Europe’s payment services framework is undergoing its most consequential reform since PSD2. Following a political agreement in November 2025, PSD3 and the Payment Services Regulation (PSR) are now in their final legislative stages, with formal adoption and entry into force expected in early to mid-2026. The PSR, as a directly applicable regulation, will not require national transposition. The first enforcement wave, covering most SCA, fraud liability, and open banking obligations, is expected in late 2026 to early 2027.
For any organization involved in digital payments, account authentication, or financial service onboarding, PSD3/PSR is not a distant event. The 2026 to 2027 window is the critical readiness period for architectural decisions, SCA upgrades, and technology partner selection.
This article explains what PSD3 and PSR mean in practice for digital signatures and authentication, how the SCA framework is evolving, how PSD3 converges with eIDAS 2.0 and the EUDI Wallet, and how the solutions of Signaturit Group, a Namirial Company, are built to support compliance across the full payment services ecosystem.
1. From PSD2 to PSD3: Why the Update Was Necessary
PSD2, which entered into force in 2018, achieved significant results: it reduced card fraud through mandatory Strong Customer Authentication (SCA), opened banking data to third-party providers, and created the regulatory foundation for open banking in Europe. But seven years of practical implementation exposed persistent weaknesses.
SCA under PSD2 remained highly phishable. OTP (one-time password) delivery by SMS proved vulnerable to SIM-swap attacks, social engineering, and malware. Authentication flows were inconsistently implemented across Member States. APP (Authorised Push Payment) fraud, where a customer is deceived into authorising a fraudulent transfer, was not clearly addressed under PSD2 liability rules. And the open banking API ecosystem, despite its promise, remained fragmented and unevenly deployed.
PSD3 and PSR directly respond to these realities. Together, they represent an evolution rather than a revolution: reinforcing what worked under PSD2 and fundamentally tightening what did not. The key changes:
- Stronger and broader SCA: covering not just payments but logins, mandate setup, beneficiary management, and device recovery
- Expanded fraud liability: PSPs are liable for SCA failures, including where authentication is delegated to third parties
- Mandatory Verification of Payee (VoP): IBAN/name matching before every credit transfer
- Standardised open banking APIs: consistent, enforceable, and with performance parity across the EU
- Explicit alignment with eIDAS 2.0: QES and EUDI Wallet credentials recognised as valid SCA methods
📅 Key dates
- Political agreement: November 27, 2025
- Formal adoption and entry into force: early to mid-2026
- PSR first enforcement wave (SCA, fraud, open banking): late 2026 to Q1 2027
- PSD3 full national transposition: 2027 to 2028
- EUDI Wallet mandatory acceptance (parallel): December 2027
2. PSD2 vs PSD3/PSR: Key Changes at a Glance
The table below summarizes the most operationally significant changes for organizations managing digital authentication and payment workflows:
| Topic | PSD2 | PSD3/PSR |
| --- | --- | --- |
| SCA scope | Card and online payments only | Extends to logins, mandate setup, beneficiary changes, device recovery, and all high-risk account actions |
| Authentication factors | Two-factor principle (at least two of: knowledge, possession, inherence) | Biometrics can now combine physiological and behavioral factors; outcome-based approach formalized |
| Fraud liability | Limited; complex allocation between PSPs | PSP liable for SCA failures, including third parties delegated to perform SCA |
| Open banking APIs | Inconsistent implementation across Member States | Standardised, performance-parity APIs with explicit prohibited obstacles; FAPI security profiles |
| Delegated authentication | Not regulated | Explicitly permitted but classified as outsourcing; full EBA guidelines and DORA apply |
| EUDI Wallet / eIDAS 2.0 | Not in scope | Alignment with EUDI Wallet expected; QES and eIDs recognised as valid SCA methods |
| PSP impersonation fraud | Not specifically addressed | PSP liable when customer defrauded by impersonation of the PSP itself |
| Verification of Payee | Optional / inconsistent | Mandatory IBAN/name matching before credit transfer execution |
The net effect is a significantly heavier compliance burden on PSPs and their technology partners, combined with expanded liability for SCA failures up and down the chain, including delegated authentication providers.
3. The New SCA Framework: What Changes for Authentication
Strong Customer Authentication (SCA) is the heart of PSD3/PSR. The PSR retains the two-factor principle (at least two of: knowledge, possession, inherence) but significantly expands both its scope and its technical requirements.
