Explanatory Memorandum to COM(2023)360 - Framework for Financial Data Access

dossier COM(2023)360 - Framework for Financial Data Access.
source COM(2023)360
date 28-06-2023


1. CONTEXT OF THE PROPOSAL

Reasons for and objectives of the proposal

To be successful in a data-driven economy that works for the people and businesses, Europe must strike a balance between the flow and wide use of data and preserving high privacy, security, safety and ethical standards. In the communication on a European strategy for data,1 the Commission set out how the EU should create an attractive policy environment so that, by 2030, its share of the data economy at least corresponds to its economic weight.

In finance, the Commission identified the promotion of data-driven finance as one of the priorities in its 2020 digital finance strategy2 and announced its intention to put forward a legislative proposal on a framework for financial data access. The 2021 Communication on a Capital Markets Union3 confirmed the Commission’s ambition to accelerate its work on promoting data-driven financial services. It announced the establishment of the Expert Group on the European Financial Data Space to provide input on a first set of use cases. More recently, Commission President von der Leyen confirmed in her 2022 State of the Union letter of intent that data access in financial services is among the key new initiatives for 2023.

Customers of the EU financial sector currently cannot efficiently control access and sharing of their data beyond payment accounts. Data users, i.e. firms that want to access customer data to provide innovative services, have problems accessing data held by data holders, i.e. financial institutions that collect, store and process that customer data. As a result, even where customers so wish, they do not have widespread access to data-driven financial services and financial products. A set of inter-related problems explains the limited access to data. First, in the absence of rules and tools to manage data sharing permissions, customers do not trust that potential risks of sharing data are addressed. Therefore, they are often reluctant to share their data. Second, even if they want to share data, the rules governing such sharing are either absent or unclear. As a result, data holders such as credit institutions, insurers and other financial institutions holding customer data are not always required to enable the access of data users, for example FinTech companies, i.e. companies using technology to support or provide financial services, or financial institutions that provide financial services and develop financial products on the basis of data sharing, to their data. Third, data sharing is made more costly as both the data itself and the technical infrastructure are not standardised and therefore differ significantly.

This proposal aims to address these problems by enabling consumers and firms to better control access to their financial data. This would make it possible for consumers and firms to benefit from financial products and services that are tailored to their needs based on the data that is relevant to them, while avoiding the inherent risks.

The general objective of this proposal is to improve economic outcomes for financial services customers (consumers and businesses) and financial sector firms by promoting digital transformation and speeding up the adoption of data-driven business models in the EU financial sector. Once achieved, consumers who want to do so would be able to access personalised, data-driven products and services that may better fit their specific needs. Firms, notably SMEs, would enjoy wider access to financial products and services. Financial institutions would be able to take full advantage of digital transformation trends, while third-party service providers would enjoy new business opportunities in data-driven innovation. Consumers and firms will be given access to their financial data to enable data users to provide tailored financial products and services that better suit customers’ and firms’ needs.

The proposal does not entail administrative cost savings, as it is new legislation that does not amend previous EU rules. For the same reason, this is also not an initiative included under the Commission’s regulatory fitness and performance programme (REFIT), which aims to ensure that EU laws deliver on their objectives at a minimum cost for the benefit of citizens and businesses.

Consistency with existing policy provisions in the policy area

This proposal builds on the revised Payment Services Directive (PSD2), which enabled the sharing of payments account data (‘open banking’). This proposal enables the sharing of a broader set of financial services data and sets the rules according to which the sharing of the data is going to be achieved. It also sets out the rules applicable to the market participants who will engage in this activity.

Consistency with other Union policies

This proposal respects the General Data Protection Regulation (GDPR) which sets the general rules on the processing of personal data related to a data subject and ensures the protection of personal data as well as the free movement of personal data.

This proposal also is a sectoral building block that fits into the broader European strategy for data and enables data sharing within the financial sector and with other sectors. It is based upon the key principles for data access and processing set out in the Commission’s cross-sectoral initiatives. The Data Governance Act focuses on increasing trust in data sharing and improving seamless interconnection (‘interoperability’) between data spaces and creating a framework for data intermediation service providers. Another cross-sectoral initiative is the Digital Markets Act which establishes a number of data related obligations to tackle the power of gatekeeper platforms and ensure contestability in the digital markets by, for example, allowing financial institutions on behalf of their customers or when using gatekeeper core platform services to access data held by gatekeepers. Yet another cross-sectoral initiative is the proposal for a Data Act4 that would establish new data access rights for the Internet of Things (IoT) data – i.e. the data that products obtain, generate or collect concerning their performance, use or environment – for both product users and providers of related services. It also establishes generally applicable obligations for data holders, which are required to make data available to data recipients under EU law or national legislation adopted in line with EU law.

