The Financial Data Access (FiDA) Regulation
What is the Financial Data Access (FiDA) Regulation?
On 28 June 2023, the European Commission published a Proposal for a regulation on a framework for Financial Data Access.
According to Article 1 (subject matter), this Regulation establishes rules on the access, sharing and use of certain categories of customer data in financial services. This Regulation also establishes rules concerning the authorisation and operation of financial information service providers.
The European Union’s financial data economy is fragmented, characterised by uneven data sharing, barriers, and high stakeholder reluctance to engage in data sharing beyond payments accounts.
Customers do not benefit from individualised, data-driven products and services that may fit their specific needs. The absence of personalised financial products limits the possibility to innovate, by offering more choice and financial products and services for interested consumers who could otherwise benefit from data-driven tools that can support them to make informed choices, compare offerings in a user-friendly manner, and switch to more advantageous products that match their preferences based on their data. The existing barriers to business data sharing are preventing firms, in particular SMEs, to benefit from better, convenient and automated financial services.
A dedicated and harmonised framework for access to financial data is necessary at Union level to respond to the needs of the digital economy and to remove barriers to a well-functioning internal market for data.
The Financial Data Access (FiDA) Regulation introduces new legal obligations on financial institutions acting as data holders, to share defined categories of data.
According to Article 2 (scope):
1. This Regulation applies to the following categories of customer data on:
(a) mortgage credit agreements, loans and accounts, except payment accounts, including data on balance, conditions and transactions;
(b) savings, investments in financial instruments, insurance-based investment products, crypto-assets, real estate and other related financial assets as well as the economic benefits derived from such assets;
(c) pension rights in occupational pension schemes;
(d) pension rights on the provision of pan-European personal pension products;
(e) non-life insurance products, with the exception of sickness and health insurance products;
(f) data which forms part of a creditworthiness assessment of a firm which is collected as part of a loan application process or a request for a credit rating.
2. This Regulation applies to the following entities when acting as data holders or data users:
(a) credit institutions;
(b) payment institutions;
(c) electronic money institutions;
(d) investment firms;
(e) crypto-asset service providers;
(f) issuers of asset-referenced tokens;
(g) managers of alternative investment funds;
(h) management companies of undertakings for collective investment in transferable securities;
(i) insurance and reinsurance undertakings;
(j) insurance intermediaries and ancillary insurance intermediaries;
(k) institutions for occupational retirement provision;
(l) credit rating agencies;
(m) crowdfunding service providers;
(n) PEPP providers;
(o) financial information service providers.
February 20, 2026. Transatlantic tensions and the European Financial Data Access (FiDA) Regulation (Opinion, Legal Intelligence).
There’s an ongoing political debate in the EU about whether major Big Tech platforms (like Amazon, Apple, Google, Meta) should be excluded from the FiDA ecosystem. There are proposals that advocate limiting their role to protect European competitiveness and digital sovereignty.
FiDA aims to force financial data holders (banks, insurers, investment firms) to share customer data with licensed third parties under standardized technical schemes. This weakens traditional bank dominance.
But there is a geopolitical layer. US Big Tech firms such as Apple, Google, Amazon, and Meta already have enormous consumer datasets, embedded financial services (wallets, payments, credit scoring, cloud banking infrastructure), and AI capabilities that can exploit structured financial datasets at scale.
If FiDA mandates access to European banks’ data, US Big Tech firms could rapidly scale financial services in the EU using their superior AI analytics, and further integrate finance into their platform ecosystems. This would further entrench dominance.
This creates a political dilemma in the EU. Open finance increases competition within banking, but may also increase systemic platform dependency.
EU could exclude U.S. Big Tech from FiDA.
The EU appears willing to exclude U.S. technology giants such as Apple, Google, Meta, and Amazon from the FiDA regime altogether. Legal intelligence indicates that European legislators and member states are pushing to block Big Tech from participating as financial data recipients or participants in the FiDA framework.
The rationale from EU policymakers includes protecting digital sovereignty, building a European digital financial ecosystem, and avoiding dominance by non-EU platform firms.
German authorities have been especially vocal in this lobbying effort, suggesting outright exclusion of these firms to safeguard European innovation and consumer data.
This is a deliberate political stance that has direct implications for U.S. companies and U.S.–EU economic relations.
U.S. tech and industry groups have publicly criticized such exclusions. This reflects a broader U.S. concern about European digital rules affecting U.S. global platforms, which in turn feeds into diplomatic and commercial dialogues between Washington and Brussels.
Potential U.S. Trade and Policy Consequences.
U.S. officials have threatened or used tariff leverage to influence EU digital regulation outcomes. While not about FiDA specifically, this diplomatic pressure sets a precedent for how the U.S. might respond if FiDA exclusions are interpreted as discriminatory trade barriers.
