QuickTake
On 23 April 2026, the Council of the EU published an 'I' Item Note (dated 17 April 2026)1 inviting the Committee of Permanent Representatives (COREPER) to approve the final compromise texts of the draft Payment Services Regulation (PSR)2 and the Third Payment Services Directive (PSD3)3, paving the way for a second-reading agreement with the European Parliament. The headline points for regulated firms are summarised below in brief.
- What. The PSR and PSD3 will repeal and replace the (second) Payment Services Directive (Directive (EU) 2015/2366) (PSD2) and the (second) Electronic Money Directive (Directive 2009/110/EC) (EMD2), merging the regulatory regimes for payment services and electronic money into a single, directly applicable conduct-of-business regulation alongside a recast directive on authorisation, prudential supervision and safeguarding.
- When. Subject to formal adoption, both instruments will apply 21 months after entry into force, with the mandatory verification of payee (VoP)4 service applying from 27 months and existing EMIs benefitting from a 27-month transitional regime.
- Who. The framework will affect credit institutions, payment institutions (PIs), electronic money institutions (EMIs), account information service providers (AISPs), payment initiation service providers (PISPs), account servicing payment service providers (ASPSPs) and — for the first time — certain technical service providers, electronic communications providers, hosting service providers, mobile device manufacturers and operators of very large online platforms (VLOPs) and very large online search engines (VLOSEs).
- Three biggest changes. (i) a single, harmonised PI/EMI authorisation and safeguarding regime, eliminating the separate EMI track; (ii) a recalibrated fraud and liability framework, including a dedicated refund right for impersonation (“spoofing”) fraud, mandatory transaction monitoring on both payer and payee sides, the new VoP service and strict PSP liability for monitoring/VoP failures; and (iii) a deeper open banking regime with mandatory dedicated interfaces, data parity, a consent dashboard and a non-exhaustive list of prohibited obstacles.
- Immediate action. Firms should begin a structured gap analysis covering authorisation conditions, safeguarding arrangements, fraud controls, open banking interfaces, framework contracts and customer disclosures and should track the European Banking Authority (EBA)’s forthcoming regulatory and implementing technical standards (RTS and ITS) - most of which are due within 12 to 18 months of entry into force.
The PSR will be directly applicable in all Member States and will govern the conduct-of-business rules - including transparency, information requirements, the rights and obligations of payment service users (PSUs) and payment service providers (PSPs), open banking, fraud prevention, strong customer authentication (SCA) and enforcement. PSD3 will retain in directive form the rules on authorisation, prudential supervision, safeguarding (i.e. the protection of customer funds from the insolvency of the payment institution holding them) and passporting (i.e. the ability of a firm authorised in its home Member State to provide services across the EEA on the basis of that single licence), which by their nature require transposition into national law. Both instruments will apply 21 months after entry into force, with certain provisions, notably the VoP service, applying from 27 months and existing EMIs benefitting from a transitional regime of up to 27 months as mentioned above.
Together, the PSR and PSD3 will deliver the most far-reaching reform of the EU's payment services framework since PSD2 and EMD2, repealing and replacing both instruments and merging the regulatory regimes for payment services and electronic money into a single, unified framework. This Client Alert, which should be read in conjunction with our earlier alert5 as well as further coverage from PwC, analyses the Council’s final compromise texts of the PSR and PSD3, which remain subject to formal adoption, and is current as at the date set out above. Non-EU firms offering in-scope payment services into the European Economic Area (EEA) will need to comply with the new framework once it applies.
Legislative timeline to date and what lies ahead
The European Commission first published the Payment Services Package on 28 June 2023, comprising the proposals for the PSR and PSD3. The European Parliament adopted its initial reports on both the PSR and PSD3 proposals in April 2024; following the 2024 European elections, the ECON Committee confirmed its negotiating mandate in late 2024 and opened interinstitutional negotiations.
COREPER agreed on the Council's negotiating mandate in June 2025 and trilogues (i.e. the informal tripartite negotiations between the European Parliament, the Council and the European Commission used to agree the final text of EU legislation) with the European Parliament commenced on 9 July 2025, with the final political trilogue taking place in Strasbourg on 26 November 2025. Numerous technical meetings between the Council Presidency, the European Parliament's ECON Secretariat and the Commission's DG FISMA (i.e. the Directorate-General for Financial Stability, Financial Services and Capital Markets Union) took place in parallel to finalise the compromise texts.
