On 22 April 2026, the Council's Permanent Representatives Committee (COREPER) endorsed the final compromise text of the PSD3 Directive and the accompanying Payment Services Regulation (PSR). On 5 May 2026, the European Parliament's Committee on Economic and Monetary Affairs (ECON) confirmed the trilogue outcome at committee level. The plenary vote and Council adoption are expected by mid-June 2026, with Official Journal publication tracking June / July 2026.
For EMI and PI founders, Heads of Compliance, and treasury teams, this is the calendar that matters. The substantive changes are now locked: EMI consolidation into a single PI category, mandatory diversification of safeguarding across at least two credit institutions, a 24-hour segregation timeline replacing the legacy 5-day window, formalised daily reconciliation, harmonised open-banking interface rules, an evolved Strong Customer Authentication regime, and a heavier fraud-prevention baseline. The PSR (Regulation) is directly applicable; PSD3 (Directive) imposes an 18-month national transposition window.
This article codifies what we are calling the PSD3 / PSR adoption calendar — the institutional progression from COREPER endorsement through OJ publication, the substantive changes that fall out of it, and the gap-analysis framework that an in-scope payments firm should run through Q2 and Q3 2026. Treat the COREPER text as the operating baseline; trilogue is closed and only minor recital edits are realistically still in play.
The institutional calendar — from COREPER to OJ
The PSD3 / PSR package is the long-anticipated successor to Directive (EU) 2015/2366 (PSD2) [1]. The European Commission published its proposal in June 2023; trilogue negotiations between the Council, Parliament and Commission concluded in early 2026, and COREPER's 22 April 2026 endorsement marked the point at which the political deal hardened into a deliverable text.
COREPER endorsement is not the end of the process — it is the moment after which the substantive text is no longer politically negotiable. From COREPER, the file moves to ECON committee for confirmation, then to plenary for the Parliament vote, then to Council formal adoption, then to legal-linguistic finalisation, signature, and finally Official Journal publication. The legal-linguistic phase is the most frequently underestimated step: it routinely consumes 4–8 weeks even on a clean text.
The PSR enters into force 20 days after OJ publication for selected provisions, with most operational obligations applying after a transition window that the COREPER text sets at 18 months from entry into force. PSD3 obliges Member States to transpose into national law within 18 months of OJ publication. In practical terms: an OJ in July 2026 means a national-law deadline of January 2028 and a substantive PSR application date around the same window for the operational provisions.
PSD3 / PSR institutional adoption milestones (as of May 2026).
| Milestone | Body | Date | Status |
|---|---|---|---|
| Commission proposal published | European Commission | 28 June 2023 | Complete |
| Council general approach | ECOFIN Council | June 2024 | Complete |
| Parliament first-reading position | EP plenary | Q1 2025 | Complete |
| Trilogue conclusion | Council / EP / Commission | Q1 2026 | Complete |
| COREPER endorsement of compromise text | COREPER | 22 April 2026 | Complete |
| ECON committee confirmation vote | ECON | 5 May 2026 | Complete |
| EP plenary vote | European Parliament | Mid-June 2026 | Scheduled |
| Council formal adoption | Council of the EU | Late June 2026 | Scheduled |
| Legal-linguistic finalisation + signature | EP / Council Presidents | June – July 2026 | Pending |
| Official Journal publication | Publications Office of the EU | June / July 2026 | Tracking |
| PSR entry into force (selected provisions) | — | 20 days post-OJ | Tracking |
| PSD3 national transposition deadline | Member States | 18 months post-OJ | Tracking |
| EBA Level 2 RTS / Guidelines deliveries | EBA | Rolling, 6–24 months post-OJ | Pending |
The substantive changes from PSD2
The PSD3 / PSR package is not a cosmetic refresh of PSD2. The COREPER-endorsed text consolidates the framework architecturally, raises the prudential and operational bar materially, and shifts a large block of obligations into a directly applicable Regulation rather than leaving them to national transposition. Five substantive changes dominate the firm-level impact.
EMI consolidation — EMD2 collapses into PSD3
The most architecturally significant change. Directive 2009/110/EC (EMD2) [2] is repealed and the EMI licence ceases to exist as a separate authorisation. Existing EMIs are folded into a single, expanded Payment Institution category covering the full range of payment services and electronic-money issuance. The COREPER text provides for an automatic transitional reauthorisation: existing EMIs convert to the new PI category without re-licensing, but must satisfy the new prudential and safeguarding standards within the transition window.
This is administratively cleaner than it sounds in the abstract — there is no fresh licence application — but it materially changes the prudential conversation. The new combined PI category inherits the higher of EMI or PI obligations on each axis, and the safeguarding regime is uplifted in ways covered below. All existing EMIs should treat the conversion as a re-baselining exercise, not a passive change of label.
Mandatory safeguarding diversification (≥ 2 credit institutions)
Under PSD2 / EMD2, an EMI or PI could safeguard 100% of customer funds at a single credit institution provided that institution met the eligibility criteria. The COREPER text changes this. Above a defined materiality threshold, customer funds must be diversified across at least two credit institutions. The PSR also introduces an explicit option to safeguard at a central bank — historically denied to non-bank PIs in most Member States — which materially expands the structural safeguarding toolkit.
