.svg)
On June 10, 2025, the European Banking Authority (EBA) published a “no action letter” on the interplay between Directive EU 2015/2366 (Payment Services Directive 2 – PSD2) and Regulation (EU) 2023/1114 (Markets in Crypto-assets – MiCA). In the preceding regulatory influencer, an examination of the EBA’s letter was provided. The letter provided a positive step in the right direction, clarifying specific uncertainties surrounding the applicability of PSD2 to certain crypto-asset service providers (CASPs).
As a brief recap, the EBA clarified that although a significant number of CASPs transacting in electronic money tokens (EMTs) will need only a MiCA authorisation, certain EMT-related services will require dual authorisation under PSD2. As a result, the EBA advised national competent authorities (NCAs) to grant CASPs a transition period until March 1, 2026 before PSD2 authorisation needs to be held. Furthermore, the EBA also outlined certain PSD2 provisions which must be enforced, and contrary provisions which may be overlooked.
Given the implications of the EBA’s letter, and its potentially burdensome effects for certain CASPs, this regulatory influencer examines the possible ramifications of the EBA’s pronouncements, as well as certain connected issues.
Dual-Authorisation Considerations
For CASPs subject to both MiCA and PSD2, the regulatory strain is immediately evident. Although the EBA premised its decision on the unavoidable “acknowledgement that any alternative advice would require these CASPs to obtain a second authorisation”, which would impose a disproportionate compliance burden, such a conclusion has nonetheless been reached.
Firms affected by both frameworks must carefully assess their service offerings and explore whether partnership arrangements could alleviate some of the compliance strain. Complicating matters further, the ongoing development of PSD3 and the forthcoming Payment Services Regulation (PSR) leaves it uncertain whether dual authorisation will remain a long-term requirement. Any measures taken now may therefore prove short-lived as new regulatory regimes take shape.
Moreover, as certain PSD2 provisions will be insisted upon, affected firms must prepare to meet extensive compliance obligations by the end of the transition period.
One particularly challenging aspect is the requirement for initial capital and own funds to be calculated cumulatively. Entities must meet significant capital thresholds under each legislative framework, using separate calculations, which can cause a substantial financial and operational burden. Although this approach is consistent with previous treatment of “hybrid” entities, as explained by the EBA in a Q&A, it nonetheless sets a high barrier to entry for EMT-focused CASPs. The EBA’s own example illustrates this clearly: a doubling of initial capital demands.
Similar challenges arise in relation to strong customer authentication (SCA). MiCA adopts a relatively light-touch approach, requiring that CASPs providing transfer services enter into agreements with clients specifying “a description of the security systems used by the crypto-asset service provider”. PSD2, by contrast, places SCA at its core. It is foundational, aiming to enhance the security of electronic payments and ensure the protection of users. The EBA acknowledged these practical difficulties in its no-action letter, granting a transition period until March 2026. However, with PSD3 and the PSR expected to further tighten SCA and broader security requirements, affected CASPs will need to ensure they can meet these enhanced standards.
Regulatory changes?
As mentioned within part one, for the longer term following the transition period, the EBA provided the European legislature with two options:
- To use the PSD3/PSR legislative process to amend MiCA by introducing requirements for crypto-asset services involving EMTs that qualify as payment services.
- That PSD3 and the PSR could themselves specify the types of EMT-related services to which these two legislative acts would apply, as well as the manner of their application.
The former is the EBA’s preferred approach whereby MiCA would be aligned with PSD3/PSR in key areas such as consumer protection, payment security, own funds calculation, payment fraud reporting and other relevant aspects. This mirrors the EBA’s pronouncements contained within the no-action letter.
Although this approach would again give rise to the same regulatory issues highlighted above, thereby increasing the burden on CASPs, it remains the preferable option. Its advantages, including the elimination of dual-authorisation requirements across the two regulations, the alignment of overlapping provisions and a reduction in regulatory strain and confusion, support its adoption.
However, the letter highlights certain other issues, illustrating that the challenges posed by dual-authorisation are not isolated. Keeping in mind the EBA’s view that “any given financial activity should be regulated by one piece of financial services law”, the difficulties around dual-authorisation highlight a broader problem: multiple overlapping regimes across financial services.
Regulation (EU) 2022/2554 (Digital Operational Resilience Act – DORA), which applies to financial services institutions, has been in operation since January 2025. Its requirements overlap directly with Directive (EU) 2022/2555 (Network and Information Systems Directive 2 - NIS2) in the field of banking whereby NIS2 provides for requirements on strengthening the security of network and information systems. There is also Regulation (EU) 2024/2847 (Cyber Resilience Act – CRA) which, like DORA and NIS2, provides cybersecurity requirements for products with digital elements. When it applies in December 2027, financial institutions will need to contend with three separate pieces of legislation, and any delegated regulation which arises thereafter.
This overlap was recognised by the European Banking Association, which, together with the European Association of Co-operative Banks (EACB), the European Savings Banks Group (ESBG), the Association for Financial Markets in Europe (AFME) and the European Payment Institutions Federation (EPIF), released a joint statement in 2023 calling for the European legislature to avoid duplications and overlaps between the CRA and DORA.
In February 2025, the EACB published another study where it found that new and contemporary fields in financial services, such as digital finance and sustainable finance, have led to an influx of regulations further complicating the landscape and increasing compliance costs.
With the above in mind, and given the uncertainty surrounding the scope and structure of PSD3 and the PSR, their design must ensure not only internal coherence but also avoid contributing further to the existing patchwork of regulatory obligations. In light of the European Commission’s stated commitment to enhancing the competitiveness of the EU financial sector, it is essential that these forthcoming instruments prioritise legal clarity and regulatory proportionality.
At the same time, the European legislature must take a broader view to ensure that other regulatory areas — although outside PSD3’s immediate scope — are also developed in a way that avoids creating additional layers of complexity across the financial regulatory framework.
Why should you care?
The EBA’s no-action letter marks a pragmatic step forward in clarifying the obligations of CASPs dealing with EMTs. However, although the letter provides short-term regulatory relief, it does not alleviate long-term uncertainty. CASPs must now prepare for dual-authorisation obligations that may ultimately become obsolete once PSD3 and the PSR are in place, creating a risk that today’s compliance investments could require rapid adjustment in the near future. Firms must therefore remain agile, ready to adjust based upon the evolving regulatory regimes.
More broadly, this situation highlights a deeper, foundational issue in the EU’s financial regulatory framework: the proliferation of overlapping legislative regimes. As digital and sustainable finance evolve, the patchwork of compliance requirements — across MiCA, PSD2, PSD3, DORA, NIS2 and the CRA — is becoming increasingly complex, costly and difficult to navigate.
To mitigate this, future legislative reforms must do more than patch inconsistencies, they must strive for alignment and internal coherence across frameworks. This includes not only harmonising MiCA and PSD3/PSR but also addressing the broader issue of concurrent regulation that affects the financial sector.
