
From PSD2 to PSD3… to PSD4? Tracking the Next Wave of Regulatory Updates for Europe

Published: 22.04.2025

Updated: 22.04.2025

Author: Erik Vasaasen

The evolution from PSD2 to PSD3 is just one thread in a much broader tapestry of European financial regulations that will continue to unfold through 2025 and 2026. When PSD2 first came into force, it introduced open banking, compelled banks to share account access with licensed third-party providers, and mandated the now-familiar concept of Strong Customer Authentication (SCA). While these measures reshaped the payment landscape and helped reduce fraud in many areas, PSD2 also left a range of issues, such as liability, customer onboarding friction and security loopholes, only partially resolved. By 2023 the European Commission saw the need to refine and extend PSD2's scope, and in June of that year it published the proposal that became PSD3. It carries forward many of the same goals but aims to plug remaining gaps in fraud prevention, clarify liability for unauthorised transactions, and address newer models such as BNPL (Buy Now, Pay Later) and embedded finance.

Waiting for the final PSD3 text

With 2025 under way, PSD3 is closer than ever to being finalised, and there is already talk of further refinements, sometimes referred to as PSD4. This steady churn of payment directives reflects the EU's recognition that technology moves too fast for any single legislative act to remain definitive for long. Fraudsters adapt, consumer needs shift, and new business models, such as highly contextual "invisible" payments or instant lending, push the boundaries of what earlier regulations anticipated. As a result, PSD3 aims not only to tighten the rules that PSD2 introduced but also to improve operational resilience and inclusivity, for example by requiring that SCA must not depend exclusively on a smartphone. It promises clearer responsibilities between banks, third-party providers and the technical service firms that underpin payment flows, so that consumers remain protected even when multiple parties are involved in one transaction.

DORA, AMLD and others

Of course, PSD3 is far from the only major regulatory initiative shaping Europe's financial ecosystem. The Digital Operational Resilience Act (DORA), which has applied since 17 January 2025, compels banks, fintechs and other market participants, as well as their critical ICT third-party suppliers, to bolster their cybersecurity defences, limit downtime, and rapidly report major incidents to regulators. Over the course of 2025, enforcement of DORA's key requirements will tighten, which means financial institutions must be able to demonstrate the resilience of their entire operational setup, including ICT risk management, testing and third-party oversight. In addition, the revised eIDAS regulation (eIDAS 2.0), adopted in 2024, and its European Digital Identity Wallet could eventually unify how citizens verify themselves across borders, potentially dovetailing with payment authentication so that SCA becomes part of a broader, secure identity framework. Markets in Crypto-Assets (MiCA), meanwhile, is bringing cryptocurrencies and digital assets under firmer regulation, promising consumer protections around stablecoins and new responsibilities for providers dealing with digital assets. And running parallel to all of this, the EU's new anti-money-laundering package (the sixth AML Directive together with the directly applicable AML Regulation) intensifies efforts against financial crime, requiring PSPs to implement ever more sophisticated real-time monitoring and stronger data-sharing mechanisms.

In addition to these sweeping reforms, the EU has also taken a decisive step toward modernising its payment landscape with the Instant Payments Regulation. Since 9 January 2025, payment service providers in the euro area must be able to receive instant credit transfers, and they may not charge more for an instant transfer than for a standard one. A key facet of this initiative is the introduction of a Verification of Payee (VoP) service, mirroring the Confirmation of Payee mechanism already in place in the UK, which checks that the payee name entered by the payer matches the holder of the destination account before the funds are sent. The obligations to send instant payments and to offer VoP apply from 9 October 2025, underscoring the EU's commitment to enhancing both security and consumer trust in an increasingly digital financial ecosystem.
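To make the VoP check above concrete, here is an added, illustrative implementation of the responding (payee's) PSP side. It is not code from Okay, Ozone API or the EPC scheme: it assumes the PSP can look up the holder name for an IBAN it services and answers with one of three outcomes (match, close match, no match), plus an error when the IBAN is malformed or unknown. The account ledger, names and threshold are constructed sample data (the IBANs are the well-known registry examples), and the IBAN check is the standard ISO 13616 mod-97 test.

```python
"""Illustrative Verification of Payee (VoP) check (added example, hypothetical PSP).

Assumptions: the responding PSP holds an IBAN -> account holder name ledger and
answers MATCH / CLOSE_MATCH / NO_MATCH, or an error for malformed or unknown IBANs.
All IBANs and names below are constructed sample data.
"""
import re
import unicodedata
from difflib import SequenceMatcher
from typing import NamedTuple, Optional

MATCH = "MATCH"
CLOSE_MATCH = "CLOSE_MATCH"
NO_MATCH = "NO_MATCH"
INVALID_IBAN = "INVALID_IBAN"
ACCOUNT_NOT_FOUND = "ACCOUNT_NOT_FOUND"

# Constructed sample ledger: accounts serviced by the responding PSP.
ACCOUNT_HOLDERS = {
    "NL91ABNA0417164300": "Jan-Willem de Vries",
    "DE89370400440532013000": "Müller Bau GmbH",
    "NO9386011117947": "Kari Nordmann",
}


class VopResult(NamedTuple):
    outcome: str
    # The real holder name is disclosed only on CLOSE_MATCH so the payer can
    # confirm a typo. It is never returned on NO_MATCH: doing so would turn
    # VoP into an oracle for enumerating who owns which account.
    holder_name: Optional[str]


def normalise_name(name: str) -> str:
    """Fold accents and case, drop punctuation, collapse whitespace."""
    decomposed = unicodedata.normalize("NFKD", name)
    folded = "".join(c for c in decomposed if not unicodedata.combining(c))
    cleaned = re.sub(r"[^a-z0-9 ]+", " ", folded.lower())
    return " ".join(cleaned.split())


def canonical_iban(iban: str) -> str:
    return iban.replace(" ", "").upper()


def valid_iban(iban: str) -> bool:
    """ISO 13616 check: move the first four characters to the end, map letters
    to digits (A=10 ... Z=35) and require the number to be 1 modulo 97."""
    iban = canonical_iban(iban)
    if not re.fullmatch(r"[A-Z]{2}[0-9]{2}[A-Z0-9]{11,30}", iban):
        return False
    rearranged = iban[4:] + iban[:4]
    as_digits = "".join(str(int(ch, 36)) for ch in rearranged)
    return int(as_digits) % 97 == 1


def verify_payee(iban: str, claimed_name: str, close_threshold: float = 0.85) -> VopResult:
    """Answer one VoP request for an IBAN / payee-name pair."""
    if not valid_iban(iban):
        return VopResult(INVALID_IBAN, None)
    holder = ACCOUNT_HOLDERS.get(canonical_iban(iban))
    if holder is None:
        return VopResult(ACCOUNT_NOT_FOUND, None)
    claimed, actual = normalise_name(claimed_name), normalise_name(holder)
    if claimed == actual:
        return VopResult(MATCH, None)
    # Fuzzy comparison catches typos and minor spelling variants.
    similarity = SequenceMatcher(None, claimed, actual).ratio()
    if similarity >= close_threshold:
        return VopResult(CLOSE_MATCH, holder)
    return VopResult(NO_MATCH, None)


if __name__ == "__main__":
    for iban, name in [
        ("NL91 ABNA 0417 1643 00", "Jan Willem de Vries"),   # punctuation/spacing differences
        ("DE89370400440532013000", "Muller Bau GmbH"),       # missing umlaut
        ("NO9386011117947", "Kari Nordman"),                 # one-letter typo
        ("NO9386011117947", "Ola Hansen"),                   # wrong person
        ("NL91ABNA0417164301", "Jan Willem de Vries"),       # mistyped IBAN
    ]:
        print(iban, repr(name), "->", verify_payee(iban, name))
```

Two design points matter here. First, a close match should be surfaced to the payer as a warning with the actual name to confirm, not silently treated as a pass; a no match should not disclose anything beyond the outcome. Second, the fuzzy threshold is a tuning decision for the PSP: too strict and legitimate transfers generate friction, too loose and misdirected payments slip through.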

In many ways, these measures respond to the same fundamental concern: how to maintain consumer trust in an era of relentless innovation. The wave of open finance—where data sharing goes well beyond the traditional bank account into areas like insurance, mortgages, and pensions—poses tricky questions about data consent, portability, and privacy. Embedded finance, which weaves financial services into seemingly unrelated apps and platforms, challenges older assumptions about who is the “issuer” or “service provider” in any given transaction. BNPL has soared in popularity but raised new concerns about transparency, consumer debt, and the need for robust authentication. Each of these trends brings new friction points that regulations aim to smooth out, ideally in a way that protects users without stifling innovation.


Bringing it all together

By the end of the year the cumulative effect of PSD3, DORA, eIDAS 2.0, MiCA, and the latest AML directives will likely be an even more closely integrated and security-conscious financial environment. The cost, of course, is complexity for institutions that must keep pace with overlapping rule sets and a persistent wave of deadlines. Yet this regulatory patchwork also creates opportunities for those that find efficient ways to incorporate these directives into a user-friendly experience. Seamless digital identity checks, frictionless fraud detection, and real-time compliance could become selling points rather than burdens. The earlier days of PSD2 showed that embracing regulation can actually spur creativity: new fintech platforms emerged, established banks built better apps, and consumers came to expect more control over their finances. In the same way, the next wave of rules might streamline how cross-border payments work, standardize identity verification, and reduce the friction around advanced services like embedded lending.

None of these changes will happen overnight. The EU’s legislative process is famously lengthy, and different member states will adopt measures at different paces. But if there is one overarching theme, it is the push for interoperability and end-to-end security. No single regulation can address every corner of today’s digital finance, which is why each new directive—be it PSD3, DORA, or eIDAS 2.0—tends to reference or complement the others. For financial institutions, it means recognizing that staying compliant is not just about checking a box. It is about preparing for a future where consumers expect their financial lives to work seamlessly, securely, and often without them even noticing.

When we revisit our earlier predictions about PSD3, it is remarkable to see many of them reflected in actual proposals. Regulators learned from the real-world limitations of PSD2 and realised that simply refining the language around SCA or open APIs would not be enough. That realisation has given rise to a broader set of rules covering operational resilience, digital identity, crypto assets and money laundering. While it can seem daunting, each regulation ultimately addresses a piece of the same puzzle: making digital finance both easy to use and difficult to exploit. Looking across 2025 and beyond, the vision is an ecosystem where your identity can be verified instantly across borders, where payment data and personal information are stored and exchanged with robust safeguards, and where criminals face fewer cracks to slip through. The path to that reality will require constant adaptation from banks, fintechs and regulators alike, but it holds the promise of a more trustworthy and efficient financial world for everyone involved.

At Okay, we recognise the challenges that embedded finance providers and fintechs face in keeping pace with an ever-evolving regulatory environment. That is why we are committed to supporting your offerings with tailored solutions and strategic partnerships, including partners that can help you with compliance and Open Finance. Our authentication technology and partner network are designed so that every customer interaction meets the relevant compliance requirements while streamlining your onboarding and transaction flows.

For example, with our partner Ozone API we can help simplify the implementation of Verification of Payee (VoP), allowing you to route transactions accurately and securely. Our partnership with MAQIT helps strengthen your compliance with IT regulatory frameworks such as DORA, so that your systems remain resilient amid increasingly complex demands. Get in touch with us if you want to learn more.