If you run a payments business that touches the EU, the single most consequential thing about the next regime is not a new feature requirement. It is a change in legal form. The conduct rules you ship against are moving from a directive that each member state rewrote into its own law, into a regulation that applies to you directly. That shift decides where you look for the binding text, how much national variation you have to engineer for, and who you argue with when the rule is unclear.
This lesson stays in the EU lane. The earlier module covered how a statute becomes an enforceable control in the abstract. Here we trace one concrete instance: the move from PSD2 to the paired PSD3 and Payment Services Regulation (PSR).
What PSD2 actually was, and where it leaked
PSD2 is a directive. A directive binds member states to a result, but leaves the form and method of implementation to each country. So PSD2 did not regulate your firm directly. Twenty-seven national transpositions did, plus the regulator guidance layered on top of each.
That design produced real divergence. The same SCA exemption, the same complaint-handling deadline, or the same definition of a technical service provider could read differently once it passed through national drafting. For a firm operating across borders, "PSD2 compliance" was never one thing. It was a matrix of national rulebooks that mostly agreed and occasionally did not.
The cost was not the rules themselves. It was maintaining a separate reading of each rule per country.
The split: a directive plus a regulation
The new regime breaks the old single instrument into two. This is the structural point of the whole module.
PSD3, the directive
PSD3 keeps the institutional and prudential side: authorization of payment institutions, governance, capital, safeguarding of client funds, and supervision. Because it is a directive, member states still transpose it into national law. Notably, PSD3 folds the separate e-money regime (the old EMD2) into a single licensing framework, treating e-money issuance as a category of payment institution rather than a parallel license class.
The PSR, the regulation
The PSR carries the conduct-of-business rules: information requirements, authorization and execution of transactions, SCA, fraud liability, and access to data. A regulation is directly applicable. It takes effect in national law without transposition and applies uniformly across all member states.
The provisional political agreement between the Parliament and Council was reached on 27 November 2025. Final compromise texts were published by the Council in April 2026, with adoption votes and publication in the Official Journal expected through mid to late 2026. Most of the regime is set to apply after a transition window measured from entry into force (sources cite figures in the 18 to 21 month range, so treat the exact count as not yet final until the Official Journal text lands).
What "directly applicable" changes for your firm
The practical consequences are specific, and they are mostly good for anyone who builds once and sells across the bloc.
The binding text is the EU regulation itself, not 27 national versions of it. Your compliance team reads one PSR article and the EU-level technical standards under it, rather than reconciling national gold-plating. National regulators still supervise you, but they are enforcing a common text, which narrows the room for divergent interpretation.
It also changes your change-management trigger. Under a directive, the clock that matters is each country's transposition date, which can stagger. Under a regulation, there is one application date for the conduct rules across the bloc. You plan one cutover, not a rolling country-by-country one.
The flip side: less local discretion cuts both ways. Where a national regulator previously read an exemption generously for your market, that latitude shrinks. Uniformity removes the favorable national gloss along with the unfavorable one.
A worked example: shipping the payee verification feature
Take one concrete obligation in the PSR: verification of payee, the check that the payee name matches the account identifier (the IBAN) before a credit transfer is authorized. Where there is a mismatch, the payer must be warned before they confirm. If the provider fails to give that warning and funds go astray, liability can shift to the payer's provider. For consumers the check must be free and return a result within seconds.
Now read that as a build task under each legal form.
Under the old directive model, your product team would ask: which national transpositions apply this, on what date, with what local wording on the warning text and the liability carve-outs? You would scope a feature with per-country toggles and a per-country go-live calendar.
Under the PSR, the obligation sits in one directly applicable regulation. You build one verification flow, one warning UX pattern, one liability model, against one article and its supporting EU technical standards. The notable nuance to flag in your project plan: the anti-fraud provisions like payee verification are expected to apply on a longer runway than the rest of the regime, reportedly 24 months from entry into force rather than the shorter general window. So even inside a single regulation, application dates are not uniform across all provisions. Map them per obligation, not per instrument.
That is the altitude shift in one feature. The legal form collapses a 27-variant build into a single build, but it does not collapse the timeline work. You still trace each obligation to its own application date.
The takeaway
The EU is not just rewriting payment rules. It is changing the container they ship in. Conduct rules move into a directly applicable regulation (the PSR), institutional rules stay in a directive (PSD3), and the old e-money regime folds into one license framework.
For a firm that ships, the working rule is simple: for conduct, read the PSR article and the EU technical standards as your binding text, build once, and key your cutover to the regulation's application dates rather than to national transposition. For licensing, governance, and safeguarding, you are still in directive territory, so the national transposition still matters. Knowing which half of the stack a given obligation lives in tells you where the authoritative text is and which clock you are racing.