This is the regulatory codification of what we have been calling the Three-Bank Resilience Standard. For PIs above the materiality threshold, the previous one-bank pattern is no longer compliant; for PIs below the threshold, it remains formally permissible but is increasingly disfavoured by supervisors. The Level 2 RTS from EBA will define the exact threshold and the eligibility weighting between credit-institution and central-bank safeguarding.
24-hour segregation timeline
PSD2 left the segregation timeline soft — typically interpreted as a 5-business-day window between receipt of customer funds and segregation into the safeguarding account. The PSR collapses this to 24 hours. Operationally, this rewires the treasury cycle: end-of-day reconciliation has to convert into intraday cycles, sweep mechanics need to run continuously, and the operating-bank relationship must support same-day or instant transfer of pooled funds to the safeguarding bank.
Paired with the segregation rule, the PSR formalises daily reconciliation of customer-fund pools as a hard requirement, with documented evidence available to the NCA on demand. The combination of 24-hour segregation and daily reconciliation makes the safeguarding workflow the single most operationally exposed PSD3 change for many EMIs.
Open-banking interface harmonisation
PSD2's API regime delivered open banking but at the cost of fragmented interface quality across Member States and ASPSPs. The PSR sets a harmonised baseline: a dedicated interface with documented performance metrics, an obligation to provide a fallback only where the dedicated interface fails specified availability tests, and an EBA mandate to publish technical standards on the interface quality. For account-servicing institutions, this means the PSD2-era "good enough" API is no longer a defensible posture.
SCA evolution + fraud-prevention rules
Strong Customer Authentication moves forward in three ways: a refined definition of "possession" and "inherence" factors that closes loopholes exposed since 2019; explicit treatment of behavioural biometrics; and an evolved exemption regime for low-value and trusted-beneficiary flows. The European Banking Authority [3] will deliver the SCA RTS update under the PSR's Level 2 mandate, with publication expected within 12 months of OJ.
Fraud prevention is the headline new content. The PSR introduces a structured liability-sharing regime between PSPs and electronic communications providers for impersonation fraud, mandatory IBAN-name matching for credit transfers, an obligation to participate in industry-wide fraud information sharing mechanisms, and customer-refund obligations in defined fraud scenarios. This is the most consumer-protection-driven block of the package.
PSD2 vs PSD3 / PSR — substantive change comparison.
| Topic | PSD2 / EMD2 (current) | PSD3 / PSR (post-OJ) |
|---|---|---|
| Institution categories | Separate EMI (EMD2) and PI (PSD2) licences | Single, expanded PI category — EMI folded in |
| Safeguarding bank concentration | 100% at one credit institution permitted | Diversification across ≥ 2 credit institutions above threshold |
| Central-bank safeguarding | Generally not available to PIs | Explicitly permitted under PSR |
| Segregation timeline | Up to 5 business days | 24 hours |
| Reconciliation cadence | Implicit; varies by NCA | Daily reconciliation formally required |
| Open-banking APIs | Fragmented quality across ASPSPs | Harmonised interface with EBA technical standards |
| SCA framework | 2019 RTS | Refined factors, behavioural biometrics, evolved exemptions |
| Fraud liability | Limited | Liability-sharing with telcos; mandatory IBAN-name matching; refund obligations |
| Legal instrument | Directive (national transposition) | Regulation (PSR, directly applicable) + Directive (PSD3, transposition) |
The gap-analysis framework an in-scope PI / EMI should run in Q2 / Q3 2026
With COREPER endorsement now behind us and the ECON vote complete, the substantive text is fixed. The right Q2 / Q3 2026 posture for an in-scope EMI or PI is a structured gap-analysis run against the COREPER text, not a wait-and-see hold for the OJ. Five workstreams cover the practical surface area.
Workstream 1 — Safeguarding architecture re-baselining
Map current safeguarding-bank concentration. If the firm holds 100% at a single credit institution and runs above the materiality threshold (the EBA RTS will define it precisely; assume mid-cohort EMIs will be in scope), document the second relationship that needs to be onboarded. Our EMI Safeguarding Architecture guide walks through the diversification design.
Workstream 2 — Treasury cycle re-engineering
The 24-hour segregation rule plus daily reconciliation rewires the treasury operating model. Confirm operating-bank support for intraday sweeps; confirm safeguarding-bank capacity for same-day or instant inbound credits; document the reconciliation engine that produces the daily evidence pack. Most EMIs will need a 6-month implementation runway here.
Workstream 3 — Safeguarding-bank counterparty screen
With diversification mandatory above the threshold, the second (and potentially third) safeguarding bank becomes a strategic counterparty decision. Apply the five-criteria safeguarding-bank screen — eligibility, willingness, operational capacity, cost envelope, and exit risk. The candidate set of credit institutions willing to act as a non-primary safeguarding bank is materially narrower than founders typically expect.
Workstream 4 — SCA + fraud-prevention readiness
Map the firm's authentication flows against the refined SCA factor definitions. Build the IBAN-name matching capability (or contract it from a vendor). Confirm the participation pathway for fraud information-sharing infrastructure. Update customer-facing terms to reflect the new liability and refund regime. Most of this is product and engineering work; start the scoping by Q3 2026.
Workstream 5 — Open-banking API uplift (account-servicing only)
For account-servicing payment-account institutions, audit the current dedicated interface against the EBA's expected technical standards. Anything below the harmonised baseline will need uplift; PIs that have been running on a marginal interface should anticipate engineering investment.
PSR application timing — 20 days post-OJ for selected provisions
The PSR's general entry-into-force rule under EU law is 20 days after publication in the Official Journal. The text endorsed by COREPER applies that default to a defined block of provisions immediately, with most operational obligations subject to a transition window of 18 months from entry into force. The European Commission's DG FISMA [4] is the sponsor service and will publish the consolidated entry-into-force matrix in the weeks following OJ.
In planning terms: assume that a small block of definitional and supervisory-cooperation provisions bites 20 days after OJ; the operational core (safeguarding diversification, 24-hour segregation, SCA evolution, fraud-prevention regime, harmonised interface obligations) bites at the end of the 18-month transition. The Level 2 RTS programme runs in parallel, with the EBA delivering some standards before the operational application date and others after.
PSD3 transposition window — 18 months
PSD3 is the Directive limb of the package and obliges Member States to transpose into national law within 18 months of OJ publication. For an OJ in July 2026, that puts national transposition deadlines at January 2028. Member-state NCAs typically begin their consultation cycles 6–9 months in advance — meaning Q2 / Q3 2027 will see national consultation papers from the major PI hubs (Lithuania, Ireland, Cyprus, Luxembourg, Netherlands, Germany).
For firms running an active or imminent PI / EMI licence application, the strategic question is: should the application be calibrated to PSD2 / EMD2 today, or pre-calibrated to anticipated PSD3 / PSR standards? Our default recommendation in 2026 is to pre-calibrate. The conversion exercise that EMIs will face is materially easier if the firm's prudential and operational architecture is already PSD3-ready when the conversion happens.
Frequently Asked Questions
Will my existing EMI licence remain valid after PSD3 applies?
Yes — the COREPER text provides for automatic transitional reauthorisation. Existing EMIs convert into the new combined Payment Institution category without a fresh licence application. The conversion is administratively passive but substantively active: the firm must satisfy the new prudential and safeguarding standards within the transition window, which in practice means re-baselining safeguarding architecture, treasury cycles, and SCA flows ahead of the application date.
What is the materiality threshold for mandatory safeguarding diversification?
The Level 1 PSR text sets the principle; the precise threshold will be defined in the EBA's Level 2 RTS, expected within 12 months of OJ publication. Our planning assumption is that mid-cohort EMIs (€50M+ in safeguarded customer funds) will be in scope, with smaller firms permitted to remain on a single credit institution provided eligibility is documented. Firms above the threshold should plan a second safeguarding-bank onboarding in 2026 / 2027 regardless of when the precise threshold lands.
When does the 24-hour segregation rule actually apply?
At the end of the 18-month transition window from PSR entry into force. With OJ tracking June / July 2026, that puts substantive application around early 2028. Treasury cycle re-engineering takes 6–12 months for most EMIs, so the practical implementation start date is Q4 2026 / Q1 2027 to be comfortably ready.
Does the PSR override national NCA discretion entirely?
Largely, yes — the shift from a Directive (PSD2) to a Regulation (PSR) for the operational core is the entire point. National NCAs retain discretion on PSD3 transposition matters (mostly definitional and structural), but the substantive prudential, safeguarding, SCA, and fraud-prevention rules under the PSR are directly applicable across all Member States with no transposition gap. This is a material harmonisation step that closes the gold-plating gaps that have characterised PSD2 since 2018.
Should we pause our current PI licence application until PSD3 applies?
No. Pre-PSD3 PI licences will convert into the new combined PI category automatically; there is no advantage to waiting. The advantage is in pre-calibrating the application to anticipated PSD3 / PSR standards so that the conversion is structural-only. Pause-and-wait costs 12–18 months of go-to-market time without any compensating regulatory benefit.
Payment Institution Licence in the EU — the application playbook for the post-EMI single PI category.
EMI Safeguarding Architecture — the structural pattern that PSD3 codifies as the new baseline.
Safeguarding Bank — Five Criteria — the screen for the second (and third) safeguarding-bank counterparty.
The Three-Bank Resilience Standard — the resilience pattern that PSR diversification effectively mandates.
Regulatory Legal Opinions — our service: PSD3 / PSR gap-analysis opinions and conversion-readiness memoranda.
COREPER endorsement on 22 April 2026 was the moment the PSD3 / PSR text moved from political negotiation into operational reality. The ECON vote on 5 May 2026 confirmed it. From here through OJ publication in June / July 2026, the calendar accelerates — but the substantive content is locked. Firms that start the gap-analysis now, calibrate their safeguarding architecture to the diversification standard, and re-engineer the treasury cycle to the 24-hour segregation rule will enter the post-OJ window with the conversion exercise already de-risked. The firms that wait for the OJ will spend 2027 catching up.