Guide to the Payment Services Directive 2 — open banking APIs, strong customer authentication, and third-party payment providers.
The Payment Services Directive 2 (EU) 2015/2366 regulates payment services and payment service providers in the EU. It introduced mandatory Strong Customer Authentication (SCA) for electronic payments and open banking — requiring banks to grant licensed third-party providers access to customer payment accounts via secure APIs. PSD2 has been in full application since September 2019, with SCA enforcement from December 2020. PSD3 is currently in legislative process.
All payment service providers in the EU: banks, electronic money institutions, payment institutions, post offices, Account Information Service Providers (AISPs), Payment Initiation Service Providers (PISPs), and card payment service providers.
Article 1
Article 4
Article 5
Article 11
Article 33
Article 66
Article 67
Article 97
Article 98
Full application
14 Sept 2019: PSD2 rules on open banking access became applicable.
SCA enforcement
31 Dec 2020: Strong Customer Authentication requirements became enforceable.
Determined by Member States. EBA sets regulatory technical standards. PSD3 will update the enforcement framework.
PSD2 introduced mandatory access to bank accounts for authorised third-party providers.
PSD2 requires two-factor authentication for most electronic payments above €30.
Law4Devs provides the full PSD2 as structured JSON. Filter by provider type, obligation category, or topic. Cross-reference with DORA for ICT risk management and MiCA for crypto-asset payment services.
GET /v1/frameworks/psd2/articles → 200 OK · structured JSON · official EUR-Lex source
The Payment Services Directive 2 (EU) 2015/2366 is the EU directive regulating payment services and payment service providers. It introduced two major innovations: mandatory Strong Customer Authentication (SCA) for electronic payments, and open banking — requiring banks to grant licensed third-party providers access to customer payment accounts via secure APIs. PSD2 replaced the original PSD1 and has been in full application since September 2019, with SCA enforcement from December 2020.
PSD2 applies to all payment service providers operating in the EU: credit institutions (banks), electronic money institutions, payment institutions, post offices providing payment services, and the two new categories it created — Account Information Service Providers (AISPs) and Payment Initiation Service Providers (PISPs). Account servicing payment service providers (typically banks) must provide AISPs and PISPs with access to customer accounts through dedicated interfaces when customers give consent.
Banks must implement secure APIs for third-party access to payment accounts and apply Strong Customer Authentication (two of three factors: knowledge, possession, inherence) for electronic payments above EUR 30. Third-party providers must be authorised or registered with their national competent authority. All providers must follow strict incident reporting timelines, maintain complaint procedures, and comply with the EBA Regulatory Technical Standards on SCA and common and secure communication. PSD3 is currently in legislative process to update these rules.
Law4Devs provides the full PSD2 text as structured JSON via API. Filter by provider type (AISP, PISP, bank), obligation category, or topic (SCA, open banking, incident reporting). Access specific provisions on authorisation requirements, passporting rules, and customer protection. Cross-reference with DORA for ICT risk management and with MiCA for crypto-asset payment services. Ideal for fintech compliance teams building regulatory mapping tools.
All articles, recitals, and amendments — queryable, filterable, and always up to date.