PSD3 and PSR: Complete Guide to EU Payment Services Reform — What Changes from PSD2, Who Is Affected, and the 2027 Compliance Timeline
FinancialRegulations.EU Team
Regulatory Intelligence
The Third Payment Services Directive (PSD3) and the Payment Services Regulation (PSR) are the EU's complete overhaul of its payments regulatory framework. Provisional political agreement was reached on 27 November 2025. Publication in the Official Journal is expected in Q2 2026. When the PSR enters into force — immediately as a directly applicable regulation — and PSD3 is transposed, every payment institution, electronic money institution, credit institution offering payment services, and open banking provider in the EU faces a new compliance baseline.
This guide explains what is changing, who is affected, and what institutions should be doing now to prepare.
Why PSD3 and PSR? What Was Wrong with PSD2?
The Payment Services Directive 2 (PSD2, Directive (EU) 2015/2366) came into force in January 2018 and was meant to catalyse open banking and harmonise payments across the EU. It delivered results — strong customer authentication became mandatory, third-party payment service providers gained legal access to bank account data, and cross-border payment processing became more uniform. But eight years of implementation revealed structural weaknesses that PSD2's directive format could not fix.
The primary problems:
Transposition fragmentation. Because PSD2 is a directive, each of the 27 Member States transposed it into national law. The result was 27 different versions. Scope definitions varied. SCA exemption thresholds differed. Open banking technical standards were implemented inconsistently. API performance and reliability standards were set at national level. Payment institutions that operated cross-border faced different regulatory requirements in each market.
The open banking promise went unfulfilled. PSD2 gave third-party providers (TPPs) a legal right to access account data and initiate payments. Banks were required to provide APIs. But the quality, reliability, and functionality of those APIs varied enormously. Customer conversion rates for account information services (AIS) and payment initiation services (PIS) remained low. Friction was high. Banks had limited commercial incentive to make their APIs good. Regulatory enforcement was patchy.
Fraud reimbursement gaps. PSD2's liability framework was built around individual transaction liability. The rise of authorised push payment (APP) fraud — where fraudsters manipulate legitimate account holders into making authorised transfers — exposed a gap. PSD2's liability rules did not cover APP fraud well. Victims often received little or no reimbursement.
EMI regulation was in a separate directive. Electronic money institutions were governed by the E-Money Directive 2 (EMD2, Directive 2009/110/EC), a separate instrument from PSD2. This created duplication and divergence: EMIs were subject to two overlapping regimes with some inconsistencies. PSD3 merges the two frameworks.
Non-bank actors were inadequately regulated. The rise of buy-now-pay-later (BNPL), embedded finance, and technical service providers supporting SCA decisions created regulatory gaps. Entities performing functions critical to payment processing operated outside the supervised perimeter.
The PSD3/PSR Structural Split
The EU legislature adopted an innovative structure: instead of a single new directive replacing PSD2, it adopted two instruments side by side.
PSD3 (Directive) governs the authorisation, supervision, prudential requirements, and licensing of payment service providers. It replaces both PSD2 and EMD2. Because it is a directive, it requires transposition into national law. Member States will have approximately 18 months to transpose after publication, meaning full national implementation is expected around late 2027 to early 2028.
PSR (Payment Services Regulation) governs the conduct-of-business rules — how payment services are provided to users, what transparency obligations apply, how SCA works, open banking obligations, and fraud liability. Because it is a regulation, it applies directly in all Member States on the same date, without any transposition. This eliminates the divergence that plagued PSD2's conduct rules.
The effect: licensing and prudential rules retain some national flexibility through PSD3. Conduct rules are fully harmonised through the PSR.
Who Is In Scope
The scope of PSD3/PSR broadly follows PSD2 but with important extensions.
Payment service providers (PSPs) under PSD3:
- Credit institutions (banks and building societies) providing payment services
- Payment institutions (the PSD2/PSD3 licence type)
- Electronic money institutions — which become a sub-category of payment institution under PSD3 (the EMI licence is abolished as a separate category; EMIs re-authorise as "payment institutions authorised to issue e-money")
- Post office giro institutions
- The ECB, national central banks, and public bodies when not acting in their capacity as monetary authorities
New entrants in scope under PSD3/PSR:
- Technical service providers (TSPs) in the SCA chain. PSD3/PSR extends liability to TSPs that participate in strong customer authentication decisions. Where a TSP's failure to properly support SCA causes fraud losses, that TSP can share liability with the PSP. This brings payment gateways, authentication solution providers, and card network technical infrastructure into the regulatory perimeter.
- Buy-now-pay-later (BNPL) partial inclusion. Certain BNPL products that were previously exempt from PSD2 as "limited network" or "commercial agent" exceptions come within scope under PSD3/PSR, though the detailed scope of BNPL inclusion remains subject to the final text.