This proposal also complements the EU retail investment strategy5. It will support its objective to improve the functioning of the retail investor protection framework by providing safeguards in the use of retail investor data in financial services. Moreover, it ensures compliance with the rules on cybersecurity and operational resilience in the financial sector, as set out in the Digital Operational Resilience Act that entered into force on 16 January 2023.

2. LEGAL BASIS, SUBSIDIARITY AND PROPORTIONALITY

Legal basis

The Treaty on the Functioning of the European Union (TFEU) confers on the EU institutions the power to set rules on Member States’ approximation of laws that have as their objective the establishment and functioning of the internal market (Article 114 TFEU). This includes the power to enact EU legislation to approximate requirements on the increasingly important use of data for financial institutions, as financial institutions active across borders would otherwise face diverging national requirements, rendering cross-border activity more costly. Creating common rules for data sharing in the financial sector will contribute to the functioning of the internal market. Common rules will ensure a harmonised regulatory framework on financial data governance, in line with the European strategy for data. These results will best be achieved by adopting a Regulation, which is directly applicable in Member States.

Subsidiarity (for non-exclusive competence)

The data economy is an integral part of the internal market. Data flows form a core part of digital activities, and they mirror existing supply chains and collaborations between firms and consumers. Any initiative aiming to organise such data flows must apply to the internal market as a whole. As data holders are generally licensed financial institutions subject to a broad and detailed set of rules largely set out in directly applicable regulations and supervisory arrangements for which convergence is ensured at EU level, action at EU level is needed to set common conditions and preserve a level playing field among financial institutions to safeguard market integrity, consumer protection and financial stability. Another reason for action at EU level is the high level of integration in the financial sector. Financial institutions also conduct significant cross-border activity.

The problems described in the impact assessment accompanying this proposal are common for all EU Member States. Regulating financial services is a power shared between the EU and its Member States. These problems cannot be solved by Member States acting alone, given that the holders and potential users of customer data in finance often operate across several Member States. Therefore, a customer may have data held by financial institutions in different Member States. To improve trust and allow the integrated use of those data all these financial institutions would need to be governed by the same legal framework and the same technical standards. Individual national rules would result in overlapping requirements and disproportionately high compliance costs for firms without being the most beneficial to firms and consumers.

Proportionality

In line with the principle of proportionality, the proposal does not go beyond what is necessary to achieve its objectives. It only covers the aspects where the administrative burden and costs are proportionate to the objectives to be achieved. For example, proportionality is carefully designed in terms of scope and stringency. It is underpinned by qualitative and quantitative assessment criteria to ensure that the new rules will have a broad effect. Annex 5 to the accompanying impact assessment explains how proportionality has guided the selection of data sets. Annex 8 to the accompanying impact assessment explains the measures taken to ensure a proportionate impact on SMEs.

Choice of the instrument

This proposal should take the form of a regulation, which is directly applicable in all Member States. This is to ensure that common rules apply across all Member States on the conditions for access to and handling of financial services customer data.

3. RESULTS OF EX-POST EVALUATIONS, STAKEHOLDER CONSULTATIONS AND IMPACT ASSESSMENTS

Ex-post evaluations/fitness checks of existing legislation

This new proposal does not rely on any existing legislation. It builds on the open banking regime set up in Directive (EU) 2015/2366 but creates a new data access right for sets of data not previously covered by any other EU legislative framework.

Stakeholder consultations

On 10 May 2022, the European Commission launched a call for evidence on financial data access. The call for evidence closed on 2 August 2022, gathering 79 responses. Persons responding in individual capacity expressed concerns about data sharing in the absence of a framework adopting clear safeguards, such as privacy dashboards, clear delineation of its scope and a level playing field among market participants. Firms were rather positive as long as proper safeguards were put in place. The call for evidence showed that if properly designed, access to financial data could have a positive impact.

On 10 May 2022, the European Commission also launched a joint public consultation on the review of the revised Payment Services Directive (PSD2) and financial data access. The public consultation closed on 2 August 2022. The responses on financial data access confirmed the views expressed in the call for evidence. While most of the general public who responded would want to share their data based on strong consumer consent/agreement, some concerns were expressed over sharing financial data. These concerns were based on a lack of trust over privacy, data protection and digital security issues and a general sense of not being in control of how their data is used.

