European Securities and Markets Authority (ESMA): the report on the adoption of AI in EU securities markets has been issued.

The European Securities and Markets Authority has published a new risk analysis report  in the context of Trends, Risks and Vulnerabilities, dedicated to the adoption of artificial intelligence in the securities markets of the European Union. The document is based on an empirical survey conducted between June and September 2025, which involved 728 entities operating in 19 Member States, and offers a useful snapshot also in terms of compliance, because it identifies the areas in which technological innovation is affecting organizational choices and, above all, the risk profiles considered most sensitive by supervision.

First of all, the report shows that the adoption of artificial intelligence is uneven: larger operators are more advanced in terms of investment capacity and structuring of controls, while smaller companies show a delay, with both competitive implications and the maintenance of internal controls. At the same time, the investment trend appears to be growth-oriented: a very high share of companies say they expect an increase in spending related to artificial intelligence by 2027, signaling that the integration of these tools is destined to consolidate as a structural component of business processes.

As for applications, the Authority notes that artificial intelligence is now used mainly for internal purposes and operational efficiency, while uses directly aimed at customers are more limited. This approach confirms that, at present, adoption is mainly driven by cost and time optimization objectives, rather than by strategies for immediate revenue generation through new services. On the risk side, the report particularly highlights critical issues related to data and models (quality, governance, reliability and controllability), as well as cybersecurity profiles, which tend to intensify with the increase in technological dependencies and the complexity of supply chains.

An important step, also from a legal-organisational point of view, concerns the infrastructural dependence on a small number of providers of cloud services and artificial intelligence infrastructures, largely not based in the Union. The Authority points out that a significant share of operators rely exclusively on commercial infrastructures and draws attention to concentration and third-party risks, which translate into possible systemic vulnerabilities and a strengthening of governance, due diligence and contractual control expectations of critical suppliers.

Overall, the report lends itself to an operational reading: in the face of an adoption destined to accelerate, the supervisory trajectory appears oriented towards requiring more mature safeguards on internal policies, training and skills, risk management on data and models, security and governance of technological outsourcing, with increasing attention to resilience and strategic dependencies along the artificial intelligence supply chain.