- Open banking data aggregators. Entities providing account aggregation services that consolidate data from multiple PSPs face clearer regulatory obligations regarding data quality, liability, and consent management.
What remains out of scope: Payment transactions using cash, paper-based cheques, and a number of niche instruments remain excluded. The "limited network" exception (loyalty schemes, fuel cards, etc.) is retained but narrowed.
Key Changes: PSD3 Authorisation and Licensing
EMI Licence Absorbed into Payment Institution
The most structurally significant change for existing market participants is the abolition of the standalone e-money institution licence. Under PSD3, EMIs become "payment institutions authorised to issue e-money" — a sub-category within the payment institution framework.
Transition timeline for existing EMIs:
- Authorisations granted under EMD2 remain valid for 24 months after PSD3 enters into force
- Within that 24-month window, EMIs must submit an application demonstrating compliance with PSD3's updated requirements for the new payment institution category
- The 24-month period is extendable to 30 months at the discretion of the national competent authority
- Applications must evidence: updated governance arrangements, DORA-compliant ICT and business continuity frameworks, safeguarding policies aligned with PSD3, and compliance with any revised capital requirements
Practically: any EMI that has not begun its PSD3 re-authorisation process by mid-2026 is already late.
Capital Requirements
PSD3 introduces updated minimum capital requirements. The exact figures in the final text are to be confirmed, but the direction of travel is toward risk-based calibration linked to the volume and nature of payment activity rather than simple tiered minimums. Institutions handling higher volumes of customer funds are likely to face proportionally higher requirements.
Safeguarding
Safeguarding requirements — the obligation to protect customer funds held by payment institutions and EMIs against insolvency — are updated but largely preserved from PSD2/EMD2 in structure. The key change: PSD3 gives payment institutions a new option to safeguard customer funds directly in an account held with a central bank, at the discretion of the relevant central bank. This is intended to reduce concentration risk in safeguarding arrangements where institutions are forced to use commercial bank accounts.
Passporting
PSD3 preserves the single-licence passport. A payment institution authorised in one Member State can passport its services to all other Member States. The passporting mechanics are refined, particularly around notification requirements and supervisory cooperation between home and host NCAs.
Key Changes: PSR Conduct Rules
Strong Customer Authentication (SCA)
The PSR reworks SCA in three important ways.
Liability extension to technical service providers. Under PSD2, SCA liability sat with the account servicing payment service provider (ASPSP — typically the bank) or the acquirer. Under PSR, where a technical service provider performs the SCA process on behalf of a PSP and its failure to properly execute SCA causes fraud losses, that TSP can be required to bear the loss. This creates direct incentives for authentication providers, card network technical infrastructure, and payment gateways to ensure SCA is properly implemented — or face financial consequences.
Streamlined exemptions. The PSR preserves the transaction risk analysis (TRA) exemption, the low-value transaction exemption, the recurring transactions exemption, and the trusted beneficiary exemption. However, the conditions for applying exemptions are tightened and more granular fraud-rate thresholds may be set by the European Banking Authority through regulatory technical standards.
SCA for corporate payments. The PSR clarifies the treatment of SCA for business-to-business payment flows, addressing a gap in PSD2 that created uncertainty for corporate treasury and accounts-payable automation.
Fraud Liability: Authorised Push Payment (APP) Fraud
This is the area where PSR makes the most significant departure from PSD2.
PSD2 covered unauthorised payment transactions — where a fraudster directly initiates a payment without the account holder's knowledge. It did not address APP fraud well — where the account holder is deceived into authorising a payment themselves, believing they are paying a legitimate recipient.
PSR addresses APP fraud through two mechanisms:
IBAN/name verification (payee name matching). PSPs offering credit transfers must verify that the payee's IBAN matches the name provided by the payer. If there is a mismatch and the PSP fails to alert the payer, and the payer suffers a fraud loss as a result, the PSP bears liability for that loss. This is the "confirmation of payee" mechanism that the UK implemented voluntarily and the EU is now mandating at PSR level.
APP fraud reimbursement. The PSR introduces a framework for reimbursing victims of APP fraud where the payer was deceived through impersonation of an authority or institution. The precise liability-sharing rules between sending and receiving PSP are set out in the PSR; in general, both sending and receiving PSPs share responsibility for detecting and preventing fraudulent payments.
PSP liability for inadequate SCA. Where a PSP (or its TSP) fails to require SCA when SCA was required and a fraud loss results, the PSP/TSP bears the loss regardless of whether the transaction was "authorised" by the customer in the technical sense.
Open Banking: Making the Promise Real
PSD2's open banking framework gave TPPs a legal right to access account data and initiate payments. PSD3/PSR retains and strengthens this framework with several significant improvements.