The draft texts were submitted to the Council Working Party on Financial Services on 20 March 2026 for a silent consultation ending on 25 March 2026; no delegation objected to the proposed texts. The 'I' Item Note now suggests that COREPER approve the final compromise texts (doc. 8221/26 for the PSR and doc. 8222/26 for PSD3) with a view to reaching an agreement at second reading with the European Parliament.
Architecture upgrade – from Directive to Regulation
A structural change of fundamental importance is the decision to elevate the conduct-of-business rules governing payment services from an EU directive, which required national transposition and tolerated significant divergence across Member States, to a directly applicable EU regulation. The recitals to the PSR make explicit the rationale: under PSD2, there was significant room for "forum shopping" - i.e. PSPs choosing, as their home country, Member States that applied more advantageous interpretations or less active enforcement of EU payment services rules and then providing cross-border services on a passporting basis into jurisdictions with stricter approaches. The PSR is designed to eliminate this margin for interpretation and to achieve maximum harmonisation of the rules governing the conduct of payment services business.
PSD3, meanwhile, preserves the directive format for the rules on authorisation, supervision and safeguarding of payment institutions. This reflects the fact that those requirements interact with national insolvency law, administrative law and supervisory structures, making full harmonisation through a regulation impracticable at this stage. Nevertheless, the EBA is mandated to develop extensive RTS and ITS to harmonise key aspects of the prudential framework, including the authorisation process, safeguarding risk management, own funds calculation and cross-border supervisory cooperation.
For regulated firms, the practical consequence is significant: conduct-of-business rules will be uniform across the EU from the date of application, with no scope for Member States to gold-plate (i.e. to impose stricter requirements than those required by the EU instrument when transposing it into national law) or diverge. Firms that have relied on favourable national transpositions of PSD2 will need to re-assess their compliance posture against the single PSR text.
PSD2 vs PSR/PSD3 - at a glance
The principal contrasts between the existing and incoming regimes can be summarised as follows:
- Legal instrument. PSD2: a directive requiring national transposition. PSR/PSD3: a directly applicable regulation for conduct-of-business rules, plus a recast directive for authorisation, prudential supervision and safeguarding.
- Scope of regulated entities. PSD2/EMD2: separate PI and EMI regimes. PSR/PSD3: a single PI regime, with electronic money issuance reclassified as a payment service.
- Tightened scope and harmonised exclusions. The PSR will harmonise the interpretation of two exclusions that have generated significant divergence under PSD2: the “commercial agent” exclusion and the “limited network”/“specific-purpose instrument” exclusion. The commercial agent exclusion will only apply where the agent acts on behalf of either the payer or the payee (not both) under a genuine mandate. The limited network exclusion will be narrowed and subject to enhanced notification thresholds and EBA guidelines, with consequential implications for marketplaces, platforms and closed-loop programmes that have relied on a broad reading of these carve-outs.
- Surcharging. The PSR will explicitly extend the prohibition on payee surcharging to all credit transfers and direct debits in the EU, resolving the divergence left by inconsistent national transposition of Article 62(4) PSD2.
- Virtual IBANs. The PSR will expressly recognise virtual IBANs (vIBANs) as valid payment account identifiers and the Commission is mandated to review the risks and benefits of their use within three years of entry into force. Their recognition might have a substantial impact on business models involving centralized payment such as “payment factories”.
- Open banking. PSD2: dedicated interface obligation with optional fallback. PSR: mandatory dedicated interface with prohibited obstacles, data parity, consent dashboard and a definitive ban on screen-scraping.
- SCA. PSD2: two-factor authentication based on three element categories. PSR: extended scope (mobile activation, accessibility, digital wallet outsourcing) and possible use of two inherence elements subject to demonstrated independence.
- Fraud and liability. PSD2: limited PSP liability framework. PSR: recalibrated framework with mandatory transaction monitoring, mandatory VoP, dedicated impersonation-fraud refund right and strict liability for monitoring/VoP failures.
- Cross-sectoral obligations. PSD2: confined to PSPs. PSR: extends fraud-prevention and access duties to electronic communications providers, hosting services, mobile device manufacturers and VLOPs/VLOSEs.
- Enforcement. PSD2: divergent national approaches. PSR: harmonised minimum sanctions and powers, EBA product intervention powers and a single internal market reference text.
Footnotes
1 Available here.
2 Available here.
3 Available here.
4 See coverage here.
5 Available here.