Broader scope of SCA triggers
Under PSD2, SCA was primarily required for online payments and account access. Under PSR, SCA obligations extend to:
- All logins to payment accounts, not just payment initiation
- Setting up new payment mandates or recurring payment authorizations
- Adding or modifying a beneficiary (payee) to a trusted list
- Changing spending limits or account configuration
- Device recovery and re-enrolment flows
- Any action classified as “high-risk” by the PSP’s fraud monitoring system
Stronger factors and biometric expansion
The PSR formalizes an outcome-based approach to SCA: regulators will allow more flexibility, including broader use of Transaction Risk Analysis (TRA) exemptions, where a PSP can demonstrate consistently low fraud rates through risk-based controls. Critically, the PSR expands what qualifies as a valid inherence factor. Behavioral biometrics, including typing patterns, device handling, and browsing behavior, may now be formally combined with physiological biometrics to construct a valid second factor.
Delegated authentication: permitted, but regulated
One of the most significant clarifications in PSD3/PSR is the explicit allowance for Delegated Authentication (DA): a PSP can delegate the SCA process to a third party, such as a digital wallet provider, a payment gateway, or a trust service provider. However, this delegation is classified as outsourcing, triggering full compliance with EBA outsourcing guidelines and DORA requirements. The delegating PSP retains full liability for SCA failures.
⚖️ What this means for organizations using e-signature and authentication platforms
If your organization delegates SCA to a third-party platform, including a Qualified Trust Service Provider (QTSP) for certificate-based authentication, that relationship is now formally regulated as outsourcing. You retain liability. Your provider must meet DORA ICT risk standards, maintain audit rights, and demonstrate compliance with EBA guidelines. Choosing a certified QTSP as your authentication partner is not just a technical decision: it is a liability management decision.
4. PSD3/PSR and eIDAS 2.0: The Convergence That Matters Most
PSD3 and PSR do not exist in isolation. They are converging with two other major EU frameworks in a way that fundamentally reshapes the digital identity and payments infrastructure:
eIDAS 2.0 and the EUDI Wallet as SCA instruments
The EUDI Wallet, mandatory for all EU Member States by 2026 and for financial institutions to accept by December 2027, is explicitly positioned as a valid SCA instrument under the PSR framework. The wallet enables cross-border, high-assurance identity verification and authentication, satisfying both the possession and inherence requirements of SCA without the weaknesses of OTP-based methods.
This convergence creates a single shared infrastructure for KYC (via AMLR), authentication (via PSR), and identity verification (via eIDAS 2.0): the same qualified credential can satisfy obligations across all three regulatory frameworks simultaneously.
QES as a payment authentication method
Qualified Electronic Signatures, issued by a QTSP under eIDAS, provide a certificate-based authentication pathway that exceeds the security threshold of most PSD2 SCA implementations. Under PSR, QES-backed authentication is directly applicable for high-risk payment actions, mandate authorization, and regulated onboarding flows where identity certainty is paramount.
The AMLR connection: when KYC and SCA share the same identity
As the AMLR applies from July 2027, the overlap becomes particularly significant: financial institutions that accept the EUDI Wallet for KYC under AMLR Article 22 will also satisfy the PSR SCA requirement at the same time. Organizations that invest in a unified identity infrastructure now, rather than building separate systems for each regulation, will have a structural compliance advantage.
💡 The strategic opportunity
The convergence of PSD3/PSR, AMLR, and eIDAS 2.0 means that a single investment in qualified digital identity infrastructure, including QES, the EUDI Wallet, and certified authentication, can satisfy multiple regulatory obligations simultaneously. For financial institutions, fintechs, and payment service providers, this is not just a compliance play: it is an opportunity to reduce duplicated onboarding, cut SCA friction, and build customer trust on a foundation that regulators already recognize.
5. The Legislative Timeline: Your Readiness Window
The 2026 to 2027 period is the decisive readiness window. Key architectural decisions, SCA upgrades, and technology partner contracts signed now will determine compliance posture when obligations become enforceable:
| Date | Milestone | Practical implication |
| --- | --- | --- |
| November 2025 | Political agreement between EP and Council reached | Start of technical finalisation |
| Early–mid 2026 | Formal adoption and publication in Official Journal | PSR enters into force 20 days after publication (directly applicable); PSD3 transposition period begins (18 months) |
| Late 2026 / Q1 2027 | First PSR enforcement wave | Most SCA, fraud liability, and open banking obligations apply; EBA begins drafting RTS on SCA details |
| 2027–2028 | PSD3 full transposition | National rules in force across all Member States; full compliance expected |
| December 2027 (parallel) | EUDI Wallet mandatory acceptance | Financial institutions must accept EUDI Wallet as SCA-grade identity proof (eIDAS 2.0 Art. 5f) |
A practical note on the PSR/PSD3 split:
The PSR contains most operational rules (SCA, fraud, transparency, open banking) and will be directly applicable across the EU without national transposition, 20 days after publication.
