Data Act in the financial sector: new opportunities and obligations

The European data economy is undergoing radical change, with two new sets of regulations intended to provide greater clarity and opportunities in data handling. Data is a key economic factor. Through the Data Act and the FiDA Regulation, the EU intends to expand access to and use of data significantly in order to promote data flow, boost innovation and establish a unified European data space, particularly within the financial sector.

Which companies in the financial sector will be particularly affected by the Data Act?

The scope of the Data Act is not sector- or industry-specific. In order to answer this question, it must first be clarified who the Data Act is aimed at. It is primarily aimed at manufacturers of connected products and providers of related services, as well as their users.

Data owners

Furthermore, so-called data owners (who are not necessarily manufacturers) and providers of data processing services are also covered. Therefore, whether a company is affected by the Data Act does not depend on the sector or industry in which it operates, but must be assessed on a case-by-case basis according to the products and services it offers and distributes.

Registered office

The registered office of the company is irrelevant; the market location principle applies. Users of a product or service can be either natural or legal persons, e.g. consumers or companies that own the product or use the service.

Manufacturers

In practice, financial and insurance companies are unlikely to be considered manufacturers of connected products. This is because, to be considered a manufacturer, they would have to place such a product — i.e. an item that obtains or generates data through its use — on the EU market. Financial institutions (banks) and financial service providers offering connected services, such as banking apps, are more likely to fall under the Data Act.

Data processing services

Financial and insurance companies may also be classified as data processing service providers if they offer services or applications such as software as a service (SaaS). These could be SaaS applications for financial transactions or banking, or for managing or concluding insurance contracts, for example.

Data recipients

The Data Act also becomes relevant for financial and insurance companies if they can be classified as data recipients. In short, a data recipient is a natural or legal person acting for professional or commercial purposes who receives data from the data controller at the user's request. In this case, the data recipient and data controller must conclude a contract regarding the modalities of data provision and consideration, for example.

Common European data spaces

Another important application of the Data Act in the financial and insurance sectors is set out in Articles 33 to 36. These articles set out the key requirements for data interoperability and the establishment of common European data spaces. The FiDA Regulation is also included in these European data spaces. Financial companies falling within the scope of the FiDA Regulation and participating in the common European financial data space must comply with these regulations.

What does the FiDA Regulation cover?

The FiDA Regulation establishes rules regarding access to, disclosure of, and use of certain categories of customer data within the financial services context. It sets out specific obligations and modalities for the use and disclosure of financial data. It also specifies the extent to which data may be used.

Additionally, the Regulation sets out requirements for systems that facilitate the exchange of financial data between data owners and users.

When should affected companies take action?

The Data Act came into force on 11 January 2024. After a 20-month transition period, the Data Act will mostly become directly applicable from 12 September 2025.

The FiDA Regulation has not yet entered into force. However, it is expected to be enacted in 2025 and to become directly applicable 24 months later.

What requirements and opportunities does the Data Act introduce for the financial sector?

Information obligations for providers of ancillary services

If a financial or insurance company provides an ancillary service, it must comply with extensive information obligations towards users.

For example, it must provide information about the type, scope and frequency of data collected or processed in connection with the service (Art. 3(3) Data Act). Users must also be granted access to the data collected upon request (Art. 4 Data Act).

Restrictions for data recipients and prohibition of profiling

When data recipients receive data at the request of users, they may only process it for the agreed purposes and under the agreed conditions. This processing must comply with applicable EU and national data protection laws, including the rights of data subjects (Art. 6 Data Act).

Data recipients are also prohibited from profiling (Art. 22 GDPR), unless this is necessary to provide the requested services.

Facilitating switching between data processing services

Financial and insurance companies that distribute software as a service (SaaS) applications and are considered data processing services must enable a smooth switch to another provider, both contractually and technically (Art. 23, 25 and 30 Data Act).

The contracts governing such switching must contain at least the content listed in Art. 25(2) of the Data Act. These mandatory clauses are intended to enable non-discriminatory and straightforward switching. From a technical perspective, Art. 30 of the Data Act requires that switching be enabled via an interface (API), for example.

Interoperability requirements in the financial data space

Financial and insurance companies participating in the common European financial data space (FiDA Regulation) must ensure interoperability. This means that different systems, networked products or applications must be able to exchange and use data.

This includes, for example:

  • data set contents
  • restrictions on use
  • licences
  • data collection methods
  • data quality and
  • uncertainties

All of these must be described in sufficient detail to enable the recipient to find, access and use the data.

In addition, the necessary technical measures must be taken to enable interoperability from a technical perspective in the first place, such as providing interfaces and transmitting data in a machine-readable format.

Opportunities for the financial sector offered by the Data Act

The Data Act offers many opportunities for companies in the financial and insurance sectors. The greatest opportunity lies in the Data Act's objective of harmonising and simplifying data flow and use within the EU, as well as creating a legally secure framework.

This will strengthen data exchange across industries and sectors. With its new obligations, the Data Act aims to cover a wide range of stakeholders, from manufacturers of connected products to public authorities. This gives financial and insurance companies the opportunity to process data that was previously difficult or impossible to access.

What do companies and organisations affected by the Data Act need to do?

Those affected by the Data Act should already be analysing whether they fall within its scope, and if so, how.

For instance, they should determine whether they offer products or services that can be categorised as connected products, connected services, or data processing services.

This will enable the company to assess the scope of its future rights and obligations under the Data Act, and take the necessary steps to meet the requirements.

As companies in the financial and insurance sectors primarily fall within the scope of the Data Act because of their status as data recipients, particular attention should be paid to how transmission channels are structured.

How we can support you with the Data Act in the financial sector

  • Legal advice: We assess your company's implementation requirements and develop bespoke solutions for your specific challenges.
  • Contract drafting and adaptation: Our experts will support you in drafting and adapting legally compliant contracts, ensuring that your interests are represented in the best possible way.
  • Compliance and data protection management: We ensure that your data processes meet the requirements of the Data Act by providing a bespoke compliance concept. We can also help you implement measures to protect sensitive data.
  • Training courses and workshops: Our training courses and workshops raise awareness among your employees, ensuring the successful implementation of the Data Act throughout your company.
