Explainer: Understanding FIDA Proposal

This explainer breaks down the EU’s Framework for Financial Data Access (FIDA) proposal and its role in optimising Open Finance. With adoption expected in late 2025, FIDA will reshape Europe’s digital finance sector. Emanuel van Praag and Eugerta Muçi guide readers through the key implications and debates shaping the final text.

Introduction to the FIDA Proposal and Open Finance in Europe

The European Union (EU) is accelerating the establishment of Open Finance following the June 2023[1] publication of the Framework for Financial Data Access (FIDA - Proposal).

Currently, significant changes are being discussed by the EU legislative bodies (the EU Parliament and the EU Council of Ministers). While the overall goal of Open Finance has consensus, many specifics – from data scope to scheme governance - are still being negotiated. The final version is expected in late 2025, and once adopted, financial institutions will have 30–32 months to comply[2].

What is FIDA Proposal?

The Framework for Financial Data Access (FIDA) is a legislative proposal presented by the European Commission in June 2023, part of the EU’s Digital Finance Strategy. The aim is to create a more integrated, transparent, and innovative financial ecosystem in which customers can authorise licenced firms to access their data securely and reliably, enabling new products, better insights, and more personalised services.

Financial Data Coverage under FIDA

The proposals aim to cover a wide financial services and products that will become subject to a data sharing right, such as:

Mortgage credit agreements, loans, and accounts, except payment accounts, including data regarding balances, conditions, and transactions;
Savings, investments in financial instruments, insurance-based investment products, crypto-assets, real estate, other related financial assets, and any resulting economic benefits;
Information gathered to determine suitability and appropriateness according to MiFID requirements;
Pension entitlements within occupational pension schemes and Pan-European Personal Pension Products (PEPPs);
Non-life insurance policies, excluding those related to sickness, health, or medical coverage;
Information collected during loan applications or credit rating requests is specifically used to evaluate a company’s creditworthiness.

Key objectives of the EU’s Open Finance Framework

Through FIDA, the EU aims to improve the sharing of financial data while strengthening customer rights and market competition. One goal is to optimise data sharing across financial sectors, enabling new business models and innovative services. Customers will gain better control over their financial data, making it easy to grant, manage, and revoke access. Additionally, competition will be strengthened by levelling the playing field for fintechs and third-party providers, and security will be improved through robust safeguards that protect privacy and prevent the misuse of financial data.

Relationship with other EU regulations

Because FIDA governs access to customer data, it must comply with several key pieces of EU legislation:

PSD3/PSR – updating payments and e-money.
GDPR for consent and data protection.
DMA (Digital Markets Act) – regulating BigTech gatekeepers
DORA (Digital Operational Resilience Act) – cybersecurity and resilience.

Additionally, the sharing of payment account data will, in the short and medium term, continue to be regulated by PSD2 (and PSD3). No substantial changes have been suggested in PSD3. The changes are mainly clarifications in line with existing EBA Guidance and Q&As:

Banks will still need to make information on the payment account available for free;
AISPs still need a specific licence for this.

Looking ahead, the EC envisions that AISPs could ultimately be exclusively governed by the Framework Regulation and subject to similar data-sharing rules. They would then become FISPs and carry the same obligations and rights as other FISPs. The EC will need to assess the practicality of this for four years after the implementation of the Framework Regulation.

How FIDA works in practice

FIDA builds on existing rules from PSD2, GDPR, and the draft Data Act, offering users the right to instruct their financial service providers (data holders) to share data with other firms (data users). Specifically, these data users can use the data they obtain to provide services to the customer. For example, this allows the client to instruct his/her bank to provide data on savings and loans to a financial advisor, enabling the advisor to provide the customer with more tailored and efficient advice. Depending on the service offered by the data user, this can be a one-time data sharing or a more regular and real-time sharing.

The Framework Regulation is relatively short. The details will need to be worked out in schemes (comparable to the SEPA schemes established by the EPC), to which Data Holders and Data Users are obliged to follow.

An important caveat is that the Framework Regulation only applies to financial institutions.

Data requirements

To make this ecosystem function optimally, FIDA lays down several conditions for data sharing:

Standardsation – data must be machine-readable and interoperable, allowing it to move between providers without complexity or distortion.
Secure access – APIs will be the primary method of exchange, ensuring speed and security.
Phased rollout – some data types will come first, others later, depending on their readiness (read more below).
Safeguards – sensitive categories may be excluded to protect customers.

Data holders

Before exploring the governance mechanisms, it is helpful to first understand the main actors in FIDA. Data holders are the institutions that currently hold financial data. It can be banks, insurers, pension funds, investment firms, securities depositories, and crypto-asset providers.

Their obligations are to:

Provide access when customers consent.
Join recognised schemes and follow their rules.
Guarantee security, accuracy, and timeliness of shared data.

