EU’s New Financial Data Space Proposal and DORA

– A call for extensive customer data sharing and enhanced cyber security in the financial sector

On 28 June 2023, the European Commission published a proposal for a regulation on a framework for Financial Data Access (“FIDA”) governing the access to and use of customer data. As part of the EU Digital Finance Strategy, FIDA is expected to lead to better-quality, user-centric financial services and new data-driven business models in the financial sector. As the financial data space evolves, novel interfaces, data sharing methods, and other innovative technologies may also bring new risks, particularly in cybersecurity. We recommend that stakeholders in the financial sector consider their role, potential responsibilities, and opportunities in light of the upcoming regulations.

Ambitious framework for financial customer data sharing

FIDA complements the existing financial data sharing legislation, such as the open banking provisions of PSD2 Directive 2015/2366 regulating access to payments account data, and goes far beyond them. FIDA also entails significant interplay with the horizontal framework for mandatory data sharing under the upcoming Data Act and the GDPR’s data protection rules.

Under FIDA, financial institutions (data holders) would be obliged to make available certain customer data to other financial institutions, authorised financial information service providers (“FISPs”) (data users) and to the customers, at the customer’s request.

Data holders should make the data available without undue delay, continuously, and in real-time. To achieve this, the new framework focuses on customers’ trust and control over their data, as well as on the technical and contractual means to carry out data sharing in a secure and efficient way. The data in question is personal and non-personal customer data divided into categories under FIDA, such as loans, savings, investments, crypto-assets, pensions, and non-life insurance products.

Some key features of FIDA in a nutshell

  • Dashboards. Data holders should share customer data with data users only for the purposes for which the customer has granted permission. To manage permissions, data holders should provide customers with real-time permission dashboards in the data holder’s user interface.
  • Financial Information Services Providers. FISPs are entities other than financial institutions that wish to provide financial information services as data users. “Financial information services” are not defined in the proposal. FIDA sets forth the conditions for becoming a FISP, including authorisation and operational requirements.
  • Compensation. A data holder may claim compensation from a data user for sharing the customer data if the data is shared in accordance with the rules of a Financial Data Sharing Scheme. For customers, the data should be made available free of charge.
  • Financial Data Sharing Schemes. All data holders and data users should be members of at least one Financial Data Sharing Scheme (“FDSS”). The FDSSs are meant to develop common data and technical standards as well as contractual frameworks (including liability) governing access to specific datasets within the FDSS.

FIDA is ambitious and open questions remain. Whereas PSD2 focused on payments account data, FIDA covers a wide range of customer data and financial institutions. The Open Finance Report of the Expert Group on European financial data space, which was used to develop FIDA, covered several use cases but still only scratches the surface compared to the scope of FIDA. Further, the European Data Protection Supervisor has raised concerns regarding the broadness of the definition of customer data under FIDA in its Opinion 38/2023 on 22 August 2023. It is also set forth in FIDA that sharing of customer data should respect the protection of confidential business data and trade secrets but the practical implementation of this is unclear. Moreover, FIDA seems to be based on an assumption that FDSSs could be based on existing market initiatives, thus requiring extensive co-operation on the market. However, the Commission also has the authority to create frameworks for FDSSs if needed.

FIDA’s application periods are rather optimistic. The provisions concerning FDSSs and authorisation requirements for FISPs would apply 18 months after FIDA enters into force, whereas other requirements would apply after 24 months.

Next, FIDA is subject to review in the Council and the Parliament, where the Committee on Economic and Monetary Affairs (ECON) is responsible for the file. The open finance framework has been one of the EU’s legislative priorities for 2023 and 2024, but it currently seems unlikely that the proposal will be finalized before the 2024 Parliament elections.

Digital operational resilience for open finance

As the EU advances its open finance framework, innovative technologies and products must align with robust financial regulation and operational risk management. This alignment supports sustainable technological development, which in turn fosters a secure financial environment, protects customers, and bolsters financial stability. Innovation and security need to be balanced so that technology and cybersecurity standards develop together rather than at each other’s expense.

While CER Directive 2022/2557 concerns the overall, primarily physical, resilience of critical entities, NIS2 Directive 2022/2555 plays a pivotal role in raising the level of cybersecurity and resilience across various critical sectors, and the Regulation (EU) 2022/2554 on digital operational resilience for the financial sector (“DORA”) brings cybersecurity and operational resilience legislation to the sector-specific level, taking into account the cybersecurity challenges and risk profile characteristic of financial services. It is essential to understand the distinctions between these legislative instruments when navigating the evolving regulatory landscape of fintech.

The widespread use of ICT services is reflected in intricate contractual arrangements. Prior to DORA, financial institutions frequently found it difficult to negotiate contracts aligned with their prudential standards and regulatory requirements. Enforcing certain contractual rights, such as access or audit rights, could also prove challenging. Furthermore, many contracts lacked robust provisions for monitoring subcontracting, limiting the ability of financial entities to assess the associated risks. DORA, published in the Official Journal of the European Union on 27 December 2022, introduced a comprehensive framework for enhancing the operational resilience of financial entities, explicitly addressing, inter alia, these challenges and the related third-party risks. The regulation lays down specific rules on ICT risk management, ICT-related incident reporting, digital operational resilience testing, and the management of ICT third-party risk. Notably, DORA acknowledges that ICT incidents and a lack of operational resilience at one link can imperil the stability of the entire supply chain.

Applying from 17 January 2025, DORA is a response to the escalating cyber threats faced by the financial sector. It obliges financial entities to prepare for, respond to, and recover from ICT-related disruptions and threats. DORA marks a substantial step forward in EU financial regulation, establishing a harmonized and comprehensive framework for managing digital operational resilience, safeguarding the stability of the financial sector, and enhancing consumer protection. A key question in establishing a standardized open finance ecosystem is the practical interaction between DORA and FIDA; the FIDA proposal would also amend DORA so that its scope covers FISPs in the future.

DORA and NIS2 represent crucial pillars in the evolving open finance framework, shaping the future of financial technology and cybersecurity standards.

As cybersecurity regulations evolve and are implemented, organizations should stay informed and adapt their cybersecurity practices to meet the requirements of DORA and the technical standards developed by the European Banking Authority, the European Securities and Markets Authority and the European Insurance and Occupational Pensions Authority. In addition to DORA, companies operating in the financial sector or forming part of its critical supply chain should be able to demonstrate compliance with NIS2 and the national instruments implementing it. Even where DORA does not apply, certain entities may be deemed essential or important entities under NIS2 and thus be subject to its obligations. Where DORA does apply, it takes precedence over NIS2 as the sector-specific act, but the ICT third-party service providers of a financial entity may still fall within the scope of NIS2 in their own right.

Article Series: Common European Data Spaces Being Developed in Strategic Economic Sectors