Professional stakeholders (corporate users, fintech firms, consumer organisations as well as relevant public authorities and national regulators) were more favourable to data sharing and mentioned benefits to the customer journey in terms of increased competition and innovation for financial products and services. A significant minority of professional respondents also voiced concerns over competition, security and data misuse.

On 10 May 2022, the Commission also launched a targeted consultation on financial data access and data sharing in the financial sector. The targeted consultation closed on 5 July 2022, gathering 94 responses from professional stakeholders.

The purpose of the targeted consultation was to gather their expert input on data sharing in finance. The professional stakeholders targeted included financial institutions, data vendors, fintechs, corporate users, consumer protection associations as well as relevant public authorities and national regulators. Overall, the responses highlighted that most professional respondents see the potential benefits of a legal framework for financial data access and therefore support regulatory intervention in some areas. However, responses to the targeted consultation suggest that stakeholders’ views diverge substantially and support from consumers and data holders is conditional on how those data will be accessed and shared.

Collection and use of expertise

On 24 October 2022, the Commission received a report on open finance from the Expert Group on the European Financial Data Space. The Expert Group brings together experts from academia, consumers, and industry (including banking, insurance, pensions, investment, as well as third-party providers and fintech firms). The report describes key components of an open finance ecosystem as seen by the Expert Group (data accessibility, data protection, data standardisation, liability, level playing field and the key actors) and sets out considerations on each element, while also presenting divergent views within the group. To illustrate the challenges and opportunities of open finance, the Expert Group has assessed several specific use cases which are detailed in the report. The use cases and the findings of the report were used to develop this proposal, particularly in determining the data covered within scope of the proposal.

Impact assessment

The proposal is accompanied by an impact assessment, which was submitted to the Commission’s Regulatory Scrutiny Board (RSB) on 3 February 2023 and approved on 3 March 2023. The RSB recommended improvements in some areas to strengthen the evidence base, put further emphasis on customer trust and protection of vulnerable consumers, as well as better define the limitations and uncertainties of the cost-benefit analysis for this proposal. The impact assessment was amended accordingly and addressed the RSB’s more detailed comments.

Policy options have been chosen based on the Commission Expert Group on the European Financial Data Space and on stakeholder feedback.

Several options that were considered aimed at improving customer trust in data sharing, clarifying the legal situation, promoting standardisation and providing incentives. As regards customer trust, the options considered included the mandatory use of financial data access permission dashboards, setting rules on who can access customer data, and complementing those rules with other safeguards, including guidelines that protect the consumer against unfair treatment or exclusion risks.

To provide legal clarity, one option considered was the extent to which data holders could be required to share their customer data with data users. This could be done on a mandatory basis, subject to the customer request. The types of firms to be obliged to share data were also considered (credit institutions, payment service providers and other types of financial institutions across the entire financial sector).

Several options were considered to promote the standardisation of customer data and interfaces. One option was for market participants to jointly develop common standards for customer data and interfaces as part of financial data sharing schemes. Consideration was given as to whether market participants should be part of such a scheme on a voluntary or mandatory basis in order to access data. Another option was to develop such a scheme by delegated or implementing acts (so-called Level II legislation that supplements or amends certain non-essential elements of basic acts).

A number of options were considered to implement high-quality interfaces for customer data sharing. One option could be for data holders to be required to put in place application programming interfaces (APIs) implementing the common standards for data and interfaces and make them available to data users without a contract and without being able to receive any compensation from data users for using these interfaces. Another option would be to allow reasonable compensation to set up and use the interfaces and agree on contractual liability.

The Commission considered that the preferred option is an EU Regulation that establishes a framework for financial data access, which includes the following characteristics:


- require market participants to provide customers with financial data access permission dashboards, set eligibility rules on access to customer data and empower the European supervisory authorities (ESAs) to issue guidelines to protect consumers against unfair treatment or exclusion risks;

- mandate access for data users to selected customer data sets across the financial sector, always subject to permission by the customers to whom the data relates;

- require market participants to develop common standards for customer data and interfaces concerning data that are subject to mandatory access, as part of schemes; and

- require data holders to put in place APIs against compensation, implementing the common standards for customer data and interfaces developed as part of schemes and require scheme members to agree on contractual liability.