Dedicated API performance standards. ASPSPs must ensure their open banking APIs meet defined performance and availability standards. The PSR allows TPPs to use the "fallback" mechanism (direct customer interface) where a dedicated API is consistently unavailable or underperforming — a right that existed under PSD2 but was difficult to exercise in practice.
Contingency access. TPPs will have clearer rights to contingency access to account data where dedicated APIs fail, reducing the ability of incumbent banks to impede open banking access through poor API quality.
Dashboard for consent management. Account holders must be given access to a dashboard showing all TPPs to whom they have granted data access and payment initiation permissions, with the ability to revoke access in real time. This is a consumer protection measure that also creates operational requirements for ASPSPs to build and maintain consent dashboards.
Financial data access (FiDA). The Financial Data Access regulation (FiDA, a companion regulation proposed alongside PSD3) extends the open banking model to a broader set of financial data beyond payment account data, including insurance products, pension data, and investment accounts. FiDA is a separate legislative instrument but is part of the same Open Finance policy initiative.
Transparency and User Rights
The PSR resets PSD2's transparency and user rights framework:
Pre-contractual information. The information that PSPs must provide to users before they enter into a payment service contract is updated and made more specific. Digital disclosure formats are addressed.
Currency conversion transparency. Currency conversion charges (and their equivalent in percentage markup over the ECB reference rate) must be disclosed at the point of transaction, including at ATMs and point-of-sale terminals. PSR imposes stricter requirements on dynamic currency conversion practices.
Charges for basic payment services. PSR preserves requirements around reasonable charging for basic payment accounts and access to payment infrastructure by non-bank PSPs.
Complaint handling and redress. All PSPs must participate in alternative dispute resolution (ADR) procedures where selected by consumers. This creates a mandatory, accessible redress mechanism for payment service disputes.
DORA Intersection
Payment institutions and EMIs that are in scope of both PSD3/PSR and DORA face an important compliance intersection. DORA (Regulation (EU) 2022/2554) has applied since 17 January 2025 and imposes ICT risk management, incident reporting, resilience testing, and third-party risk management obligations on payment institutions and EMIs.
PSD3's updated authorisation requirements explicitly reference DORA-compliance as a component of the organisational requirements for payment institutions. Specifically, EMIs re-authorising under PSD3 must demonstrate compliance with DORA's ICT risk management framework and business continuity requirements as part of their PSD3 application package.
This means:
- EMIs that delayed DORA implementation cannot use PSD3 re-authorisation as a fresh start — they must be DORA-compliant before they can submit a PSD3 application
- Payment institutions building new ICT governance frameworks should design them to satisfy both DORA and PSD3 simultaneously
- Third-party ICT providers to payment institutions who are designated as critical under DORA will face dual oversight from DORA authorities and national payment supervisors
For fund managers that also operate payment structures (e.g., Luxembourg management companies that manage funds and also hold payment institution licences), both DORA and PSD3 will apply. See our DORA compliance for fund managers guide.
MiCAR Interaction: CASPs and Payment Tokens
Crypto-asset service providers (CASPs) authorised under MiCAR that provide services involving e-money tokens (EMTs) will also be affected by PSD3/PSR. EMTs are crypto-assets that maintain a stable value by referencing a single official currency — economically equivalent to e-money under EMD2. Under Article 48 of MiCAR, EMTs may only be issued by credit institutions or electronic money institutions.
As EMD2 is repealed and replaced by PSD3 — absorbing EMIs into the payment institution category — issuers of EMTs will need to hold a payment institution licence authorised to issue e-money under PSD3, not an EMI licence under EMD2. The transition arrangements for existing EMT issuers mirror those for other EMIs: 24 months to re-authorise, extendable to 30 months.
