The biggest payment regulations & directives to look out for now

When it comes to payment legislation, there's a lot to keep track of. This is especially true in the EU. We even cited it as one of the key reasons behind the growing complexity in corporate payments.

So, are you up to date with the latest rules and standards?

Here's a list of some of the key changes in the regulatory environment of payments you need to know today.  

 

Payment Services Directive 3 (PSD 3) 

 

Following the introduction of PSD 1 in 2007 and PSD 2 in 2015, the Payment Services Directive 3 (PSD 3) is set to build on the foundation of these legal frameworks within the EU and further modernize it to better reflect the current payment landscape. 

But PSD 3 doesn't stand alone – it will work hand-in-hand with a new Payment Services Regulation (PSR) to ensure consistent rules across the EU.

While PSD 2 proved successful in increasing consumer protections through the Strong Customer Authentication initiative, among other things, several challenges remain unresolved. For instance, online merchants face the dilemma of balancing a smooth customer experience (linked to a high successful checkout rate) with maximum fraud prevention.  

Another challenge is the lack of regulation for new technologies and alternative payment methods that are part of current payment trends, like Buy Now, Pay Later (BNPL) or cryptocurrency payments. 

PSD 3 looks to address all this by: 

  • Creating a unified, EU-wide legal framework that aligns with other EU frameworks such as the GDPR and the Anti-Money Laundering Directive (AMLD)
  • Providing stronger consumer protection measures  
  • Promoting competition in the payment market  
  • Addressing new technologies and market requirements in the directive 

The directive was first proposed in 2023 and, at the time of writing, is awaiting approval while negotiations continue. It's expected to be implemented in late 2026-2027 but is well worth keeping an eye on now.

 

Digital Operational Resilience Act (DORA) 

 

With increasing reports of cyberattacks and cybercrime costs projected to reach $10.5 trillion annually, financial institutions face escalating risks. [1] 

To address this risk, the European Union introduced the Digital Operational Resilience Act (DORA). DORA establishes a unified regulatory framework to enhance ICT risk management, incident reporting, resilience testing, and oversight of third-party service providers.  

Essentially, it shifts the industry from a reactive approach to a preventive one, promoting standardized security practices across EU financial institutions. And it's fair to say that DORA is set to be transformative across the financial sector, including the corporate payments industry. 

The regulation requires providers to ensure stronger service reliability through strict ICT and operational standards. It also demands greater transparency, improved cybersecurity measures, and consistent compliance – leading to safer transactions and increased customer trust.  

It's clear that DORA marks a turning point in financial cybersecurity. Institutions must embrace resilience not just as a regulatory requirement, but as a continuous commitment to ensure the risk is mitigated. 

The regulation first came into force in January 2023 and took effect in January 2025. Time will tell how much impact it will have, though we're likely to see this most clearly in the coming months and years.

For more details, we've gone more in-depth on DORA here

 

Instant Payments Regulation (IPR) 

 

Euro credit transfers are about to be shaken up. Or rather, sped up. 

The EU's Instant Payments Regulation (IPR), Regulation (EU) 2024/886 on instant credit transfers in euro, introduces new obligations for payment service providers to enable instant credit transfers.

More specifically, it requires that the transferred funds are made available within 10 seconds of the payment order being made – 24 hours a day, 365 days a year.  

There are several other stipulations on top of this:  

  • Any charges by payment providers for instant transfers should not be higher than for regular credit transfers 
  • Payment providers must allow payers to verify the intended recipient of the payment free of charge (via a Verification of Payee (VoP) service)
  • Screenings should take place at least daily to ensure users of the payment services are not subject to sanctions or other financial regulations 

The regulation was brought about to help foster faster, cost-effective, and more secure payments in the region.  

In turn, this will facilitate further innovation, reduce payment fraud, and satisfy customer demand for more reliable and secure instant payment services. 

We've covered the topic of real-time payments before, including details of why it's so important.  

The rollout of the IPR is quite complex. The regulation entered into force in April 2024, with obligations being phased in between January 2025 and July 2028.

