EU’s New Financial Data Space Proposal and DORA

– A call for extensive customer data sharing and enhanced cyber security in the financial sector

On 28 June 2023, the European Commission published a proposal for a regulation on a framework for Financial Data Access (“FIDA”) for the access and use of customer data. As part of the EU Digital Finance Strategy, FIDA is expected to lead to better-quality, user-centric financial services and new data-driven business models in the financial sector. As the financial data space evolves, the emergence of novel interfaces, data sharing methods, and other innovative technologies may also bring new risks, particularly in the realm of cybersecurity. We recommend that stakeholders in the financial sector consider their role and their potential responsibilities and opportunities in light of the upcoming regulations.

Ambitious framework for financial customer data sharing

FIDA complements the existing financial data sharing legislation, such as the open banking provisions of PSD2 Directive 2015/2366 regulating access to payments account data, and goes far beyond them. FIDA also entails significant interplay with the horizontal framework for mandatory data sharing under the upcoming Data Act and the GDPR’s data protection rules.

Under FIDA, financial institutions (data holders) would be obliged to make certain customer data available, at the customer’s request, to other financial institutions and authorised financial information service providers (“FISPs”), together referred to as data users, and to the customers themselves.

Data holders should make the data available without undue delay, continuously, and in real time. To achieve this, the new framework focuses on customers’ trust and control over their data, as well as on the technical and contractual means to carry out data sharing in a secure and efficient way. The data in question is personal and non-personal customer data divided into categories under FIDA, such as loans, savings, investments, crypto-assets, pensions, and non-life insurance products.

Some key features of FIDA in a nutshell

  • Dashboards. Data holders should share customer data to data users only for the purposes for which the customer has granted permission. To manage permissions, data holders should provide the customers with real-time permission dashboards in the data holder’s user interface.
  • Financial Information Services Providers. FISPs are entities other than financial institutions that wish to provide financial information services as data users. “Financial information services” are not defined in the proposal. FIDA sets forth the conditions for becoming a FISP, including authorisation and operational requirements.
  • Compensation. A data holder may claim compensation from a data user for sharing the customer data if the data is shared in accordance with the rules of a Financial Data Sharing Scheme. For customers, the data should be made available free of charge.
  • Financial Data Sharing Schemes. All data holders and data users should be members of at least one Financial Data Sharing Scheme (“FDSS”). The FDSSs are meant to develop common data and technical standards as well as contractual frameworks (including liability) governing access to specific datasets within the FDSS.

FIDA is ambitious and open questions remain. Whereas PSD2 focused on payments account data, FIDA covers a wide range of customer data and financial institutions. The Open Finance Report of the Expert Group on European financial data space, which was used to develop FIDA, covered several use cases but still only scratches the surface compared to the scope of FIDA. Further, the European Data Protection Supervisor raised concerns regarding the broadness of the definition of customer data under FIDA in its Opinion 38/2023 of 22 August 2023. FIDA also sets forth that the sharing of customer data should respect the protection of confidential business data and trade secrets, but the practical implementation of this is unclear. Moreover, FIDA seems to assume that FDSSs could build on existing market initiatives, which would require extensive co-operation on the market. However, the Commission also has the authority to create frameworks for FDSSs if needed.

FIDA’s application periods are rather optimistic. The provisions concerning FDSSs and authorisation requirements for FISPs would apply 18 months after FIDA enters into force, whereas other requirements would apply after 24 months.

Next, FIDA is subject to review in the Council and the Parliament, where the Committee on Economic and Monetary Affairs (ECON) is responsible for the file. The open finance framework has been one of the EU’s legislative priorities for 2023 and 2024, but it currently seems unlikely that the proposal will be finalized prior to the 2024 Parliament elections.

Digital operational resilience for open finance

As the EU continues to advance its open finance framework, it is imperative to ensure that innovative technologies and products align with robust financial regulation and operational risk management. This alignment is crucial to nurturing sustainable technological development, which, in turn, fosters a secure financial environment, prioritizes customer protection, and bolsters financial stability. In the era of technological advancement, it is essential to strike a balance between innovation and security, where technology and cybersecurity standards coalesce symbiotically.

While the CER Directive 2022/2557 concerns overall digital and physical resilience and the NIS2 Directive 2022/2555 plays a pivotal role in deepening the evaluation of cybersecurity and resilience across various critical sectors, Regulation (EU) 2022/2554 on digital operational resilience for the financial sector (“DORA”) brings cybersecurity and operational resilience legislation to the sector-specific level, taking into account the cybersecurity challenges and risk profile characteristic of financial services. It is essential to understand the distinctions between these legislative instruments while navigating the evolving regulatory landscape of fintech.

The widespread utilization of ICT services is evident in increasingly intricate contractual arrangements. Prior to DORA, financial institutions frequently encountered challenges in negotiating contracts aligned with their prudential standards and regulatory requirements. Enforcing certain rights, such as the access or audit rights specified in these agreements, could also prove challenging. Furthermore, many contracts lacked robust provisions for effectively monitoring subcontracting, limiting the ability of financial entities to assess the associated risks. DORA, adopted on 27 December 2022, introduced a comprehensive framework for enhancing the operational resilience of financial entities, explicitly addressing, inter alia, the aforementioned challenges and related third-party risks. The regulation mandates specific rules governing ICT risk management, incident reporting, operational resilience testing, and ICT third-party risk monitoring. Notably, DORA acknowledges that ICT incidents and a lack of operational resilience can imperil the stability of the entire supply chain.

Taking effect on 17 January 2025, DORA is a response to the escalating cyber threats faced by the financial sector. It obliges financial entities to prepare for, respond to, and recover from various ICT-related disruptions and threats. Ultimately, DORA marks a substantial leap forward in EU financial regulation, establishing a harmonized and comprehensive framework for managing digital operational resilience, safeguarding the financial sector’s stability, and enhancing consumer protection. A key question in the efforts to establish a standardized open finance ecosystem is the practical interaction between DORA and FIDA, which also expands the scope of DORA to cover FISPs in the future.

DORA and NIS2 represent crucial pillars in the evolving open finance framework, shaping the future of financial technology and cybersecurity standards.

As the cybersecurity regulations evolve and are implemented, organizations should stay informed and adapt their cybersecurity practices to meet the requirements of DORA and the technical standards issued by the European Banking Authority, the European Securities and Markets Authority and the European Insurance and Occupational Pensions Authority. In addition to DORA, companies operating in the financial sector or forming part of the respective critical supply chain should be able to demonstrate compliance with NIS2 and its national implementing instruments. Even if DORA does not apply, certain entities may be deemed critical entities under NIS2 and thus become subject to the obligations thereunder.


Article Series: Common European Data Spaces Being Developed in Strategic Economic Sectors
