps generally do not. Where a firm has not solved capture, business communications on that channel are prohibited.

What does "intended to result in transactions" mean in practice?

Communications aimed at producing a transaction, regardless of whether one actually results. A sales call to a prospect that does not convert, an internal coordination call that does not close, a chat between traders about a possible trade — all are in scope. Casual conversation unrelated to any in-scope service or activity is not.

Do internal communications need to be recorded too?

To the extent internal communications relate to in-scope orders or transactions — yes. The typical internal scope includes Bloomberg / Reuters chats between covered persons, the firm's enterprise chat platform when used by trading or sales personnel for business, and internal calls between desks or branches that touch client orders.

How does MAR surveillance fit?

The MAR overlay imposes additional surveillance and recordkeeping on insider information, market manipulation, and STOR reporting. Operationally, the MAR programme uses the same captured archive as the Article 16 programme, with additional rule-library overlays for MAR-relevant patterns and an integrated STOR-decision workflow.

What does a CySEC communications examination look like in practice?

Examiners typically request: the firm's communications policy and the channel inventory; samples of captured calls and electronic communications across channels and time periods; the supervisory-review log; the index that ties captured communications to clients, dates, and orders; the retention configuration and a mock-production exercise on the system; the firm's MAR insider lists and STOR-decision file; the client-notification documentation for the recording obligation. A CIF that can produce all of these on demand in the form requested is in a defensible posture.

Can AI do the supervisory review?

AI assists the screening, pattern-identification, and risk-prioritisation work. Human supervisors make the supervisory decisions and document the reasoning. The audit trail must show human accountability for supervisory outcomes. AI-only supervisory review without human accountability is not a defensible posture.

How does this regime relate to GDPR?

The recording obligation and the data-protection obligation run concurrently. The CIF must inform clients in advance that communications will be recorded, retain the communications in line with Article 16(7), respond to client-data subject access requests, and handle the cross-border transfer aspects of the captured archive. The two regimes do not conflict; they impose complementary requirements that the firm's programme must satisfy together.

How do we evidence the supervisory programme to CySEC?

Through the audit trail. The firm should be able to produce: the list of channels under capture; the supervisory-review log (who reviewed what, when, with what outcome); the override log; the policy library that the review applied; and a sample export of the captured-and-reviewed evidence for a defined period and population. The audit trail is the supervisory programme.

What about marketing communications?

Marketing communications are governed by MiFID II Article 24 and the ESMA / CySEC product-intervention framework, covered in the dedicated CySEC Marketing Compliance pillar. They are separately part of the books and records under Article 16, and the same retention principles apply.

Closing the off-channel gap?

Sedric is the AI supervisory-review layer over your captured communications archive. We read captured telephone and electronic communications natively in the languages your firm operates in, surface the patterns examiners look for, integrate with the major archive vendors, route flagged items to the right supervisor, and produce the audit trail that survives a CySEC examination.

Book a working session with our team. We'll walk through your current capture-and-archive setup, show you what supervisory review looks like with real flags on real communications across English, Greek, and the other languages your firm uses, and walk through the exam-ready export your firm would produce on request.

Book a demo · For trading and wealth-management firms