eIDAS2, PSD3 and Digital Identity in Payments: What European PSPs Must Do Before the End of 2026

Digital identity has moved from the edge of the payments conversation to its centre. Not gradually, abruptly, and with real regulatory deadlines attached.

By the end of 2026, all 27 EU Member States must provide citizens and residents with a European Digital Identity Wallet. By December 2027, banks, credit institutions, e-money institutions and payment service providers must be prepared to accept it as a valid form of identity verification. And sitting alongside this, PSD3 and the Payment Services Regulation, provisionally agreed by the European Parliament and Council on 27 November 2025, will impose a sweeping reset of fraud liability, strong customer authentication, and open banking obligations across the entire EU.

This is not a future scenario. The regulatory clock is running, and the compliance window is narrowing faster than many institutions have yet recognised.

These themes will be at the heart of the NextGen Payments & RegTech Forum in Barcelona on 7 May 2026 at the W Hotel, where senior leaders from banks, PSPs, fintechs, and regulators will address what these changes mean in practice and what needs to happen before the end of this year.

Two regulatory deadlines are converging and most institutions are not moving fast enough.

The Fraud Numbers That Forced a Reset

The EBA and ECB's joint fraud report published in December 2025 makes the case for urgency plainly. Total payment fraud losses across the EEA reached €4.2 billion in 2024 - up 20% year-on-year. Credit transfer fraud alone rose 16%, while card fraud jumped 29%.

The most damaging finding: 85% of credit transfer fraud losses were borne by users themselves, because they were tricked into authorising the transaction. Under PSD2, that liability sits with the customer. Under PSD3, that is about to change.

PSD3 Is Agreed - The Planning Window Is Now

On 27 November 2025, the European Parliament and Council reached provisional agreement on PSD3 and the Payment Services Regulation (PSR). Formal publication is expected mid-2026, with full compliance required by late 2027 to early 2028.

That gives institutions roughly 18 months. Based on PwC's assessment, non-compliance carries penalties of up to 4% of annual turnover. Non-bank PSPs must also re-obtain licences within 30 months of entry into force.

The key practical changes: mandatory payee name-to-IBAN verification on all credit transfers, adaptive SCA that reflects behavioural and transaction patterns, and a liability shift that moves APP fraud reimbursement responsibility firmly toward PSPs.

Two eIDAS2 Deadlines - Not One

Most institutions are treating eIDAS2 as a single event. It is not.

End of 2026: All 27 EU Member States must provide citizens with a European Digital Identity Wallet. Austria is already live. Poland's mObywatel app has 18 million downloads and is integrating EUDI compliance. Nordic countries are tracking digital identity penetration above 70%.

December 2027: Banks, credit institutions, e-money institutions and PSPs must accept the wallet as a valid means of identity verification and SCA.

The EU's 2030 target: 80% of EU citizens actively using the EUDI Wallet.

One tension that needs resolving: the EUDI framework's three assurance levels, Low, Substantial and High - do not map cleanly onto PSD2's SCA requirements. Until that alignment is settled, cross-border PSPs will need to manage both frameworks in parallel.

The New Frontier: Who Verifies an AI Agent?

The fastest-moving identity challenge in payments has no regulatory answer yet. As AI agents conduct transactions autonomously on behalf of consumers, traditional SCA assumptions collapse, because there is no human present at the point of payment.

Mastercard, Visa and Coinbase are already building agent identity frameworks. The concept of "Know Your Agent" is emerging alongside KYC and KYB. But liability when an agent over-orders, mispays or misinterprets a consumer instruction remains legally undefined.

According to a February 2026 Experian/Forrester study, 68% of senior fraud decision-makers say their current tools are no longer adequate. Agentic commerce is accelerating that gap.

Join the Conversation in Barcelona

These challenges are not theoretical. They are on the agenda at the NextGen Payments & RegTech Forum, on 7 May 2026 at the W Hotel in Barcelona.

Over 250 senior leaders from top organisation including Mastercard, Amazon Payments, SWIFT, Thunes, Alipay+, Revolut, Banco Sabadell, Santander, Oyster®, Cryptopay and AEFI will be addressing PSD3/PSR readiness, eIDAS2 and digital onboarding, agentic AI in fraud and compliance, APP scam prevention, cross-border payments, open finance and merchant acceptance in Spain.

Esteemed Sponsors include Mitek Systems, FIS, DiscAI, Copla, Unit21, Tieto, Damex and Intrepid Fox.

If you are making identity, fraud or compliance decisions in 2026, this is where the conversation is happening.

Request the full agenda or secure your place →

For sponsorship or registration enquiries, contact info@qubevents.com 

By: Zinah Abdaki, CMO at QUBE Events