Some of the challenges data holders will face include legacy systems, uneven digitalisation across Member States, and the high cost of compliance.

Data users and who can obtain the data

Data users are firms that want access to data to offer new services.

Their responsibilities are:

Use data only with explicit customer consent.
Comply with scheme requirements on security and governance.
Be transparent about how customer data is used.

A key decision for many data users will be whether to become authorized directly or to partner with intermediaries such as FIDPs or FISPs, a model still under review or awaiting final approval.

Only financial institutions can access the data without the need to obtain a separate authorisation. These are banks, insurers, (exempted) payment institutions including AISPs, investment firms, crypto asset service providers (as of MiCA), fund managers, insurance intermediaries, crowdfunding service providers, and pension funds. Financial institutions regulated under local laws (i.e., not EU law) are not within the scope of the Framework Regulation. In the Netherlands, these include, for example, consumer credit providers and consumer credit intermediaries.

By contrast, non-financial institutions will need to obtain authorisation from their home-state supervisor to do business across the EU (a passport regime). Such parties are referred to as Financial Information Service Providers (FISPs). The requirements for authorisation are comparable to those of an account information service provider under PSD2.

It’s currently unclear whether a service model whereby one party obtains customer data and forwards this data (with customer permission) to another party to be used for its service is allowed if this other party has no license (the license-as-a-service model).

Also, BigTechs can leverage opportunities under the Framework Regulation to enrich their datasets. A rule comparable to the draft Data Act that prohibits Big Tech from obtaining more data is not included.

Schemes, governance, and compensation models

With the key actors defined, the Framework Regulation sets rules for organising and incentivising data sharing through schemes. Key governance requirements include:

Balanced representation: Data Holders and Data Users should be equally represented, with customer and consumer organisations also participating.
Equal treatment: All scheme members must be treated fairly, without preferential conditions.
Open participation: Schemes must be open to all relevant stakeholders.
Compliance with EU law: Schemes cannot impose additional controls or conditions beyond those in the Framework Regulation or other EU legislation.
Supervisor oversight: Schemes must be notified to the relevant authority, which evaluates whether requirements are met.

If no scheme is successfully established, Data Holders are still required to provide access to the data, but cannot charge for it.

Unlike PSD2 (and PSD3 proposals), under FIDA, Data Users will not receive the data free of charge. To ensure that Data Holders have sufficient incentives to provide high-quality APIs, they may request reasonable compensation, which must adhere to the following principles:

Limited to costs directly related to making the data available to the data users and attributable to the request.
Based on an objective, transparent, and non-discriminatory methodology agreed by scheme members.
Derived from comprehensive market data collected from both Data Holders and Data Users.
Periodically reviewed to reflect technological progress.
Structured to encourage the lowest market rates.
Limited to requests covered by the Framework Regulation or proportionate for combined datasets.
More favourable conditions apply when the Data User is an SME.

Privacy and data protection considerations

Data sharing under FIDA raises important privacy considerations:

GDPR compliance: All data sharing must follow GDPR requirements.
Customer control: Data Holders must provide a permission dashboard, enabling customers to monitor and manage the access granted to Data Users. Customers can revoke access within the Data Holder’s environment, though revocation during an ongoing service may have contractual implications.
Defined data perimeter: The EBA and EIOPA, in cooperation with the EDPB, will define guidelines on the data perimeter. Data obtained within this perimeter can generally be considered necessary under GDPR, while data outside it may be more complex to justify legally.

These measures, therefore, aim to ensure transparency, customer empowerment, and a legally defensible framework for responsible data sharing.

How to get ready for FIDA?

Although the proposal is still evolving, organisations can already take steps to prepare. There are some priorities that both data holders and users must face: trust and transparency, collaboration with legal, IT, compliance, and product teams, and budget planning. Additionally, some requirements are specific.

For data holders

Audit the data – identify what is valuable, how digitised it is, and where the gaps are.
Invest in infrastructure – prepare APIs and secure system sooner rather than later.
Engage with schemes – joining early allows institutions to shape the standards.
Build governance – set up frameworks for consent, liability, and customer protection.

For data users

User-friendly consent flows – make it simple for customers to grant and revoke permissions.
Strengthen compliance – data protection and governance must be watertight.
Plan integration – prepare to connect with APIs and schemes.
Choose your model – data users need to decide whether to become authorised directly or use a FIDP as a service partner if allowed.

The main discussions in the FIDA Proposal

Although FIDA marks an essential step in Europe’s shift toward Open Finance, several discussion points require attention and debate:

1. FIDA readiness

The first challenge is FIDA readiness. Not all data types are equally digitised, so the implementation costs of FIDA are higher for some than for others. Therefore, a phased[3] rollout is planned, prioritising data that is already digitally mature and delaying more complex datasets until the sector can ensure their safe and consistent exchange, as shown:

Phase 1 – Highly standardised, already digital – e.g., savings, loans; it will not require much effort for data holders to make this data available, as they would build on the experience with PSD2.
Phase 2 – More complex, partially digitalised – e.g., motor insurance, investment products;
Phase 3 – Heterogeneous, under-digitised, such as occupational pensions.

