The EU Data Act: What It Means Now for the Fintech Industry
The EU Data Act became legally binding on September 12, 2025, fundamentally shifting the power balance in the digital economy. Its goal is to make industrial, client, and trading data more accessible, eliminate proprietary vendor "lock-ins," and ensure contract fairness.
- Data Access: Brokers must provide client and trading data in structured, machine-readable formats upon request.
- Vendor Lock-In Ends: Cloud and SaaS providers must remove technical and contractual barriers to allow firms to switch services easily.
- Stronger Rights: Smaller fintechs and brokers can now challenge unfair "take-it-or-leave-it" contract terms imposed by large infrastructure providers.
- Compliance Risk: Failing to enable data portability or ignoring access requests exposes vendors (now "data holders") to penalties.
- Strategic Upside: Firms that adapt can secure stronger negotiating positions with providers and build greater client trust through transparency and data access.
Regulation Overview
The EU Data Act is now in effect. Although it was published at the end of 2023 and formally entered into force in January 2024, the real impact began on 12 September 2025, when most of its obligations started to apply.
The Act is a key part of the EU’s broader data strategy. Its goals are to increase access to industrial and service-generated data, prevent unfair lock-ins, and create a fairer balance between large providers and smaller businesses.
For retail brokers, CFD/FX platforms, fintech firms, and their vendors, the changes are already shaping the way data, contracts, and cloud services are managed.
Like the AI Act earlier this year, the Data Act signals a shift from preparation to enforcement.
Who Does it Apply to?
| The scope is broad, but the most relevant groups in trading and fintech are: | |
|---|---|
| ✅ | Brokers & Trading Platforms – generating and relying on client, transaction, and risk data. |
| ✅ | Fintechs & Payment Providers – heavily dependent on data flows and cloud infrastructures. |
| ✅ | Technology Vendors & SaaS Providers – legally obliged to design interoperable, “data-accessible” systems. |
| ✅ | Cloud & Data Processing Services – required to support switching and prevent unlawful foreign access. |
Since September 2025, the EU Data Act has been reshaping how trading and fintech firms manage the data they produce and depend on. Brokers and platforms now have to make client, trading, and onboarding data accessible and shareable when requested. Fintechs and payment providers gain broader rights to use third-party data, but they also need to be ready to open up their own. Technology vendors must design systems that support portability and interoperability, ending the era of “closed box” platforms. Cloud providers, in turn, are required to remove contractual and technical barriers so firms can switch services more easily.
If you handle, process, or rely on client or trading data in the EU, the Act applies to you.
September 2025: What Changed
From mid-September, several rules became directly enforceable:
- Data access rights: Users, including brokers, can now access and share the data they co-generate. Vendors must provide it in structured, machine-readable formats.
- Contract fairness: Unilateral “take-it-or-leave-it” clauses are prohibited. Smaller brokers and fintechs can challenge terms imposed by large infrastructure or liquidity providers.
- Cloud switching: Providers must remove barriers that stop customers moving their services. This applies to SaaS, PaaS, and infrastructure systems.
- Public authority requests: In exceptional cases such as crises, regulators or governments may request access to privately held data, including financial flow information.
- Trade secrets & security: Sensitive data can be shared only if confidentiality is safeguarded. Data holders may refuse requests if they risk serious harm.
