FiDA stands for Financial Data Access and represents the next step in Europe’s transition from open bankingto a broadly applicable framework for open finance. Whereas PSD2 (and PSD3) focuses mainly on access to payment account data, FiDA extends across virtually the entire financial spectrum: loans, savings, investments, insurance, mortgages, pensions, and even crypto-assets.
The core principle is that citizens and businesses are the owners of their financial data and may share it with third parties only with explicit consent. This should enable the creation of new services that stimulate innovation, competition, and tailored solutions, while giving consumers more control and choice.
Yet this vision is under strain. Financial data is inherently sensitive, the stakes are high, and both political caution and corporate resistance are mounting. In this context, working on FiDA requires a delicate balance: firm rules where necessary, but velvet hands to avoid stifling what should be allowed to flourish.
Regulatory pressure and national caution
One of the greatest tensions surrounding FiDA stems from fears of excessive regulatory pressure. Several member states—most notably France, Germany, and the Netherlands—have indicated they are cautious about the scope of the regulation. They fear that an overly broad FiDA framework would impose high compliance costs on financial institutions, particularly for smaller players. Moreover, there are too few visible market opportunities at this stage.
This political caution has led to limitations in the scope of the proposal. In the non-paper (which are informal diplomatic documents used in legislative processes) of 16 May 2025, it was proposed to:
- Exclude data older than ten years and data from terminated contracts from mandatory access.
- Limit the scope to natural persons and small and medium sized enterprises (SMEs), with large enterprises explicitly excluded. This was already the practice, but the non-paper closed off any ambiguity that might have left room for broader interpretation.
While such limitations make implementation easier, they also reduce FiDA’s innovation potential. Important datasets drop out of view, which could mean fewer opportunities for new players—fintechs, insurers, but also data-driven SMEs—to develop new services. For example:
- Credit history providers can’t build long-term risk models (e.g. 20–30 year mortgage default patterns).
- Insurtechs miss access to historical claims data, limiting their ability to model rare but high-impact risks.
- SMEs offering AI models for forecasting or detecting financial fraud lose the ability to train on deep datasets that reveal long-term trends.
- Green finance firms can’t analyze decades-long energy usage or investment patterns to evaluate sustainability.
France has stepped up diplomatic pressure, driven by fears that FiDA could become a “Trojan horse” for Big Tech: a framework presented as empowering citizens, SMEs, and fintechs might in practice open the backdoor for global tech giants to penetrate and dominate Europe’s financial services market. Germany and the Netherlands partly share this concern, though in the Dutch case the emphasis is equally on curbing regulatory burdens for banks and supervisors.
Ethics and privacy: the moral compass
Financial data is inherently sensitive. Sharing it directly affects personal privacy, financial vulnerability, and, in some cases, even the physical safety of citizens. That is why ethics and privacy are high on the agenda in shaping FiDA.
In their joint position paper, Dutch central bank (DNB) and Dutch Authority for the Financial Markets (AFM) stress that robust and clear policy is necessary to ensure a level playing field in this area. Data sharing should only take place:
- With the explicit, informed consent of the customer.
- With clear agreements on purpose limitation and data minimisation.
- With safeguards against misuse or unwanted profiling.
The supervisors point out that without strong consumer trust, FiDA has no chance of success. And trust comes not only from legislation, but also from technological safeguards that structurally protect privacy.
The blunt axe: exclusion of Big Tech
Another point of tension is the treatment of large technology companies. Under the current proposals, so-called “gatekeepers” (as defined in the Digital Markets Act) are excluded from obtaining a FISP (Financial Information Service Provider) licence.
This exclusion is a direct outgrowth of the Trojan horse concerns: policymakers fear that if gatekeepers gained a foothold, they could leverage their scale and data dominance to crowd out European players. Yet the tool chosen has been described by critics as a blunt axe—effective in blocking Big Tech, but also harmful to innovation and consumer choice.
The Computer & Communications Industry Association CCIA Europe stated in a letter to the European Commission that this exclusion:
- Is not proportionally justified.
- Needlessly hinders innovation.
- Deprives consumers of the right to choose which service provider may access their data.
While protection against market dominance is legitimate, the question arises whether a blanket exclusion is the right tool—especially in a market that benefits from a broad and diverse range of services.
Privacy Enhancing Technologies as the foundation for velvet hands
An important tool for easing the tension between innovation and privacy is the use of Privacy Enhancing Technologies (PETs).
PETs are technologies that make it possible to process or analyse data without unnecessarily revealing the underlying, identifiable information. Examples include:
- Homomorphic encryption – performing calculations on encrypted data without first decrypting it.
- Secure Multi-Party Computation (SMPC) – performing joint calculations where no party sees all the data.
- Differential privacy – adding controlled ‘noise’ to datasets so individuals cannot be traced.
- Federated learning – training AI models locally on data at the source, without moving the data itself.
PETs make it possible to deliver on FiDA’s core promise—data-driven innovation with respect for privacy. They help to:
- Share only strictly necessary data (data minimisation).
- Generate insights without exposing raw data.
- Translate GDPR principles into practical, technical solutions.
In the view of the Dutch central bank (DNB) and Dutch Authority for the Financial Markets (AFM), PETs should be mandatory to consider when implementing FiDA, especially in scenarios where highly sensitive data such as pension or credit information is shared.
Where laws and regulations create the hard boundaries, PETs are the velvet building blocks: they mitigate risks, increase consumer trust, and give developers the freedom to remain creative and competitive.
The balance between ambition and caution
The metaphor of the velvet hands stands for a development approach that does justice to FiDA’s complexity. It means:
- Maintaining ambition in expanding data access, innovation, and competition.
- Exercising caution in dealing with sensitive data and market power.
- Building flexibility to embrace future innovations without creating structural privacy or security risks.
In practice, this will require ongoing dialogue between policymakers, supervisors, market players, consumer organisations, and technology providers.
2025 as a pivotal year
FiDA is at a crucial stage. The trilogues between the Commission, Council, and Parliament are set to produce a final legislative proposal in 2025. The non-paper of May has already influenced the course, but many decisions are yet to be made.
The outcome will determine whether FiDA becomes a powerful instrument for open finance, or a cautious compromise that mainly preserves existing structures.
In the coming period, we will continue to closely monitor the developments and keep you informed via our website and our monthly newsletter. You can sign up for our newsletter here: