How European Payment Regulation Works
European payment regulation operates as a layered framework: EU-level directives and regulations set the baseline, national authorities transpose and enforce them, and industry bodies like the EBA issue binding technical standards that fill in implementation detail. No single law covers everything — compliance means satisfying multiple overlapping instruments at once. Understanding how each layer interacts is the foundation for building a compliant payment operation in Europe.
Understand the Regulatory Architecture
European payment regulation is built on directives (which member states must transpose into national law) and regulations (which apply directly without transposition). PSD2 is a directive; the forthcoming PSR under PSD3 will be a directly applicable regulation. Start by mapping which instruments apply to your business model, jurisdiction, and the payment methods you accept.
Obtain the Correct Licence or Exemption
Operating as a payment institution, e-money institution, or account information service provider in the EU requires authorisation from a national competent authority. Merchants who do not handle funds directly may qualify for a commercial agent exemption or a limited network exclusion, but these must be formally assessed. Operating outside a valid licence is a criminal offence in most member states.
Implement Strong Customer Authentication
Strong customer authentication (SCA) is required under PSD2 for most EU electronic payment transactions. SCA demands at least two independent factors from the categories of knowledge, possession, and inherence. Merchants must integrate with 3DS2-capable acquirers and understand the full matrix of exemptions — including low-value, low-risk, merchant-initiated, and recurring transaction exemptions — to balance security with conversion.
Establish AML and KYC Controls
The Anti-Money Laundering Directive (AMLD) — now on its sixth iteration — requires payment institutions to conduct customer due diligence (CDD), monitor transactions for suspicious activity, and file suspicious transaction reports with national financial intelligence units. Thresholds, enhanced due diligence triggers, and beneficial ownership verification rules all stem from this framework.
Comply with GDPR for Payment Data
Every payment event generates personal data. Under GDPR, payment service providers must have a lawful basis for processing, apply data minimisation, honour deletion requests, and maintain records of processing activities. Payment data retained for fraud prevention or legal purposes must be governed by explicit retention policies reviewed against GDPR proportionality requirements.
Align with SEPA Scheme Rules
SEPA credit transfers and direct debits are governed by scheme rulebooks published by the European Payments Council (EPC). These rules set formatting requirements (XML ISO 20022), execution timelines, and refund rights. PSPs operating in the SEPA zone must certify compliance with the applicable scheme on a recurring basis and update their systems as rulebooks are revised annually.
Monitor Regulatory Change Continuously
The EU payments regulatory landscape evolves constantly. The EBA publishes opinion papers, Q&As, and draft RTS on a rolling basis. PSD3 and PSR will restructure core obligations by 2026. Assign a regulatory horizon-scanning function — whether in-house or via a specialist firm — and subscribe to EBA and national authority update feeds to avoid being caught off guard by implementation deadlines.
Why European Payment Regulation Matters
The EU single payments market is one of the largest in the world, and the regulatory framework underpinning it directly affects revenue, conversion rates, and operational risk for every business that accepts European payments. Getting compliance wrong is not a theoretical risk — it has measurable commercial consequences at scale.
According to the European Central Bank's 2023 Payment Statistics report, the EU processed over 114 billion non-cash payment transactions in 2022, representing a total value of approximately €210 trillion. The scale of this market means that even marginal friction introduced by poorly implemented SCA flows results in billions of euros in abandoned transactions annually. The EBA's own monitoring reports found that card-not-present fraud declined by 56% in markets with mature SCA enforcement between 2019 and 2022, demonstrating the tangible security impact of the regulatory framework when implemented correctly.
A 2023 European Commission impact assessment for PSD3 found that fragmented national transposition of PSD2 created compliance cost overruns of up to 30% for payment institutions operating cross-border, underscoring why the shift to a directly applicable regulation matters for operational efficiency. For merchants, understanding this landscape is not optional — it determines which payment methods are available, what authentication flows are required, and how liability shifts in dispute scenarios.
European Payment Regulation vs. UK Payment Regulation
After Brexit, the UK retained a version of PSD2 known as UK PSD2 (via the Payment Services Regulations 2017) but has since diverged through the FCA's own roadmap. The table below highlights the key differences for merchants and PSPs operating across both jurisdictions.
| Dimension | EU (PSD2 / PSD3) | UK (PSR 2017 / FCA Roadmap) |
|---|---|---|
| Governing body | European Banking Authority (EBA) | Financial Conduct Authority (FCA) |
| SCA applicability | Mandatory for EU-issued instruments | Mandatory; FCA issued own SCA guidance |
| Open banking framework | PSD2 API access + FIDA (forthcoming) | FCA Open Banking, JROC roadmap |
| Upcoming reform | PSD3 + PSR (2026 transposition target) | FCA PSR review, Variable Recurring Payments |
| Data regulation | GDPR | UK GDPR (retained EU law) |
| AML framework | AMLD6 / AMLR (2024 package) | Money Laundering Regulations 2017 (amended) |
| Passporting | EU-wide single licence | No passporting post-Brexit; dual authorisation required |
| Dispute liability | Defined by PSD2 Article 73/74 | Mirrored in PSR 2017; FCA APP fraud rules added |
Merchants processing payments in both regions must maintain dual compliance programmes and cannot assume that EU-compliant processes automatically satisfy FCA requirements, particularly in areas like open banking API standards and APP fraud reimbursement obligations.
Types of European Payment Regulation
European payment regulation is not a single instrument but a family of laws that collectively govern the full payments lifecycle. Each targets a distinct dimension of the ecosystem.
Primary Directives and Regulations
PSD2 (Payment Services Directive 2) governs who can provide payment services, what authentication standards apply, and what rights consumers have in disputes. Its forthcoming successor PSD3/PSR will make key provisions directly applicable across all member states without national transposition variance.
Data and Privacy
GDPR sets the rules for how payment data — including cardholder PII and transaction metadata — is processed, stored, and shared. The forthcoming Financial Data Access (FIDA) regulation will extend open banking-style access rights to a broader range of financial data, including insurance and investment records.
Anti-Financial Crime
The AMLD framework (now AMLD6, with a consolidated AMLR package adopted in 2024) sets AML/CFT obligations including customer due diligence, transaction monitoring, and suspicious activity reporting. The new EU Anti-Money Laundering Authority (AMLA) will take over direct supervision of the riskiest cross-border financial institutions from 2025.
Infrastructure Rules
SEPA Regulation (260/2012) mandates SEPA credit transfer and direct debit reachability for euro-area PSPs. The Instant Payments Regulation (2024) requires euro-area PSPs to offer SEPA Instant Credit Transfer at no higher charge than standard transfers, with a compliance deadline phased through 2025–2027.
Market Integrity
The Markets in Financial Instruments Directive (MiFID II) applies where payment flows intersect with financial instrument trading. The Digital Operational Resilience Act (DORA), effective January 2025, imposes ICT risk management, incident reporting, and third-party oversight requirements on all financial entities including payment institutions.
Best Practices
Compliance with European payment regulation is an operational discipline, not a one-time project. The following practices reflect what high-performing merchants and payment engineering teams do differently.
For Merchants
Map your regulatory exposure before building. Identify which EU regulations apply based on your business model (marketplace, subscription, B2B, etc.), the payment methods you accept, and the jurisdictions you operate in. The compliance requirements for a German SaaS with recurring billing differ materially from a French marketplace with third-party sellers.
Optimise SCA exemption strategies. Blanket SCA application destroys conversion. Work with your acquirer and payment orchestration layer to apply Transaction Risk Analysis (TRA) exemptions, low-value exemptions (under €30), and merchant-initiated transaction (MIT) flags accurately. Monitor exemption decline rates — an issuer rejecting your TRA exemptions is an early warning signal.
Maintain contractual AML clauses with marketplace sellers. If you operate a marketplace, you may be classified as a payment institution under PSD2. Ensure seller onboarding includes KYC/KYB documentation collection, and maintain an audit trail that satisfies AMLD requirements.
Appoint a dedicated compliance owner. European regulatory change is continuous. Someone must own the EBA Q&A tracker, monitor national authority guidance, and translate regulatory updates into product and process changes before deadlines hit.
For Developers
Build SCA into your checkout architecture from day one. Retrofitting 3DS2 onto a checkout flow built without it creates technical debt and conversion problems. Use a payment SDK that surfaces 3DS2 challenge/frictionless outcomes and passes the correct authentication data fields to your acquirer.
Implement idempotency and data residency controls. GDPR requires that personal data — including payment metadata — be stored in compliant jurisdictions. Ensure your payment data pipeline uses EU-region infrastructure or adequately contracted third-country transfers. Build idempotency keys into all payment API calls to avoid duplicate charges in retry scenarios.
Log everything required by DORA. The Digital Operational Resilience Act requires financial entities to maintain detailed ICT incident logs and report major incidents to regulators within 4 hours of classification. Build structured logging into your payment processing pipeline with tamper-evident storage from the start.
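A hash-chained, HMAC-protected event log of the kind the tamper-evident storage requirement calls for, as an added example that is not code from this page or from Tagada. The log key, record fields and timestamps are constructed placeholders; the four-hour deadline helper uses the figure stated above.

```python
import hashlib
import hmac
import json
from datetime import datetime, timedelta

# Hypothetical key: in production it lives in a KMS/HSM, never in source.
LOG_KEY = b"placeholder-kms-managed-log-key"


def _entry_mac(prev_mac: str, seq: int, record: dict) -> str:
    # Canonical JSON so an identical record always produces the same MAC.
    body = json.dumps({"seq": seq, "record": record}, sort_keys=True,
                      separators=(",", ":")).encode()
    return hmac.new(LOG_KEY, prev_mac.encode() + body, hashlib.sha256).hexdigest()


def append_event(chain: list, record: dict) -> dict:
    """Append an event, binding it to the previous entry's MAC (hash chain)."""
    prev_mac = chain[-1]["mac"] if chain else "genesis"
    seq = len(chain)
    entry = {"seq": seq, "prev": prev_mac, "record": record,
             "mac": _entry_mac(prev_mac, seq, record)}
    chain.append(entry)
    return entry


def verify_chain(chain: list):
    """Return (ok, first_bad_seq). Detects edits, deletions and reordering."""
    prev_mac = "genesis"
    for i, entry in enumerate(chain):
        if entry["seq"] != i or entry["prev"] != prev_mac:
            return False, i
        expected = _entry_mac(prev_mac, i, entry["record"])
        if not hmac.compare_digest(expected, entry["mac"]):
            return False, i
        prev_mac = entry["mac"]
    return True, None


def initial_notification_deadline(classified_at_iso: str) -> str:
    """Major-incident initial notification: 4 hours after classification."""
    t = datetime.fromisoformat(classified_at_iso.replace("Z", "+00:00"))
    return (t + timedelta(hours=4)).isoformat().replace("+00:00", "Z")


def build_sample_chain() -> list:
    """Constructed sample: an authorisation followed by an incident classification."""
    chain = []
    append_event(chain, {"ts": "2025-03-01T10:00:00Z", "type": "auth",
                         "psp_ref": "demo-001", "amount_eur": 42.50, "sca": "tra"})
    append_event(chain, {"ts": "2025-03-01T10:07:30Z", "type": "ict_incident",
                         "severity": "major", "classified_at": "2025-03-01T10:07:30Z"})
    return chain
```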
Version-control your PSD2 API integrations. Open banking APIs are governed by EBA RTS on Strong Customer Authentication and Common and Secure Open Standards (CSC). These standards evolve. Tag your API integration versions and maintain a changelog that maps versions to the RTS revision they implement.
Common Mistakes
Treating SCA as a binary on/off switch. SCA has a detailed exemption framework. Merchants who apply SCA to every transaction leave conversion on the table; those who over-exempt face issuer soft declines and chargeback liability shifts. The correct approach is a dynamic exemption strategy calibrated to transaction risk score, ticket size, and acquirer TRA performance metrics.
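The dynamic exemption decision described here and in the merchant practices above, as an added example that is not code from this page or from Tagada. It goes slightly beyond the text by assuming the per-transaction and cumulative low-value caps and the TRA fraud-rate tiers from the PSD2 RTS on SCA; the risk cutoff and TRA decline-rate threshold are assumed merchant policy values, and issuer-side counters remain authoritative for the cumulative caps.

```python
from dataclasses import dataclass

# Assumed from the PSD2 RTS on SCA: Art. 16 low-value caps and Art. 18 TRA tiers
# (acquirer reference fraud rate in basis points -> maximum exemption threshold value).
LOW_VALUE_LIMIT = 30.00
LOW_VALUE_CUMULATIVE_LIMIT = 100.00
LOW_VALUE_COUNT_LIMIT = 5
TRA_TIERS = [(1, 500.00), (6, 250.00), (13, 100.00)]


@dataclass
class Txn:
    amount: float                   # EUR
    merchant_initiated: bool        # MIT flag: mandate was SCA-authenticated at setup
    risk_score: int                 # internal 0-100 fraud score, lower is safer
    cumulative_since_sca: float     # our estimate of EUR spent since last SCA
    count_since_sca: int            # our estimate of transactions since last SCA
    acquirer_fraud_rate_bps: float  # acquirer's reference fraud rate for remote cards
    tra_decline_rate: float         # share of recent TRA requests issuers rejected


def tra_ceiling(fraud_rate_bps: float) -> float:
    """Highest ticket size the acquirer's fraud rate allows under TRA, 0 if none."""
    for max_bps, etv in TRA_TIERS:
        if fraud_rate_bps <= max_bps:
            return etv
    return 0.0


def choose_sca_path(t: Txn, risk_cutoff: int = 40,
                    max_tra_decline_rate: float = 0.10) -> str:
    """Return the exemption to request, or 'challenge' to run full 3DS2 SCA."""
    # MITs are out of SCA scope: the mandate was authenticated when it was set up.
    if t.merchant_initiated:
        return "mit_out_of_scope"
    # Low-value: the per-transaction cap and both cumulative caps must all hold.
    if (t.amount <= LOW_VALUE_LIMIT
            and t.cumulative_since_sca + t.amount <= LOW_VALUE_CUMULATIVE_LIMIT
            and t.count_since_sca < LOW_VALUE_COUNT_LIMIT):
        return "low_value"
    # TRA: ticket size within the acquirer's tier, low risk, and issuers are not
    # soft-declining our TRA requests (the early warning signal noted above).
    if (t.amount <= tra_ceiling(t.acquirer_fraud_rate_bps)
            and t.risk_score < risk_cutoff
            and t.tra_decline_rate <= max_tra_decline_rate):
        return "tra"
    return "challenge"
```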
Assuming a single EU licence covers everything. A PSD2 payment institution licence from one member state provides passporting rights, but certain national requirements — including local language disclosures, national AML registrations, and Instant Payment scheme membership — require in-country action. Passporting does not mean zero local compliance obligation.
Ignoring GDPR in payment data pipelines. Many payment teams treat GDPR as a marketing problem. In practice, transaction logs, fraud signals, and chargeback records all contain personal data with defined retention limits. Failing to purge or anonymise this data within defined windows creates regulatory exposure that grows with transaction volume.
Conflating PSD2 open banking access with commercial open banking products. PSD2 mandates that ASPSPs (banks) provide API access to licensed TPPs. It does not mandate commercial terms, SLA quality, or feature parity with proprietary bank APIs. Building a product that depends on PSD2 API reliability without fallback mechanisms for API downtime is an architecture risk.
Deferring DORA readiness until the last quarter. DORA's ICT risk management and third-party oversight requirements took effect in January 2025. Payment institutions that treated DORA as a compliance checkbox rather than an engineering programme found themselves scrambling to retrofit incident classification workflows, third-party register maintenance, and penetration testing cadences under regulatory scrutiny.
European Payment Regulation and Tagada
Payment orchestration platforms sit at the intersection of multiple EU regulatory frameworks simultaneously, making compliance coordination a core architectural concern rather than a peripheral feature.
How Tagada Supports EU Regulatory Compliance
Tagada's payment orchestration layer is designed with EU regulatory complexity in mind. SCA exemption logic is configurable at the routing level, allowing merchants to apply TRA, low-value, and MIT exemptions dynamically across acquirers without custom development. Tagada routes transactions through open-banking connectors that maintain PSD2-compliant API integrations, automatically handling versioned RTS updates so merchants are not exposed to integration drift when EBA technical standards are revised. Audit logging meets DORA incident traceability requirements, and data residency controls ensure payment metadata remains within EU infrastructure boundaries for GDPR compliance. When regulatory changes require checkout or routing logic updates — such as the Instant Payments Regulation rollout — Tagada applies these centrally, reducing the compliance maintenance burden on individual merchant engineering teams.