A Puzzle of Rules: Why EU Payments Law Remains Fragmented

Author: Rebecca Marina (Counsel) and Roxana Șerban (Associate)

The European Union likes to see itself as a global leader in financial innovation. It has built sophisticated rules for open banking, instant transfers and digital assets, aiming to make payments within Europe seamless and secure. However, behind this ambition lies a problem that policymakers have struggled to solve. The EU’s legal framework for payments is fragmented. It has not developed as a single, coherent body of law but as a collection of separate regulations that only partially fit together.

For firms building and scaling payment propositions—and for consumers expecting consistent safeguards across the EU—this fragmentation imposes real operational, contractual and governance costs.

A patchwork of regulations

Over the past two decades, the EU has adopted several major legislative acts that together shape the payments landscape. The Payment Services Directive (“PSD2”), which is being revised through PSD3 and the proposed Payment Services Regulation (“PSR”), governs traditional payment services, access to bank accounts and consumer protection. The Markets in Crypto-Assets Regulation (“MiCA”) creates a framework for digital tokens and service providers. The Anti-Money Laundering Directives (“AMLD”) impose detailed compliance obligations on financial and payment institutions. The Instant Payments Regulation (“IPR”) focuses on euro credit transfers, while the General Data Protection Regulation (“GDPR”) governs how personal data is processed in all payment activities.

Each of these instruments has a legitimate objective. But they were developed at different times, under distinct policy priorities, and with separate supervisory architectures. Key definitions, triggers and obligations are not fully harmonised, leaving companies to navigate intersecting regimes with divergent concepts of “payment service,” “electronic money,” “crypto-asset,” “strong customer authentication,” “outsourcing” and “incident reporting.”

Overlaps and grey areas

This fragmentation becomes clear when these rules overlap. Euro-denominated stablecoins may qualify as “e-money tokens” under MiCA and as electronic money within the PSD architecture. Each path entails separate licensing, capital, governance and safeguarding requirements and distinct conduct rules. Without clear delineation, firms face duplicative compliance, potential forum shopping, and uncertainty in product design and disclosures. 

A similar issue arises in the field of anti-money laundering. Both payment service providers and crypto-asset firms must comply with AMLD requirements, but supervision is divided among different national authorities and the new European Anti-Money Laundering Authority (“AMLA”). Until supervisory convergence matures, enforcement intensity and interpretation can diverge across Member States, complicating group-wide policies and cross-border operations.

Business implications: cost, structure and contractual risk

For payment institutions, e-money issuers and fintech groups, this legal fragmentation translates into strategy and execution challenges. Cross-border operators must select licensing pathways, determine whether passporting is available or whether multiple authorisations are prudent, and design operating models that respect local overlays. Group structuring, intra-group outsourcing and cloud arrangements require careful mapping to avoid triggering conflicting requirements on critical outsourcing, data residency and security. Board oversight frameworks must align with differing governance expectations, including fit-and-proper standards, remuneration rules, operational resilience and ICT risk management. Smaller companies find this particularly challenging, as the cost of compliance can outweigh the benefits of expansion.

Contractually, fragmentation pushes risk into commercial arrangements. Processor, wallet, agent and distributor agreements need precise allocation of compliance responsibilities for due diligence, transaction monitoring, safeguarding, dispute handling and incident notification. Indemnities, audit rights, data sharing and sub-outsourcing clauses must be tuned to both payments and crypto regimes, as well as to GDPR’s controller/processor roles and purpose limitations. Choice-of-law and jurisdiction clauses should anticipate divergent supervisory stances and allow for modifications as EU-level technical standards evolve. 

This situation also affects competition. Established financial institutions are better equipped to manage complex regulations, while new entrants often struggle to meet requirements that differ across regimes. As a result, the promise of a truly open and competitive European payments market remains only partially realised.

Supervisory architecture and the guidance gap

The institutional framework adds another layer of complexity. The European Banking Authority oversees payment institutions and open banking. The European Securities and Markets Authority handles crypto-asset markets and AMLA coordinates anti-money laundering oversight. National regulators also retain significant powers in each area.

In practice, questions such as the treatment of stablecoins for everyday retail payments, the application of strong customer authentication in digital wallets and the boundary between account access and data portability do not yet have a single authoritative source of guidance. Firms face interpretive risk and uneven enforcement, which must be managed through conservative design choices, regulatory engagement and contingency planning. 

Efforts to bring order

The European Commission has recognised the problem and is now trying to create a more coherent framework. PSD3 and the new PSR aim to clarify definitions, strengthen consumer protection and replace national transposition with directly applicable EU rules. The IPR is designed to make instant euro transfers the new normal across the Union.

However, these reforms still exist alongside MiCA and AMLD, which operate on different timelines. Unless the EU finds a way to connect these initiatives under one strategic framework, fragmentation, although less wide, will persist even after PSD3 and the PSR come into force.

Towards a more unified approach

A genuinely integrated payments market requires more than updated legislation. It needs coordination across sectors and institutions. From a business law perspective, firms should prioritise:

• licensing strategy and corporate structuring that minimise multi-regime friction while preserving future optionality;

• governance frameworks and internal reporting that integrate payments, crypto, data protection and financial crime controls into a single group risk framework;

• contracts that allocate compliance and liability coherently across partners and suppliers, with mechanisms to adapt to evolving EU-level standards; and

• documentation and disclosure practices that harmonise consumer protections regardless of instrument, enhancing trust and reducing disputes

The European Union has made impressive progress in modernising its payment systems, but it has done so through a collection of overlapping rules rather than a single, cohesive framework. PSD2, MiCA, AMLD and other initiatives have each added important pieces to the puzzle, however the overall picture remains incomplete.

If Europe is to lead the global transition to digital payments, it will need to connect these pieces under a unified supervisory and legal vision. Until then, Europe’s payments law will remain ambitious in spirit but somewhat fragmented in practice—an operational reality that businesses must navigate with deliberate structuring, careful contracting and disciplined compliance design.