Data Act and FiDA: An overview for financial institutions

Since 12 September 2025, the provisions of the Data Act (DA) have been binding on many companies in the EU. Companies in sectors such as manufacturing and the automotive industry are actively engaging with the new rules. Key focusses include access rights and data usage agreements (detailed information can be found in our booklet). For users and providers of cloud services, the spotlight is on the cloud switching requirements.

Based on our observations, the DA does not yet play a particularly significant role in the financial industry, even though it could provide financial institutions with access to interesting data. European legislator intend to further promote data sharing and an open finance strategy with the sector-specific Financial Data Access Regulation (FiDA).

The Data Act: overview and financial sector relevance

For financial institutions, the DA is particularly relevant in two areas:

• Access to data from connected products (IoT): The DA introduces new rights to access data generated by connected products and services (IoT), covering data on product performance, usage and environmental factors. Although financial institutions are rarely manufacturers or suppliers of such products, they can unlock significant business opportunities by leveraging customer data generated externally through IoT platforms and devices. This requires an agreement with the data holders.

• Cloud service switching: The DA establishes clear obligations for data processing service providers to eliminate switching barriers and support multi-cloud strategies. This applies to banks, insurers and investment firms using IaaS, PaaS, SaaS or AIaaS. Implementing a multi-cloud approach strengthens operational resilience according to DORA. Financial institutions should also assess whether they themselves offer data processing services ‒ in which case, they too must adhere to these new switching requirements.

Possible applications of the Data Act for financial institutions

In the insurance sector, connected products are already in use. One commonly encountered use case is telematics-based tariffs for car insurance. Beyond this, data access rights can also help the broader financial industry to enable new or optimised business models. The opening up of data from connected products made possible by the DA creates new possibilities for data-driven business models in the wider financial sector, such as:

• Data-based credit models: Using sensor or fleet data (e.g. from company vehicles) to assess credit repayment rates or agricultural sensor data to offer optimised lending in the agricultural sector
• Personalised financial offers: Development of personalised product packages (e.g. special credit cards with additional insurance based on travel abroad)

Data protection interfaces and compliance requirements (GDPR)

The GDPR remains fully applicable and takes precedence in the event of a conflict (Article 1(5) of the DA). Insofar as personal data is subject to data access rights, financial institutions (both data holders and data users) always require a valid legal basis under Article 6 (and, if applicable, Article 9) of the GDPR. This is typically the customer’s consent or, in specific cases, a legitimate interest following a balancing of interests.

Outlook for the Financial Data Access Regulation (FiDA)

The FiDA Regulation complements the horizontal Data Act within the financial sector and serves as a sector-specific legal framework for open finance.

• Objective: To create a European financial data space to promote innovation, competition increased customer centricity
• Data affected: Customer data except for payment accounts: but including mortgages, loans, savings and investments in financial instruments; insurance investment products; crypto assets; non-life insurance products (with exceptions, e.g. life and health insurance).
• Affected parties:
  • Data holder (e.g. banks, insurers, investment firms, credit rating agencies, crypto service providers).
  • Data users (other financial institutions or, newly, financial services information providers (FISPs)). FISPs require their own authorisation and are designed to consolidate data and provide value-added services (e.g. financial cockpits, automated advice).
• Key content & responsibilities:
  • Customer control: Data may only be shared with the customer’s express permission.
  • Dashboard requirement: Data holders must provide dashboards (Article 8 of the draft FiDA) for real-time monitoring and management of data sharing.
  • Technical standards: Data must be provided immediately, continuously and in real time via standardised APIs.
  • Governance: Participation in Financial Data Sharing Schemes (FDSS) that set standards, liability rules and remuneration.

The Regulation (as a directly applicable legal act) entered the legislative process in June 2023. The trilogue negotiations began in April 2025. Adoption is expected in the first half of 2026. The draft provides for phased transitional periods for the implementation of the FiDA provisions. FiDA will then become fully applicable 24 months after it enters into force.

Conclusion

Both the DA and FiDA require financial institutions to make significant investments in IT infrastructure and governance. For this reason, there has been considerable criticism of FiDA within the financial sector. The Regulation effectively compels the sector to digitalise while imposing high standards on data quality and the technical feasibility of real-time data provision. Early strategic positioning (as either a data holder or data user) and active involvement in Financial Data Sharing Schemes (FDSS) are vital for managing costs and leveraging competitive advantages. After all, both FiDA and the Data Act enable financial institutions to access new areas of growth.

You can always find the latest developments in data law in our Data Law Tracker. Information about our Data, Tech and Telecoms practice group can be found here.