EU Legislative Insights
Expert analysis of the EU legislation shaping Ireland’s Presidency agenda.
Matheson EU Legislative Insights is a fortnightly update focusing on key aspects of the legislative agenda during the course of Ireland’s Presidency of the Council of the European Union.
Every two weeks, Matheson experts will review a key piece of legislation to provide an “at-a-glance” summary of its strategic context, objectives and implications. Should you have any queries in respect of the contents of the update, please do not hesitate to contact your usual Matheson LLP contact or any member of our team detailed below.
In focus: Third Payment Services Directive and Payment Services Regulation
What are PSD3 and the PSR, and why do they matter?
On 28 June 2023, the European Commission published proposals for a Third Payment Services Directive (“PSD3“) and an accompanying Payment Services Regulation (“PSR“), initiating the most significant reform of the EU retail payments framework since PSD2. For Irish-authorised payment institutions, electronic money institutions and banks – many of which passport extensively across the Union – the package will have immediate and practical consequences: re-authorisation planning, tighter fraud and redress expectations, and a more prescriptive and enforceable open-banking regime.
The reforms respond to shortcomings that have become increasingly visible since PSD2 entered into application in 2018. Open banking has functioned, but unevenly. Payment fraud – particularly authorised push payment and impersonation scams – has increased materially. And directive-based implementation produced different outcomes across Member States, creating operational friction for firms operating on a cross-border basis and inconsistent supervisory expectations.
PSD3 and PSR address those issues by clearly separating who may provide payment services from how those services must be provided. PSD3 refreshes and consolidates the licensing, prudential and supervisory framework for payment institutions. The PSR, by contrast, moves the core conduct-of-business, transparency, fraud and market-access rules into a directly applicable Regulation. In practice, this materially reduces the scope for national divergence, raises minimum standards across the Union, and sharpens supervisory expectations around compliance and enforcement.
From an Irish perspective, the implications are particularly significant. Ireland is one of the EU’s principal authorisation hubs for payment institutions and electronic money institutions. A large cohort of firms regulated by the Central Bank of Ireland will be required to demonstrate compliance with a revised and more detailed framework within a defined re-authorisation window, whilst also adapting to regulation-based conduct rules that will apply uniformly across all Member States.
The PSD3 and PSR at a glance
| What they are | PSD3 and PSR — the most significant reform of the EU retail payments framework since PSD2 entered into application in 2018 |
| The legal instruments | PSD3 (a Directive requiring national transposition) and PSR (a Regulation, directly applicable across all Member States without national transposition) |
| Who it affects | Payment institutions, electronic money institutions, banks and account-servicing PSPs, consumers, and national competent authorities |
| Anticipated publication | Formal adoption and OJEU publication anticipated end Q2 2026 |
| Current stage | Final legal-linguistic review complete; Council ‘I’ Item Note issued 17 April 2026; formal adoption imminent |
| Application timeline | PSR applies 21 months after entry into force; PSD3 transposition deadline also 21 months after entry into force |
| Critical deadline | Firms authorised under PSD2 must submit re-authorisation information to their competent authority within 27 months of entry into force. Firms which remain non-compliant will be suspended from providing payment services until the competent authority has received and verified the necessary information. |
| Matheson key contacts | Joe Beashel and Ian O’Mara |
What problems is the PSD3/PSR package designed to solve?
The PSD3/PSR package is intended to address four specific shortcomings identified in the Commission’s review of PSD2:
| Problem Identified Under PSD2 | PSD3/PSR Response |
| Rising payment fraud — particularly authorised push payment and impersonation scams — and insufficient consumer protection | A higher bar for fraud prevention and consumer protection through enhanced monitoring obligations, stronger customer authentication measures, and changes to liability in impersonation and authorised push payment fraud scenarios; enhanced transparency around fees and charges; strengthened rights of redress for victims of unauthorised transactions |
| Uneven functioning of open banking, with obstacles to third-party access and inconsistent interface performance | A more workable open-banking framework by prohibiting defined categories of obstacle to third-party access, imposing performance standards on dedicated interfaces, and introducing consent dashboards allowing customers to manage and revoke data access |
| Supervisory fragmentation resulting from directive-based implementation producing divergent national outcomes | Reduced supervisory fragmentation by moving most conduct rules into a directly applicable Regulation rather than relying on national transposition |
| Unequal competitive conditions between banks and non-bank payment service providers | Competitive neutrality, ensuring equivalent payment services attract equivalent regulatory treatment regardless of provider type |
Where Are PSD3 and the PSR in the Legislative Process?
The legislative file is now close to completion. Following the provisional political agreement reached between the European Parliament and the Council on 27 November 2025, the agreed texts have moved through legal-linguistic review and translation.
On 17 April 2026, the Council circulated an ‘I’ Item Note alongside final compromise texts for both PSD3 and the PSR, inviting approval at COREPER with a view to agreement at second reading. Formal adoption by both institutions, followed by publication in the Official Journal of the European Union (the “OJEU“), is generally anticipated towards the end of Q2 2026.
Once published:
- the PSR will apply 21 months after entry into force (with certain obligations applying after a further 6 months, including payee name verification and liability for incorrect application of the verification service), and
- Member States will have 21 months to transpose PSD3 into national law.
For firms authorised in Ireland, the period between formal adoption and active supervisory engagement on re-authorisation and compliance readiness is therefore likely to be short.
