EU Regulatory Framework: Navigating PSD2, GDPR, DORA & Beyond
Comprehensive guide to European banking regulations including PSD2/PSD3, GDPR, DORA, Basel III, and AML-CFT requirements for core banking platforms.
The Regulatory Landscape
European financial services operate under one of the world's most comprehensive regulatory frameworks. For core banking platforms, regulatory compliance is not just a feature—it is the foundation. Understanding these regulations is essential for product design, market positioning, and customer conversations.
Banks typically spend 30-40% of IT budgets on compliance-related activities. A platform with built-in compliance automation transforms regulatory burden from cost center to competitive advantage—faster time-to-market for compliant products and lower operational costs.
PSD2, PSD3 & Payment Services Regulation
What It Is
The Payment Services Directive (PSD2, 2015/2366/EU) established the framework for payment services in the EU, introducing Strong Customer Authentication (SCA) and Open Banking. In November 2025, the European Parliament reached provisional agreement on PSD3 and the Payment Services Regulation (PSR), expected to become applicable by H2 2027.
Key Requirements
| Requirement | PSD2 Current | PSD3/PSR Changes |
|---|---|---|
| Strong Customer Authentication | 2 of 3 factors required | Enhanced SCA, behavioral analysis |
| Open Banking APIs | Mandatory TPP access | Improved API standards, dashboard |
| Fraud Prevention | General requirements | Mandatory IBAN/name checks (VoP) |
| PSP Liability | Limited liability rules | PSPs liable if fraud prevention fails |
Strong Customer Authentication (SCA)
SCA requires authentication using at least two of three factors:
- Knowledge: Something only the user knows (PIN, password)
- Possession: Something only the user has (mobile device, token)
- Inherence: Something the user is (fingerprint, face recognition)
Verification of Payee (VoP) for IBAN/name matching becomes mandatory in October 2025. Platforms must implement this before the deadline to remain compliant.
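The two-of-three rule above is easy to get wrong in practice: two authenticators from the same category (a PIN plus a password) do not make SCA. The following added example, which is not code from the original page, checks that the verified authenticators in a session span at least two distinct factor categories; the authenticator-to-category mapping is a constructed assumption standing in for a platform's authenticator registry.

```python
from dataclasses import dataclass
from enum import Enum


class Factor(Enum):
    KNOWLEDGE = "knowledge"    # something only the user knows (PIN, password)
    POSSESSION = "possession"  # something only the user has (device, token)
    INHERENCE = "inherence"    # something the user is (fingerprint, face)


# Constructed mapping (assumption): a real platform would read this from its
# authenticator registry rather than hard-coding it.
AUTHENTICATOR_CATEGORY = {
    "password": Factor.KNOWLEDGE,
    "pin": Factor.KNOWLEDGE,
    "registered_device": Factor.POSSESSION,
    "hardware_token": Factor.POSSESSION,
    "fingerprint": Factor.INHERENCE,
    "face": Factor.INHERENCE,
}


@dataclass(frozen=True)
class Evidence:
    authenticator: str  # key into AUTHENTICATOR_CATEGORY
    verified: bool      # whether this authenticator actually succeeded


def sca_satisfied(evidence):
    """Return (ok, categories): ok is True only when the verified
    authenticators cover at least two distinct SCA factor categories.
    Failed or unknown authenticators never contribute a category."""
    categories = set()
    for item in evidence:
        if not item.verified:
            continue  # a failed check adds no factor, whatever its category
        category = AUTHENTICATOR_CATEGORY.get(item.authenticator)
        if category is None:
            raise ValueError(f"unknown authenticator: {item.authenticator}")
        categories.add(category)
    return len(categories) >= 2, frozenset(categories)


if __name__ == "__main__":
    session = [Evidence("password", True), Evidence("registered_device", True)]
    print(sca_satisfied(session))  # two categories: SCA satisfied
    weak = [Evidence("password", True), Evidence("pin", True)]
    print(sca_satisfied(weak))     # both knowledge: SCA not satisfied
```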
GDPR (General Data Protection Regulation)
What It Is
GDPR (Regulation 2016/679) is the EU's comprehensive data protection regulation. Non-compliance penalties can reach 4% of annual global turnover or EUR 20 million, whichever is higher.
Data Subject Rights
| Right | GDPR Article | Response Time | Platform Implementation |
|---|---|---|---|
| Right of Access | Article 15 | 30 days | Automated data export, self-service |
| Right to Rectification | Article 16 | 30 days | Customer self-service, audit trail |
| Right to Erasure | Article 17 | 30 days | Automated deletion workflows |
| Right to Portability | Article 20 | 30 days | Standard format export (JSON, CSV) |
Breach Notification
GDPR requires notification to the supervisory authority within 72 hours of becoming aware of a personal data breach. Platforms must provide real-time breach detection, automated impact assessment, pre-built notification templates, and a complete audit trail of response actions.
DORA (Digital Operational Resilience Act)
What It Is
DORA (Regulation 2022/2554) became fully applicable on 17 January 2025. It establishes comprehensive requirements for ICT risk management across approximately 22,000 financial entities in the EU. Penalties for serious breaches can reach 10% of annual turnover or EUR 10 million.
Five Pillars of DORA
| Pillar | Key Requirements | Platform Implementation |
|---|---|---|
| ICT Risk Management | Framework, policies, controls, governance | Built-in risk framework, automated monitoring |
| Incident Management | Detect, manage, report major incidents | Real-time detection, automated reporting |
| Resilience Testing | Regular testing, TLPT for systemic entities | Continuous testing, penetration testing support |
| Third-Party Risk | Oversight of ICT service providers | Vendor management, contract compliance |
| Information Sharing | Cyber threat intelligence sharing | Threat intel integration |
Cloud-native platforms are well-positioned for DORA compliance. AWS infrastructure provides 99.99% availability, comprehensive disaster recovery, and built-in security controls. This architecture helps customers meet their DORA obligations through inherited compliance.
Basel III/IV (Capital Requirements)
What It Is
Basel III, implemented through CRR/CRD IV in the EU, establishes capital, liquidity, and leverage requirements for banks. Basel IV (the finalized Basel III reforms) is being implemented through CRR III/CRD VI, with phased implementation from 2025 to 2028.
Key Ratios
| Ratio | Formula | Minimum Level |
|---|---|---|
| Common Equity Tier 1 (CET1) | High-quality capital / RWA | 4.5% + buffers |
| Liquidity Coverage Ratio (LCR) | HQLA / Net outflows (30 days) | 100% |
| Net Stable Funding Ratio (NSFR) | Available stable funding / Required | 100% |
| Leverage Ratio | Tier 1 capital / Total exposure | 3% |
AML-CFT (Anti-Money Laundering)
Customer Due Diligence Levels
| CDD Level | When Required | Requirements |
|---|---|---|
| Simplified DD | Low-risk customers, small transactions | Basic identity verification |
| Standard CDD | All customers by default | Identity, beneficial ownership, purpose |
| Enhanced DD (EDD) | High-risk customers, PEPs, high-risk jurisdictions | Source of funds/wealth verification |
Transaction Monitoring
- Rule-Based Monitoring: Configurable threshold and pattern rules
- ML-Based Detection: Behavioral analysis, anomaly detection
- Network Analysis: Graph-based relationship analysis for money mule detection
- SAR Generation: Automated Suspicious Activity Report drafting and filing
Traditional AML systems generate false positive rates of 90% or more. AI-powered transaction monitoring can reduce false positives by 60% while maintaining detection rates, a major operational cost saving for compliance teams.
Compliance Automation Summary
| Regulation | Key Requirements | Target Automation Level |
|---|---|---|
| PSD2/PSD3 | SCA, APIs, VoP, fraud prevention | 95% |
| GDPR | Data rights, consent, breach notification | 90% |
| DORA | ICT risk, incident reporting, resilience | 85% |
| Basel III/IV | RWA, LCR, NSFR, reporting | 85% |
| AML-CFT | KYC, transaction monitoring, SAR | 80% |
Compliance is a competitive advantage. Banks spend 30-40% of IT budgets on compliance. Platforms with 80-95% automation transform this from cost center to differentiator.
DORA is now active. As of January 2025, DORA's ICT risk management and incident reporting requirements are mandatory. Platforms must support customers' compliance obligations.
PSD3 is coming. Expected H2 2027, PSD3/PSR will strengthen fraud prevention, enhance liability rules, and require improved Open Banking APIs. Build forward-compatible architecture now.