FiDA Hub

FiDA: Back on the Agenda

After a rocky start which threatened to see EU Financial Data Access (FiDA) scrapped from the EU’s agenda , it’s back on the agenda with the first trilogue meeting taking place in April 2025. Here’s a snapshot about what FiDA is all about, its current status and what industry is saying.

FiDA in a snapshot

The Commission published its FiDA proposals back in 2023, marking it out as a pivotal component of the EU’s digital transformation framework. The proposals aim to revolutionise financial data accessibility, fostering a more transparent, competitive, and innovative financial ecosystem across member states – an agenda intended to compliment the “open banking” developments we’ve seen in the payment services arena recently. In essence, the idea is to:

• Empower customers: By providing customers with greater control over their financial data, FiDA seeks to empower them to make informed decisions and benefit from personalised financial services

• Boost innovation: Secure data sharing among financial institutions and third-party providers will drive innovation, enabling the development of new products and services tailored to consumer needs

• Enhance competition: By levelling the playing field, FiDA aims to foster competition among financial service providers, ultimately offering consumers better choices and pricing

Back in 2024, the Parliament and Council published their respective versions of the proposals, setting out where they agreed or disagreed with the Commission version. So we now find ourselves at the trilogue stage – that’s the process during which the Commission, Parliament and Council meet to discuss their respective versions of the text with the aim of ultimately agreeing final legislation.

The proposals

Here’s a quick rundown of the key proposals (and issues of concern for industry):

Regulation: The proposals are drafted in the form of a regulation (not a directive). This means the provisions, once applicable, will directly apply across all member states (without member states needing to draft the provisions into national law). This is a key trend we’ve been seeing across EU legislation – an attempt to harmonise application across the EU and prevent national disparities which can arise when directives need to be drafted into national law, thereby (at least this is the intention) reducing regulatory barriers across the EU (and regulatory arbitrage).

Firm scope: The proposals apply to a wide variety of firms – including, but not limited to, credit institutions, investment firms, UCITS ManCos, AIFMs, crypto-asset firms, insurance undertakings (financial institutions) and more – whether they are acting as a firm holding data (data holders) and/or a firm that wants to use customer data (data user). Whilst some firms (in particular those in the FinTech space) are broadly (though not all!) in favour of FiDA – seeing potential business opportunities in being able to use data to drive product solutions – much of the financial services industry has expressed concern over the wide scope of FiDA, administrative burdens and the cost of tech builds that would be required under the current proposals.

Customer scope: This has been one of the most controversial aspects of the Commission’s proposals. Broadly, the proposals apply in relation to “customers”, defined as a natural or legal person who makes use of financial products and services. There is no differentiation between retail and non-retail. The disproportionate application of FiDA to all customer types is of concern to many market participants, especially because non-retail customers often negotiate bilateral data-sharing arrangements with firms already.

Data scope: Another controversial element is the broad scope of the types of data captured under FiDA, which covers data on a very wide variety of product types – including data on, for example, mortgage products, loans and accounts, savings, investment in financial instruments, crypto-assets, insurance products, pension products and creditworthiness assessments. The Parliament, Council and Commission versions significantly diverge in this area.

Dashboard: Firms holding data (data holders) will need to provide a “permission dashboard” to monitor and manage the permissions that a customer provides to firms that get access to the customer’s data (data user). As a concept this appears sensible and is to be welcomed. However the devil is in the detail. Much of the drafting is unclear on precisely how and what the dashboard should look like and how information can be provided in real-time between the customer and the data user. Firms will need significant tech build in this area.

Data sharing schemes: Data holders and data users will be required to become members of a financial data sharing scheme, the rules of which will govern access to the different data types under FiDA. Whilst the proposals attempt to set out how these schemes are to be set up and how they will operate, there are a lot of questions arising as to how these will operate in practice, especially where the membership of the scheme is spread across more than one member state. Areas of divergence between the Parliament, Council and Commission versions focus on the timelines for these schemes being set up, how the rules on how compensation for data are to be determined, whether national regulators or EU regulators will be responsible for assessing each scheme and what happens if no scheme is set up. Industry has also expressed concern as to the extent of evidence that all these schemes are needed i.e. is there customer demand for across all data types or only some? If only some, then these schemes should only need to be set up where there is demand. Making firms jump through these hoops across all data types (irrespective of whether customers will actually want it or use it) would be placing undue burden and cost on firms for little to no customer benefit.

