Launch Q3 2026
BearGuard®
BearGuard®
Governance & AI Guardrails
DE EN
Financial Market Regulation

PSD2 – Payment Services Directive 2

PSD2 (Directive 2015/2366) regulates payment services in the EU internal market, enabling Open Banking, strong customer authentication and third-party access.

LinkedIn X WhatsApp

Summary

The Payment Services Directive 2 (PSD2, Directive (EU) 2015/2366) is the central regulatory framework for payment services in the European internal market. It replaces the first PSD (2007/64/EC) and fundamentally modernises the rules for payment service providers to keep pace with the rapid evolution of electronic payments and new business models.

The groundbreaking element of PSD2 is the opening of payment services to third-party providers (TPPs). Account information service providers (AISPs) and payment initiation service providers (PISPs) receive regulated access to bank accounts through standardised interfaces (APIs) — the foundation of Open Banking in Europe. At the same time, PSD2 strengthens security through the introduction of strong customer authentication (SCA).

In November 2025, the European Parliament and Council reached a provisional political agreement on the successor frameworks PSD3 and the Payment Services Regulation (PSR), which will replace PSD2 in the medium term.

History

The European Commission published its proposal for PSD2 on 24 July 2013 to modernise the framework created by the first Payment Services Directive and adapt it to new market realities. After extensive negotiations, PSD2 was adopted by the European Parliament and Council on 25 November 2015 and published in the EU Official Journal on 23 December 2015 (OJ L 337). It entered into force on 12 January 2016. Member States transposed the directive into national law by 13 January 2018.

The strong customer authentication (SCA) requirements under the EBA's Regulatory Technical Standards (RTS) became applicable on 14 September 2019 after multiple deferrals, with some national authorities granting additional transition periods for e-commerce transactions until end of 2020. On 28 June 2023, the European Commission presented the payment services package, comprising PSD3 and the Payment Services Regulation (PSR). A provisional political agreement was reached on 27 November 2025; formal adoption is expected in early 2026.

Scope

PSD2 regulates the provision of payment services in the European internal market:

  • Payment service providers: Credit institutions, electronic money institutions, payment institutions, post office giro institutions and, under certain conditions, account information service providers
  • Payment services: Cash deposits and withdrawals, direct debits, credit transfers, card payments, payment initiation services (PIS) and account information services (AIS)
  • Third-party providers (TPPs): Regulated access to payment accounts for account information service providers (AISPs) and payment initiation service providers (PISPs) via dedicated interfaces
  • Geographic scope: Payment transactions within the EU/EEA and transactions involving third countries (one-leg transactions) where at least one payment service provider is located in the EU
  • Currency-neutral: Applies to payments in euro and all other currencies

Key Requirements

  • Strong customer authentication (SCA): Two-factor authentication for payment initiation and account access through a combination of knowledge, possession and inherence; dynamic linking for remote payments
  • Open Banking / account access: Account-servicing payment service providers must grant registered third-party providers access to payment accounts via secure interfaces (APIs)
  • Fraud protection and liability: Maximum liability of the payment service user capped at EUR 50 for unauthorised transactions; burden of proof lies with the payment service provider
  • Transparency obligations: Advance information on charges, exchange rates and execution times; prohibition of hidden fees
  • Surcharging ban: Prohibition of surcharges on payments with consumer cards of major card schemes
  • Access rules for payment systems: Objective, non-discriminatory and proportionate access rules for licensed payment service providers
  • Complaint handling: Payment service providers must establish an adequate complaint procedure and respond to complaints within 15 business days

Related Frameworks

MiFID II

Corrections & Errata

2026-QA-227 Clarification 20 March 2026
Orphan framework connected: PSD2 → mifid2

PSD2 had no connections. Linked to MiFID ecosystem as payment services directive.

Full details on the errata page →
2026-QA-164 Correction 18 March 2026
last_amended corrected (MiFID→PSD2 amendment)

last_amended corrected from 2024-03-28 (MiFID) to 2024-04-08 (Reg 2024/886)

Full details on the errata page →

Content last reviewed: 29 May 2026. Found an error or need an update? [email protected]