Over two years ago, the EU Commission has published its proposal for a Regulation on financial data access (commonly known as “FIDA Regulation”) that is aimed to create the very first regulatory framework on open finance.
Open Finance is a concept that builds on the lessons learned from the open banking framework introduced by PSD2, that shall enable individuals and businesses that individuals and businesses to access, share, and control of data across a wide range of financial products and services. This includes not only data related to payment accounts, as seen with PSD2 and open banking, but also data related to savings, investments, pensions, mortgages, insurance policies, and other financial contracts.
The main idea behind is to enable consumers to have control over their financial data by having the ability to “take their data with them” (i.e. provide consent for data processing to another service provider) when switching across various financial service providers. Data portability in this regard is intended to enable customers in the EU to eventually receive better offers, automated financial planning options, as well as access to a more personalised service and product offering in the financial services industry.
FIDA Regulation in a nutshell
With this in mind, in June 2023 the EU Commission has proposed a Regulation on financial data access (FIDA Regulation) which aims to create a framework for controlled and consent-based sharing of financial data in which customers shall have effective control over their financial data and the opportunity to benefit from open, fair, and safe data-driven innovation in the financial sector.
In-scope data
In terms of the scope of financial data, the FIDA Regulation goes beyond the scope of PSD2’s open banking framework that covers solely payment account related data.
To that end, the open finance framework is going to cover a broad scope of financial data of EU customers incl. financial data related to any of the following: (i) mortgage credit agreements, loans, and accounts (except payment account related data that is already regulated under PSD2); (ii) savings, investments in financial instruments, insurance-based investment products, crypto-assets, real estate and other related financial assets as well as economic benefits derived from such assets including data processed as part of suitability and appropriateness assessments under MiFID II; (iii) pension rights in occupational pension schemes within the scope of Institutions for Occupational Retirement Provision II and Solvency II; (iv) Non-life insurance products (e.g. car insurance); (v) creditworthiness assessments of companies (where data is collected as part of a loan application process or based on a request for a credit rating).
Scope of application
The scope of FIDA Regulation is extremely broad and captures pretty much every corner of the financial services sector. It will apply to a wide variety of financial entities operating in the EU, when they are acting as either data holders or data users (see more on this differentiation below) incl. (amongst other) to: (i) credit institutions; (ii) payment institutions including account information service providers (AISPs); (iii) e-money institutions; (iv) investment firms; (v) crypto-assets service providers (CASPs) and issuers of asset-referenced tokens as defined under the new Markets in Crypto-Assets (MiCA) Regulation; (vi) Alternative investment fund managers (AIFMs); (vii) UCITS management companies; (viii) insurance and reinsurance undertakings; (ix) insurance intermediaries and ancillary insurance intermediaries; (x) institutions for occupational retirement provision; (xi) crowdfunding service providers.
Data holders and data users
The proposed FIDA Regulation differentiates between data holders – financial entities that collect, store and otherwise processes in scope customers’ data and data users – financial entities that, following the permission of a customer, obtain lawful access to and a subsequent right to process customer data.
Upon customers’ request, financial entities that act as data holders will be obliged to make customers’ data available to them without undue delay and free of charge. The same obligation will apply where request for data access is sent by a data user that acts based on customers consent, however in this case institutions acting as data holders will be able to charge some compensation for this service.
The data users processing customer data based on the proposed framework will be required to process customer data solely for the purpose for which the customers’ consent was granted.
All in-scope financial institutions, except AISPs and financial information service providers (FISPs – see more on this below), will generally be able to act both as data holders and data users.
Financial Information Service Providers (FISPs)
The proposed Regulation creates a new authorisation framework for FISPs, entities who have access to customer data made available by one or several data holders (i.e. financial entities) upon permission of the customer with the purpose of providing a service to the customer that includes collection, processing and consolidation of customer data (defined as financial information service).
This new category of regulated financial information service providers is generally expected to capture platform operators, operating in a non-regulated space that provide customers with an online service enabling them to get aggregated overview of their financial data across various service providers and sub-sectors of the financial services industry.
Prior to commencing with their activities in the EU, FISPs will be required to obtain authorization from their national competent authorities (“NCAs” such as German BaFin or the Central Bank of Ireland).
While the proposed Regulation contains some key threshold requirements that prospective FISPs will need to meet for the purposes of authorisation, the European Supervisory Authorities are mandated to develop regulatory technical standards that will define authorization requirements in more detail.
Industry pushback
Right from the outset, the FIDA proposal has experienced some industry pushback, particularly amongst the large established financial institutions that primarily see their future role within this new framework as data holders. Whereas some institutions and industry associations have claimed that the new framework will create only more bureaucracy without bringing any tangible benefits for consumers, some were ready to go as far as to claim that the entire proposal is a “Trojan Horse” for Big Tech ambitions in the financial services sector.
Some other critical voices in the industry, made an argument that the implementation would require them to bear significant costs of investments in IT infrastructure, data interfaces and related processes and procedures, effectively taking money out of their pocket that could be spent more wisely elsewhere: like on the improvement of their digital operational resilience and operational efficiency, deployment of AI systems etc.
The original text published in June 2023 has experienced some significant amendments as it was finding its way through the EU Parliament and the Council (starting with the EU Parliament’s proposal dated 30 April 2024, over the Council’s proposal dated 2 December 2024, to the latest consolidated positions of the EU Parliament and the Council published by the Council on 10 March 2025). The amendments have largely started to reduce the level of ambiguity around FISPs, scope of financial data that is covered as well as to streamline some operational and technical requirements that will effectively underpin the proper functioning of the open finance framework.