The discussion focuses on which financial product or service data should be included in which phase.

2. Data access within vs. outside schemes

A key debate in the FIDA proposal is whether data access can occur outside of recognised data-sharing schemes, and if so, whether data holders can change for that access. The current text is unclear: one article allows purely contractual agreements outside schemes (implying that compensation is possible), while another states that compensation is only permitted when data is shared under a scheme.

The uncertainty has essential competitive implications. If compensation outside schemes is not permitted, data holders may refuse direct requests and force firms – especially smaller ones – to join schemes for access. If compensation is permitted outside schemes, essential players such as big tech could leverage their market position to negotiate favourable terms, potentially undermining standardisation and collective bargaining.

Therefore, specific rules must be clarified to ensure legal certainty, protect weaker market participants, and maintain fair and standardised access to financial data.

3. Gatekeeper access

In the initial proposal, gatekeepers were not explicitly restricted, meaning firms such as Google, Amazon, or Meta could simply apply for a FISP licence[4] and gain access to Open Finance data. However, policymakers now propose explicitly excluding gatekeepers from becoming FISPs and giving supervisory authorities the power to prevent them from bypassing the rule through subsidiaries. This aligns with the Digital Markets Act[5] and Data Act, which aim to ensure that gatekeepers do not strengthen their dominance by accumulating new data advantages.

Still, gatekeepers that already hold a financial licence – a bank or insurer – may continue to access FIDA data but cannot combine it with their existing datasets in ways that distort competition. They may also obtain financial data via contractual agreements outside the scope of FIDA. In conclusion, gatekeepers are not entirely excluded from data access, but they cannot rely on FIDA rights to expand their market power.

4. FISP-as-a-service

Another debating point concerns the emerging FISP-as-a-service[6] model. Many firms want to participate in Open Finance without obtaining full authorisation themselves, instead partnering with an already licenced provider. While this model exists successfully in Open Banking, the current FIDA text still lacks clarity on its permissibility, an essential question for business models and market inclusiveness.

5. Financial exclusion concerns

Some Member States have also raised concerns about financial exclusion and customer profiling[7]. As data-driven underwriting and automated decision-making become more common, there is a fear that vulnerable consumers – or even SMEs – could be unfairly penalised based on past events, low income, or risk profiles. Lawmakers are evaluating safeguards to prevent discriminatory outcomes, while also recognising that data is essential for fair pricing and proper risk assessment.

6. Occupational pension data

Finally, the inclusion of occupational pension[8] data remains highly debated. Opponents argue that this data can reveal sensitive health information and offers limited competitive value, given that employees rarely choose their pension provider. Supporters counter that pension data is essential for building accurate financial planning tools, and the strict supervisory rules could prevent misuse. This decision will significantly influence how comprehensive Open Finance becomes.

All together, these discussions show that Open Finance is not simply a technical project, but a strategic reshaping of the EU’s financial landscape, and several things, such as innovation, competition, and protection, need to be considered.

FIDA Proposal timeline and implementation milestones

The FIDA proposal adheres to a set timeline with several key milestones:

June 2023: FIDA proposal published.
2023-2025: Legislative negotiations within the Parliament and Council.
Q3/Q4: expected adoption of the final text.
2027-2028: anticipated compliance deadlines (30-32 months).
Phased rollout: initial focus on banking data, with more complex categorisations (e.g., pensions) to be introduced later.

Conclusions – What FIDA means for the future of Open Finance in Europe

FIDA represents an ambitious initiative of the EU’s digital finance agenda. By establishing a clear framework for data sharing, it could reshape how financial data is managed, shared, and protected across the Union.

If implemented successfully, it will strengthen customer empowerment, foster new opportunities, and create a more competitive financial environment.

However, several technical and political issues remain unresolved. Key questions — including pension data, scheme governance, and the risk of economic exclusion – must be addressed to ensure that Open Finance develops in a fair, inclusive, and sustainable way. Therefore, the upcoming negotiations will be crucial in shaping the actual impact of the EU’s Open Finance framework.

[1] European Commission, ‘Proposal for a Regulation of the European Parliament and of the Council on a framework for Financial Data Access and amending Regulations (EU) No 1093/2010, (EU) No 1094/2010, (EU) No 1095/2010 and (EU) 2022/2554’ (COM(2023) 360 final 2023/0205(COD), 28 June 2023) <https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A52023PC0360> accessed 27 September 2024.

[2] As of writing, the proposal is waiting for a vote in the European Parliament after obtaining the vote in the responsible committee (Committee on Economic and Monetary Affairs (‘ECON Committee’)) <www.europarl.europa.eu/doceo/document/A-9-2024-0183_EN.html> accessed 27 September 2024. Several meetings have taken place in the Council of Ministers as well. See for the Council’s approach (January-June 2024), Council of the EU, ‘Proposal for a Regulation of the European Parliament and of the Council on a framework for Financial Data Access and amending Regulations (EU) No 1093/2010, (EU) No 1094/2010, (EU) No 1095/2010 and (EU) 2022/2554 - Progress report’ (10949/24, 14 June 2024) <https://data.consilium.europa.eu/doc/document/ST-10949-2024-INIT/en/pdf> accessed 27 September 2024.

[3] Ibid in the Council’s Progress Report.

[4] The designated gatekeepers are Alphabet Inc. (Google), Amazon.com Inc., Apple Inc., ByteDance Ltd. (TikTok), Meta Platforms, Inc. (Byte) (Facebook), Microsoft Corporation Inc. and Booking, at European Commission, ‘Digital Markets Act (DMA): Gatekeepers’ <https://digital-markets-act.ec.europa.eu/gatekeepers_en> accessed 27 September 2024.

[5] Regulation (EU) 2022/1925 of the European Parliament and of the Council of 14 September 2022 on contestable and fair markets in the digital sector and amending Directives (EU) 2019/1937 and (EU) 2020/1828 (Digital Markets Act) OJ L 265/1, 12.10.2022.

[6] Article 3(6a) FIDA Proposal ‘‘financial information service’ means the online service provided by a data user of collecting and consolidating customer data to customers and does not include the provision of services regulated under existing Union financial services legislation and reserved for financial institutions authorised under Union law’.

[7] French Delegation to the Council of the European Union, ‘French Non-Paper, FIDA: How to Tackle the Risk of De-Mutualization’ (WK 6757/2024 ADD 1, 8 May 2024) <https://pensionseurope.eu/wp-content/uploads/FR-non-paper-FiDA.16.04.pdf> accessed 27 September 2024.

[8] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) OJ L 119/1 04.05.2016 <https://eur-lex.europa.eu/eli/reg/2016/679/oj> accessed 27 September 2024.

About Emanuel van Praag

As an Attorney-at-law at Kennedy Van der Laan, Emanuel van Praag helps leading financial institutions navigate the complex and dynamic regulatory landscape. With over 15 years of experience in the financial industry, he has in-depth knowledge and practical insights into the legal and business challenges facing the sector, especially in the areas of Big Data, Open Finance, Payments (PSD2), Investment Services (MiFID II, AIFMD) and Cryptoassets. Emanuel combines legal practice with academic research and teaching as a Professor of Financial Technology and Law at Erasmus School of Law. He publishes articles and books on the impact of emerging technologies on the financial sector and the law. He wrote a leading textbook on PSD2 and Open Finance. Kennedy Van der Laan is a full-service Dutch law firm with more than 120 lawyers, serving market leaders since 1992, with specialist legal knowledge in the areas of FinTech, Payments, IP, Privacy and Employment Law.

About Kennedy Van der Laan

Kennedy Van der Laan was established in 1992, and since then has been driven by the ambition to serve as top-level attorneys and improve the world. With over 120 lawyers KVdL is a full-service law firm. KVdL’s FinTech and payments practice is highly regarded.

About Eugerta Muçi

As a third year PhD Candidate at Erasmus University Rotterdam, Erasmus School of Law, Eugerta Muçi researches how a safe and competitive infrastructure for Open Finance can be built in the EU. Eugerta has graduated summa cum laude from KU Leuven and the University of Zürich with a Double Degree Master in Law in European and Financial Law. She has various publishments on Open Finance and Open Banking (PSD2). Besides her PhD, she consults a global consultancy firm on financial law matters, specifically Open Finance. Eugerta is also a Member of the Albanian Bar Association. Erasmus University Rotterdam is a highly ranked international research university founded in 1913. Erasmus School of Law offers high-quality legal and criminological education and researches law from economic and social perspectives.

About Erasmus University Rotterdam

Erasmus University Rotterdam was founded in 1913 and is a highly ranked, international research university, based in the dynamic and diverse city of Rotterdam, the Netherlands. Erasmus School of Law offers high-quality legal and criminological education and researches law from economic and social perspectives.

The authors’ analysis was expertly edited and prepared for publication by Paula Albu, Editor at The Paypers.

This article is part of The Paypers’ Explainers section. To access other educational materials, click here. If you have suggestions about other topics that could be included in this section, we invite you to write to us at editor@thepaypers.com

Explainer: Understanding FIDA Proposal and Europe’s Open Finance Agenda