What merchants need to know about PSD3, CCD2 and other key EU payment regulations in 2026

2026 marks a landmark year in the European payment ecosystem. Five major EU regulations will come into effect, fundamentally changing checkout processes and compliance requirements.

The good news: compliance doesn't have to be a conversion killer.

With a modern payment stack and the right strategy in place, merchants can ensure regulatory compliance while also reducing risk, improving acceptance rates, and boosting overall conversion.

Here's a concise overview of what merchants need to know now about the most important EU regulations.

Last updated: February 2026

PSD3 & PSR

Building on the groundbreaking PSD2 directive, the EU is fundamentally modernizing European payment transactions by introducing PSD3 and PSR. The goal is to establish uniform standards, enhance security, and promote fair competition between banks and payment service providers (PSPs).

• PSD3 – the new regulatory framework: The 3rd Payment Services Directive (PSD3) replaces PSD2 as the overarching regulatory framework for PSPs. It determines who is allowed to offer payment services and under what conditions. The directive must be translated into national law by all member states.
• PSR – new requirements for payment transactions: At the same time, the Payment Services Regulation (PSR) specifies how payment transactions must be processed. Among other things, it contains guidelines on security and strong customer authentication (SCA). The PSR applies automatically in all member states.

What does PSD3/PSR mean for merchants?

Although both sets of regulations are primarily aimed at banks and PSPs, they have a direct impact on checkout processes, acceptance rates, and risk management:

• VoP as a conversion factor. Verification of Payee (VoP) checks alert shoppers when the payee’s name doesn't match the IBAN, which can lead to more cart abandonment. It's one of the reasons why merchants benefit from PSPs with precise VoP processes.
• Stronger fraud protection. Stricter requirements mean fraud attempts are detected and stopped earlier — a clear win for customer protection. At the same time, suspicious transactions can be blocked more reliably. The result: fewer chargebacks, fewer disputes, fewer support tickets — and a noticeably more trustworthy checkout experience.

In short: Stronger fraud prevention leads to lower risk, fewer complaints, and a more stable checkout flow. Merchants who rely on clear processes and experienced PSPs benefit from fewer drop‑offs and higher approval rates.

Current state of implementation

With the EU having agreed on the proposed legislation at the end of last year, the texts await final adoption. PSPs are not expected to have to implement PSD3 and PSR until 2027.

You might find this interesting: The payment trends 2026

Design: Kurz & knapp (as visual infobox)

CCD2

To better shield shoppers from over‑indebtedness, consumer protection for financial products was fundamentally revamped at the EU level in November 2024. In the fall of this year, the new Consumer Credit Directive (EU 2023/2225), known as CCD2, will come into force across member states and introduce stricter rules for the first time to:

1. Small loans under €200
2. Interest-free loans
3. Short-term financing < 3 months
4. Buy Now, Pay Later (BNPL)
5. Leasing contracts

What does CCD2 mean for merchants?

With CCD2, transparency, compliance, and clear communication at checkout become non-negotiable. For merchants this means greater clarity, but also new obligations. And the opportunity to make processes more tangible, secure, and trustworthy:

• Transparency at checkout. Merchants must provide shoppers with clear and understandable information about costs, terms, payment methods, and potential risks. This helps prevent misunderstandings, improves trust, and reduces abandoned transactions.
• Extended credit checks. Consumers' creditworthiness must be checked more thoroughly before a BNPL contract is entered into. The result: fewer defaults and more reliable risk calculation.
• Stricter advertising guidelines. Misleading claims suggesting that taking out credit will improve one's financial situation are prohibited. Instead, all advertising must highlight costs and risks.
• Extended right of withdrawal. Incorrect or missing information can extend the right of withdrawal to up to 12 months + 14 days. In addition, the right of withdrawal must be highlighted more clearly for shoppers.

Merchants who align their communications early with their payment partners benefit from greater trust and increase their conversion rate.

Current state of implementation

🇩🇪 The CCD2 should have been transposed into national law back in November 2025. A corresponding law is currently pending in the Bundestag. The directive is set to come into force on November 20, 2026.

🇦🇹 The Austrian legislature is also working on a draft bill. This includes a revision of the Consumer Credit Act (VKrG), which could amount to a full substantive overhaul. It's also scheduled to come into force on November 20, 2026.

Design: Kurz & knapp (as visual infobox)

EU AI Act

The EU AI Act is the world's first comprehensive AI law. Its goal: making the use of AI safe, trustworthy, and human-centric. And starting in August 2026, key rules will also apply to merchants using AI-powered tools. Think chatbots, product recommendations, or dynamic pricing.

