PSD2 has been the regulatory backbone of European online payments since 2019. Strong Customer Authentication, 3DS2, transaction risk analysis exemptions, by now most Dutch online retailers have absorbed the friction and adapted their checkout flows accordingly.
But PSD2 is being replaced. PSD3 and the accompanying Payment Services Regulation (PSR) are on their way, and the timeline is tighter than many retailers realise.
Where PSD2 stands today
PSD2 introduced Strong Customer Authentication as its most visible change for e-commerce. Every online transaction above €30 requires the consumer to verify their identity using two of three factors: something they know, something they have, or something they are. The intent was to reduce fraud. The side effect was checkout friction, and for many retailers, a measurable drop in conversion.
The exemptions, transaction risk analysis, low-value transactions, recurring payments, merchant-initiated transactions, provided some relief, but their application varied significantly across PSPs and acquirers. Getting the right exemption strategy in place has been, and remains, one of the most commercially valuable optimisation levers available to online retailers.
What PSD3 and the PSR change
In November 2025, the European Parliament and the Council of the EU reached provisional political agreement on PSD3 and the PSR. Final publication in the Official Journal is expected in the first half of 2026, with the new regime entering into force in 2027 after an 18 to 21 month transition period. Full applicability is targeted for mid-to-late 2027.
The most significant structural change is the introduction of the PSR as a directly applicable regulation across all EU member states. Where PSD2 required national transposition, creating fragmentation and inconsistent interpretation across markets, the PSR sets uniform rules that apply directly without the need for national legislation. For retailers operating across multiple European markets, this is a meaningful simplification.
Key changes relevant to online retailers include:
Stronger fraud liability rules. PSPs will face tighter obligations around fraud prevention and liability, particularly for APP fraud and authorised push payment scams. The liability framework shifts in ways that will affect how PSPs price their services and structure their fraud controls.
IBAN-name verification. The IBAN-name check, already introduced under the Instant Payments Regulation, becomes a standard requirement. This reduces misdirected payments but adds a verification step to payment initiation flows.
Improved SCA exemptions. The PSR refines the transaction risk analysis framework, and there is expectation that the revised rules will give retailers and PSPs more room to apply exemptions intelligently, reducing unnecessary authentication friction for low-risk transactions.
Unified licensing for payment institutions and e-money institutions. PI and EMI licences merge under PSD3, simplifying the regulatory landscape for payment service providers. For retailers, the practical impact is that their PSPs may restructure their legal entities and service agreements in the transition period.
What this means for your payment setup right now
PSD3 and the PSR do not take effect until 2027 at the earliest. But the transition period starts from the moment the texts are published in the Official Journal, which is expected in the first half of 2026. That means the clock is already running.
For Dutch online retailers, the priority right now is not PSD3 compliance. It is making sure the current PSD2 setup is actually optimised before the new rules arrive. Authorization rates, 3DS routing, exemption strategies, and PSP contract terms are all areas where significant value is being left on the table under the current framework.
When PSD3 and the PSR come into force, the commercial terms with your PSP will need to be renegotiated anyway. Starting that conversation now, with a clear picture of your current performance and cost base, puts you in a significantly stronger position.
The bottom line
PSD2 changed how Europeans pay online. PSD3 and the PSR change how the rules are made and enforced. For retailers, the transition is an opportunity to reset the commercial relationship with your payment providers before the new framework locks in new terms.
If you want to understand what your current PSD2 setup is actually costing you in lost conversions and excessive fees before PSD3 arrives, that is exactly what EcomStream assesses.