What’s Coming Next, Timeline of Obligations
| 12 September 2025 Core obligations live: data access rights, contract fairness, cloud switching, public authority requests, safeguards for trade secrets. | |
| 12 September 2026 Design and manufacture rules apply: new connected products and services (including trading apps/platforms) must be "data access by default." | |
| 12 September 2027 Unfair contract term protections expand to older agreements signed before September 2025. | |
| 2028+ Possible sector-specific rules; financial services likely among the first to see additional obligations. |
Technology Vendors (B2B Providers)
Risks & Challenges: | |
| ❌ | Vendors are now considered “data holders” with legal duties; failing to provide machine-readable data exports or to ensure interoperability exposes you to non-compliance. |
| ❌ | Clients will increasingly demand compliance documentation in contracts; failing to provide it could cost business. |
| ❌ | The risk of losing customers to competitors who market themselves as “Data Act ready” is real. |
Opportunities & Immediate Moves: | |
| ✅ | Building a compliance toolkit into your products can turn regulation into a selling point. |
| ✅ | Offering simple, secure APIs for data portability strengthens client loyalty. |
| ✅ | Early adaptation reduces the risk of rushed, costly system overhauls later. |
Fintech & Payment Firms
Risks & Challenges: | |
| ❌ | Many fintechs operate under contracts heavily tilted in favour of large partners; these may now be challengeable but also expose firms to legal uncertainty in the short term. |
| ❌ | Integrating new data streams raises questions about GDPR alignment, especially when personal and non-personal data are mixed. |
| ❌ | Smaller players may face resource pressure to redesign governance frameworks quickly. |
Opportunities & Immediate Moves: | |
| ✅ | The Data Act explicitly protects smaller firms from unfair contractual terms, giving SMEs more legal leverage. |
| ✅ | New access to datasets from connected services enables innovative compliance tools, trading analytics, and risk models. |
| ✅ | Aligning Data Act obligations with AI Act and GDPR processes creates efficiency and a competitive advantage in regulatory readiness. |
Expert Opinions
John Murillo Chief Business Officer of B2BROKER
The strategic implications of this are significant and immediate. Firms cannot afford to treat this as a back-burner compliance issue. The time to act is now. The most critical first step is to update cloud contracts and architectural blueprints to be ‘exit-ready.’ This means negotiating clear terms for data portability, establishing firm timelines for migration, and testing these processes proactively.
Furthermore, fintechs and trading platforms must either eliminate or significantly cap their switching fees in line with the transitional rules and build out open interfaces to ensure interoperability. For those using smart contracts, the time is up to build in more efficient access controls, as well as detailed logging tools, and, most importantly, a ‘kill-switch’ to safely interrupt or terminate data-sharing flows in the event of an unlawful access request. This is about more than just compliance; it’s about building a more resilient, antifragile technology stack.
Starting today, the EU Data Act resets the default from closed to shareable. I believe for fintech and trading, three shifts matter most: first, enforceable user/business access to data from connected products and related services, with the right to share it with third parties under safeguards; second, B2B fairness that voids one-sided data clauses; and third, hard obligations for cloud/data processing services to enable switching, maximum two months’ notice, 30-day migration, and egress fees eliminated by Jan 12, 2027, which materially weakens vendor lock-in and pushes the market toward API first, interoperable stacks. This means: expect faster provider churn and competition on service quality, and not to be locked in by hyperscalers.
Practically speaking, CFD/FX brokers and fintechs gain leverage over trading stack vendors and hyperscalers; technology providers now must expose interoperable APIs, support functional equivalence on IaaS switching, and implement safeguards against foreign government access to EU-hosted non-personal data, while penalties are set nationally (e.g., the Netherlands proposes up to 10% of EU turnover). My recommendation for business is to ask them to map data flows; build access by design exports (machine-readable trading history, configurations, logs); re-paper vendor and client contracts to reflect switching timelines and fair terms; align with GDPR for personal data sharing and trade secret protections; and run migration drills. Non-EU providers serving EU clients are in scope; I believe the winning companies will be the ones that reduce friction to make portability effortless and ride the next wave of open finance.
Adnan Masood Chief AI Architect at UST, Microsoft Regional Director
Scenarios to Watch
- loud migration: A broker wants to move its CRM from a US-based SaaS to an EU provider. The provider must now enable this at reasonable cost and within a set timeframe.
- Regulatory request: During a stress event, authorities ask for aggregated trading data. Brokers must comply if the request is proportionate.
- Unfair terms: A payments fintech faces liability-heavy contract terms. Post-September 2025, such clauses can be struck down.
Why October 2025 is a Turning Point
Autumn 2025 marks a turning point. Firms are no longer preparing for the Data Act, they are already operating under it. Brokers and fintechs now hold stronger rights in their relationships with infrastructure and SaaS providers, while technology vendors face new requirements on transparency and interoperability.
The shift brings fresh compliance risks. Ignoring data access requests, holding on to outdated contracts, or depending on vendor lock-ins is no longer an option. At the same time, firms that adapt stand to gain: stronger negotiating positions, lower costs, and greater client trust by showing themselves as transparent and forward-looking.
Key Takeaways
It’s live now: Since September 2025, brokers, fintechs, and vendors are already subject to obligations.
- Stronger rights: Smaller firms can challenge unfair contract terms and switch cloud providers more easily.
- New risks: Mishandling data access requests or ignoring regulator demands could trigger disputes or penalties.
- Vendors under pressure: Trading tech and SaaS providers must enable interoperability and machine-readable data exports.
- Strategic upside: Early adopters can cut costs, negotiate better terms, and use transparency as a client trust tool.