October 2025 and 2026 mark two huge regulatory shifts for the EU payments industry.
First, the Instant Payments Regulation (IPR) comes into effect. It mandates that euro-denominated transactions in the EEA must be processed in under 10 seconds, 24/7. No delays, no buffers.
Second, 2026 will bring in PSD3, the next evolution of the Payment Services Directive. Unlike PSD2, which focused on preventing unauthorized fraud, PSD3 goes further. It holds banks liable for authorized fraud too, especially impersonation scams.
The result is a perfect storm. Transactions have to be instant, but if a scammer tricks someone into authorizing a payment, the bank could be held responsible.
For PSPs, this changes everything.
Fraud detection systems can no longer rely on post-transaction reviews. Authentication must happen in real time and provide undeniable proof of identity.
That means two things:
Passwords and SMS OTPs can’t do this. Neither can most passkey or token-based systems.
Biometrics, above all decentralized models, can.
Our upcoming report explores:
How IPR will force faster fraud prevention systems.
What PSD3’s liability shift means for authentication.
Why biometrics are now critical for transaction approval.
Europe’s new rules make authentication the frontline of fraud defense. Make sure your systems are ready.
Don’t miss our full analysis in The State of Authentication 2026, launching this October. The State of Authentication 2026 report will cover the five key forces reshaping authentication in the year ahead.
Stricter privacy and biometric compliance laws – and why decentralized biometrics are emerging as the only viable long-term solution.
Digital identity wallets – and how they’re set to replace traditional KYC and recovery flows.
The collision of IPR and PSD3 – and what it means for fraud, liability, and real-time authentication.
The evolving deepfake threat – and how organizations can future-proof their biometric systems today.
The limitations of passkeys – and why they’re not enough for high-risk scenarios.