The expected overall economic impact of this proposal would be enhanced access to better-quality financial services, improving the overall price-quality relationship. Financial data access would result in more user-centric services: personalised services could benefit consumers seeking investment advice, and automated creditworthiness assessment can be expected to help facilitate access to finance for SMEs. The expected impact on the wider economy is positive due to more efficient service provision as a result of more effective competition. For these positive impacts to materialise, however, it is important to ensure that data reuse does not lead to anti-competitive behaviour and collusion, especially given the requirement for mandatory adherence to contractual schemes, and that data holders, in particular, do not foreclose competitors through high fees for accessing data.

The proposal can be expected to have an overall positive social impact provided that the associated risks are kept in check. Sharing of customer data would be controlled as it is subject to customer request – mandatory access would only be triggered once the customer has requested his or her data to be shared. More detailed data sharing could open up access to finance to previously excluded users. It could facilitate targeted savings and pensions by facilitating a comprehensive overview of private and occupational pension entitlements as well as other savings for retirement. On the other hand, without appropriate safeguards, more data use could, in specific cases, lead to a risk of higher cost or even further exclusion of customers with an unfavourable risk profile. Particular attention needs to be paid to services with inherent risk mutualisation, such as insurance. The preferred option would however mitigate any such impact since data sets which are directly relevant to essential financial services for consumers would be excluded from its scope and EBA and EIOPA guidelines on the applicable personal data use perimeters would constitute an additional safeguard.

Overall, financial data access can be expected to have a neutral to positive indirect impact on the environment, as it would likely support the uptake of innovative investment services, including those that channel investments towards more sustainable activities. Even though there could potentially be some negative implications from more intensive use of data centres that would go together with wider data reuse, these are likely to be limited in scope as most of the data covered by this proposal already exists in digital form. The additional processing volume would mainly come from data users accessing these data.

Given the limited data availability and the nature of this proposal, it is inherently difficult to make quantitative predictions about how it would benefit the economy as a whole. Likewise, it is equally challenging to disentangle the effects of each policy measure from the potential aggregate impact. Whilst the costs of each policy option are already challenging to estimate, its isolated benefits are even more difficult to gauge. An attempt was made to provide a macroeconomic assessment of the potential benefits based on a macro-level study, the aim of which however was not to quantify the benefits of this proposal explicitly. Thus, the range of figures presented below should be taken as an illustration of the potential benefits rather than a dedicated estimate. According to this macroeconomic assessment, the total annual benefits for the EU economy produced by enhanced access to and sharing of data in the EU financial sector range between EUR 4.6 billion and EUR 12.4 billion, including the direct impact on the EU financial data economy in the range of EUR 663 million to EUR 2 billion per year. The overall estimated cost of the proposal could be up to a range of EUR 2.2 billion to EUR 2.4 billion in one-off costs and between EUR 147 million and EUR 465 million in recurring annual costs.

Digital finance has many aspects that can improve the workings of economies and further the cause of sustainable development. Access to finance is one of the major challenges of sustainable development. While not the direct aim of the proposal, it will indirectly help advance inclusive and sustainable economic growth and employment. It can help socially excluded individuals gain better access to finance. This proposal is in line with building resilient infrastructure, sustainable industrialisation, and innovation. It can unleash competitive economic forces that improve connectivity in the area of finance. The proposal will also help address climate change through targeted investment advice, helping investors to make more informed decisions which can help to channel capital flows towards sustainable investments.

Regulatory fitness and simplification

This proposal will make it easier for data users to access customer financial data, thereby making it easier for customers to access innovative financial services. It will notably support SMEs and their access to finance. To mitigate any negative impact on SMEs as data holders, it includes several measures. For example, by introducing compensation for data access, smaller market participants would be allowed to recover costs incurred by the requirement to provide technical interfaces for data access (‘application programming interfaces’). Moreover, SMEs acting as data holders could further reduce their implementation costs by developing joint interfaces or making use of external service providers. In addition, SMEs acting as data users will be able to access customer data against a reduced compensation, capped at cost, in line with Article 9(2) of the Data Act proposal. An option considered and rejected would be to exclude SMEs as data holders from the scope of the obligations to make data available. However, this option would have several disadvantages. It would considerably reduce the positive impact of the proposal, as some use cases rely on data from all financial institutions serving a particular customer and therefore holding their data to be pulled together. For example, use cases related to investment advice would only work efficiently if all relevant data on a customer’s assets and investments (whether they are held with smaller or larger firms) are comprehensively available for access. Moreover, it would not be consistent with ensuring that all market participants abide by key rules to ensure a level playing field. More broadly, the administrative costs introduced for businesses (EUR 18.5 million one-off costs) are a proportionate and relatively small administrative burden.

