Definition
DSP2 (Payment Services Directive 2, known as PSD2 in English) is the European directive that created Open Banking.
Adopted on 25 November 2015 and applicable from 13 January 2018, it requires banks to open up their APIs, introduces the AISP, PISP and CBPII roles, and mandates Strong Customer Authentication (SCA) for online payments.
DSP1 vs DSP2 vs DSP3
Three generations, each going a step further:
- DSP1 (2007) — harmonises payments across the eurozone and creates the payment institution (EP) status.
- DSP2 (2015 → 2018) — adds mandatory Open Banking, TPPs, SCA and a strengthened liability regime.
- DSP3 + PSR (proposed in 2023, applicable 2026-2027) — tighten anti-fraud measures and API quality requirements, overhaul the CBPII role and turn the directive into a regulation (PSR).
DSP2 remains the framework in force: everything being built in fintech rests on it.
The 4 major contributions
- Mandatory third-party access (XS2A): any bank holding a payment account must expose an open API to licensed TPPs.
- Three TPP statuses: AISP (read), PISP (initiation), CBPII (card funds confirmation).
- Strong Customer Authentication (SCA): 2 out of 3 factors for any payment or sensitive access (RTS of September 2019).
- Liability regime: in the event of fraud, the bank (ASPSP) reimburses first and then has to seek redress from the PISP at fault.
What DSP2 does not cover
- Other financial accounts (savings, life insurance, credit, investment): that is the scope of FIDA.
- Crypto-assets: that is MiCA.
- Operational IT resilience: that is DORA.
- Visa/Mastercard cards: DSP2 governs the ecosystem without creating a direct alternative, except through PISPs that bypass the card.
Key timeline
- 25 November 2015 — adopted by the Parliament and the Council.
- 13 January 2018 — entry into application (transposed in France by the order of 9 August 2017).
- September 2019 — application of the RTS-SCA.
- 2022 — move to 180 days for AIS consent renewal (up from 90 originally).
- June 2023 — DSP3 + PSR proposal.
- 2026-2027 (estimate) — entry into force of DSP3.
In the PSD2 ecosystem
DSP2 is the foundation of every other concept in the glossary (AISP, PISP, ASPSP, TPP, SCA, QWAC, QSealC). It has shaped a European market that is now worth several billion euros.
Concrete examples
- Without DSP2, these apps would not exist: Bankin', Linxo, Pennylane, Qonto (in part), Bridge, Tink, Fintecture, Trustly — the entire AISP/PISP ecosystem was born from this directive.
- Impact on banks: an obligation to operate documented public APIs, available 24/7 (EBA target > 99%), compliant with the STET or Berlin Group standards.
- UX impact: the mandatory SCA shifted the market from 3DS1 (insecure, poor UX) to 3DS2 (biometrics, push) for all online payments.
- Observed limits: fragmented implementations across banks, variable API quality, the absence of account data beyond payment accounts (savings, credit) — gaps that DSP3, PSR and FIDA aim to fix.
- Useful monitoring: follow the EBA's opinions and discussion papers, and the API performance dashboard published by the ACPR.