Beginning of February this year, critical voices in the industry have welcomed a piece of misinformation that found its way in the press, stating that allegedly the EU Commission has taken a U-Turn on the proposal as part of its broader agenda to cut the red tape and simplify the regulatory framework in the EU. The enthusiasm quickly vanished when the EU Commission published its Action Plan shortly thereafter, with the FIDA Proposal on its to-do list for 2025.
Gatekeepers at the closed gate
The EU Parliament and the Council were particularly mindful of the criticism of a possibility that big US tech companies become FISPs and effectively use their dominant position and massive pools of personal data in their vaults to enter the financial services space. Despite the fact that FISPs are explicitly prohibited from engaging in the provision of financial services and despite the fact that some big US tech companies already provide regulated financial services through their respective subsidiaries (primarily in the payment space), the EU lawmakers were conscious of some reasonable industry concerns that they could leverage their existing positions and effectively erect high barriers to entry for other smaller entities that may be looking to become FISPs.
In its position on the FIDA Proposal, the EU Parliament was first to introduce a ban on companies that are designated as gatekeepers within the meaning of Art. 3 of Regulation (EU) 2022/1925 (Digital Markets Act “DMA”) from eligibility to apply for a FISP license under the new framework. Practically speaking, these are undertakings that provide core platform services (like large search engines, social media platforms etc.) that are designated as such by the EU Commission under Art. 3 DMA.
With respect to subsidiaries owned by gatekeepers, both the EU Parliament and the Council have found a common ground by clarifying that their license applications shall be particularly scrutinized by the NCAs and subject to mandatory round of consultations between NCAs, ESAs and the EU Commission prior to their authorisation. Further, where a data user (like a FISP or a regulated payment institution/investment firm/credit institution) is part of a group in which at least one entity is designated as gatekeeper, it must be ensured that solely that entity has access to financial data of the customers. In the same vein, both the EU Parliament and the Council have proposed strict separation between the data obtained by data users under FIDA framework and the data that their related entities as gatekeepers may hold (like personal data collected through social media platforms or search engines), effectively looking to prevent them from leveraging their dominant positions in the digital market space.
Simplification
Against the backdrop of the rising number of critical voices in the industry, on 16 May 2025 the EU Commission has disclosed a non-paper outlining several steps that the Commission suggests being taken for the sake of simplification of the FIDA proposal.
Customer data
The scope of the financial data to which the new framework will apply, shall be limited from all retail and corporate financial data solely to financial data of natural persons and small and medium enterprises. With this limitation, the EU Commission looks to exclude around 51.000 of large corporations in the EU, whose benefits from the new rules in their potential role as customers is rather questionable.
The EU Commission is also looking to impose a time limitation on in-scope financial data: any financial data older than ten years and data from terminated contracts will be out of scope.
Addressees
From the long list of the addressees of the new requirements (in-scope financial institutions required to ensure compliance with the new rules), the EU Commission would be looking to remove credit rating agencies and reinsurance firms.
The rationale behind the idea lies in the fact that their participation in the open finance ecosystem would highly unlikely bring any added value to retail customers and SMEs given that the data these institutions hold are rather less relevant to these customer groups.
FISP authorisation
The EU Commission would be looking to both simplify the FISP authorisation for some and ban it altogether for some other prospective applicants. First, conscious of the fact that account information service providers (AISPs) are already providing a service under the PSD2 framework (with much more limited scope of accessible data though), that is in many material aspects very similar to the financial information service under FIDA, the EU Commission is looking to simplify the authorisation process for them. For this purpose, all information that supervisory authorities already have on them and that may be necessary for the FISP license application, will require no resubmission.
On the other hand, mindful of industry concerns, the EU Commission has reiterated the position of the EU Parliament with respect to treatment of gatekeepers as defined under DMA, that will not be allowed to apply for a FISP license.
Streamlining and standardisation
Under the FIDA proposal, data holders will be required to develop and make available permission dashboards that the customers can use to provide and withdraw their consent for the use of their financial data. These dashboards are intended to provide a full overview each ongoing data access permission (with the name of each data user, purpose of the permission, categories of data and the period of validity of consent) so that the customers can keep track of their data processing by financial institutions easily. Given that the package for the Third Payment Services Directive (PSD3) and the Payment Services Regulation (PSR) likewise contain provisions on customer dashboards (in the context of data access management for payment service users), the EU Commission is looking to align the FIDA Regulation with PSD3/PSR package more closely.
The EU Commission is also looking to change its original position on the creation of common data sharing and industry recognized interface standards within the open finance ecosystem. Under the original proposal, the EU Commission has suggested the creation of common standards within the so-called financial data sharing schemes, that financial institutions would be obliged to become a member of. Conscious of the risk of development of diverging common data standards the EU Commission is looking to shift away from its original proposal by looking to advocate for the creation of harmonised EU-wide data sharing standards created by European standardization organizations.
Outlook
The potential changes to the proposal laid out in the EU Commission’s non-paper, may well be some pleasant news for the industry, but one needs to stay mindful of the fact that this is still not an official proposal. In the coming months, the FIDA proposal will continue finding its way through the EU legislative making process, through the trialogues that are continuing based on the latest positions of the EU Parliament and the Council.
It goes without saying however, that the points from the EU Commission’s non-paper will most likely be noted and discussed as part of the trialogues, but it remains to be seen what their practical impact on the FIDA proposal in the end will be.
The progress over the coming months will be crucial to achieving a final compromise text on the FIDA Proposal, hopefully by late 2025. Nonetheless, given that the transitional provisions of the original proposal have also been subject to amendments lately (with the EU Parliament and the Council looking to extent the original 18/24-month transitional period to transitional periods ranging from 36 to 48 months for different types of customer data) the go-live date of the first EU open finance framework, remains some (significant) time away.
