PSD2 regulates payment services in the EU, introducing open banking through mandatory access to bank accounts for third-party providers and strong customer authentication.
Focus: Open banking, strong customer authentication, third-party payment providers, payment security
Article 1 — Subject Matter
Article 4 — Definitions
Article 5 — Authorisation of Payment Institutions
Article 11 — Passporting
Article 33 — Access to Payment Account Services
Article 66 — Payment Initiation Services
Article 67 — Account Information Services
Article 97 — Strong Customer Authentication
Article 98 — Regulatory Technical Standards on SCA
GET /v1/frameworks/psd2/articles → 200 OK · structured JSON · official source
The Payment Services Directive 2 (EU) 2015/2366 is the EU directive regulating payment services and payment service providers. It introduced two major innovations: mandatory Strong Customer Authentication (SCA) for electronic payments, and open banking — requiring banks to grant licensed third-party providers access to customer payment accounts via secure APIs. PSD2 replaced the original PSD1 and has been in full application since September 2019, with SCA enforcement from December 2020.
PSD2 applies to all payment service providers operating in the EU: credit institutions (banks), electronic money institutions, payment institutions, post offices providing payment services, and the two new categories it created — Account Information Service Providers (AISPs) and Payment Initiation Service Providers (PISPs). Account servicing payment service providers (typically banks) must provide AISPs and PISPs with access to customer accounts through dedicated interfaces when customers give consent.
Banks must implement secure APIs for third-party access to payment accounts and apply Strong Customer Authentication (two of three factors: knowledge, possession, inherence) for electronic payments above EUR 30. Third-party providers must be authorised or registered with their national competent authority. All providers must follow strict incident reporting timelines, maintain complaint procedures, and comply with the EBA Regulatory Technical Standards on SCA and common and secure communication. PSD3 is currently in the legislative process to update these rules.
Law4Devs provides the full PSD2 text as structured JSON via API. Filter by provider type (AISP, PISP, bank), obligation category, or topic (SCA, open banking, incident reporting). Access specific provisions on authorisation requirements, passporting rules, and customer protection. Cross-reference with DORA for ICT risk management and with MiCA for crypto-asset payment services. Ideal for fintech compliance teams building regulatory mapping tools.