An Updated Look at What PSD3 and PSR Bring

The EU's payments framework is moving to its most significant update since PSD2 became applicable in 2018. The compromise texts for the Third Payment Services Directive (PSD3) and the new Payment Services Regulation (PSR) were published by the Council of the EU on 23 April 2026, marking the end of nearly three years of negotiations.

Together, the two are set to replace PSD2 and the Second Electronic Money Directive, updating how the EU governs authentication, fraud liability, customer data sharing, and the licensing of payment institutions.

This article covers what has been confirmed in the agreed texts, the timeline ahead, and the operational areas affected. The new rules are relevant to any business operating in the EU payments space, whether it operates in a single member state or across multiple markets.

From PSD2 to PSD3 and PSR

The biggest change in the package is how the rules themselves are organized. PSD2 was a single Directive, which meant each EU member state transposed it into national law individually. The new framework replaces this with two pieces of legislation, one covering who is allowed to provide payment services and how they are supervised, and another covering the rules those providers must follow when serving customers.

Key updates:

• PSD3 (Directive). Covers the licensing and supervision side. It sets the rules for who can be authorized to provide payment services in the EU, how those institutions must be governed, how much capital they need to hold, and how they are supervised by national regulators.
• PSR (Regulation). Covers the day-to-day rules those providers must follow once they are operating. It governs authentication, who is liable when something goes wrong, what information must be shared with customers, and updates rules for how open banking operates, including new controls for customers over who accesses their data. As a Regulation, it applies directly across every EU member state without each country having to write it into its own law.
• A single license type. The Second Electronic Money Directive, which currently governs how Electronic Money Institutions (EMIs) operate in the EU, is being repealed and its rules absorbed into PSD3. EMIs will now fall under the same license category as payment institutions, with e-money issuance treated as one of the services a payment institution can be authorized for. Stricter requirements apply where e-money is issued, such as higher minimum capital and additional safeguarding rules for the funds backing the e-money issued.
• Updated rules for open banking providers. Account information service providers (AISPs) are third-party platforms powered by open banking that consolidate bank account information, helping consumers track spending across multiple accounts and manage their budgets. The new framework clarifies how AISPs operate across EU member states.

Transitional arrangements will apply to existing payment and electronic money institutions as they move to the new framework.

Updates to strong customer authentication

The EU has been one of the leading forces behind strong authentication standards in online payments. Under PSD2, strong customer authentication (SCA) requires the user's identity to be verified using at least two independent factors drawn from three categories:

• Knowledge, something the user knows, like a password or PIN.
• Possession, something only the user has, like their phone or a payment card.
• Inherence, something tied to the user themselves, like a fingerprint or face scan.

The PSR refines this framework slightly. Two inherence factors, such as a face scan paired with a fingerprint check, will be permitted in combination (107b). The list of actions that trigger SCA is also clarified, with explicit reference to changes to spending limits (73c), the activation of a payment app on a new device (73e), and saving a card to a digital wallet (118).

Accessibility is addressed more explicitly. PSPs must offer multiple SCA methods, free of charge, suited to customers without a smartphone, with disabilities, with limited digital skills, or older customers (110).

Fraud liability and customer data

The agreed texts update several rules around who carries responsibility when fraud occurs, and around how customers see and control the parties that access their payment data. The main changes are:

• Impersonation fraud refund. Where a consumer is manipulated into authorizing a payment by a fraudster impersonating the consumer's PSP through that PSP's own channels (for example, by spoofing the PSP's phone number or email), the PSP is required to refund the consumer in full. The consumer must notify the PSP and the police without undue delay (80a).
• Verification of Payee. Before executing a credit transfer, the payer's PSP must check that the name supplied for the payee matches the account identifier provided. The service must be free of charge for users (70). This already applies to euro credit transfers under the Instant Payments Regulation since October 2025, and the PSR extends it to other credit transfer types (71).
• Permission dashboards. Consumers gain a single view of which third parties have access to their account data, with the ability to revoke that access (65). AISPs must re-authenticate consumers periodically to keep that consent current.
• Fraud data sharing between PSPs. The PSR creates a framework for PSPs to share information on unique identifiers linked to confirmed fraud (103), with data protection impact assessments (103a) and time-limited retention periods applying to that data (102a).

The road to implementation

The PSD3 and PSR package has been in motion since the European Commission first published its proposals in June 2023. The Parliament and Council reached a provisional political agreement in November 2025, the Council published the compromise texts on 23 April 2026, and the Parliament's ECON Committee approved both texts on 5 May 2026. The full Parliament plenary vote is expected to follow in the coming weeks, with publication in the Official Journal anticipated for around mid-2026.

The PSR enters into force 20 days after publication, with most rules applying 21 months after that. On that basis, most rules would begin to apply in 2028. Verification of Payee follows a longer 24-month transition period, applying somewhat later.

PSD3 and PSR build on more than a decade of EU work to advance how payments operate across the bloc, following PSD1 in 2007 and PSD2 in 2018. The agreed texts reflect how payment behaviors, technology, and fraud risks have shifted since PSD2 first came into force. The compromise texts for PSR and PSD3 are available on the Council of the EU's public register, alongside the European Commission's original 2023 proposals.

Talk to our team about your payment setup.