Watch out, PSD3 (Payment Services Directive 3) and PSR (Payment Services Regulation) are around the corner. The upcoming EU regulatory package will further harmonize digital payments in Europe, enhance their security, and promote competition. What can organizations already do to prepare?
We have collected 4 critical to-dos:
PSD3 will affect a broad range of actors within the European payments ecosystem:
Banks
Traditional (retail) and online banks remain among the core regulated entities under PSD3. However, this does not mean that there are no new obligations. Banks must implement fraud controls, update their IT infrastructure, and adapt to stricter liability regimes.
Payment service providers (PSPs)
Like banks, licensed third-party payment service providers should also be familiar with PSD2, but they must take into account the growing demands on their industry. Payment service providers will be required to implement more advanced transaction monitoring, information sharing, and customer verification procedures.
Payment institutions (PIs) and electronic money institutions (EMIs)
PIs and EMIs were governed by separate directive frameworks such as the E-Money Directive. PSD3 now introduces more comprehensive supervisory and prudential requirements and folds EMIs into a single PI license framework as a sub-category.
Open banking providers
Open banking providers benefited from PSD2 through open APIs for accessing customer account data. Now, these providers face enhanced requirements for operational resilience, fraud prevention, and customer protection.
Telcos and technical service providers
Certain technical intermediaries and digital platforms that previously operated in less clearly regulated spaces may now fall under stricter oversight if their activities are closely linked to payment processing or transaction execution.
Retail
Merchants may experience changes in authentication procedures, liability allocation, and payment processing standards, especially for online and instant payments.
Multinational companies
The PSR will apply directly throughout the EU. This significantly expands the practical reach and uniformity of payment rules. Companies operating across borders will therefore face a more harmonized but also more consistently enforced regulatory environment.
Failure to comply with new regulations is often a matter of timing. Companies that underestimate the complexity or put things off tend to start taking the necessary steps too late. It’s even worse when deadlines are simply forgotten. To ensure this doesn’t happen to you, be sure to keep the following timelines in mind:
Legislative phase: formal adoption and publication are expected in 2026.
Entry into force: PSD3 and PSR are expected to enter into force shortly after publication (typically ~20 days).
Implementation period: As a directive, PSD3 requires national transposition, typically within 18 months (possibly up to 24 months, depending on the final agreement). As a regulation, however, the PSR will be directly applicable throughout the EU after an 18-month transition period following publication.
Practical application: Full PSD3 compliance across the EU is expected by 2027–early 2028.
Among the changes introduced by PSD3, identification, authentication, and verification are key topics. The wider regulatory environment is becoming more stringent: DORA, AML/KYC, the EUDI Wallet, and strong customer authentication all require demonstrable integrity, identity assurance, and data quality. Instead of building isolated solutions for each regulation, institutions should establish a centralized trust layer that addresses multiple challenges simultaneously.
Qualified electronic signatures (QES) reverse the burden of proof, shifting liability risk in fraud cases away from the institution. Qualified electronic seals protect logs and approval workflows, directly supporting DORA requirements for integrity and auditability. At the same time, integrated trust services already fulfill many requirements that will become even stricter under PSD3 and FIDA.
Beyond compliance, the operational return on investment is significant: eliminating paper-based and branch-based signatures enables fully digital processes, from account opening to complex corporate lending. Trust services should therefore not be viewed merely as an IT expense, but rather as a form of insurance against regulatory fines and as the technical foundation for Open Finance and new digital revenue models.
By partnering with a qualified trust service provider, financial institutions can strengthen strategic risk management, create regulatory synergies, improve operational resilience, and accelerate return on investment through faster digital processes. Unlike simple digital contracts, qualified electronic signatures shift the burden of proof in cases of alleged fraud away from the bank, reducing liability risk.
Rather than building isolated solutions for each new regulation, such as PSD3/PSR or DORA for IT security or FIDA for data sharing, trust service providers establish a central trust layer that already supports strong authentication and data integrity requirements. In addition, securing system protocols with qualified electronic seals helps meet regulatory requirements for IT system integrity and creates a reliable audit trail. Once integrated, trust services enable fully digital processes without costly media breaks and can be deployed across business divisions to increase efficiency and support new revenue opportunities.
Swisscom Trust Services can serve as a practical trust layer for banks and fintechs that need to meet multiple regulatory requirements simultaneously. Qualified electronic signatures, qualified seals, and eIDAS-compliant onboarding can help create legally robust, fully digital customer journeys while supporting evidence, authenticity, integrity, and auditability across PSD3/PSR, AML/KYC, DORA, FIDA, and future wallet-based scenarios.