Open banking regulation is set to move forward significantly in the EU during 2026, as regulators shift from refining access rights under the revised Payment Services Directive (PSD2) to enforcing operational, security and accountability standards across the payments value chain.
With the PSD2 framework reaching its limits, the bloc is preparing to introduce PSD3 and the Payment Services Regulation (PSR) to address gaps in supervision, security and cross-border harmonisation, reducing national discretion and narrowing firms’ ability to rely on divergent implementation.
The process of agreeing the final shape of the new regime is edging towards its finish, and greater clarity is expected early in 2026.
Europe’s approach to regulation typically influences authorities’ thinking globally, and the changes introduced by this legislative overhaul will directly affect how banks, fintechs and technical service providers operate across the single market, particularly in relation to data access, liability allocation and technical resilience.
For financial institutions and payment companies, understanding these shifts will be essential for strategic planning, compliance investment and competitive positioning in 2026 and beyond, as regulatory expectations move from access enablement to control effectiveness.
Consolidation and enhanced oversight
PSD3 and the PSR represent a fundamental shift from directive-based implementation to a more unified regulatory framework, strengthening the EU’s ability to supervise payments consistently across jurisdictions.
As a directive, PSD2 allowed member states significant discretion in transposing rules into national law, creating fragmentation across the EU. The PSR, by contrast, will apply directly across all jurisdictions.
This should reduce the inconsistencies that have hindered cross-border operations, but also limit firms’ ability to manage compliance through jurisdictional structuring.
Regulators are also extending supervision to technical service providers such as API gateway operators and third-party processors, bringing previously unregulated players into the formal oversight structure, and expanding the supervisory perimeter beyond licensed PSPs.
This addresses a critical gap where essential infrastructure providers operated outside direct regulatory control, potentially creating systemic risks.
Financial institutions should expect more prescriptive requirements around API performance standards, uptime guarantees and standardised error handling, which will require strengthened technical infrastructure, monitoring capabilities and clearer accountability frameworks.
Accelerating open finance
The new framework is designed to expand open banking principles into open finance, enabling consumers to share a broader range of financial data including savings, investments, pensions and insurance products.
This expansion will create opportunities in areas such as comprehensive financial planning tools, automated switching services and creditworthiness assessments, but will also raise supervisory expectations around data accuracy, access controls and liability.
Banks will need to move away from defensive compliance postures to engage strategically with the data-sharing economy. Leading institutions are repositioning as data platforms, monetising APIs and building partnership ecosystems, while ensuring compliance functions retain oversight of access, usage and risk allocation.
Fintechs, meanwhile, face both opportunity and pressure as incumbent banks become more competitive and regulatory requirements increase their operational costs.
Balancing innovation with safeguards
The EU is also aiming to strengthen security requirements in response to concerns about fraud and unauthorised access under PSD2, while ensuring compliance functions retain oversight of access, usage and risk allocation.
Expected measures include enhanced strong customer authentication (SCA) protocols, stricter liability frameworks for unauthorised transactions and more granular consent management, allowing consumers to revoke or limit data access more easily.
The challenge for the industry is implementing these safeguards without degrading user experience.
Financial institutions should prioritise frictionless authentication methods, transparent consent interfaces and real-time notifications that give consumers confidence without creating abandonment points in payment and onboarding journeys.
Preparing for these changes means conducting gap analyses against draft requirements, engaging with regulatory consultations and investing in flexible compliance architecture that can accommodate evolving standards.
As the EU moves towards finalising PSD3 and the PSR, firms should view 2026 as a narrowing window to influence the rule-setting process and position themselves for the shift to open finance.
Institutions that treat the new framework as a strategic opportunity by investing early in data architecture, API reliability, customer-centric security and cross-border product design will be best placed to compete in a more integrated European market.
Those that delay will face higher compliance costs, reduced agility and a widening gap with digital-first competitors as regulators push the industry towards greater transparency, standardisation and consumer control.