The official implementation timeline offers the best summary of these dates. [2] 

 

Corporate Sustainability Reporting Directive (CSRD)  

 

The Corporate Sustainability Reporting Directive (CSRD) is another major EU framework designed to enhance corporate accountability and transparency around sustainability.  

Replacing and expanding the scope of the earlier Non-Financial Reporting Directive (NFRD), the CSRD requires large and listed companies, including certain non-EU businesses with EU operations, to report detailed information on their environmental and social impact.  

The directive builds on the region’s broader climate goals, like achieving carbon neutrality by 2050, and enables investors, customers, regulators, and other stakeholders to make informed, sustainability-driven decisions.  

Perhaps the most notable requirement of the CSRD is the reporting of double materiality (assessing both the financial impact of sustainability issues on the company and the company’s impact on society/environment) and Scope 3 emissions (indirect emissions across the value chain).  

To prepare, companies will need to develop a sustainability strategy, assess materiality, implement robust data tracking and digital reporting systems, and align ESG goals with broader risk management.  

Thankfully, tools and services exist that can simplify compliance and support proactive sustainability efforts, particularly when it comes to business travel. 

Around 50,000 companies are expected to be affected, with implementation rolling out in phases from 2024 to 2028, depending on company size, type, and other factors.  

You can find out more about the CSRD in our dedicated article

 

E-invoicing Directive 

 

In 2014, the EU introduced Directive 2014/55/EU, known as the Electronic Invoicing directive.  

Electronic invoicing or 'e-invoicing' refers to the process of digitally issuing, transmitting, and receiving invoices. Most importantly in the context of this directive, it comes in a standardized structured data format. 

The purpose of the e-invoicing directive is to facilitate the use of e-invoicing in public procurement (B2G) across the EU by, among other things, creating a European standard for these data formats. This ensures that invoices issued in the region are interoperable and can be exchanged, read, and processed between member states. 

Fast forward to 2025, adoption of the e-invoicing standard beyond public procurement and into B2B contexts varies between countries.  

Using Germany as an example, B2B e-invoicing based on the EU standard began on a voluntary basis in January 2025, becoming mandatory in 2026. The story is similar in Belgium and France, which will see it become mandatory in B2B contexts in the next couple of years. 

There are plenty of benefits to this shift, including automation opportunities and cost savings, at least in the long run. We go more into the details of e-invoices and how AirPlus is able to support you in a separate article. 

 

What's next in corporate payment regulation? 

 

While it feels like there's a lot going on in the payment regulatory environment, it's not so much a case of widespread change.  

Rather, there is a clear direction in the EU towards standardization, transparency, security, and digitalization. 

We now seem to be moving towards building a more unified legal framework that goes some way in harmonizing current guidelines to enable more interoperability between countries in the region. 

At the same time, we're seeing a growing effort to better balance the need to protect consumers while enabling a level playing field amongst new and old payment providers. This means better transparency, more choice, and more innovation in the broader market. 

There are two clear over-arching trends that are set to benefit from this: open banking and cross-border payments.  

 

Building towards open banking and cross-border payments

 

Open banking enables authorized third parties to access payment-related data and to initiate payment orders on behalf of customers via APIs provided by banks and other financial institutions.

Cross-border payments are just that, payments between different countries. It's no secret that globalization is changing the dynamics of the payment industry: Who is making payments, where those payments are going, and when those payments occur.  

Despite the potential of open banking and cross-border payments for innovation and competitiveness, there are still issues that need to be resolved.

Between the strengthened security enabled by DORA and PSD 2/3, the standardization provided by the IPR, and even the harmonization of reporting facilitated by the e-invoicing directive and (to a lesser extent) the CSRD, the EU is looking to mitigate these issues and build a regulatory base.

What do you think? We're bound to cover more relevant regulations and legislation as they happen, so be sure to sign up to our newsletter for the latest happenings in corporate payment. 


 

 

[1] Cybercrime To Cost The World $10.5 Trillion Annually By 2025 | Cybersecurity Ventures 

[2] Instant Payments Regulation | ECB  

 

