
The Overhaul of the PSD2 Framework: Progress and Implications for Payment Services in the EU

By Dr Kelly Fenech, Founding Partner, GKF Legal. October 2025

The European Union’s Payment Services Directive 2 (PSD2), introduced in 2015 and transposed into national laws by 2018, revolutionised the payments landscape by promoting open banking, enhancing consumer protection, and fostering competition. However, as digital payments have surged and new risks emerged, the framework has shown its limitations, prompting a comprehensive overhaul. This revision, encompassing the proposed Payment Services Directive 3 (PSD3) and the accompanying Payment Services Regulation (PSR), aims to address gaps in PSD2 while adapting to technological advancements and evolving threats like fraud.

As of late September 2025, the legislative process is advancing steadily, with the Council of the EU having agreed its position in June 2025, followed by COREPER’s approval of amended texts in early September. This sets the stage for inter-institutional negotiations, or trilogues, between the European Parliament, Council, and Commission. At GKF Legal, we have advised numerous clients in the payments sector—from fintech innovators to established institutions—on preparing for these changes. This article provides a concise overview of the PSD2 overhaul, its key elements, the current stage of development, and strategic considerations for stakeholders.

The Rationale and Origins of the Overhaul: From PSD2 to PSD3 and PSR

PSD2 sought to create a single market for payments by mandating banks to open their infrastructure to third-party providers (TPPs) via application programming interfaces (APIs), thereby enabling account information services (AIS) and payment initiation services (PIS). It also introduced strong customer authentication (SCA) to bolster security. Yet, implementation challenges, including inconsistent API standards and rising fraud, highlighted the need for reform.

In response, the European Commission launched a review in 2020, culminating in proposals for PSD3 and PSR in June 2023. PSD3, as a directive, will require transposition into member states’ laws, focusing on national adaptations, while the PSR, as a regulation, will apply directly across the EU, ensuring uniformity in core rules. This dual approach addresses PSD2’s fragmentation issues. By mid-2025, the proposals had evolved through consultations, with emphasis on fraud prevention, open banking enhancements, and better enforcement.

Scope and Key Changes: Strengthening the Payments Ecosystem

The overhaul expands PSD2’s ambit while refining its mechanisms. It applies to payment service providers (PSPs), including banks, electronic money institutions (EMIs), and payment institutions (PIs), with extraterritorial effects for non-EU firms serving EU customers.

Principal reforms include:

  • Fraud Mitigation: Enhanced SCA rules, including dynamic linking for high-value transactions, and new liability frameworks to combat authorised push payment (APP) fraud. PSPs must implement transaction monitoring and share fraud intelligence.
  • Open Banking Improvements: Mandatory standardised APIs with improved performance metrics, plus a new “open banking permission dashboard” for consumers to manage consents. This builds on PSD2’s access-to-accounts (XS2A) provisions but introduces fees for premium APIs.
  • Licensing and Passporting: Streamlined authorisation processes, with PSD3 harmonising national variations in capital requirements and safeguarding rules. The PSR introduces direct EU-level enforcement for cross-border issues.
  • Consumer Protection: Stricter transparency on surcharges, clearer dispute resolution, and protections against “de-banking” for vulnerable users.
  • Scope Expansions: Inclusion of buy-now-pay-later (BNPL) schemes under lighter regulation and clearer rules for crypto-asset payments, aligning with the Markets in Crypto-Assets Regulation (MiCAR).

Exclusions remain for certain intra-group payments and limited network schemes, but the framework’s proportionality principle scales obligations for smaller entities.

Current Stage of Development: Where We Stand in September 2025

The legislative journey began with the Commission’s 2023 proposals, followed by the European Parliament’s adoption of its negotiating position in April 2024. The Council progressed more deliberately, publishing compromise texts in June 2025 and securing COREPER endorsement in September. This paves the way for trilogue negotiations, expected to commence in October 2025 and conclude by early 2026.

Once agreed, PSD3 will require transposition within 18-24 months, while the PSR will apply directly six months post-publication. Enforcement is not anticipated before 2027, allowing a transitional period for compliance. Delays could arise from debates on fraud liability sharing or API remuneration, but momentum suggests timely adoption. Member states, including Malta, are already preparing national consultations to align with the changes.

Compliance Challenges and Enforcement: Anticipating Hurdles

Transitioning to PSD3/PSR will demand significant investments in technology and processes. Legacy systems may struggle with enhanced API requirements, while fraud detection mandates could increase operational costs. Cross-border PSPs face harmonised but stricter passporting scrutiny, with the European Banking Authority (EBA) gaining expanded supervisory powers under the PSR.

Enforcement will involve national competent authorities (NCAs) for PSD3, coordinated by the EBA, with penalties up to 10% of turnover for serious breaches. Common pitfalls may include inadequate consent management or failure to integrate fraud-sharing mechanisms. At GKF Legal, we recommend early gap analyses and pilot testing to mitigate risks.

Strategic Implications: Opportunities in a Revamped Market

This overhaul is not mere refinement—it’s a catalyst for innovation. Compliant PSPs can capitalise on improved open banking to develop value-added services, such as embedded finance or AI-driven fraud tools. For non-bank providers, the PSR’s uniform rules reduce entry barriers, potentially boosting competition.

In the broader EU economy, the reforms aim to cut fraud losses (estimated at €20 billion annually) and enhance consumer trust, supporting the Digital Finance Strategy. Non-EU firms should monitor equivalence discussions, as alignment could facilitate market access.

At GKF Legal, we see this as a pivotal shift: proactive adaptation will position firms to lead in a €1.5 trillion payments market.

Navigating the Changes with GKF Legal

As trilogues unfold, PSD3/PSR demands forward planning—from API upgrades to compliance roadmaps. GKF Legal has guided over 40 payments clients through similar transitions, blending regulatory expertise with practical fintech advice.

If the PSD2 overhaul is impacting your strategy, we are here to assist. Book a confidential consultation at info@gkflegal.com. In the evolving payments arena, informed guidance is indispensable.

Dr Kelly Fenech is a Founding Partner in GKF Legal’s Financial Services Practice, specialising in EU payments regulation. The views expressed are his own and do not constitute legal advice.