PSD3 governs the licensing and supervision of payment institutions and will require national transposition over 18 months. This means core SCA and fraud obligations will be enforceable before national PSD3 rules are fully in place.
6. How Signaturit Group, a Namirial Company, Supports PSD3/PSR Compliance
As a Qualified Trust Service Provider (QTSP) under eIDAS, operating through Universign, Vialink, Validated ID, and Ivnosys, Signaturit Group, a Namirial Company, provides the authentication, signature, and identity infrastructure that payment service providers and financial institutions need to meet PSD3/PSR requirements.
Qualified Electronic Signatures and certificates for SCA-grade authentication
Signaturit Group, a Namirial Company, issues qualified certificates via Universign (France), Vialink (France), and Ivnosys (Spain), enabling organizations to deploy certificate-based authentication that exceeds PSD2 SCA standards and is directly applicable under PSR. Single-use (disposable) certificates, valid for the duration of a specific transaction, allow high-assurance signing and authentication without requiring permanent certificate storage, reducing friction for end users.
EUDI Wallet integration for cross-border SCA
Through Validated ID and the VIDwallet platform, Signaturit Group, a Namirial Company, is an active participant in the EUDI Wallet ecosystem. Our Verifiable Credentials (VC) infrastructure enables organizations to issue, manage, and verify wallet-based credentials that meet the high-assurance identity standard required for PSR SCA compliance, ahead of the December 2027 mandatory acceptance deadline.
Multi-factor authentication for payment account access
Our Certificate Management and Certificate Creation solutions provide a robust foundation for two-factor authentication flows, combining certificate-based possession factors with identity verification, covering the expanded SCA triggers introduced by PSR, from logins to beneficiary management and mandate setup.
eSign anywhere for regulated payment documentation
PSD3/PSR introduces expanded consent and mandate management obligations. Signaturit’s solution provides a legally binding, eIDAS-compliant platform for signing payment mandates, terms and conditions updates, and SEPA authorizations with full audit trail and QES support, satisfying both the SCA requirements for mandate setup and the evidential standards required in the event of a fraud dispute.
Qualified preservation for compliance evidence
PSR’s expanded fraud liability rules require PSPs to retain robust, tamper-proof evidence of SCA compliance for each transaction. The qualified digital preservation solutions of Signaturit Group, a Namirial Company, backed by certified long-term archiving, provide the audit trail infrastructure required to defend against fraud liability claims and demonstrate to supervisory authorities that SCA was correctly applied.
Solutions from Signaturit Group, a Namirial Company, mapped to PSR SCA requirements:
| Authentication method | PSR SCA relevance | Signaturit Group, a Namirial Company solution |
| --- | --- | --- |
| QES (Qualified Electronic Signature) | Satisfies SCA inherence + possession via identity certificate issued after rigorous verification. Directly applicable for high-assurance payment flows. | Certificate issuance (Universign, Vialink, Ivnosys) + eSignAnywhere integration |
| EUDI Wallet credentials | Recognized under eIDAS 2.0 as high-assurance identity; directly applicable for SCA as cross-border verified identity proof. | VIDwallet (Validated ID) + Verifiable Credentials platform |
| Multi-factor authentication (MFA) | Satisfies two-factor SCA requirement via possession + knowledge or inherence. Strengthened under PSR with biometric expansion. | Certificate Management + authentication layer |
| eID integration (SCA-grade) | Notified eIDs at “substantial” or “high” level qualify as possession/inherence factor combination under PSR SCA rules. | Certificate Creation + eID recognition via Universign/Vialink |
Conclusion: PSD3 Is an Evolution, Not a Revolution. But the Window for Readiness Is Now.
PSD3 and PSR build on PSD2’s foundations rather than dismantling them. But the changes to SCA scope, fraud liability, delegated authentication, and EUDI Wallet alignment represent a structural shift in the compliance requirements of any organization involved in European digital payments.
The 2026 to 2027 window is not a future planning horizon: it is the operational readiness period for decisions that need to be made now. Organizations that choose technology partners aligned with eIDAS 2.0, the EUDI Wallet, and AMLR requirements simultaneously will not only meet PSD3/PSR obligations; they will build the identity infrastructure that underpins the next decade of trusted digital transactions.
Signaturit Group, a Namirial Company, as a pan-European QTSP, is ready to support payment service providers, fintechs, and financial institutions through this transition: as a certified authentication partner, as an EUDI Wallet-ready identity platform, and as a qualified evidence preservation provider for the compliance obligations that follow.