What does the EU AI Act mean for merchants?

The following requirements apply to anyone who uses AI-supported tools in their shop:

• Transparency for chatbots. If online shops use a chatbot, users must be clearly informed as soon as they enter the chat.
• Merchants remain fully responsible for AI-generated content. AI-generated product texts, images, or descriptions remain the responsibility of the store. Meaning: Copyright infringements or misleading statements must be avoided, even if they originate from AI.
• Data protection remains critical. GDPR continues to apply. This is particularly critical if AI tools store or process data in non-EU countries.

Current state of implementation

The EU AI Act has been in force since August 2024. Its regulations will gradually take effect until 2027. However, some of the most important requirements for merchants will apply from August 2, 2026. Like the PSR, the law is automatically applicable in all EU member states.

Design: Kurz & knapp (as visual infobox)

DORA

Financial services should continue to function reliably even in the event of cyber-attacks, system failures, or problems with third-party providers. That's why the European Commission is strengthening the digital resilience of the financial sector with the Digital Operational Resilience Act (DORA).

The regulation requires all payment partners to adhere to stricter standards in the following areas:

1. Risk Management,
2. Incident Reporting,
3. Digital Operational Resilience Testing,
4. Third-Party Risk Management
5. Information Sharing Arrangements (encouraged but not required)

What does DORA mean for merchants?

Though DORA is intended for regulated financial institutions, it has a direct operational impact on merchants:

• Greater stability at checkout. PSPs must implement stricter ICT risk management, regular resilience testing, and robust security measures. For merchants, this means fewer outages and more stable transactions.
• Clearer processes in the event of disruptions. Incident reporting, monitoring, and escalation processes are standardized. Merchants must expect new or modified contract terms and benefit from greater visibility and faster responses to outages.
• Reduced third-party risk. For the first time, critical third parties such as cloud providers are regulated as well. This leads to lower risks in payment processing.

Current state of implementation

Since January 2025, all PSPs must comply with the new DORA standards.

Design: Kurz & knapp (as visual infobox)

EU AML Paket

Money laundering is one of the greatest risks facing the global financial sector. In Germany alone, the source of around €100 billion is concealed every year. The new EU Anti-Money Laundering Package (EU AML Package) aims to combat this more effectively.

It includes:

1. the new European authority AMLA (based in Frankfurt)
2. the AML Regulation
3. the 6th Anti-Money Laundering Directive
4. the Revised Transfer of Funds Regulation

The framework marks a fundamental paradigm shift: moving away from fragmented laws toward unified, centralized money laundering prevention.

What does the AML Package mean for merchants?

The AML package affects merchants indirectly because their PSPs face stricter onboarding and monitoring requirements. And these have an indirect impact on online shops:

• Stricter auditing and monitoring obligations for PSPs. Merchants must expect additional data and information requirements, but will benefit from less fraud damage, streamlined processes, and more stable acceptance rates.
• Merchants with their own BNPL/credit offerings will become regulated entities. They will be subject to AML obligations in the future. These include KYC checks, identity verification, and ongoing transaction monitoring. While this brings new process requirements, it also creates more security.

In short: The stricter standards reduce the risk of fraud at checkout significantly. And that's a key factor for more stable acceptance rates and a secure, smooth checkout experience.

Current state of implementation

The EU AML Package was passed in June 2024, and the rules of the AML Regulation will largely apply from July 10, 2027. By then, member states must also translate the 6th Anti-Money Laundering Directive into national law.

AMLA has been progessively taking on its duties since last summer.

Design: Kurz & knapp (as visual infobox)

2026: The pivotal year for compliance in European e‑commerce

The new EU rules will affect not only payment and financial service providers. They will impact the entire commerce ecosystem. For merchants, this means tighter requirements, new interfaces, and rising expectations for transparency and security.

At the same time, this presents a unique opportunity to strategically realign the checkout process. And use regulatory compliance to boost conversion rates, improve acceptance rates, and stabilize fraud management.

That's why merchants should set clear priorities now:

1. Evaluate payment partners. Assess SCA quality, fraud management, resilience, and regulatory readiness.
2. Aim for technological readiness. Flexible SCA options, modern fraud prevention, and robust PSP systems are crucial for balancing security and conversion.
3. Keep an eye on developments. As many details are still being finalized, it’s crucial to be aware of deadlines and requirements at an early stage.

Merchants who act early will benefit in two ways: greater stability and security today – less effort and a real competitive advantage in the future.

Do you have questions or need support with implementation?

Get in touch with us. We'll guide you through the process of setting up a regulatory compliant payment solution.

Contact us