Regulated firms across Europe can start to prepare in earnest for the new payments regulation framework, as the long period of high-level speculation ends and the roadmap for implementation becomes clear.
The Council of the EU’s release of the final compromise texts for the Third Payment Services Directive (PSD3) and the Payment Services Regulation (PSR) gives payments organisations operating in the bloc clarity on the forthcoming changes to how they are regulated.
The draft texts were presented to the Committee of Permanent Representatives of the Council in mid-April 2026, with a view to reaching an agreement at second reading with the European Parliament.
The package is intended to update and replace the rules under the current regime (originating in PSD2 and related legislation) to reflect the rapidly evolving payments landscape and merge existing rules into a more unified framework adapted to the digital transformation of the financial sector.
“The PSR and PSD3 fundamentally shift the EU payments regime from something that has been fragmented under PSD2 to a far more harmonised, prudentially robust and actively supervised framework,” Jimmie Franklin, a payments consultant at Paylume, told Vixio.
“Expectations have also been raised in areas such as fraud prevention and open banking, creating both challenges and opportunities for payment firms and banks alike.”
The framework moves open banking regulation forward significantly, with a shift from refining access rights under PSD2 to enforcing operational, security and accountability standards across the payments value chain.
In terms of fraud reimbursement, the new regime makes payment service providers (PSPs) that fail to implement appropriate fraud-prevention mechanisms responsible for covering customers’ losses.
In addition, it provides that large online platforms and search engines can be held liable to PSPs that compensate victims for fraud originating from fraudulent online content that the platform was notified about but failed to remove.
The framework also makes refinements to the rules on strong customer authentication (SCA) and the newly mandatory verification of payee (VoP), again seeking to bolster consumer protections and address the threat of fraudulent activity.
The impact of the drafts
Regulated firms in Europe and beyond will welcome the increased clarity created by the publication of the compromise drafts, after a long period of negotiation and speculation.
The changes introduced under the regime will directly affect how banks, fintechs and technical service providers operate across the single market, particularly in relation to data access, liability allocation and technical resilience.
In addition, the impact of the package will extend beyond the EU, given that Europe’s approach to regulation typically influences authorities’ thinking globally.
The PSR’s direct applicability is a key development, and should lead to a more uniform regulatory environment across the bloc. Compliance teams will have less scope to leverage variations in the application of the rules across member states, and firms will be subject to meaningful penalties for non-compliance – fines of up to 10 percent of annual turnover for legal persons for certain infringements, such as those relating to SCA.
Meanwhile, in seeking to bolster consumer protections, the new framework transfers significant risk to PSPs. Firms that fail to apply fraud-prevention measures such as SCA and transaction monitoring correctly will be liable for any losses from fraudulent transactions.
However, the new regime does not just increase the responsibility on PSPs. Payments firms have long argued that large online platforms should shoulder some of the burden, given that so much fraud originates on social media sites.
As covered by Vixio, a study by Juniper Research found that scam advertising generated almost 1trn impressions among European social media users in 2025, and this is set to rise to 1.4trn impressions by 2030 if current trends continue.
Making large online players such as Meta liable for failing to remove fraudulent content or support SCA will help to create a new cross-sectoral compliance landscape.
Payments firms will need to seek new authorisation under the merged electronic money institution (EMI) and payment institution (PI) regime established by PSD3. Transitional arrangements will smooth the process, but once the draft texts are formally adopted, there will be plenty of work to be done.
A benefit for firms authorised as crypto-asset service providers (CASPs) under the Markets in Crypto-Assets (MiCA) Regulation is that PSD3 allows them to resubmit information delivered during the application process for that licence, provided it is still up to date.
Further progression and timelines
Several procedural milestones lie ahead before the new payments regime formally comes into force. The remaining steps follow a standard EU legislative arc, although the regime does include specific transitional windows.
The next step will be for the compromise texts to be formally adopted by both the European Parliament and the Council of the EU. Given that political agreement was reached in late 2025, formal adoption is expected during 2026.
Once signed by the presidents of the Parliament and the Council, the final acts will be published in the Official Journal of the European Union.
The PSR will enter into force on the 20th day following its publication and most provisions will start to apply 21 months after this, although some of the more complex requirements, including those relating to VoP, have a longer lead time of 27 months.
Member states will have 21 months from the date of publication to transpose PSD3 into local law.
Immediate steps for regulated firms
Given that the compromise texts appear to be much as expected, regulated firms should already be well on the way to preparing for the implementation of the new regime.
Now is the time for relevant departments within PSPs, EMIs and other affected organisations to familiarise themselves with the details of the latest drafts and ensure they have everything they need in place.
Compliance teams should make sure they have mapped their existing fraud monitoring and IBAN-name matching capabilities against the new PSR requirements to identify technical gaps.
They must also review the updated authorisation requirements, including winding-up plans that include the return of safeguarded funds, to ensure they are ready for the re-authorisation window, which should open approximately 21 months after the directive’s entry into force.
In addition, firms should engage with the European Banking Authority (EBA), which is responsible for creating a significant body of secondary legislation. It must develop more than 40 regulatory technical standards (RTS) on topics such as SCA exemptions, data access interface and safeguarding risk management frameworks, and submit them to the European Commission within one year of the package’s entry into force.
Getting close to the EBA during this period will give firms visibility of the granular technical details in these areas, and may even enable them to influence the development of the RTS.
The new framework is designed to transition the payments industry in the EU from a fragmented, directive-based past to a harmonised, regulation-led future.
This will be a challenge for payments firms, but by prioritising technical agility and cross-sectoral cooperation, PSPs can place themselves in a strong position to compete as the new regime takes effect over the coming years.
That said, as Paylume’s Franklin notes: “Whether consumers ultimately engage more proactively with open banking solutions, or whether authorised push payment fraud materially declines, will depend on factors that sit beyond the direct control of legislators and regulators.”