Main FiDA provisions that are politically sensitive in the transatlantic context.
1. Eligibility of Financial Information Service Providers (FISPs).
One of the most sensitive provisions concerns who is allowed to access financial data under FiDA. US-based firms such as Apple, Google, Amazon and Meta could theoretically qualify as FISPs if the criteria are broad.
But some Member States have pushed for restricting access to regulated financial institutions, possibly excluding gatekeepers already designated under the Digital Markets Act.
From a US perspective, exclusion based on business model is discriminatory. Access restrictions are trade barriers. Reciprocity concerns arise, as US markets do not impose symmetrical exclusion.
2. Governance of data sharing schemes.
FiDA relies heavily on industry developed data sharing schemes, technical standards, and governance frameworks.
The contested issues include who governs schemes, who sets API standards, and who controls participation criteria. If schemes are dominated by EU financial institutions, US platforms could be technically marginalized. Access could be limited through operational rules. This could become a soft exclusion mechanism.
3. Consumer interface power.
FiDA enables data portability. But the strategic question is: Who controls the user interface? If platforms become default dashboards and financial AI assistants, traditional EU financial institutions lose customer relationships, brand visibility, and pricing power.
This structural shift is a core political driver behind some Member State resistance to Big Tech participation.
Two negotiation endpoints in 2026 (opinion).
A) Soft FiDA. Policy intent stays open finance pro-innovation, with fewer sovereignty guardrails. Typical features include broader eligibility for Financial Information Service Providers (FISPs), including large non-EU firms. Also, wider data scope sooner (more products, more data categories), lower friction access (fees capped low, easier onboarding), and fewer explicit gatekeeper constraints.
B) Hard FiDA. Policy intent shifts to prioritise EU control and systemic risk mitigation. Typical features include narrower FISP eligibility (EU establishment, regulated status, possible gatekeeper restrictions), tighter purpose limits and restrictions on combining data across ecosystems. Also, stronger scheme governance (mandatory controls, tougher participation criteria).
This lines up with the reported political direction to block Big Tech (Apple/Google/Meta/Amazon) from FiDA access.
EU Boards must investigate:
1. The first question that must be asked is whether the entity is at risk of losing control of the customer interface. FiDA enables third parties to aggregate and present customer financial data through alternative dashboards and AI-driven tools. If customers begin interacting primarily through external platforms rather than directly with the bank, this could fundamentally alter pricing power, cross selling capability, and brand relevance. The Board must ask whether the institution risks becoming a balance sheet utility operating behind someone else’s digital front end.
2. EU Boards must ask whether FiDA alters the institution’s liquidity and systemic risk profile. Open finance reduces friction, and reduced friction changes behavior. If customers can switch deposits or investment products instantly through a third-party interface, traditional assumptions about deposit stickiness and behavioral stability may no longer hold. The Board must ensure that liquidity stress testing incorporates interface driven switching dynamics and that funding resilience models reflect the possibility of accelerated outflows triggered not by panic, but by convenience.
3. Structural dependency. FiDA may increase reliance on shared data schemes, cloud providers, AI analytics platforms, and large technology intermediaries. The Board must ask whether it has a clear map of where financial data access, cloud infrastructure, analytics, and AI capabilities converge, and whether this convergence creates excessive concentration risk. This is important under the Digital Operational Resilience Act, but also long-term strategic exposure to external ecosystem control.
Non-EU Boards must investigate:
1. The first and most immediate question is whether the institution qualifies to participate in the FiDA framework, and under what structural conditions. Depending on how eligibility rules are finalized, meaningful EU establishment, local supervision, or licensing requirements may be necessary. The Board must determine whether participation requires an EU subsidiary, restructuring, additional capital commitments, or new supervisory relationships. FiDA requires strategic decisions.
2. Competitive asymmetry. FiDA could either restrict non-EU firms in a sovereignty forward outcome, or expose them to platform driven disintermediation in an innovation forward outcome. The Board must evaluate whether it risks structural disadvantage.
3. Regulatory and geopolitical exposure. FiDA intersects with European data governance, operational resilience rules, competition law, and cross-border data transfer regimes. The Board must ask whether participation in the EU financial data ecosystem could create conflicting legal obligations between the home jurisdiction and EU authorities, particularly in relation to data access, disclosure demands, or supervisory oversight.
DISCLAIMER: The analysis presented here is provided for informational and educational purposes only. It does not express support for, or opposition to, any government, regulatory authority, political position, or policy approach. The objective is to assist risk, compliance, legal, and governance professionals in understanding evolving regulatory, legal, and geopolitical developments that may affect their professional responsibilities.
