Europe’s payment services framework is undergoing its most significant overhaul since PSD2. Following the political agreement of November 2025, PSD3 and the Payment Services Regulation (PSR) are now in their final legislative stage. Formal adoption and entry into force are expected in early to mid-2026. The PSR, as a directly applicable regulation, will not require national transposition and will trigger the first enforcement wave, covering SCA, fraud liability, and open banking obligations, in late 2026 to early 2027.
At Namirial, we see PSD3/PSR as one of the clearest examples of what we described in our predictions for 2026: payments, digital identity, and Strong Customer Authentication are converging into a single trust infrastructure. The regulatory frameworks are not parallel tracks anymore. PSD3/PSR, AMLR, and eIDAS 2.0 are converging around a shared architecture for identity verification, authentication, and transaction authorization. Organizations that build for this convergence today will hold a structural compliance advantage tomorrow.
This article explains what PSD3 and PSR mean in practice for authentication, digital signatures, and identity infrastructure, how the SCA framework evolves under the PSR, how the EUDI Wallet and QES become first-class SCA instruments, and how Namirial’s platform addresses every layer of these requirements.
Why PSD2 needed an update: the authentication gap
PSD2 delivered genuine progress: it introduced SCA, created the legal foundation for open banking, and reduced card fraud rates. But its practical implementation exposed persistent structural weaknesses that PSD3 and PSR directly address.
The most critical failure was SCA quality. OTP delivery by SMS proved highly phishable: SIM-swap attacks, social engineering, and mobile malware made SMS-based SCA a weak defense against the industrialized fraud that characterizes today’s threat landscape. Meanwhile, open banking APIs were implemented inconsistently across Member States, liability for Authorized Push Payment (APP) fraud remained unclear, and delegated authentication had no regulatory framework at all.
PSD3 and PSR are a targeted response to these failures. The key changes:
- Broader and stronger SCA: covering logins, mandate setup, beneficiary management, device recovery, and all high-risk account actions.
- Expanded fraud liability: PSPs bear responsibility for SCA failures, including where authentication is delegated to third parties.
- Mandatory Verification of Payee (VoP): IBAN/name matching required before every credit transfer.
- Standardized open banking APIs: enforceable performance parity, with obstacles explicitly prohibited.
- Formal alignment with eIDAS 2.0: QES and EUDI Wallet credentials recognized as valid SCA methods.
- PSP impersonation fraud liability: PSP responsible when a customer is defrauded through impersonation of the PSP.

PSD2 vs. PSD3/PSR: The Operational Changes
The table below maps the most operationally significant changes for organizations managing digital authentication, payment workflows, and identity infrastructure:

The combined effect is a substantially heavier compliance burden on PSPs and their technology partners, with expanded liability flowing down the delegation chain. For organizations providing SCA services to PSPs, including QTSPs, IAM providers, and wallet operators, PSD3/PSR is a direct regulatory event, not a downstream consideration.
The SCA evolution: from passwords to phishing-resistant authentication
Strong Customer Authentication under the PSR retains the two-factor principle, at least two of knowledge, possession, and inherence, but significantly raises the bar for what each factor must deliver.
The core problem PSR solves: OTP is no longer sufficient
Under PSD2, most institutions satisfied SCA with a password (knowledge) plus an SMS OTP (possession). This combination proved deeply vulnerable. SMS interception, SIM-swap fraud, and malware-enabled OTP capture made SMS-based SCA a primary attack vector. The PSR responds by raising the quality bar for authentication factors and by formalizing an outcome-based approach: PSPs that demonstrate consistently low fraud rates, through robust Transaction Risk Analysis (TRA), will gain access to broader exemptions. But the bar for demonstrating that low fraud rate has also risen.
Behavioral biometrics as a formalized SCA factor
The PSR formalizes a significant expansion of what constitutes a valid inherence factor. Behavioral biometrics, including typing patterns, device handling dynamics, and browsing behavior signals, may now be formally combined with physiological biometrics to constitute a valid second factor. This opens the door to fully frictionless SCA for low-risk actions, where risk-adaptive authentication can silently verify the user without any active gesture.
Delegated SCA: innovation permitted, liability retained
The PSR explicitly allows Delegated Authentication (DA): a PSP can delegate SCA to a third party, such as a digital wallet operator, a payment gateway, or a trust service provider. This is a significant enabler for embedded finance and open banking innovation. However, the PSR classifies delegation as outsourcing, triggering full EBA outsourcing guideline compliance and DORA ICT risk requirements. The delegating PSP retains full liability for SCA failures.

