PSD3 and the PSR: what the EU payment-services overhaul changes — and when

The package has been in motion since June 2023 — closer than ever in 2026, but not yet law. On 28 June 2023 the Commission tabled two texts: PSD3 (a directive, COM(2023) 366) and the PSR — Payment Services Regulation (a directly-applicable regulation, COM(2023) 367) ^[1][2].

The path since: the European Parliament adopted its first-reading position on 23 April 2024; the Council reached a general approach in June 2024; on 27 November 2025 the co-legislators struck a provisional political agreement in trilogue; and the ECON committee approved the agreed text on 5 May 2026. The official status: “close to adoption” ^[5].

But: the agreement still has to be formally adopted by Parliament and Council and published in the Official Journal before it enters into force. Until then there is no binding application date — calibrate your programme to the agreed text now and you risk building on a non-final position. The law that applies today is still PSD2 plus the SCA-RTS.

The reform splits today's PSD2 regime into a directive and a regulation. PSD3 governs what needs national machinery: the authorisation, supervision and prudential requirements for payment institutions — transposed into national law. The PSR moves the substantive conduct, transparency, SCA and third-party-access rules into a directly-applicable regulation — the same harmonisation step seen in other EU single rulebooks: less national divergence, less supervisory arbitrage ^[1][2].

One structural change: the e-money regime (EMD2, Directive 2009/110/EC) would be folded into the payment-institution framework — e-money institutions would become a sub-category of payment institutions. This too is proposed, not enacted: today EMD2 still applies unchanged, and e-money institutions stay under their own regime until something is published in the Official Journal.

Fraud is front and centre: an extension of verification-of-payee (the IBAN/name match that warns the payer of a discrepancy) beyond instant payments, plus refund rules for impersonation (spoofing) fraud — for instance where a fraudster convincingly poses as the customer's bank and the customer reports it to the police ^[5].

Better open-banking access: mandatory, non-discriminatory API access for authorised third parties and a list of prohibited access obstacles. Plus refined SCA and accessibility requirements, and an ICT alignment with DORA for the operational resilience of payment and e-money institutions ^[1][2]. Separately, and also still in negotiation: the proposed FIDA Regulation (Financial Data Access, COM(2023) 360), which would extend the data-sharing principle beyond payment accounts to “open finance”.

Today, PSD2 (Directive (EU) 2015/2366) and the SCA-RTS (Commission Delegated Regulation (EU) 2018/389) apply unchanged — and the Instant Payments Regulation (EU) 2024/886 is already biting: euro-area PSPs have had to be reachable to receive instant euro transfers since 9 January 2025 and able to send since 9 October 2025, with verification-of-payee and charge parity; non-euro-area Member States follow in 2027 ^[3][4].

For PSD3/PSR the right posture is: track it as a status-tagged pipeline, don't treat it as law. Preparing a gap analysis against the agreed text is sensible; reshaping the programme before the text is in the Official Journal is premature — and once published there will be a transition period plus a large body of technical standards (RTS/ITS) that carry their own deadlines. That separation — law in force vs. proposed reform, with an explicit legislative status — is the heart of regulatory horizon scanning: catch every stage (proposal → EP → Council → trilogue → adoption → Official Journal → RTS), classify it, and route it to the team that owns it.