Across the European Union, the most interesting question about digital regulation is no longer whether it stifles innovation. Rather, it is how far the emerging rulebook now functions as infrastructure for the digital economy: a set of rails on which identity, data, and payments can move with greater portability and trust. For businesses willing to look past the red tape, this is a distinct competitive advantage.
At first glance, frameworks such as the Regulation on Electronic Identification and Trust Services for Electronic Transactions in the Internal Market (the “eIDAS”), the Data Act, the proposed Payment Services Directive 3 (the "PSD3"), and the accompanying Payment Services Regulation (the "PSR") read like compliance burdens to add alongside pre-existing hurdles. Looking more closely, however, a different picture emerges. Taken together, these laws embed mechanisms that can reduce friction, open markets, and allow both incumbents and challengers to compete on quality rather than mere positional advantage.
The eIDAS, now significantly expanded by the eIDAS2.0 framework, and the introduction of the European Digital Identity Wallet (the “Wallet”) carry a level of commercial relevance. These instruments transform digital identity and the woes that come with it into a portable ‘trust pack’. Instead of repeatedly reconstructing the same person, attributes, and credentials in each new relationship, businesses, referred to as “relying parties” in eIDAS, will be able to rely on a reusable bundle of verifiable data that the user can present across borders and sectors.
This shift ought to be on the radar of any business that spends heavily on onboarding and verification. In financial services, such verifiable identity and attributes can drastically compress the time and cost of KYC and customer due diligence. When combined with qualified electronic signatures and seals that can support fully digital contracting, the result is not simply an efficiency gain; it fundamentally expands and facilitates the commercial perimeter of digital services.
A similar pattern of portability applies to data more broadly. Building on the General Data Protection Regulation’s (“GDPR”) framework for lawful processing, transparency and trust, the Data Governance Act (the "DGA"), the Data Act, and the proposed Financial Data Access framework (“FIDA”) extend that logic into regimes governing data access, portability and re-use. The DGA, the Data Act, the Open Data Directive, and national frameworks such as the Re-Use of Public Sector Information Act (the "PSI Act") all converge on a simple policy direction: data shall not remain locked away merely because one entity happens to control the interface, or rather the environment, through which it is generated.
For connected products, the Data Act gives users, and third parties acting on their behalf, the right to access and share the data such connected products generate in usable formats, while also providing for fair, reasonable, and non-discriminatory (FRAND) compensation to data holders. In financial services, this is being extended through the EU’s proposed FIDA, which would move the market beyond open banking and towards open finance.
For public-sector information, Malta's PSI Act and national data portal are designed to support re-use in value-added services and applications, providing a more reliable legal and technical basis for unlocking commercial opportunity from public data.
The value enabler here is not abstract "openness", but the ability to design services on top of predictable, lawful data flows. The regulatory architecture increasingly supports the assumption that relevant data can, in principle, be accessed and combined, subject to safeguards, rather than being permanently siloed.
PSD3 and the PSR are intended to perform yet another similar function. On one level they seek to recalibrate consumer protection (particularly regarding fraud liability), authentication and prudential requirements. On another, they propose a strengthened transition to the open-banking layer that has been taking shape under the current PSD2.
At the heart of this transition is the data generated by the payment relationship itself: account data, transaction data and the information that flows when a payment is initiated, received or authorised. This proposed regulatory package establishes more practical API functionality requirements, clarifies data-sharing obligations, and strengthens the position of authorised non-bank payment service providers by giving them a clearer right to participate directly in EU payment systems and to hold accounts with credit institutions on objective, non-discriminatory terms.
More reliable, standardised APIs lower integration costs for third-party providers and merchants, enabling account-to-account payment propositions and data-driven credit models at scale. At the same time, clearer access rights to payment systems reduce the structural dependency of non-bank providers on a small number of sponsoring banks. This opens the door to new partnership models in which banks act as infrastructure layers rather than bottlenecks. For institutions that already meet stringent prudential and operational standards, this is an opportunity to monetise resilience and compliance as services in their own right.
For businesses operating with a digital front, access to users is often mediated by large digital platforms which dictate the rules. The Digital Markets Act (the “DMA”) tackles this issue by regulating the platforms directly (or rather, those designated as “gatekeepers”) and seeks to make such platforms fairer and more contestable. In particular, gatekeepers must give business users high-quality, continuous and real-time access to the data that those businesses and their customers generate on the relevant core platform services. This provides effective portability of end-user data in a similar pattern to the previously explored facets.
At the same time, the DMA restricts gatekeepers from using non-public business-user data to compete against those users, from relying on self-preferencing, and from enforcing ‘anti-steering’ clauses that previously prevented merchants from directing users to off-platform offers.
These measures do not guarantee a re-balancing of market power overnight. They do, however, create space for providers to engage users on their own terms. Together, the DMA and, to a more limited extent, the Digital Services Act, are helping to loosen the hold of gatekeeper platforms, forcing a shift where they are treated as important channels rather than unavoidable bottlenecks that dictate the modern market.
Seen individually, these instruments can read like discrete compliance projects. Seen together, however, they form a value-enabling architecture for the digital economy.
For businesses, and particularly for financial institutions and digital service providers operating out of small but sophisticated jurisdictions such as Malta, the strategic question is therefore changing. Asking "how do we comply?" is short-sighted. The more pertinent question is “which parts of the rulebook can we actively leverage to create value?”
Businesses that treat regulation purely as a constraint will tend to design for minimum viable compliance. However, those that read the rulebook as a set of design parameters are better placed to build services that are not only compliant, but more resilient, highly competitive and ultimately more valuable. Strategic exploitation of these laws is the blueprint for growth.
Author: Dr Cherise Abela Grech, Dr Neil Gauci, and Dr JJ Galea