FINANCIAL DATA ACCESS REGULATION (FIDA)


Introduction  

The European Union has been developing a unified regulatory approach to create a single market for data (both personal and non-personal). Since 2020, EU initiatives such as the European Data Strategy and the Digital Finance Strategy have advanced efforts to regulate data collection, handling, and exchange. In line with these objectives, the EU proposed the Financial Data Access Regulation, complementing Regulation (EU) 2023/2854 (the “Data Act”), which entered into force on January 11, 2024.


Scope of Application  

The draft Financial Data Access Regulation (“FIDA”) establishes, in Article 2(1), a mandatory data‑sharing framework that extends well beyond payment‑account information. Covered datasets include, inter alia:

  • customer data on savings, investments in financial instruments, insurance‑based investment products, and crypto‑assets;
  • information collected for corporate credit‑worthiness assessments; and
  • records concerning pension entitlements of any kind.

FIDA applies whenever one of the entities listed in Article 2(2) acts as a data holder, a data user, or both. The catalogue embraces investment firms under MiFID II[1], credit institutions, payment‑ and e‑money institutions, insurance undertakings, crypto‑asset service providers, and issuers of asset‑referenced tokens.

Notably, issuers of other MiCAR tokens (i.e. non‑ART/EMT tokens) are not expressly covered.

“Customer” is defined broadly: it may be a consumer or any natural or legal person that uses financial products or services. Hence, the Regulation governs both B2B and B2C relationships. FIDA also exhibits marked extra‑territorial reach. Third‑country investment firms wishing to act as financial information service providers (“FISP”) in the EU must (a) obtain the dedicated authorization under Article 12 and (b) establish either an EU subsidiary or appoint an EU‑based legal representative (Article 13).


Key Actors and General Rules

Data holder: any financial institution (other than an account‑information service provider) that collects, stores or otherwise processes the datasets listed in Article 2(1).

Data user: any entity listed in Article 2(2) that, with the customer’s permission, lawfully accesses those datasets.

Financial Information Service Provider (FISP): a data user specifically authorized under Article 14 to access customer data for the provision of “financial information services”.

FIDA foresees a uniform contractual model between data holders and data users, embedding:

  • minimum remuneration obligations: a reasonable fee schedule for making data available (Article 10(1)(h));
  • standardised allocation of liability; and
  • a built‑in dispute‑resolution mechanism.

FIDA imposes many obligations, including but not limited to: (i) the customer must explicitly instruct the data holder to share data with a chosen data user; and (ii) every data holder must offer a permission dashboard that complies with the formal, functional, and accessibility criteria in Articles 8 and 10(g). Through that dashboard the customer can grant, monitor, and withdraw permissions in real time. In addition, customers are entitled to obtain, via the dashboard, a copy of all FIDA‑scope data held about them.


Sanctions and Supervisory Powers

Besides the conventional and potentially high administrative fines, competent authorities may impose recurring penalty payments that continue until the breach is remedied (de facto “astreinte”).

Each Member State must designate a dedicated supervisory authority. Its toolkit mirrors modern EU enforcement practice and includes:

  • on‑site inspections, the questioning of staff, and data seizure;
  • orders to hosting or telecom providers to remove, disable, or restrict access to online interfaces; and
  • the ability to levy both lump‑sum fines and periodic penalty payments.

Where breaches persist, authorities may deploy escalatory measures up to, and including, operational shutdowns of interfaces, which could generate severe business disruption.


Timeline and Entry into Force

The current draft is expected in late 2025. Under Article 36 of FIDA:

  • the bulk of the Regulation applies 24 months after its entry into force; and
  • provisions on Financial‑Data‑Sharing Schemes and authorization requirements for FISPs apply after 18 months.

Market participants therefore face a relatively short implementation window once FIDA is published in the Official Journal.


Lexify as Your Consultant

Lexify is among the first law firms to analyze FIDA’s legal and economic impact in depth. We are already moving on first ideas for drafting data‑sharing agreements for financial institutions and crypto‑asset datasets for Crypto Asset Service Providers, mapping authorization gaps, and designing permission‑dashboard solutions. Early engagement allows institutions to:

  1. identify whether they qualify as data holder, data user, or both;
  2. assess the need for an FISP licence;
  3. budget, spec, and tender the required technical interfaces; and
  4. align liability clauses and fee structures with Article 10.

Lexify stands ready to assist in all stages from gap analysis and policy drafting to supervisory dialogue and technical roll‑out.


[1] Directive 2014/65/EU.