The convergence that defines the decade: PSD3, eIDAS 2.0, and AMLR
As we wrote in our predictions for 2026, the most consequential development in European digital trust is not any single regulation, but the convergence of three frameworks around a shared identity infrastructure:
PSD3/PSR: authentication must be strong, delegated with care, and phishing-resistant
SCA obligations become directly enforceable via the PSR in late 2026. The quality of authentication factors, the liability for delegation, and the fraud monitoring requirements set a new baseline for every PSP operating in the EU.
eIDAS 2.0: the EUDI Wallet becomes a first-class SCA instrument
Under Article 5f of eIDAS 2.0, financial institutions must accept the EUDI Wallet as a valid authentication method by December 2027. This is not a future scenario; it is a binding obligation with a hard deadline, although some grey areas remain to be defined, since the eIDAS wording ("strong user authentication") differs from, and is less detailed than, the wording needed for payment and financial regulations. Wallet-based credentials, issued by QTSPs and verified against eIDAS assurance levels, satisfy the PSR SCA possession and inherence requirements simultaneously, while also enabling selective disclosure of identity attributes, reducing data exposure.
AMLR: the same identity that performs KYC can perform SCA
When AMLR applies from July 2027, the regulatory overlap becomes operationally decisive: an institution that accepts a EUDI Wallet credential for KYC under AMLR Article 22 simultaneously satisfies the PSR SCA requirement for the same customer interaction. This is the convergence that makes infrastructure investment strategic rather than merely compliance-driven. A single qualified identity, verified once to ETSI TS 119 461 v2.1.1 standards, can serve as the trust anchor for KYC, SCA, and regulated document signing in the same workflow.

The legislative timeline: acting before enforcement
The 2026 to 2027 period is the operative readiness window. Architectural decisions made now will determine compliance posture when obligations become enforceable:

A practical note on the PSR/PSD3 split: the PSR contains most operational rules, including SCA, fraud, transparency, and open banking obligations, and enters into force directly 20 days after publication, without national transposition. PSD3 governs licensing and institutional supervision of payment institutions and requires an 18-month transposition period. Core SCA and fraud liability obligations will therefore be enforceable before national PSD3 rules are fully in place.
How Namirial addresses PSD3/PSR: a full-stack authentication platform
Namirial is a Qualified Trust Service Provider (QTSP) under eIDAS, operating across multiple European markets through Namirial S.p.A. (Italy) and Uanataca (Spain). Our platform covers the full SCA stack required by PSD3/PSR: EUDI Wallet infrastructure, qualified certificate-based signing, federated eID integration, and qualified compliance archiving.
Namirial Wallet: EUDI Wallet SCA, ready before the December 2027 deadline
Our Wallet platform, comprising Wallet Gateway (protocol orchestration), Wallet App (user-side credential management), and Wallet Studio (issuer management), enables organizations to integrate EUDI Wallet credentials as SCA instruments under both PSR and eIDAS 2.0 Art. 5f. Namirial is an active participant in the EUDI Wallet Large Scale Pilots through the Potential consortium, with experience across government services, banking, telecommunications, and e-signatures. A Wallet-as-a-Service (WaaS) offering is in development for institutions that need rapid integration without building wallet infrastructure from scratch.
QES via Namirial Sign Enterprise: mandate signing and high-value payment authentication
Qualified Electronic Signatures, issued by Namirial’s multi-QTSP infrastructure across Italy, Spain and France, provide certificate-based authentication that exceeds most PSD2 SCA implementations. Under PSR, QES-backed authentication is directly applicable for mandate setup, SEPA authorizations, and regulated onboarding workflows where identity certainty is required.
Disposable (single-use) certificates, valid for 60 minutes and bound to a specific transaction, enable high-assurance QES signing without permanent certificate storage. This makes QES practical at scale for payment flows where strong authentication is required per-transaction rather than per-session. The multi-QTSP architecture, spanning Namirial and Uanataca, also provides geographic resilience and continuity under DORA: if one QTSP is unavailable, SCA flows can be rerouted without interruption.
Namirial Archive: audit-proof SCA compliance evidence
PSR’s expanded fraud liability rules require PSPs to retain robust, tamper-proof evidence that SCA was correctly applied for each transaction covered by the regulation. Namirial Archive provides qualified long-term preservation (QPRES, compliant with eIDAS eArchiving), NF 461 certified in France (AFNOR) and SAE QC2 qualified in Italy (ACN). Authentication events, signing certificates, transaction logs, and identity verification records are preserved with full legal validity for the retention period required by national supervisory authorities.
Namirial solutions mapped to PSR SCA requirements:

Conclusion: SCA is now a business, not just a compliance requirement
Our Regulatory Observatory flagged PSD3/PSR SCA as a ‘positive, new business’ opportunity, specifically in the Keyless/IAM segment. We stand by that assessment. The PSR’s expansion of SCA scope, the formalization of delegated authentication, and the alignment with the EUDI Wallet create a genuine market for phishing-resistant, FIDO2-grade, wallet-native authentication at the payment layer, and that is precisely the infrastructure Namirial has been building.
The 2026 to 2027 window is not a planning horizon. It is the operational readiness period for infrastructure decisions that need to be made now. Institutions that select authentication partners aligned with PSR, DORA, eIDAS 2.0, and AMLR simultaneously will not only satisfy regulatory obligations: they will build the identity and payment infrastructure that underpins the next decade of trusted digital finance.
Namirial is ready to support this transition: as a EUDI Wallet technology provider, as a multi-market QTSP for QES-based SCA, and as a DORA-aligned ICT partner across the full payment authentication lifecycle.