Fundamental rights

This proposal has an impact on the fundamental rights of consumers, notably Articles 7 and 8 on the right to respect for private life and the right to the protection of personal data enshrined in the EU Charter on Fundamental Rights (the EU Charter). The proposal establishes access rights for data in the financial sector, which would contribute to increased sharing of data, including personal data, at customers’ request. The impact on fundamental rights will be mitigated by ensuring that, in line with Article 38 of the EU Charter, there is a high level of consumer protection and that data sharing is strictly subject to the request of the customer. To uphold Articles 7 and 8 of the EU Charter, some provisions, notably financial data access permission dashboards and targeted guidelines in areas of higher exclusion risk, will boost customer trust and provide a framework of user control over the sharing of personal data. The dashboard will strengthen customer control, notably when personal data is processed for the requested service, based on consent or necessary for the performance of a contract. In addition, a restriction on the re-use of data beyond the requested service is introduced. Introducing the new category of authorised ‘financial information service providers’ would ensure that only trusted and secure providers are eligible to access and process customer data in the financial sector. In addition, consumers will be protected with strong security safeguards against possible data misuse and data breaches as both data holders as well as data users will be bound by the rules of the Digital Operational Resilience Act (DORA).

4. BUDGETARY IMPLICATIONS

The implementation of this proposal would not have an impact on the general budget of the European Union. Although the European Supervisory Authorities (ESAs) will need to undertake some tasks so that the legislation is properly implemented, most of these tasks fall within the existing mandates of the ESAs, e.g. preparing draft regulatory or implementing standards or guidelines for the better application of this Regulation. In addition, while the European Banking Authority (EBA) would be required to set up a register with information on e.g. financial information service providers, the cost of establishing such a register would be limited and should be covered by cost savings resulting from the synergies and efficiencies that all Union bodies are expected to realise. Conversely the legislation would not confer any new supervisory or monitoring tasks on the ESAs. Therefore, any costs resulting from the implementation of the proposed legislation should be covered by the existing budget of the ESAs.

There are limited implications in terms of costs and administrative burden for national competent authorities (NCAs). Their magnitude and distribution will depend on the requirement placed on financial information service providers to apply for a licence provided by an NCA and the related supervisory and monitoring tasks. These costs to NCAs would be partially offset by the supervisory fees that NCAs would levy on financial information service providers.

Regulated financial institutions that already have a licence would not be affected by the new licensing regime that this proposal would establish, and there would be no additional regulatory reporting, licensing or other requirements. For the firms that would need to seek a licence, the total cost of seeking a licence is estimated to be about EUR 18.5 million, assuming that about 350 firms would apply to become financial services information providers (FISPS) to be able to access customer data. These firms would also have to comply with the DORA requirements and put in place the required cyber-security standards.

5. OTHER ELEMENTS

Implementation plans and monitoring, evaluation and reporting arrangements

Providing a monitoring and evaluation mechanism is necessary to ensure that the regulatory actions undertaken are effective in achieving their objectives. The Commission will assess the impact of this Regulation and will be tasked with reviewing it (Article 31 of the proposal).

Detailed explanation of the specific provisions of the proposal

This proposal seeks to establish a framework governing access to and use of customer data in finance (financial data access ‘FIDA’). Financial data access refers to the access to and processing of business-to-business and business-to-customer (including consumer) data upon customer request across a wide range of financial services. The proposal is divided into nine Titles.

Title I sets the subject matter, scope and definitions. Article 1 sets out that the Regulation establishes the rules in line with which certain categories of customer data in finance may be accessed, shared, and used. It also establishes the requirements for the access, sharing, and use of data in finance, the respective rights and obligations of data users and data holders and the respective rights and obligations of financial information service providers in relation to the provision of information services as a regular occupation or business activity. Article 2 sets the scope of the Regulation to certain exhaustively described sets of data and lists the firms to which this Regulation applies. Article 3 sets the terms and definitions that are used for the purposes of this Regulation, including ‘data holder’, ‘data user’, ‘financial information service provider’ and others.