Financial information service providers (FISPs): FISPs are a new category of firm introduced in the proposals i.e. non-financial institutions wanting to access and use customer data under FiDA. These firms will need to become authorised as FISPs (similar to account information service providers – AISPs – under PSD2). The proposals set out the requirements for authorisation, including insurance requirements and outsourcing conditions (no letter box entities). The EBA will maintain a public register of all FISPs. The Commission, Parliament and Council are broadly aligned on the concept of FISPs, but there are some major differences on application:

• Both Parliament and Council require a FISP to be a legal person

• Council (in an apparent attempt to prevent regulatory arbitrage) requires that a FISP will need to show that it intends to carry out at least part of its activities in the member state where it has it registered office

• We also see the concept of gatekeepers (as defined in the Digital Markets Act) featured in the Council and Parliament versions (completely absent in the Commission version). In the Parliament version gatekeepers are excluded from being able to become FISPs, whereas in the Council version additional authorisation procedures are to be applied if a gatekeeper is to become a FISP. The coverage of the gatekeeper concept in the Parliament and Council versions has been welcomed by industry who have expressed concern about BigTech accessing data via FiDA.

• Last, but certainly not least, is the Commission’s proposals around third country FISPs, allowing authorisation of non-EU firms as FISPs provided they appoint a legal representative in a member state. Those proposals have entirely been deleted by the Council and Parliament – welcome news to many in the industry who have expressed concern around the security of the EU customer’s sensitive data and the impact on EU competitiveness if non-EU firms are able to access the EU’s data market via FiDA.

Cross-border access to data: Financial institutions and FISPs will be able to access customer data held by data holders across the EU, but if FISPs wish to access customer data for the first time in a member state that is not its home state regulator, they will need to make a notification to the home regulator, which within 1 month will send it on to the host regulator (this appears to operate a bit like a MiFID passporting notification). The Council and Parliament are broadly aligned with the Commission proposals on this, though the Parliament provides that host regulators can temporarily suspend transmission of data of customers in its state where the FISP has infringed FiDA.

Regulator powers: Another trend we’ve been seeing over the last few years is the increased scope of regulator (national and EU) powers included in regulation. FiDA is no exception. The Commission, Council and Parliament positions are largely aligned on scope, though there are some differentials, in particular the Parliament and Council both significantly raise the maximum amount of administrative fines that regulators can impose on firms.

For a more detailed explanation of the proposals, and the divergences between the Commission, Council and Parliament versions, check out the Simmons & Simmons FiDA Tracker Table. We will continuously update this tracker to keep you informed of any new developments as they arise. Should you wish to receive future updates, please feel free to send us an email expressing your interest.

Simplification is the buzzword

At the first trilogue meeting - in a trend we’ve been seeing recently across a number EU legislative measures, the Commission was asked by Parliament and Council to prepare simplification proposals. You can read more about those proposals here.

Those simplification proposals were discussed by Parliament, Council (under the Polish Presidency) and the Commission in a second trilogue meeting held on 17 June, with alignment in some areas starting to take shape (though no firm agreement as yet) - see our Simons & Simons FiDA Tracker Table above for details. An internal Council meeting (under the new Danish Presidency) subsequently took place on 16 July, to digest and discuss the outcome from that second trilogue meeting.

The next trilogue meeting between Parliament, Council and the Commission is expected to take place in September.

What’s the timing?

We know we sound like a broken record (!), but the Commission, Parliament and Council texts diverge on application timing. The Commission requires the provisions to apply 24 months after FiDA comes into effect. The Parliament requires application of the provisions from between 30-38 months after FiDA comes into effect (depending on the provision). The Council takes a slightly different tact and requires the provisions to apply in 3 different tranches depending on the type of customer data, varying from 18-48 months after FiDA comes into effect.

…but for now, trilogues have just started so we’re a little away from a final text at this stage.

What should we do now?

At this stage you should be aligning your business with relevant trade associations and lobbying efforts. It is also worth starting to map which of your entities and business lines are going to be impacted, where areas of opportunity/growth could arise, and starting to think about the budget and plan around the significant tech builds that FiDA is almost certainly going to require, whatever shape the end version looks like.

At Simmons & Simmons, we’re following developments closely and will keep you updated as we hear more. We would be pleased to assist with scoping, advising on decision-making, and project plans as well as all other FiDA-related questions.