PSD2
What is PSD2?
PSD2 and the detailed regulations based on it form the core of the regulation of payment service providers in Europe. The directive aims to contribute to greater competition and enhance the security of payment services. PSD2 provides greater transparency for users, contains security requirements for electronic payments, and introduces new payment services.
The directive came into force at the beginning of 2016. Member States had until the beginning of 2018 to incorporate the obligations into their national legislation. In the Netherlands, PSD2 has been implemented in the Financial Supervision Act(opens in new window) (Wft), in the accompanying delegated regulations, and in the Civil Code.
PSD2 has four main objectives:
- Contribute to a more integrated and efficient European payments market.
- Increase competition between payment service providers by allowing new parties to enter the market.
- Make payment transactions safer and more reliable.
- To better protect consumers and businesses.
Two of the most important changes are the introduction of Open Banking and strong customer authentication (SCA – Strong Customer Authentication). With Open Banking, a regulated third party can gain digital access to a payments account after obtaining the account holder’s explicit consent. SCA – or two-factor authentication – increases the security of online transactions by requiring the payer to identify themselves using two different factors, for example, a unique personal smartphone and a fingerprint.
The European Commission has published a brochure on consumer rights under PSD2. More information about banking with PSD2 can be found at DNB.
Evaluation of PSD2
In 2022, the European Commission launched a comprehensive evaluation of PSD2. This consisted of an external study, a report by the European Banking Authority (EBA), and a public consultation. The Dutch Payments Association, together with its members, submitted a response to this consultation.
Key findings:
- Consumers are at risk of online fraud and are losing confidence in online payments.
- The open banking framework is not functioning adequately.
- EU supervisors have inconsistent powers.
- There is an uneven playing field between banks and non-bank payment service providers.
Based on this, the European Commission published proposals for PSD3 and PSR (Payment Services Regulation)(opens in new window) in mid-2023.
PSR and PSD3
The Commission has chosen to split PSD2 into two parts:
- PSD3: Directive on payment services and electronic money services(opens in new window) .
- PSR: Regulation on payment services(opens in new window) .
Most of PSD2 falls under the PSR, which is directly applicable to member states in order to reduce differences in implementation.
The proposals aim to:
- Strengthen consumer protection against online fraud.
- Improve competition and innovation within open banking.
- Ensure uniform enforcement and supervision in the EU.
- Improve access to payment systems for non-bank payment service providers.
Key elements include:
- Mandatory compensation for bank helpdesk fraud.
- Adjustments to the open banking framework.
- Transfer of large parts of PSD2 from directive to regulation.
- Extension of rights for payment institutions.
The Dutch Payments Association has responded to the legislative proposals for PSR and PSD3 with the PSR/PSD3 task force (‘TFPSR’) set up for this purpose.
Current status of the legislative proposals
In March 2026, the European Parliament (EP), the Council of the European Union (‘Council’), and the European Commission (EC) concluded their political negotiations, also known as ‘trilogue’. This trilogue resulted in provisional legislative texts for PSR(opens in new window) and PSD3(opens in new window) .
The legislative texts will officially enter into force after a few formal steps. Both the EP and the Council must give their formal approval to the proposals. In addition, translators and legal experts will ensure accurate translations into all languages of the European Union.
We expect the legislative texts to officially enter into force in early 2027. After that, implementation timelines will apply to all member states, typically spanning 21 months.