The EU is committed to bringing the wider financial sector into the digital age. To this end, it has proposed a new framework for secure and open access to customer data across a broader range of financial services. As trilogue negotiations between the European Commission, the Council, and the European Parliament on the framework for financial data access (FIDA) are set to begin, it’s an opportune moment to reflect on where we stand.
FIDA’s path to trilogues, however, has not been without disruption. In early 2025, a leaked draft of the Commission’s 2025 work programme suggested that FIDA could be withdrawn—an unexpected move typically reserved for long-stalled initiatives with little prospect of agreement. This raised questions across the financial sector, as withdrawal would have signalled a major shift in the EU’s approach to Open Finance. Yet, in a last-minute reversal and following pushback within the Commission from the responsible department, the final version of the work programme listed FIDA under pending proposals, ensuring that negotiations would proceed as planned.
While the Commission’s proposal has already set the stage, notable differences remain between the Parliament and the Council on key issues such as Customer control over their data, the treatment of so called ‘gatekeepers’, the obligations of Account Information Service Providers (AISPs), market access for third-country financial information service providers (FISPs) and the timeline for implementing the framework.
This blog first highlights the key measures of the FIDA (I.), then discusses the current state of the debate surrounding the identified key issues (II.) and concludes with an outlook on the next steps (III.).
I. Key measures
The proposal builds on the (mixed) success of ‘open banking’ under the revised Payment Services Directive (PSD2) and extends its principles to a wider ‘open finance’ framework. This should empower consumers and businesses with effective tools to control their financial data, ensure compliance with GDPR, and standardise data-sharing processes to foster competition and innovation. This framework prioritises consumers’ interests, competition and security aspects, aiming to create a more efficient and innovative financial ecosystem.
Key measures include:
- Clear rights and obligations for managing customer data sharing beyond payment accounts.
- Standardised technical interfaces to streamline data access.
- Enhanced consumer control over data-sharing decisions.
These efforts are set to transform the financial sector, unlocking opportunities for new providers and fostering innovative financial products for consumers.
II. Key issues and institutional positions
1. Data and permissions
While the expressed aim of the proposal is to mobilise customer data and increase data-sharing, the ubiquitous availability of sensitive consumer data may increase the risk of financial exclusion. Accordingly, FIDA needs to strike the right balance between both considerations. To limit the risk of financial exclusion, the Commission (and in the same vein, the Parliament) excluded data collected as part of a creditworthiness assessment of a consumer as well as cover data related to the sickness and health insurance (or insurance-based investment products) of a consumer from the scope of FIDA. To the extent that other data permits related conclusions, in particular on the creditworthiness of consumers, the EBA will be tasked, according to the Commission's proposal, with drawing up technical rules describing to what extent other customer data may be used for these purposes. The Council largely followed that approach but granted member states the discretion whether to also include customer data on pension rights in occupational pension schemes. The Council also clarified that customer data should be limited to raw data received by the data holder and that it excludes any enriched data or other data that could reveal trade secrets or confidential business data of the data holder.
2. Financial data sharing schemes and phase-in
The implementation timelines differ between the various proposals, particularly regarding the Financial Data Sharing Schemes. The Commission has proposed this quite novel regime under which data holders and data users would be required to establish and become members of those schemes, which would regulate most aspects of data sharing, such as technical details, liability and compensation for transferred data.
The Commission proposed 18 months for the establishment of those schemes. The Parliament proposal introduces a staggered approach, with the general rules for the schemes agreed upon within 12 months, the technical and compensation rules within 26 months, the schemes becoming operational within 30 months and the rules becoming applicable 36 months after FIDA entered into force. The Council Position distinguishes between different categories of customer data and introduces a staggered approach for the implementation of FIDA in general. For data on, for example, savings, accounts, and general consumer credit agreements, FIDA would apply 24 months after entry into force, whereby schemes would have to be established within 18 months. For other categories of customer data, such as residential mortgage credit agreements and data on investments and suitability assessments, FIDA would apply after 36 months (and rules on schemes after 30 months). For more specific data, such as insurance-based investment products and data on creditworthiness assessments, the regulation would apply 48 months after the entry into force (and rules on schemes after 42 months). The Council bases the need for a phased approach on the availability and standardization of different categories of customer data.
3. Gatekeepers
The (generally welcomed) sharing of data has triggered considerations whether the objective of FIDA would conflict with the regulatory objective of other regulations. More specifically, the EU has introduced specific regulations under the Regulation on Contestable and Fair Markets in the Digital Sector (also known as the Digital Markets Act, DMA) that address large tech companies that already have the advantage of extensive access to customer data.
The Commission proposal refers to gatekeepers only in their general consideration, confirming that the proposal fits into the broader European strategy for data, to which also the DMA belongs. It emphasizes enabling data sharing and market contestability, particularly within the financial sector, but does not establish specific rules for gatekeepers. The Parliament introduces limitations for gatekeepers to use customer data. They are not only barred from transferring data from an eligible data user into other group companies, but the eligible data user must also not combine received customer data with other customer data obtained elsewhere. A gatekeeper may not become or establish a FISP. Furthermore, any eligible data user that is a gatekeeper or controlled by a gatekeeper would need to undergo a specific additional assessment by its financial regulator that assesses the network effects and data-driven advantages as well as organisational compliance with the FIDA requirements. The Council Position clarifies some ambiguities under the Parliament’s approach but still requires a similar assessment of gatekeepers.
4. Obligations on AISPs
AISPs play a key role in open banking by offering value-added services through user-authorized access to payment account data held by banks and other financial institutions. AISPs have been regulated since the introduction of PSD2, which established a framework for open banking by mandating banks to provide secure access to payment account data upon user request. Now, with the proposed FIDA, AISPs are set to fall under an expanded regulatory framework, covering access to financial data beyond payment accounts, and it is not certain which role AISPs will play in such an extended regulatory framework.
The key differences between the Commission, Parliament, and Council regarding AISPs and their access to customer data revolve around authorisation requirements and the timing of evaluations. The Commission generally includes payment institutions and AISPs in the scope of the regulation but excludes AISPs from the definition of a ‘data holder’. The lack of specific treatment indicates that AISPs may access all customer data without further steps. The Parliament, however, requires AISPs to obtain an additional license as FISP to access customer data. The Council Position introduces additional steps for AISPs seeking authorisation, allowing competent authorities to use previously submitted registration information if still valid, streamlining the process.
5. No market access for third-country FISPs
The Commission envisaged an authorisation and market access regime for FISPs established in third countries if they appoint a legal presentative in the Union. However, both the Parliament and the Council removed these provisions, effectively eliminating the possibility for third-country providers to access the market under the current regulation.
III. Next steps
Following the approval of the Economic and Monetary Affairs Committee position, the Parliament decided to enter into interinstitutional negotiations in December 2024. On the Council’s side, on 04 December 2024, the Council adopted their position on FIDA to enter trilogues. Co-legislators were expected to kick off trilogues in February 2025 under the leadership of the Polish Presidency.
While the last-minute reversal of FIDA’s potential withdrawal has ensured that discussions can continue, its long-term fate remains uncertain. If negotiations stall, the possibility of withdrawal could resurface. A failure to advance FIDA would leave the EU at a crossroads in financial data policy, especially as the UK moves ahead with Open Finance initiatives.
We are now expecting trilogues to kick off in March 2025 although the general expectation is that this final stage of negotiations would last longer than is usual and would likely be finalized under the Danish Presidency between July and December 2025. These will be critical in determining whether the EU can establish a competitive framework for financial data access or risks falling behind global peers.
