FiDA at a Crossroads

Opportunity for Open Finance or a Compromise Solution?

With FiDA (Financial Data Access), the EU is facing a pivotal step: moving from Open Banking to Open Finance. The new framework is intended to give consumers and businesses greater control over their financial data while simultaneously driving innovation in the financial sector. However, there are also challenges: data protection, fair competition, and the handling of Big Tech spark controversial debates. This article examines the opportunities and risks of FiDA and highlights how Privacy Enhancing Technologies (PETs) could become a key tool in reconciling innovation with data privacy.

FiDA, which stands for Financial Data Access, marks the next step for the EU in its transition from Open Banking to a broadly applicable framework for Open Finance. While the rules under the Payment Services Directive 2 and 3 (PSD2 and PSD3) primarily focus on access to payment account data, FiDA covers almost the entire financial spectrum: loans, savings, investments, insurance, mortgages, pensions, and crypto-assets.

The core principle of FiDA is that consumers and businesses are the owners of their financial data, which may be held by various financial institutions. They can share this data with third parties, known as data users, through a Financial Data Sharing Scheme, but only with explicit consent. To access consumer and business data, data users must hold a Financial Information Service Provider (FISP) license. Financial data is accessible only with this license and with the customer’s consent. The scheme enables standardized, real-time data exchange.

Consent for data sharing is given by the customer via the dashboard of their respective financial institution. The simple and secure transfer of data aims to foster innovation and competition while supporting the development of new, personalized financial products and tailored solutions. This gives consumers more control and greater choice.

FiDA also introduces a new regulation allowing data holders to charge a fee for the use of their data, providing them with the opportunity to generate revenue by sharing their information.

Schematic illustration of FiDA

Financial data is highly sensitive, as sharing it directly affects privacy, can increase financial vulnerability, and in extreme cases even compromise physical security. These risks must be carefully considered in the legislation. Political resistance from individual EU member states further complicates implementation, and the financial industry has already expressed concerns about FiDA.

Designing FiDA therefore requires a delicate approach: clear rules where necessary, yet restraint to avoid stifling innovation. Ethics and data protection are central to FiDA’s development.

In a joint position paper, the Dutch Central Bank (DNB) and the Dutch Authority for the Financial Markets (AFM) emphasize that clear and robust rules are necessary to ensure fair competition. Data sharing should occur only under the following conditions:

  • with the explicit, informed consent of customers
  • with clear agreements on purpose limitation and data minimization
  • with protective measures against misuse and unwanted profiling

Both organizations stress that FiDA has no chance without strong consumer trust. Such trust arises not only through laws but also through technological safeguards that structurally protect privacy.

One of FiDA’s greatest challenges stems from concerns over excessive regulatory pressure. Several member states, particularly France, Germany, and the Netherlands, have indicated a cautious approach to the regulation’s scope. A framework that is too broad could impose high compliance costs, especially on smaller market participants. At the same time, few concrete market opportunities have emerged, increasing uncertainty.

This cautious stance has led to limitations in the current draft legislation. According to an informal diplomatic document from May 16, 2025:

  • Data older than ten years, as well as data from terminated contracts, should be excluded from mandatory access.
  • The scope should be limited to natural persons and small and medium-sized enterprises (SMEs). Large companies are explicitly excluded.

While these limitations simplify implementation, they reduce FiDA’s innovation potential. Important datasets are excluded, which can significantly disadvantage fintechs, insurance companies, and data-driven SMEs, for example:

  • Credit information services cannot develop long-term risk models for mortgages over 20–30 years.
  • Insurtechs lack historical claims data to model rare but severe risks.
  • SMEs using AI models for forecasting or fraud detection lose access to deep datasets that reveal long-term trends.
  • Providers in the green finance sector are unable to analyze long-term energy or investment patterns to assess sustainability.

France has also intensified diplomatic efforts to adapt the regulation, expressing concern that FiDA could act as a Trojan horse for global tech giants. A framework intended to empower consumers, SMEs, and fintechs could, in practice, facilitate the entry of international tech giants into Europe’s financial markets. Germany and the Netherlands share these concerns, with the Netherlands also emphasizing the burden on banks and regulators.

This concern fuels further debate. Under the current proposal, so-called gatekeepers, as defined in the Digital Markets Act, would be excluded from obtaining a FISP license. Critics argue that while this measure may be effective against Big Tech, it could simultaneously stifle innovation and disadvantage consumers.

The Computer & Communications Industry Association (CCIA) Europe stated in a letter to the EU Commission that this exclusion:

  • Is not proportionately justified
  • Unnecessarily hinders innovation
  • Takes away consumers’ right to choose which providers they trust with their data

While preventing market dominance is a valid goal, it is questionable whether a blanket exclusion is the right approach, especially in a market that relies on diversity.

Privacy-enhancing technologies (PETs) are a crucial tool for balancing innovation and data protection. These technologies enable data to be processed or analyzed without exposing the underlying information. Examples include:

  • Homomorphic Encryption: Enables calculations directly on encrypted data without decrypting it first.
  • Secure Multi-Party Computation (SMPC): Multiple parties perform joint calculations without full access to each other’s data.
  • Differential Privacy: Protects individuals by adding statistical noise to datasets to prevent inference.
  • Federated Learning: AI models are trained locally at the data source, so data does not need to be centrally shared.

PETs make FiDA’s core promise achievable: data-driven innovation while maintaining privacy. They allow strict data minimization, insights without revealing raw data, and a technical implementation of GDPR principles.

According to the Dutch Central Bank (DNB) and AFM, PETs should be considered mandatory, particularly for highly sensitive data such as pensions or credit information. Where laws set clear boundaries, PETs provide building blocks to reduce risk, build trust, and give developers freedom for creativity and competitiveness.

Careful drafting of the final legislation highlights both FiDA’s complexity and its far-reaching impact on the financial industry. The legislation must strike a balance between:

  • Ambition in expanding data access, innovation, and competition
  • Caution in handling sensitive data and market power
  • Flexibility in integrating future innovations without creating lasting risks to privacy or security

In practice, this requires ongoing dialogue among policy makers, regulators, market participants, consumer organizations, and technology providers.

FiDA is at a critical turning point. Trilogue negotiations between the Commission, the Council, and the Parliament are expected to produce a final draft this year. Early contours of FiDA are emerging, but many central questions remain unresolved. It is also unclear whether an agreement will be reached in 2025 and when FiDA will ultimately take effect.

What is certain is that the outcome of the negotiations will determine whether FiDA becomes a strong instrument for Open Finance or a cautious compromise that preserves existing structures.

With the upcoming FiDA regulation, banks, insurance companies, and other service providers must quickly assess its impact on their organizations and business models to ensure compliance and capture new opportunities.

The following measures support a structured approach to FiDA:

Awareness & Positioning Workshop

Understand and share the impact of the FiDA regulation, and define the ambition you want to achieve.

Ideation Session

Create, explore and research the new business opportunities that are within reach.

Gap Analysis

Investigate the extent of the impact of FiDA on compliance, data management, and organization.

This approach helps banks, insurance companies, and other service providers gain clarity on opportunities and challenges, enabling them to leverage FiDA actively and proactively.

It is beneficial to address FiDA at an early stage to uncover opportunities and prepare accordingly. The experts at Thede Consulting, part of the Projective Group, support you with workshops, analyses, and practical advice – tailored to your organization.

FiDA is part of our new workshop “NextGen Payments: Revolution or Evolution by 2030?”. In this tailored session, we explore how future drivers such as digitalization, regulation, and cybersecurity affect your business models and develop individualized solutions together.

Eike Maybaum

Philipp Widua
