The provisional political agreement on PSD3 (the third Payment Services Directive) and the PSR (Payment Services Regulation) was reached on 27 November 2025. Four months on, the legislative texts are being finalised for publication in the Official Journal of the European Union, expected in mid-2026. This article updates our earlier coverage of the agreement with the latest timeline and preparation guidance.

Where Things Stand (March 2026)

The trilogue texts are undergoing legal-linguistic review - the process of translating the agreed text into all 24 EU official languages and ensuring legal consistency. Publication in the Official Journal is anticipated in H1 2026, with some industry observers considering summer 2026 realistic.

Once published, the PSR (a Regulation, directly applicable) enters into force 20 days after publication, with a transition period of approximately 21 months before provisions apply. PSD3 (a Directive, requiring national transposition) gives member states 18 months to transpose into national law.

Updated Implementation Timeline

H1 2026: Final texts published in Official Journal

21 months after publication (~Q1 2028): PSR provisions start applying directly 18 months after publication (~Q4 2027): Member state transposition deadline for PSD3 Earliest full applicability: Second half of 2027 to early 2028, depending on publication date

Key Provisions Confirmed in Trilogue

The November 2025 agreement locked in several transformative provisions:

Fraud liability shift: PSPs become liable for fraud losses where they fail to implement adequate prevention mechanisms. This is the single most impactful change for the industry - it shifts the economics of fraud prevention from "nice to have" to "cost of doing business."

Mandatory Verification of Payee (VoP): Payee name-to-IBAN matching is codified into primary legislation, extending beyond the existing SEPA Instant Payments Regulation requirement.

Platform liability: Online platforms become liable in certain impersonation fraud scenarios, creating a new obligation for marketplaces and e-commerce platforms to participate in fraud prevention chains.

Full customer refund for impersonation fraud: If a customer reports to police and notifies their PSP, banks must provide full refunds for impersonation (spoofing) fraud. This goes further than PSD2's conditional refund provisions.

Cash access protection: Consumers can withdraw cash in shops without making a purchase, protecting cash access as physical bank branches decline.

Open banking evolution: The framework evolves PSD2's open banking provisions, though the full scope of data access requirements will depend on the parallel Financial Data Access (FIDA) regulation.

What Changed Between Proposal and Agreement

The European Commission's original June 2023 proposal underwent significant modifications during trilogue negotiations:

The fraud liability provisions were strengthened beyond the Commission's initial draft Platform liability was added during negotiations, extending fraud obligations beyond traditional PSPs The transition period was extended from the originally proposed 18 months to 21 months for the PSR, reflecting industry feedback on implementation complexity Cash access provisions were enhanced

What Firms Should Do Now

  1. Gap analysis: Map PSD3/PSR requirements against your current compliance posture. Key areas: fraud liability, VoP implementation, SCA requirements, data access obligations, licensing scope.

  2. Fraud prevention investment: The fraud liability shift means that transaction monitoring, behavioural analytics, and real-time intervention capabilities are no longer optional. Firms that underinvest will absorb losses that were previously borne by customers.

  3. VoP readiness: If you have not implemented Verification of Payee, start now. The SEPA Instant Payments Regulation already requires it for eurozone instant payments; PSD3/PSR extends it across all payment types.

  4. Platform compliance: E-commerce platforms and marketplaces should assess their exposure under the new platform liability provisions. This may require new fraud screening capabilities and closer integration with PSPs.

  5. Budget for 2027-2028: Compliance programme costs should be budgeted for FY2027-2028. The 21-month transition period sounds generous, but complex regulatory programmes (GDPR, PSD2, DORA) have consistently shown that implementation takes longer than expected.

Relationship to Other EU Regulations

PSD3/PSR does not exist in isolation. Firms should plan implementation alongside:

FIDA (Financial Data Access Regulation) - extends data sharing beyond payment accounts DORA (Digital Operational Resilience Act) - already in effect, affects ICT risk management EU Instant Payments Regulation - already in effect, mandates instant payment capability and VoP MiCA (Markets in Crypto-Assets) - already in effect for stablecoins

Key Takeaway

The 21-month transition period creates a false sense of comfort. Firms that wait until the Official Journal publication to begin planning will be behind. The prudent approach is to treat 2026 as the preparation year: understand requirements, size the compliance programme, and begin procurement. The provisions are known - only the formal publication date remains uncertain.

Sources: European Parliament - Payment Services Agreement; Linklaters - PSD3 Breakthrough: EU Legislators Agree Reforms; Regulation Tomorrow - PSD3 and PSR: From Agreement to 2026 Readiness; William Fry - PSR/PSD3: EU Payment Services Legislation Agreed.