EMEA legal and compliance teams are entering their most demanding payments regulation cycle since PSD2. PSD3, PSR, DORA, and tightening EU AML requirements are no longer distant policy discussions – they are already reshaping day-to-day workloads and forcing closer collaboration with product and technology teams.
For many firms, 2026 will be the year when strategic regulatory decisions need to be finalised.
Key dates for 2026 planning:
- 27 Nov 2025 – PSD3/PSR political agreement finalised
- Summer 2026 – PSR enters force (20 days after EU Official Journal publication)
- 2027-28 – PSD3 applies after national transposition (18-24 months post-adoption)
Market demand is already reflecting this shift. Payments-related mandates with a PSD3/PSR focus have more than doubled between Q4 2025 and Q1 2026 as organisations begin preparing for the changes ahead.
The New Core: PSD3 and PSR
Following the 27 November 2025 trilogue agreement, PSR will apply quickly once published, while PSD3 will require 18–24 months of national transposition across EU member states.
In practice, this means 2026 becomes the critical preparation year: firms must begin adapting systems, governance structures, and licensing strategies well before PSD3 formally takes effect.
One of the most significant changes affects e-money institutions (EMIs), which will now operate under payment institution (PI) regulatory standards.
Key implications include:
- Capital requirements increasing 1.8–2.2x compared to current EMI levels
- 100% safeguarding of client funds, replacing variable thresholds
- Full PI governance and supervisory expectations
For many firms this will trigger a full review of their operating models, particularly where margins were built around lighter EMI regulation.
At the same time, the regulatory perimeter is tightening:
- Commercial agent exemptions will no longer apply to multi-sided marketplaces that control merchant pricing
- Limited network exemptions are restricted to €1M monthly turnover and must meet additional user diversity requirements
As a result, firms increasingly face clear strategic choices: upgrade licences, restructure services, or exit certain activities altogether.
Ozge Gurbuz, EMEA Legal & Compliance Specialist:
“For many firms, 2026 is when the real PSD3/PSR decisions need to be made. Supervisors are already expecting firms to demonstrate how they fit within the new perimeter. Organisations that delay those reviews risk finding themselves on the back foot once enforcement begins.”
Fraud, Liability, and Customer Journeys Under PSR
PSR significantly strengthens the regulatory focus on fraud prevention, particularly around authorised push payment (APP) scams.
Key changes include:
- Refund timelines reduced to 48 hours (from 7 days under PSD2)
- Consumer liability capped at €50 per incident
- Online platforms potentially sharing liability for fraudulent transaction flows
This shifts fraud prevention from being primarily operational to a board-level regulatory concern.
Legal teams are typically prioritising three areas of work:
- Customer terms and conditions
Updating liability allocations and reflecting new 5–15 day redress timelines.
- Platform contracts
Defining responsibilities for fraud monitoring, content removal, investigation cooperation, and data sharing between providers.
- Product design and authentication
Embedding stronger SCA controls, transaction monitoring, velocity checks, and behavioural biometrics without creating friction in customer journeys.
Ozge notes:
“Authentication changes now sit right at the intersection of legal, product, and compliance. If product teams aren’t involved early in those discussions, the risk is that security improvements start to impact conversion rates.”
Licensing, Exemptions, and the Shrinking “Grey Zone”
PSD3 and PSR significantly narrow the scope for creative interpretations of regulatory exemptions.
For example:
- Platforms controlling merchant selection or pricing can no longer rely on the commercial agent exemption
- Limited network arrangements risk breaching thresholds once user bases or transaction volumes expand
As these exemptions tighten, boards are increasingly debating questions such as:
- Whether marketplace dynamic pricing constitutes payment initiation services
- Whether loyalty wallets have grown beyond exemption thresholds
- How regulatory responsibility should be shared within embedded finance partnerships
Ozge explains:
“In practice, the grey areas are shrinking. Supervisors increasingly expect firms to take a clear position on whether they are inside or outside the regulatory perimeter – and to document that analysis thoroughly.”
Many organisations are therefore launching dedicated perimeter-mapping and re-licensing programmes to assess future regulatory exposure.
DORA and the Operational Resilience Overlay
Alongside PSD3 and PSR, the Digital Operational Resilience Act (DORA) introduces new obligations related to technology risk and third-party dependencies.
Key requirements include:
- 72-hour incident reporting
- Mandatory audit rights over critical technology providers
- Contractual termination and contingency provisions for key ICT suppliers
For legal teams this means embedding ICT risk clauses across outsourcing and technology agreements, while demonstrating board-level oversight of resilience testing programmes.
Ozge comments:
“DORA isn’t just a technology exercise. Legal teams play a central role in ensuring outsourcing and supplier contracts meet the new standards. Firms that treat these programmes separately will struggle once resilience testing begins.”
Many organisations are now bringing DORA, PSD3/PSR, and AML initiatives under a single regulatory change governance framework.
Building the 2026 Regulatory Stack
The organisations handling this transition most effectively are treating the upcoming changes as one interconnected regulatory programme, rather than separate compliance projects.
In practice this often includes:
- Regulatory exposure mapping linking products, revenue streams, and transaction volumes to specific regulatory obligations
- Centralised regulatory dashboards giving C-suite leaders visibility across multiple regulatory programmes
- Scenario testing that evaluates the combined impact of PSD3, DORA, and AML controls
What “Good” Looks Like in 2026
Across the market, stronger legal and compliance functions are typically characterised by four capabilities:
- Quantified regulatory exposure
Clear mapping between transaction flows, revenue lines, and regulatory obligations.
- Integrated governance
Regulatory change offices coordinating legal, compliance, risk, product, and technology teams.
- Data-driven fraud strategy
Fraud controls and thresholds informed by actual transaction and incident data, rather than purely theoretical risk models.
- Early product collaboration
Compliance specialists participating in product design and development cycles from the earliest stages.
Connect with our Legal & Compliance Specialists
For further support and market insights on legal and compliance hiring, please get in touch with our global legal and compliance specialists.