This content is intended to facilitate informed decision making by highlighting structural trends, regulatory interactions, and potential areas of operational impact. It does not constitute legal advice, policy advocacy, or an endorsement of any particular regulatory framework or political position. The perspectives discussed reflect an analytical assessment of publicly available information, and should be interpreted in the context of risk awareness, compliance preparedness, and strategic foresight only.
October 20, 2025, Commission work programme 2026, the Financial Data Access Regulation (FiDA) proposal appears in Annex III, Pending proposals, item 41.
COM(2023)360 final means: Commission document (COM, an official document issued by the European Commission). 2023 is the year the Commission registered the document. 360 is the Commission’s sequential number for that year (the 360th COM document registered in 2023). Final means the formally adopted version (not draft or provisional). Final is the version sent to the European Parliament and the Council for the legislative procedure.
2023/0205 (COD) means: The procedure was formally opened in 2023. It is the 205th legislative file registered in 2023. COD = Codecision, Parliament and Council are co-legislators, and both must agree for the act to be adopted.
Being in Annex III, Pending proposals confirms that the file remains active in the legislative process, the Commission expects it to proceed (not withdrawn or deprioritised), and it will continue through trilogue toward political agreement.
9 December 2024, Joint statement: "Avoid concluding the Financial Data Access (FiDA) Regulation before a thorough assessment of its impact across the entire value chain is completed."
As the European Parliament adopted its position and the Council reached its General Approach, the Association for Financial Markets in Europe (AFME), the European Association of Co-operative Banks (EACB), the European Banking Federation (EBF), the European Fund and Asset Management Association (EFAMA), the European Savings and Retail Banking Group (ESBG), and Insurance Europe call on the co-legislators to deliver on commitments to boost European competitiveness and to avoid concluding the Financial Data Access (FiDA) Regulation before a thorough assessment of its impact across the entire value chain is completed. To safeguard and boost the competitiveness of the European financial sector, it is essential to ensure an approach that delivers tangible benefits to European citizens while at the same time ensuring that Europe’s financial industry can continue to innovate in a robust and cost-effective manner.
The data economy, especially when based on an exchange of data between different sectors, holds the potential to spark data-driven innovation in the European economy, including the financial sector, and deliver new opportunities for customers.
The success of the proposed FiDA framework calls for a more focused and evidence-based approach that delivers clear benefits to European citizens and companies. This necessitates further time for careful scrutiny of its broader and practical impact, both for consumers and industry. Without such an approach, FiDA will not only fall short of its ambition, but also undermine the protection of EU/EA citizens and the competitiveness of the European financial industry alike.
The financial industry highlights the following recommendations to ensure an effective FiDA framework:
▪ The framework should balance value for customers, market demand, and costs for financial institutions prior to implementation. It is noted that in the impact assessment for the proposed legislation the costs have not been adequately assessed, nor has customer and market demand for data sharing been evidenced. The FiDA framework needs to be driven by demonstrated evidence of benefits to customers and market demand, as otherwise it risks undermining the competitiveness of financial institutions operating in the EU/EEA, by diverting resources from innovation plans, including from areas where FiDA can be successful.
▪ As FiDA creates new entities (financial information service providers - FISPs) that will be on the receiving end of large quantities of sensitive customer data, implications for data security and privacy need to be carefully considered. This necessitates, at a minimum, robust regulation and supervision of FISPs (to the same standards as those applied to regulated financial institutions), while ensuring the rigorous protection of European companies’ data. These key aspects of data sharing cannot be adequately achieved by the current design of FiDA, therefore creating risks to upholding European citizens’ fundamental right to data protection.
Following the ECON vote and the COREPER mandate for negotiations, and despite some positive improvements introduced in the EP and the Council positions, they remain very broad in scope, particularly in terms of data categories, and do not adequately address the competitiveness and data protection concerns mentioned above. The financial services industry has repeatedly raised these and other key concerns, also proposing relevant solutions, however they remain largely unaddressed.
The financial services industry stands ready to continue contributing to ensure the creation of a well-designed and workable FiDA framework that provides legal clarity and can effectively support the sound development of Open Finance in the EU/EEA.
2 December 2024 - The Council reached an agreement on the proposed framework for Financial Data Access (FIDA).
The Council in its position largely supports the Commission’s initial proposal, following a step-by-step approach for the implementation of the regime. It clarifies its scope by defining what specific data sets, products or sectors, these rules should cover and apply to, as well as a timeframe for the data sharing obligations to kick-in. For instance, the Council excluded data related to occupational pensions but gave member states the possibility to opt into the regime. It also granted data sharing schemes the ability to introduce a time limit to the customer data to be shared if it is not readily available in digital form.