Practical Preparation Checklist
For Existing Payment Institutions (PSD2 licensed)
- Review the final PSD3/PSR text on publication in the Official Journal (expected Q2 2026)
- Identify gaps between current compliance framework and PSD3's updated authorisation requirements
- Assess whether capital, safeguarding, governance, or DORA-compliance gaps need to be addressed before any updated authorisation application
- Review API infrastructure for open banking compliance with the new performance standards
- Implement payee name verification (IBAN-name matching) for credit transfer products — this is a PSR requirement that also creates fraud liability
- Update SCA frameworks to ensure TSPs in the authentication chain are contractually and operationally aligned with the new liability model
- Review complaint handling procedures to ensure ADR participation requirements are met
For Existing EMIs (EMD2 licensed)
Everything above, plus:
- Start the re-authorisation process early. The 24-month transition period sounds long, but assembling a PSD3 application package — particularly DORA compliance evidence, updated governance documentation, and capital/safeguarding assessments — takes time
- Update governance structures to meet PSD3's management body requirements (which will be more prescriptive than EMD2)
- Review business continuity plans and ICT risk frameworks for DORA compliance, as this will be a PSD3 application requirement
- Engage with your national competent authority early — NCAs will be processing a wave of re-authorisation applications and early engagement signals preparedness
For Banks and Credit Institutions
- Review the PSR's conduct rules applicable to your payment services against current practices — particularly SCA liability extension to TSPs, IBAN-name matching, and open banking API performance requirements
- Update contracts with third-party SCA providers to address the new liability allocation
- Assess open banking API infrastructure for PSR compliance
- Review APP fraud controls and reimbursement procedures
For Technology and Infrastructure Providers
- Assess whether your services bring you into the regulatory perimeter as a TSP for SCA purposes
- Review contractual arrangements with PSP clients to address PSD3/PSR liability allocation
- Monitor the European Banking Authority's forthcoming regulatory technical standards on SCA, fraud reporting, and open banking performance requirements
Timeline Summary
| Date | Event |
|---|---|
| 27 November 2025 | Provisional political agreement reached on PSD3 and PSR |
| Q2 2026 (est.) | Publication in Official Journal of the EU |
| Q2 2026 + 20 days | PSR enters into force (directly applicable) |
| Q2 2026 + 18 months (est. late 2027) | PSD3 transposition deadline for Member States |
| Q2 2026 + 24 months | Deadline for existing EMIs to re-authorise under PSD3 |
| Q2 2026 + 30 months | Extended deadline (at NCA discretion) for EMI re-authorisation |
Note: All dates are dependent on publication of the final text. The 18-month transposition period for PSD3 and the 24-month EMI transition period run from the date of publication, which is not yet confirmed.
How financialregulations.eu Can Help
PSD3 and the PSR sit at the intersection of payments, open banking, fraud liability, and DORA compliance — a complex multi-regulation environment. Our platform covers:
- Full-text search and analysis of PSD2 (the current baseline), EMD2, and DORA, including cross-regulation queries
- Document review — upload your current authorisation application, compliance policies, or SCA documentation for AI-powered gap analysis
- Cross-regulation queries — ask how PSD3 interacts with DORA, MiCAR, or EMIR in a single analysis
As the PSD3/PSR text is finalised and published, we will add the full regulatory text to our knowledge base.
Frequently Asked Questions
When do PSD3 and PSR apply?
The PSR enters into force as a directly applicable regulation 20 days after publication in the Official Journal, which is expected in Q2 2026. However, the PSR is likely to include a transitional implementation period before its conduct rules become enforceable — this is expected to be 18 months after publication, aligning with the PSD3 transposition deadline and pointing to late 2027 as the effective compliance date. The 24-month transition for EMIs re-authorising under PSD3 runs from publication, targeting mid-2028 as the outer limit.
Does PSD3 abolish the EMI licence?
Effectively yes. PSD3 repeals the E-Money Directive 2 (EMD2) and integrates electronic money institutions into the payment institution framework as a sub-category: "payment institutions authorised to issue e-money." Existing EMD2 licences remain valid for 24 months after PSD3 enters into force, with a possible 30-month extension at the NCA's discretion. After that, EMIs must hold a PSD3 payment institution authorisation. The EMI product — electronic money — continues to exist; it is the licence structure that changes.
What is the difference between PSD3 and PSR?
PSD3 is a directive that governs who can provide payment services (authorisation, licensing, prudential requirements). It requires transposition into national law by Member States and retains some national flexibility. The PSR is a regulation that governs how payment services are provided (conduct rules, SCA, open banking, fraud liability, transparency). It applies directly across all 27 EU Member States from the same date without transposition, eliminating the regulatory fragmentation that affected PSD2's conduct rules.
Does PSD3 apply to CASPs and MiCAR-licensed firms?
MiCAR CASPs that provide custody or exchange services for crypto-assets that are not e-money are not directly subject to PSD3 in their capacity as CASPs. However, CASPs that also issue e-money tokens (EMTs) must be licensed as credit institutions or electronic money institutions — which, after PSD3, means they must hold a PSD3 payment institution licence. Existing EMT issuers holding EMD2 licences have the same 24-month transition window to re-authorise under PSD3.
How does PSD3 interact with DORA?
DORA (which has applied since 17 January 2025) and PSD3 overlap in the ICT risk and operational resilience space. PSD3 explicitly references DORA compliance as a component of the updated authorisation requirements for payment institutions. EMIs re-authorising under PSD3 must demonstrate DORA compliance as part of their application. Payment institutions building or updating their ICT governance frameworks should design for both DORA and PSD3 simultaneously rather than sequentially.
Will PSD3 affect open banking access rights for TPPs?
Yes, significantly. The PSR strengthens open banking access rights for third-party providers (account information services and payment initiation services). It mandates API performance standards, gives TPPs clearer rights to fallback access where APIs underperform, and requires ASPSPs to maintain consent dashboards for customers. The intent is to deliver on the open banking promise that PSD2 established but failed to fully realise due to poor API quality and inconsistent national implementation.