Title II introduces a legal obligation on data holders and governs the way this obligation should be exercised. Article 4 indicates that the data holder must make available to customers the data within the scope of this Regulation based on a request. Article 5 provides the customer with the right to request that the data holder shares this data with a data user. Where personal data is concerned, the request must comply with a valid legal basis as referred to in the General Data Protection Regulation (GDPR) that allows for the processing of personal data. Article 6 imposes certain obligations on data users receiving data at the request of customers. There should only be access to the customer data made available under Article 5 and this data should be used only for the purposes and the conditions agreed with the customer. The customer’s personalised security credentials should not be accessible to other parties and the data should not be stored for longer than what is necessary.

Title III sets the requirements to ensure responsible data use and security. Article 7 provides guidance on how firms should use data for given use cases and ensures that there will not be any discrimination or restriction in the access to services as a result of the use of the data. It ensures that customers that refuse to grant permission to use sets of their data will not be refused access to financial products just because these customers refused to grant permission. Article 8 establishes the financial data access permission dashboards to ensure that customers can monitor their data permissions by being able to access an overview of their data permissions, grant new ones and withdraw permissions if necessary.

Title IV sets the requirements for the creation and governance of financial data sharing schemes whose aim is to bring together data holders, data users and consumer organisations. Such schemes should develop data and interface standards, set the coordination mechanisms for the operation of financial data access permission dashboards as well as a joint standardised contractual framework governing access to specific datasets, the rules on governance of these schemes, transparency requirements, compensation rules, liability, and dispute resolution. Article 9 provides that the data falling within the scope of this Regulation must be made available only to members of a financial data-sharing scheme, rendering the existence and membership to such schemes mandatory. Article 10 sets the governance processes of such a scheme, including the rules on the contractual liability of its members and the mechanism to resolve disputes out-of-court. Article 10 also provides for the development of common standards for the sharing of data and the creation of technical interfaces to be used for the sharing of data. Such data-sharing schemes must be notified to the competent authorities, they must benefit from a passport for operations across the EU and, for transparency purposes, the schemes must be part of a register to be maintained by EBA. The minimum arrangements for a financial data sharing scheme should also state that data holders must be entitled to compensation for making the data available to data users, according to the terms of the scheme they are both part of. Compensation in any case must be reasonable, based on a clear and transparent methodology previously agreed by the scheme members and should aim to reflect at least the costs incurred for making available a technical interface to share the data requested. Article 11 provides for a Commission empowerment to adopt a delegated act in the event that a financial data sharing scheme is not developed for one or more categories of customer data.

Title V sets out the provisions on authorisation and operating conditions of financial information service providers. These requirements highlight the required content of an application (Article 12), the appointment of a legal representative (Article 13), the scope of the authorisation, including the EU passport of financial information service providers (Article 14) and the right granted to competent authorities to withdraw an authorisation. Article 15 provides for the establishment of a register of financial information service providers and data sharing schemes to be held by the EBA. Article 16 provides for the organisational requirements of financial information service providers.

Title VI provides details on the powers of competent authorities. Article 17 imposes on Member States the obligation to designate competent authorities. Article 18 sets out detailed provisions on the powers of competent authorities, and Article 19 provides for the power to reach settlement agreements and expedited enforcement procedures. Articles 20 to 21 detail the administrative penalties and other administrative measures, as well as the periodic penalty payments, that can be imposed by competent authorities. Article 22 sets out the circumstances that should be considered when competent authorities determine administrative penalties and other administrative measures. Article 23 covers professional secrecy for information exchanges between competent authorities. Title VI includes rules on the right to appeal (Article 24), the publication of administrative sanctions and administrative measures imposed (Article 25), the rules on the exchange of information between competent authorities (Article 26) and the settlement of disagreements between them (Article 27).

Title VII provides for the notification procedure to competent authorities for firms exercising the right of establishment and freedom to provide services (Article 28), as well as an obligation of information from competent authorities when they take measures involving restrictions on the freedom of establishment (Article 29).

Title VIII includes the exercise of the delegation with a view to adopt Commission delegated acts (Article 30), as the proposal itself contains an empowerment for the Commission to adopt a delegated act under Article 11. This Title also includes the obligation for the Commission to review certain aspects of the Regulation (Article 31). Articles 32 to 34 include the necessary amendments to the regulations establishing the ESAs to include this Regulation and financial information service providers within their scope. Article 35 includes an amendment to the Digital Operational Resilience Act Regulation. Article 36 indicates that this Regulation enters into application 24 months after its entry into force, except for Title IV (on schemes) that enters into application 18 months after the Regulation’s entry into force.