The Council reinforced the rules governing third country financial information service providers (FISPs), which are entities that are authorised to access and use customer data to offer services like financial advice and personal financial management. Furthermore, entities that qualify as gatekeepers would be strictly regulated and supervised in order to ensure fair competition.
Next steps.
With this agreement, the Council is ready to negotiate the final shape of the legislation with the European Parliament. Once an agreement has been found, both institutions would have to formally adopt the new legislation, before it would be published on the EU’s Official Journal and entered into force.
2 December 2024 - Mandate for negotiations with the European Parliament, Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on a framework for Financial Data Access and amending Regulations (EU) No 1093/2010, (EU) No 1094/2010, (EU) No 1095/2010 and (EU) 2022/2554
https://data.consilium.europa.eu/doc/document/ST-16312-2024-INIT/en/pdf
More accessible data.
Better data sharing would allow market participants to target consumers with highly personalised financial products and services, for example investment opportunities, streamlined loan application processes or lower interest rate products.
This would create a more competitive financial sector and improve consumers’ - in particular private persons and small and medium-sized enterprises’ (SMEs) - access to finance.
The proposal aims to reach this byintroducing harmonised rules on what data to share and how to share it, fostering transparency and comparability, and ensuring appropriate compensation for the data holders that make such data available.
Meanwhile, in order to ensure adequate customer protection, the new framework would guarantee that customers retain effective control over their data. In addition it would empower the European Supervisory Authorities to issue guidelines to provide for protection against unfair treatment or exclusion risks.
How is the Financial Data Access (FiDA) affecting financial information service providers that do not have an establishment in the Union?
According to Article 13 (Legal representatives):
1. Financial information service providers that do not have an establishment in the Union but that require access to financial data in the Union shall designate, in writing, a legal or natural person as their legal representative in one of the Member States from where the financial information service provider intends to access financial data.
2. Financial information service providers shall mandate their legal representatives to be addressed in addition to or instead of the financial information service provider by the competent authorities on all issues necessary for the receipt of, compliance with and enforcement of this Regulation. Financial information service providers shall provide their legal representative with the necessary powers and resources to enable them to cooperate with the competent authorities and ensure compliance with their decisions.
3. The designated legal representative may be held liable for non-compliance with obligations under this Regulation, without prejudice to the liability and legal actions that could be initiated against the financial information service provider.
4. Financial information service providers shall notify the name, address, the electronic mail address and telephone number of their legal representative to the competent authority in the Member State where that legal representative resides or is established. They shall ensure that that information is up to date.
5. The designation of a legal representative within the Union pursuant to paragraph 1 shall not constitute an establishment in the Union.
The Financial Data Access (FiDA), the General Data Protection Regulation (GDPR), and other EU legal acts
This proposal for the Financial Data Access (FiDA) respects the General Data Protection Regulation (GDPR) which sets the general rules on the processing of personal data related to a data subject and ensures the protection of personal data as well as the free movement of personal data.
The FiDA proposal is a sectoral building block that fits into the broader European strategy for data and enables data sharing within the financial sector and with other sectors. It is based upon the key principles for data access and processing set out in the Commission’s cross-sectoral initiatives.
The Data Governance Act focuses on increasing trust in data sharing and improving seamless interconnection (‘interoperability’) between data spaces and creating a framework for data intermediation service providers.
Another cross-sectoral initiative is the Digital Markets Act which establishes a number of data related obligations to tackle the power of gatekeeper platforms and ensure contestability in the digital markets by, for example, allowing financial institutions on behalf of their customers or when using gatekeeper core platform services to access data held by gatekeepers.
Yet another cross-sectoral initiative is the Data Act that establishes new data access rights for the Internet of Things (IoT) data – i.e. the data that products obtain, generate or collect concerning their performance, use or environment – for both product users and providers of related services. It also establishes generally applicable obligations for data holders, which are required to make data available to data recipients under EU law or national legislation adopted in line with EU law.
The FiDA proposal complements the EU retail investment strategy. It will support its objective to improve the functioning of the retail investor protection framework by providing safeguards in the use of retail investor data in financial services. Moreover, it ensures compliance with the rules on cybersecurity and operational resilience in the financial sector, as set out in the Digital Operational Resilience Act (DORA).
This website is developed and maintained by Cyber Risk GmbH as part of its professional activities in the fields of risk management and regulatory compliance.
Cyber Risk GmbH specializes in supporting organizations in understanding, navigating, and implementing complex European, U.S., and international risk related regulatory frameworks.
Content is produced and maintained under the professional responsibility of George Lekatis, General Manager of Cyber Risk GmbH, a well known expert in risk management and compliance. He also serves as General Manager of Compliance LLC, a company incorporated in Wilmington, NC, with offices in Washington, DC, providing risk and compliance training in 58 countries.
Cyber Risk GmbH, some of our clients
